The ntp daemon included in OpenBSD is our own openntpd, written from scratch.
openntpd is not vulnerable. Around 10 years ago it was written by Henning, at my request because the ntpd source code scared the hell out of us. At the time communications with the ntp team showed they had little interest in removing unused functionality from the ntp.org code, or any help with our form of source code audit. Because it was a rewrite, the major benefit in openntpd is that it priviledge seperated. If problems like these were found, they would not be realistically exploitable. Furthermore openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration. This might be a good time to circle the conversation back to the common practice of: srand(time(NULL)); Sorry, getting really jaded. When will the software vendors WAKE THE HELL UP? This is not 2000 anymore. It has become abundantly clear that it is very difficult to push lessons regarding better software practices into the greater open source community and the vendors who live off the teat.