From owner-freebsd-security@FreeBSD.ORG Sat Mar 15 05:34:42 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 636E37C9; Sat, 15 Mar 2014 05:34:42 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [IPv6:2001:470:1:117::25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 3D564F09; Sat, 15 Mar 2014 05:34:42 +0000 (UTC) Received: from delphij-macbook.local (c-24-5-244-32.hsd1.ca.comcast.net [24.5.244.32]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by anubis.delphij.net (Postfix) with ESMTPSA id 90B301EE0C; Fri, 14 Mar 2014 22:34:40 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1394861681; bh=stpo7iMLDLAWpLy8zHTn56Y4k9CbddDW1PGThz8E1A4=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=AsCiM8CTvgXDEG0+1ZeJ4LwpNvmUS90JmIYmhUcsJJeqcLtuIencx56kwP7lhhuxm cpW+ySiOpM4Qjk7XSOuTCOZhS4qOosame4bZGDrkC1vLoG2NxwAq9t6/DX/eHg8VTO kKI4743XVXztDA24LGSex4bW+I4RZi64XuD5wp0I= Message-ID: <5323E670.5020905@delphij.net> Date: Fri, 14 Mar 2014 22:34:40 -0700 From: Xin Li Organization: The FreeBSD Project MIME-Version: 1.0 To: Brett Glass , d@delphij.net, Fabian Wenk , freebsd-security@freebsd.org Subject: Re: NTP security hole CVE-2013-5211? References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <5323AF47.9080107@delphij.net> <201403150343.VAA27172@mail.lariat.net> In-Reply-To: <201403150343.VAA27172@mail.lariat.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Ollivier Robert , hackers@lists.ntp.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 15 Mar 2014 05:34:42 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 3/14/14, 8:43 PM, Brett Glass wrote: > At 07:39 PM 3/14/2014, Xin Li wrote: > >> FreeBSD 10.0-RELEASE ships with new default NTP settings, are >> you talking an earlier RC (before RC4 as r259975), or are you >> saying 10.0-RELEASE ships with a ntp.conf with wrong defaults? > > The latter. The ntp.conf shipped with 10.0-RELEASE still allows > relaying of attacks, even with an ntpd that is patched to prevent > amplification. I can't reproduce with fresh install. How did you tested it (or what is missing in the default ntp.conf), can you elaborate? Cheers, -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJTI+ZvAAoJEJW2GBstM+ns18UP/031jrsOBWNewc/WbvpxbE0I KxY1p07drvzE1ftYfwZ7Wi8F9U+f4/qJ1ufCU4DfD3GUUxUm4K3YyKRqBxTCHP+g 4N5FBwS1iKVK9DP1NvBOhLQT2l3X3gHgvi8ICa4MPi/OOTSQx8rlAnPAs2Mq2JS0 FlrTYjHoWpQvT7+46m7Yvz/nqtHOHScrGvbebVB/l8iuDdbtrCJutoHUTPtPH4IP 8Rqx9pMKRBiQ5jFWGQsSqTpveHFXw7d58hjOOQrWSUiz6U+ZinVtbZucpkFFs2WG QZbgNKkeF2rqXvbP/+EPtaTbJ+fQJnrU9c5kNDmZPmDfp2C2qxq6vvZWZcEcE96w D5GzGU64cc1RkqxS2T0NqUDbBWDM+hF1Smxxy1zMo+JDNz3rtouvuXQrQi1U5KRl JUMpbRDI1QOZFlmz/ps0wyq5lDYUFNlOlwDAj1vXFsIw9kROMfZmIQ0M35gnWIEv AyR6RmxPcbpRqouil1lmzDhfNY2z6HG0W5XKQGRULZWB+6dSX05VSXUR7sQiJFiu 7izQ3BdFcG9aL85m/toH8c1qPu/UoZ9rAQ6+gnSNT0eoPXy7bWnciSvlNg9GfpC/ a9XwixLCggI4fV+T+yzFbzUe2PzSBEwx4k1/XO3VDLtY/NUTmiZsIZYySelvkOWq 1CySClbtRbT+AtlDdCfQ =6zOm -----END PGP SIGNATURE-----