Winfried Neessen <neessen at cleverbridge.com> writes:> there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD > affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is > not affected, but I guess that's due to the fact, that they have OpenNTPd. The > status for FreeBSD on that page is still "unknown".Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I don't know why they have us down as "unknown". We are preparing an advisory for tomorrow. As was the case with BIND, this takes more work than for many other operating systems since we maintain older versions in older branches; for instance, 8.4 has 4.2.4. DES -- Dag-Erling Sm?rgrav - des at des.no
On Mon, Dec 22, 2014 at 11:16 AM, Dag-Erling Sm?rgrav <des at des.no> wrote:> Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I > don't know why they have us down as "unknown". We are preparing an > advisory for tomorrow. As was the case with BIND, this takes more work > than for many other operating systems since we maintain older versions > in older branches; for instance, 8.4 has 4.2.4.It looks like all supported FreeBSD versions use 4.2.4. At least CURRENT and 10.1 report that as the version: Dec 22 23:35:56 ntpd[660]: ntpd 4.2.4p5-a (1) Will 4.2.8 be pulled into CURRENT eventually, or is the plan to replace it entirely with ntimed?