Kurt Roeckx writes: > On Sun, Mar 15, 2015 at 08:49:13AM +0000, Harlan Stenn wrote: > > I don't know what patches Debian put in to 4.2.6. > > Just like almost everybody else we backported the changes after > having problems even finding all the relevant patches.
I think it would seem self-serving if I told you how many hours/week I was doing from that first week of December until the end of January (and in to February, which included some other "interesting" events). The patches were in the bug reports and in the patch logs. I remain curious why folks would want to stick with 4.2.6 when I had repeatedly announced that 4.2.8 was in a release candidate state and folks, including Debian, knew that 4.2.8 would be released with the security patches. I believe we also mentioned that over 1100 bugfixes and improvements had been made between 4.2.6 and 4.2.8. Why were you not actively exploring 4.2.8? Is 4.2.8pX in your pipeline now? > > I know we fixed these issues in 4.2.8 and 4.2.8p1. If you are running > > linux, you want to use 4.2.8p1 and to protect other applications that > > might use IPv6 ACLs for protection you also want to be sure your > > firewall rules block packets claiming to be from ::1 that arrive on > > external interfaces. > > Please note that this are all still e-mails from December that > suddenly made it to the list at which time you didn't release > information about the ::1 problem yet. That was only in February. Yes, and that was my bad. I had just replied to a new recent message that felt "trollish" to me and then there were these other messages in my queue where I didn't realize they were old, from before 4.2.8p1. I apologize for being harsh in the replies to those "old" messages. I also apologize for being still crushed for time and not doing a followup apology for each of thse messages. > > Robert Gray writes: > > > On 21 December 2014 at 22:27, Harlan Stenn <[email protected]> wrote: > > > > > > > > Debian should have patches now. > > > > > > > > > > The debian security update DSA 3108-1 reported that: "The default ntpd > > > configuration in Debian restricts access to localhost (and possible the > > > adjacent network in case of IPv6). Keys explicitly generated by "ntp-keyg > en > > > -M" should be regenerated." > > It's saying that by default the weak keys could not be exploited > because of the default ACLs, but that you should regenerate your > keys anyway. I have no idea how easy it is to exploit any of the MD5 keys that were generated with the old random number code. Sites that are either unpatched or do not have ::1 filtering on the box are vulnerable still. Even if you have an ntpd that is patched to protect against ::1 spoofing under Linux, any other service that uses ACLs to protect against malicious changes is still vulnerable. H _______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
