Package: ntp
Severity: important
Tags: security

This was assigned CVE-2013-5211:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks

Upstream ripped out monlist in favour of mrulist:
http://bugs.ntp.org/show_bug.cgi?id=1531
http://bugs.ntp.org/show_bug.cgi?id=1532

The default configuration in Debian uses "noquery" and thus doesn't allow monlist:

    # By default, exchange time with everybody, but don't allow configuration.
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery

For unstable we should update to 4.2.7. What's your suggestion on this for stable? We could

- Provide 4.2.7 for stable-security (or backport the changes if not too intrusive)
- Ignore this for stable-security and offer 4.2.7 in backports.debian.org for those sites which run a public NTP server
- Ignore this altogether since it doesn't affect the standard configuration and operators of large public NTP servers most definitely have updated to 4.2.7 already or deployed other workarounds.

Cheers,
Moritz

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
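The message above turns on one question an operator has to answer for each host: do the default `restrict` lines in ntp.conf carry `noquery` (or is `monitor` disabled), so that mode 7 queries such as monlist are refused? The following Python script is an added example, not part of the mailing-list post and not Debian's or ntp's own tooling. It parses the `restrict` directives of an ntp.conf, tracks the `disable monitor`/`enable monitor` directives, and reports per address family whether the default restriction still leaves monlist reachable. The sample configurations embedded in it are constructed; the Debian default block is the one quoted in the message. It only evaluates the `default` entry, so a more specific `restrict` for a subnet that omits `noquery` would still need to be reviewed by hand.

```python
"""Check whether an ntp.conf denies mode 7 queries (monlist) by default.

Added example for auditing CVE-2013-5211 exposure; the configs below are
constructed test input, not files taken from any real host.
"""


def parse_restrict_lines(conf_text):
    """Return (family, target, flags) for every `restrict` directive.

    family is "ipv4", "ipv6" or "any" (no -4/-6 given, which in ntpd applies
    to both families when the target is `default`).
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = "any"
        if tokens and tokens[0] in ("-4", "-6"):
            family = {"-4": "ipv4", "-6": "ipv6"}[tokens.pop(0)]
        if not tokens:
            continue
        target = tokens.pop(0)
        if tokens and tokens[0] == "mask":          # skip `mask <netmask>`
            tokens = tokens[2:]
        entries.append((family, target, set(tokens)))
    return entries


def default_query_exposure(conf_text):
    """Map family -> True when the default restrict lacks `noquery`.

    ntpd answers mode 6/7 queries unless a restrict flag forbids them, so a
    config with no `restrict default` line at all is reported as exposed.
    """
    exposure = {"ipv4": True, "ipv6": True}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default":
            continue
        families = ("ipv4", "ipv6") if family == "any" else (family,)
        for fam in families:                        # later lines win
            exposure[fam] = "noquery" not in flags
    return exposure


def monitor_enabled(conf_text):
    """Follow `disable monitor` / `enable monitor`; ntpd defaults to enabled."""
    enabled = True
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) >= 2 and "monitor" in tokens[1:]:
            if tokens[0] == "disable":
                enabled = False
            elif tokens[0] == "enable":
                enabled = True
    return enabled


def monlist_reachable(conf_text):
    """Per family: can an arbitrary client obtain a monlist response?

    Either `noquery` on the default restrict or `disable monitor` closes it.
    """
    if not monitor_enabled(conf_text):
        return {"ipv4": False, "ipv6": False}
    return default_query_exposure(conf_text)


# Constructed sample configurations.
DEBIAN_DEFAULT_CONF = """\
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

WEAK_CONF = """\
# noquery missing: mode 7 queries, including monlist, are answered.
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

DISABLED_MONITOR_CONF = """\
# Upstream-style workaround for hosts that cannot add noquery.
disable monitor
restrict default kod nomodify notrap nopeer
"""

if __name__ == "__main__":
    for name, conf in (("debian-default", DEBIAN_DEFAULT_CONF),
                       ("weak", WEAK_CONF),
                       ("disable-monitor", DISABLED_MONITOR_CONF)):
        print(name, monlist_reachable(conf))
```

Run it against a real file with `monlist_reachable(open("/etc/ntp.conf").read())`; any family reported `True` is a host that would serve as a reflector and should get `noquery` on its default restrict lines or `disable monitor` until it is upgraded.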

