On Thu, Oct 22, 2015 at 07:27:25PM +0200, Kurt Roeckx wrote: > On Thu, Oct 22, 2015 at 10:33:03AM +0200, Miroslav Lichvar wrote: > > On Wed, Oct 21, 2015 at 03:13:02PM -0400, Jared Mauch wrote: > > > with this public disclosure: http://www.cs.bu.edu/~goldbe/NTPattack.html > > > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704 > > > > This one is probably the most severe issue from all that went public > > yesterday. I think it's just a matter of time before someone attacks > > the pool servers and makes a lot of people unhappy. > > > > Unfortunately, it seems the fix included in ntp-4.2.8p4 is bad. It > > still allows a spoofed KoD RATE packet to set the mininum polling > > interval and effectively disable synchronization. It also completely > > breaks peering (symmetric associations). I'm not sure how this passed > > testing. > > > > Harlan, attached is a proper fix. It applies to 4.2.6p5 and 4.2.8p3. > > It would be good if you could make a quick 4.2.8p5 release. Maybe even > > include the one-liner for CVE-2015-5300. > > That patch does not apply to 4.2.8p4, I've attached a patch that > does.
And here is one that actually builds. Kurt _______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
