On Mon, Dec 22, 2014 at 11:16 AM, Dag-Erling Sm?rgrav <des at des.no> wrote:> Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I > don't know why they have us down as "unknown". We are preparing an > advisory for tomorrow. As was the case with BIND, this takes more work > than for many other operating systems since we maintain older versions > in older branches; for instance, 8.4 has 4.2.4.It looks like all supported FreeBSD versions use 4.2.4. At least CURRENT and 10.1 report that as the version: Dec 22 23:35:56 ntpd[660]: ntpd 4.2.4p5-a (1) Will 4.2.8 be pulled into CURRENT eventually, or is the plan to replace it entirely with ntimed?
As a practical matter, is the default config vulnerable to the buffer overflow issues? The announcement: http://lists.ntp.org/pipermail/announce/2014-December/000122.html says that "restrict ... noquery" is sufficient mitigation for the 3 buffer overflow issues. I'm no expert on ntp.conf, but this appears in my ntp.conf on one of my FreeBSD systems: restrict default kod nomodify notrap nopeer noquery restrict -6 default kod nomodify notrap nopeer noquery However, it also has these: restrict 127.0.0.1 restrict -6 ::1 restrict 127.127.1.0 Joe
Robert Simmons <rsimmons0 at gmail.com> writes:> Will 4.2.8 be pulled into CURRENT eventually, or is the plan to > replace it entirely with ntimed?We have two people working on 4.2.8. DES -- Dag-Erling Sm?rgrav - des at des.no
According to Robert Simmons:> Will 4.2.8 be pulled into CURRENT eventually, or is the plan to > replace it entirely with ntimed?It is being worked on, import is already done in /vendor/ntp with two more patches (nothing to do with security, just compatibility). The usr.sbin bits are being worked on. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto at keltia.freenix.fr In memoriam to Ondine : http://ondine.keltia.net/