Assessed risk level: Low Previous versions of the puppetlabs-ntp module did not default to using 'disable monitor', which is one of the two configurations required to fully mitigate CVE-2013-5211. The module by default would set 'noquery' for all remote hosts, but the system would still be vulnerable to local attacks.
With the puppetlabs-ntp 4.1.1 release, the default value for the 'disable_monitor' parameter is set to 'true' for all platforms. No action is required unless you are manually setting 'disable_monitor' to false or you need monitoring enabled in your environment. Please see https://puppetlabs.com/security/cve/puppetlabs-ntp-nov-2015-advisory for more information. -- Morgan Haskel [email protected] Release Engineer -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2BFnDv0rgnh5p3%3DjFwUDoYo1hWS5rHMA3doQKNa8k8PO7kW1Fw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
