I'd like to propose that FreeBSD move to OpenNTPD, which appears to
have none of the
fixed or unfixed (!) vulnerabilities that are present in ntpd.
There's already a port.
--Brett Glass
At 03:25 AM 12/22/2014, Steve Clement wrote:
>Chances are good it is vulnerable:
>
>https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
><https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log>
>https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log
><https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log>
>
>Regarding the diff:
>
> diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
> 7723
>
>Cherry picking the patches is easier.
>
>ntpd source trees:
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
><http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
><http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/>
>
>Luckily that is still up… atm ntp.org is down.
>Here is the cached version of the notice:
>http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice
>
>--
>Steve Clement
>https://www.twitter.com/SteveClement
>mailto:steve@localhost.lu
>.lu: +352 20 333 55 65
>
> > On 22 Dec 2014, at 11:06, Steve Clement <steve@localhost.lu> wrote:
> >
> > If someone could share a diff between ntpd 4.2.7 and 4.2.8
> would be a good start.
>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
No comments:
Post a Comment