Hello community,

here is the log from the commit of package ntp for openSUSE:Factory checked in at 2014-01-21 12:29:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/ntp (Old)
 and      /work/SRC/openSUSE:Factory/.ntp.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp" Changes: -------- --- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2013-10-23 10:10:52.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2014-01-23 15:50:08.000000000 +0100 @@ -1,0 +2,7 @@ +Mon Jan 20 16:41:52 UTC 2014 - [email protected] + +- CVE-2013-5211, bnc#857195: restrict query, configuration, + modification access from world by default. Avoids that ntp can + be used as a DDoS amplifier. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntp.spec ++++++ --- /var/tmp/diff_new_pack.Rcpumq/_old 2014-01-23 15:50:08.000000000 +0100 +++ /var/tmp/diff_new_pack.Rcpumq/_new 2014-01-23 15:50:08.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package ntp # -# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ conf.ntp.conf ++++++ --- /var/tmp/diff_new_pack.Rcpumq/_old 2014-01-23 15:50:09.000000000 +0100 +++ /var/tmp/diff_new_pack.Rcpumq/_new 2014-01-23 15:50:09.000000000 +0100 
@@ -41,6 +41,26 @@ ## # rcntp addserver <yourserver> ## +# Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for +# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> +# might also be helpful. +# +# Note that "restrict" applies to both servers and clients, so a configuration +# that might be intended to block requests from certain clients could also end +# up blocking replies from your own upstream servers. + +# By default, exchange time with everybody, but don't allow configuration. +restrict -4 default kod notrap nomodify nopeer noquery +restrict -6 default kod notrap nomodify nopeer noquery + +# Local users may interrogate the ntp server more closely. +restrict 127.0.0.1 +restrict ::1 + +# Clients from this (example!) subnet have unlimited access, but only if +# cryptographically authenticated. +#restrict 192.168.123.0 mask 255.255.255.0 notrust + ## ## Miscellaneous stuff ## -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
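Review bot: in the conf.ntp.conf hunk, the comment "By default, exchange time with everybody, but don't allow configuration." covers only part of what the two "restrict -4 default" / "restrict -6 default" lines under it do. They also set noquery, nopeer and notrap, and the refusal of queries is what the ntp.changes entry ties to the DDoS amplifier problem. Suggest extending the comment to say that queries, peering and traps are refused as well, so an admin editing the file does not drop noquery by mistake. The same lines set kod without limited; please check against the accopt.html page cited at the top of the hunk whether kod has any effect on its own, and either add limited or drop kod.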
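Review bot: in the ntp.changes hunk, the entry says access is restricted "by default" but does not name the lines that do it. Suggest mentioning the new "restrict -4 default" and "restrict -6 default" lines from conf.ntp.conf in the entry, so that someone reading the changelog for CVE-2013-5211 knows what to compare against an ntp.conf they already have.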
