On Thu, Oct 22, 2015 at 10:33:03AM +0200, Miroslav Lichvar wrote: > On Wed, Oct 21, 2015 at 03:13:02PM -0400, Jared Mauch wrote: > > with this public disclosure: http://www.cs.bu.edu/~goldbe/NTPattack.html > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 > > This one is probably the most severe issue from all that went public > yesterday. I think it's just a matter of time before someone attacks > the pool servers and makes a lot of people unhappy. > > Unfortunately, it seems the fix included in ntp-4.2.8p4 is bad. It > still allows a spoofed KoD RATE packet to set the mininum polling > interval and effectively disable synchronization. It also completely > breaks peering (symmetric associations). I'm not sure how this passed > testing. > > Harlan, attached is a proper fix. It applies to 4.2.6p5 and 4.2.8p3. > It would be good if you could make a quick 4.2.8p5 release. Maybe even > include the one-liner for CVE-2015-5300.
That patch does not apply to 4.2.8p4, I've attached a patch that does. _______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
