Hi,

A friend who uses linux a lot happened to notice on a FreeBSD box I installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.

They reckon that's had a lot of issues (e.g. CVE reports) against it - and it should be newer.

I'm sure the one it has been 'updated' with is secure - and just reports that version, but if someone can confirm that'd be great,

Thanks,

-Karl
On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz <kpielorz_lst at tdx.co.uk> wrote:
> Hi,
>
> A friend who uses linux a lot happened to notice on a FreeBSD box I
> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.
>
> They reckon that's had a lot of issues (e.g. CVE reports) against it - and
> it should be newer.
>
> I'm sure the one it has been 'updated' with is secure - and just reports
> that version, but if someone can confirm that'd be great,

Don't take anything I say as confirmation, but I would have thought, looking at this page [1], that he is wrong. All the CVEs listed there say they apply to "before 4.2.4p8" or a lower version.

Cheers
Tom

[1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
On 11/1/2013 9:05 AM, Karl Pielorz wrote:
> A friend who uses linux a lot happened to notice on a FreeBSD box I
> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.

There are two ntpds in ports: a newer version of the one in base (it's literally a drop-in replacement) and OpenBSD's openntpd. If you just need a local accurate clock and maybe time service for your LAN, the one in base is ok because you can configure it to work around the open CVEs. If you're running a public NTP service, you can't work around spoofing vulnerabilities, so use one of the ports because you can keep it up to date much more easily.

You can remove ntpd from the base yourself:

1. Add "WITHOUT_NTP" to /etc/src.conf
2. Run the delete-old and delete-old-libs targets to "uninstall" the base ntpd.
3. Install ports/etc/ntp

The port uses the in-base RC script, so you need to set

    ntpd_program="/usr/local/bin/ntpd"
    ntpd_config="/usr/local/etc/ntp.conf"

in /etc/rc.conf to repoint the script at the port. You don't have to move ntp.conf, but /etc/ntp.conf gets removed by the delete-old target.
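The procedure in the reply above, scripted as an added example (this is not code from the thread or from the FreeBSD project). It assumes the port lives at net/ntp (the reply writes "ports/etc/ntp"), that the ntp.conf you want to keep is copied to /usr/local/etc/ntp.conf before delete-old removes /etc/ntp.conf, and that ntpd_enable is already what you want. ROOT is an assumed knob: leave it empty for the real system, or point it at a scratch directory to dry-run the config edits; the build and install steps only run when RUN_BUILD=yes, since they need /usr/src, the ports tree and root privileges.

```shell
#!/bin/sh
# Added example, not from the original thread. Switch a FreeBSD 9.x box from
# the base-system ntpd to the net/ntp port, following the four steps in the
# reply above. ROOT="" means the live system; any other value is a dry run.
ROOT="${ROOT:-}"
RUN_BUILD="${RUN_BUILD:-no}"

# Append a build knob to etc/src.conf unless an identical line is present.
add_src_knob() {
    root="$1"; knob="$2"; f="$root/etc/src.conf"
    mkdir -p "$root/etc"
    [ -f "$f" ] || : > "$f"
    grep -qx "$knob" "$f" || printf '%s\n' "$knob" >> "$f"
}

# Set var="value" in etc/rc.conf, replacing any earlier assignment of var so
# the file never carries two conflicting ntpd_program lines.
set_rc_var() {
    root="$1"; var="$2"; val="$3"; f="$root/etc/rc.conf"
    mkdir -p "$root/etc"
    [ -f "$f" ] || : > "$f"
    tmp="$f.tmp.$$"
    grep -v "^${var}=" "$f" > "$tmp" || true   # grep -v exits 1 on empty output
    printf '%s="%s"\n' "$var" "$val" >> "$tmp"
    mv "$tmp" "$f"
}

# Print the value of var from etc/rc.conf with quotes stripped (empty if unset).
get_rc_var() {
    sed -n "s/^$2=\"*\([^\"]*\)\"*\$/\1/p" "$1/etc/rc.conf" 2>/dev/null | tail -n 1
}

# Exit 0 when src.conf disables base ntp and rc.conf points at the port.
check_ntp_switch() {
    root="$1"
    grep -qx 'WITHOUT_NTP=yes' "$root/etc/src.conf" 2>/dev/null || return 1
    [ "$(get_rc_var "$root" ntpd_program)" = "/usr/local/bin/ntpd" ] || return 1
    [ "$(get_rc_var "$root" ntpd_config)" = "/usr/local/etc/ntp.conf" ] || return 1
    return 0
}

switch_to_port_ntpd() {
    root="$1"
    # Step 1: tell the build system the base ntp is unwanted; this is what
    # makes delete-old treat its files as obsolete.
    add_src_knob "$root" 'WITHOUT_NTP=yes'
    # Step 4: repoint the base rc script at the port's binary and config.
    set_rc_var "$root" ntpd_program /usr/local/bin/ntpd
    set_rc_var "$root" ntpd_config /usr/local/etc/ntp.conf
    # Steps 2 and 3 touch the real system, so only run them when asked.
    if [ "$RUN_BUILD" = yes ] && [ -z "$root" ]; then
        mkdir -p /usr/local/etc
        # delete-old removes /etc/ntp.conf, so preserve it first (-n: no clobber).
        [ -f /etc/ntp.conf ] && cp -n /etc/ntp.conf /usr/local/etc/ntp.conf
        (cd /usr/src && make delete-old delete-old-libs BATCH_DELETE_OLD_FILES=yes)
        (cd /usr/ports/net/ntp && make install clean BATCH=yes)
        service ntpd restart
    fi
}

# Only act when explicitly invoked with "run", so sourcing the file is safe.
if [ "${1:-}" = run ]; then
    switch_to_port_ntpd "$ROOT"
    check_ntp_switch "$ROOT" && echo "ntpd now served by the port"
fi
```

Usage on the live box: `RUN_BUILD=yes sh switch-ntpd.sh run` as root; `ROOT=/tmp/dryrun sh switch-ntpd.sh run` writes only /tmp/dryrun/etc/src.conf and rc.conf so you can inspect the edits first. Afterwards `ntpd --version` should report the port's version rather than 4.2.4p8, which is the check Karl's friend was really asking for.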