On Sun, Mar 15, 2015 at 08:49:13AM +0000, Harlan Stenn wrote: > I don't know what patches Debian put in to 4.2.6.
Just like almost everybody else we backported the changes after having problems even finding all the relevant patches. > I know we fixed these issues in 4.2.8 and 4.2.8p1. If you are running > linux, you want to use 4.2.8p1 and to protect other applications that > might use IPv6 ACLs for protection you also want to be sure your > firewall rules block packets claiming to be from ::1 that arrive on > external interfaces. Please note that this are all still e-mails from December that suddenly made it to the list at which time you didn't release information about the ::1 problem yet. That was only in February. > Robert Gray writes: > > On 21 December 2014 at 22:27, Harlan Stenn <[email protected]> wrote: > > > > > > Debian should have patches now. > > > > > > > The debian security update DSA 3108-1 reported that: "The default ntpd > > configuration in Debian restricts access to localhost (and possible the > > adjacent network in case of IPv6). Keys explicitly generated by "ntp-keygen > > -M" should be regenerated." It's saying that by default the weak keys could not be exploited because of the default ACLs, but that you should regenerate your keys anyway. Kurt _______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
