Red Hat has issued an advisory,
https://rhn.redhat.com/errata/RHSA-2014-2024.html, which seems to
indicate that CVE-2014-9295 is a lot less serious than it first appeared
to be.
They write: "the crypto_recv() flaw requires non-default configurations
to be active, while the ctl_putdata() flaw, by default, can only be
exploited via local attackers, and the configure() flaw requires
additional authentication to exploit."
From my reading the other CVEs also seem to affect only setups with
authentication.
If this is true, then most of us are probably not affected at all. My
ntpd does not have local users, and does not use authentication. Can I
turn it back on? I'm using Ubuntu, and they do not yet offer an update.
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool