Re: ntpd vulnerabilities

Mon, 22 Dec 2014 09:51:46 -0800

I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port. 

--Brett Glass

At 03:25 AM 12/22/2014, Steve Clement wrote:


Chances are good it is vulnerable:
https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log <https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log> https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log <https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log> 

Regarding the diff:

 diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
    7723

Cherry picking the patches is easier.

ntpd source trees:
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/> http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ <http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/> 

Luckily that is still up… atm ntp.org is down.
Here is the cached version of the notice: http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice 

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:[email protected]
.lu: +352 20 333 55 65

> On 22 Dec 2014, at 11:06, Steve Clement <[email protected]> wrote:
>
> If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start. 



_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"

Reply via email to