Date:      Wed, 03 Sep 2014 07:16:39 -0500
From:      dweimer <dweimer@dweimer.net>
To:        Ronald Klop <ronald-lists@klop.ws>
Cc:        owner-freebsd-stable@freebsd.org, freebsd-stable@freebsd.org
Subject:   Re: Stale NTP software included in FreeBSD (RELEASE/STABLE/CURRENT)
Message-ID:  <79435abc6a25af126747cdd036a8fafa@dweimer.net>
In-Reply-To: <op.xllzz91ukndu52@82-171-231-144.ip.telfort.nl>
References:  <20140903061024.GA14382@rwpc15.gfn.riverwillow.net.au> <op.xllzz91ukndu52@82-171-231-144.ip.telfort.nl>

On 09/03/2014 6:39 am, Ronald Klop wrote:
> On Wed, 03 Sep 2014 08:10:24 +0200, John Marshall
> <john.marshall@riverwillow.com.au> wrote:
> 
>> All of the following FreeBSD releases included stale NTP software at
>> the time of their release.
>> 
>>   8.3-RELEASE  (ntp 4.2.4p5)
>>   8.4-RELEASE  (ntp 4.2.4p5)
>>   9.0-RELEASE  (ntp 4.2.4p8)
>>   9.1-RELEASE  (ntp 4.2.4p8)
>>   9.2-RELEASE  (ntp 4.2.4p8)
>>   9.3-RELEASE  (ntp 4.2.4p8)
>>  10.0-RELEASE  (ntp 4.2.4p8)
>> 
>> ntp 4.2.4 is the version that shipped in all of the above releases and
>> is also included in 10-STABLE and 11-CURRENT at present.  ntp 4.2.4
>> was superseded by the ntp 4.2.6 release on 12-Dec-2009.  Is there any
>> interest in getting a supported version of the ntp software into the
>> upcoming 10.1 release?  I would have thought that the latest patch
>> release of the stable ntp version (4.2.6p5 24-DEC-2011) would be
>> appropriate?  I know that the ntp folks are working on releasing 4.2.8
>> but it isn't quite there yet.
>> 
>> I understand that this is a volunteer project and that volunteers
>> don't have time to do everything.  I'm just waving the flag in case
>> this is something that may have been overlooked.
>> 
>> Thank you to all those committers who look after vendor imports for
>> all of the contributed software that helps make up the FreeBSD releases.
>> 
> 
> I think that before discussing 10.1 it is nice to create patches for
> 11-CURRENT and try to update it there.


I think it would likely be a good idea for someone to address the 4.2.6
being marked as FORBIDDEN since January with a reference to
CVE-2013-5211 / VU#348126 before it's put in base.  I have been running a
few of my servers using WITHOUT_NTP in /etc/src.conf and running the
ports version, as the old version number gets flagged in PCI scans; now,
sadly, I run the ntp-devel port on 4.2.7, which is probably less secure
but does pass the scans.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/
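The thread turns on two checks an operator ends up doing by hand: which ntp version a host actually runs (base 4.2.4 versus the 4.2.6/4.2.7 port), and whether ntp.conf carries a mitigation for the CVE-2013-5211 monlist amplification issue that got 4.2.6 marked FORBIDDEN. The script below is an added example, not code from the thread or from FreeBSD; it parses a constructed `ntpd --version`-style banner, compares the version against a configurable threshold (4.2.7p26, the release in which the NTP project fixed monlist, as recorded in CERT VU#348126), and greps a constructed ntp.conf for the two standard mitigations, `disable monitor` or `noquery` on the default `restrict` line. The sample banner and config texts are constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an ntpd version
# banner and an ntp.conf text for CVE-2013-5211 (monlist) exposure.

# Extract the first "X.Y.Z" or "X.Y.ZpN" token from an ntpd banner line.
ntp_version_from_banner() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?' | head -n 1
}

# Split "4.2.4p8" into "4 2 4 8"; a missing patch level becomes 0.
ntp_version_fields() {
    printf '%s\n' "$1" \
      | sed -E 's/^([0-9]+)\.([0-9]+)\.([0-9]+)(p([0-9]+))?.*/\1 \2 \3 \5/' \
      | awk '{ if ($4 == "") $4 = 0; print $1, $2, $3, $4 }'
}

# Return 0 when version $1 is strictly older than version $2.
ntp_version_older() {
    a=$(ntp_version_fields "$1")
    b=$(ntp_version_fields "$2")
    awk -v a="$a" -v b="$b" 'BEGIN {
        split(a, x, " "); split(b, y, " ")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0   # older
            if (x[i] + 0 > y[i] + 0) exit 1   # newer
        }
        exit 1                                 # equal: not older
    }'
}

# Return 0 when the ntp.conf text in $1 mitigates monlist, i.e. it has
# "disable monitor" or a "restrict [-4|-6] default ... noquery" line.
# Comments are stripped first so a commented-out directive does not count.
ntp_conf_monlist_mitigated() {
    conf=$(printf '%s\n' "$1" | sed 's/#.*//')
    printf '%s\n' "$conf" \
      | grep -Eq '^[[:space:]]*disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)' \
      && return 0
    printf '%s\n' "$conf" \
      | grep -Eq '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]+[a-z]+)*[[:space:]]+noquery([[:space:]]|$)' \
      && return 0
    return 1
}

# Version in which the NTP project shipped the monlist fix (VU#348126).
MONLIST_FIXED_IN=4.2.7p26

# Constructed sample inputs (not captured from a real machine).
SAMPLE_BANNER='ntpd 4.2.4p8@1.1612-o Mon Jan 01 00:00:00 UTC 2014 (1)'
SAMPLE_CONF_OPEN='server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
driftfile /var/db/ntpd.drift'
SAMPLE_CONF_FIXED='server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
disable monitor   # explicitly turn off the monlist responder
driftfile /var/db/ntpd.drift'

# Stand-alone demo: report on the constructed inputs.
ver=$(ntp_version_from_banner "$SAMPLE_BANNER")
if ntp_version_older "$ver" "$MONLIST_FIXED_IN"; then
    echo "ntpd $ver predates the monlist fix ($MONLIST_FIXED_IN)"
else
    echo "ntpd $ver includes the monlist fix"
fi
for conf in "$SAMPLE_CONF_OPEN" "$SAMPLE_CONF_FIXED"; do
    if ntp_conf_monlist_mitigated "$conf"; then
        echo "ntp.conf: monlist mitigated"
    else
        echo "ntp.conf: monlist NOT mitigated"
    fi
done
```

On a live host the banner would come from `ntpd --version` and the config from `/etc/ntp.conf`; the version check is only a floor, so a host on an old release with `disable monitor` still passes the config check even though a PCI scanner matching on the banner alone would flag it, which is the mismatch the thread is complaining about.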