Hej,

Currently on 10.0 I run:

    FreeBSD tart 10.0-RELEASE-p14 FreeBSD 10.0-RELEASE-p14 #2 r265783M: Thu Dec 18 11:14:03 CET 2014 root at tart:/usr/obj/usr/src/sys/TART i386

    (ntpd -? | head -1)
    ntpd - NTP daemon program - Ver. 4.2.4p8

If someone could share a diff between ntpd 4.2.7 and 4.2.8, that would be a good start.

Some more technical info can be found here: http://circl.lu/pub/tr-29/

As soon as there is FreeBSD-relevant information we will include it.

cheers,
Steve

> On 22 Dec 2014, at 10:50, Winfried Neessen <neessen at cleverbridge.com> wrote:
>
> Hi everyone,
>
> there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD
> affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is
> not affected, but I guess that's due to the fact that they have OpenNTPd. The
> status for FreeBSD on that page is still "unknown".

Chances are good it is vulnerable:

https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log

Regarding the diff:

    diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
    7723

Cherry picking the patches is easier.

ntpd source trees:

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/

Luckily that is still up? atm ntp.org is down.

Here is the cached version of the notice:

http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve at localhost.lu
.lu: +352 20 333 55 65

> On 22 Dec 2014, at 11:06, Steve Clement <steve at localhost.lu> wrote:
>
> If someone could share a diff between ntpd 4.2.7 and 4.2.8, that would be a good start.