You are right that strictly speaking in the context of this list “you should 
upgrade” is not completely unreasonable, but for “regular users” knowing more 
details about the scope and the mitigation options than was listed in the 
announcement would be nice.

Most of us running ntpd’s that participate in the NTP Pool also have numerous 
other devices with NTP software.

I’ll add to the list of questions: Is ‘ntpdate’ affected? Lots and lots of 
“stuff that never gets updated” uses that, so if it is affected it’ll make it 
more relevant to put firewall rules in place to make sure they only get NTP 
traffic from “trusted sources”.


Ask


—
http://askask.com/

On Sat, Dec 20, 2014 at 9:20 AM, Harlan Stenn <[email protected]> wrote:

> Ask Bjørn Hansen writes:
>>
>> > On Dec 20, 2014, at 8:13, Harlan Stenn <[email protected]> wrote:
>> >
>> > You are whining, and I'll attribute that to the extra work this time of
>> > year.
>>
>> We'll read your snarky/defensive response with the same disclaimer. :-)
> Fair enough.  True enough.
>> > Please tell me a valid use case for sticking with the older version.
>> 
>> Appliances with an old version that can't easily be upgraded. While
>> waiting for vendor support it'd be nice to know what mitigations would
>> be possible. Is a client exposed? How much difference does it make to
>> disable crypto? Is it possible to firewall/filter the dangerous packets?
>> (etc).
> Doesn't fly.  Even if somebody backported the patches to those releases,
> who is going to rebuild the software on those appliances?
> Who is going to be able to install that new software on those devices?
> How many of these devices are in the pool?
> H
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
