Ask Bjørn Hansen wrote:
You are right that strictly speaking in the context of this list “you should
upgrade” is not completely unreasonable, but for “regular users” knowing more
details about the scope and the mitigation options than was listed in the
announcement would be nice.
Most of us running ntpd’s that participate in the NTP Pool also have numerous
other devices with NTP software.
As far as I understand the reports on bugzilla the main vulnerabilities
are in functions where signed packets (symmetric key or autokey) are
used, or dynamic/remote configuration via ntpq and/or ntpdc is enabled,
which, as far as I know, also requires some sort of crypto to be enabled.
So from my understanding disabling crypto in ntp.conf should avoid the
main vulnerabilities as a first, quick step.
Martin
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool