I don't know what patches Debian put into 4.2.6. I know we fixed these issues in 4.2.8 and 4.2.8p1. If you are running Linux, you want to use 4.2.8p1, and to protect other applications that might use IPv6 ACLs for protection, you also want to be sure your firewall rules block packets claiming to be from ::1 that arrive on external interfaces.

H
--
Robert Gray writes:
> On 21 December 2014 at 22:27, Harlan Stenn <[email protected]> wrote:
>
> > Debian should have patches now.
>
> The Debian security update DSA 3108-1 reported that: "The default ntpd
> configuration in Debian restricts access to localhost (and possibly the
> adjacent network in case of IPv6). Keys explicitly generated by "ntp-keygen
> -M" should be regenerated."
>
> It was not clear to me whether the problem was actually fixed or simply not
> considered a problem. The Debian security site does not list the resolution
> either https://www.debian.org/security/
>
> Rather than take my server entirely offline I have replaced ntp with
> openntpd until there is more clarity.
>
> Robert Gray
> Ph +64 9 233 6201 Mob +64 21 971 860
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
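
The firewall advice in the message above (drop packets claiming to be from ::1 on external interfaces) depends on rule order, which can be checked mechanically. This is an added example, not part of the original thread or of the ntp project: it assumes rule lines in the format `ip6tables-save` prints (the thread names no firewall tool), and the rulesets and function names are constructed for illustration.

```python
import ipaddress
import shlex

LOOPBACK = ipaddress.ip_address("::1")

# Constructed INPUT-chain rules in ip6tables-save syntax (not from the thread).
GOOD = """-A INPUT -i lo -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
"""
# Same rules, but the NTP ACCEPT is evaluated before the anti-spoofing DROP.
BAD = """-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s ::1/128 ! -i lo -j DROP
"""

def parse_rule(line):
    """Extract source, input interface and target from one '-A' line."""
    rule = {"src": None, "iface": None, "target": None, "extra": False}
    neg, tokens = False, iter(shlex.split(line)[2:])  # skip "-A <chain>"
    for tok in tokens:
        if tok in ("-s", "--source"):
            rule["src"] = (next(tokens), neg)
        elif tok in ("-i", "--in-interface"):
            rule["iface"] = (next(tokens), neg)
        elif tok in ("-j", "--jump"):
            rule["target"] = next(tokens)
            break                      # target options are not needed here
        elif tok != "!":
            rule["extra"] = True       # protocol/port/state match, not modelled
        neg = tok == "!"               # "!" negates the option that follows it
    return rule

def audit_input_chain(ruleset):
    """Verdict for a packet with source ::1 arriving on a non-loopback interface."""
    for line in ruleset.splitlines():
        if not line.startswith("-A INPUT "):
            continue
        r = parse_rule(line)
        if r["src"]:
            net, neg = r["src"]
            if (LOOPBACK in ipaddress.ip_network(net, strict=False)) == neg:
                continue               # this source match excludes ::1
        if r["iface"] == ("lo", False):
            continue                   # rule only applies to real loopback traffic
        certain = not r["extra"] and r["iface"] in (None, ("lo", True))
        if r["target"] in ("DROP", "REJECT") and certain:
            return "blocked"
        if r["target"] == "ACCEPT":
            return "exposed"           # conservative: this ACCEPT may match first
    return "no-explicit-rule"          # outcome is left to the chain policy
```

The check is deliberately conservative: any ACCEPT that could match the spoofed packet before an unconditional drop is reported as `exposed`, even if its protocol or port match would not apply in practice.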
