I'd like to propose that FreeBSD move to OpenNTPD, which appears to have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd. There's already a port.

--Brett Glass

At 03:25 AM 12/22/2014, Steve Clement wrote:
> Chances are good it is vulnerable:
>
> https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
> https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log
>
> Regarding the diff:
>
>     diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
>     7723
>
> Cherry picking the patches is easier.
>
> ntpd source trees:
>
> http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
> http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
>
> Luckily that is still up; atm ntp.org is down.
> Here is the cached version of the notice:
> http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice
>
> --
> Steve Clement
> https://www.twitter.com/SteveClement
> mailto:steve at localhost.lu
> .lu: +352 20 333 55 65
>
> > On 22 Dec 2014, at 11:06, Steve Clement <steve at localhost.lu> wrote:
> >
> > If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.
On Mon, Dec 22, 2014 at 10:39:54 -0700, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd.
> There's already a port.

Heartbleed, more than any other vulnerability in recent memory, showed us users on the outside of the Project just how much effort is involved in patching the base system (thank you, again, DES, for being patient and explaining all the details!). Because of this, I am reticent to support more software going into the base system. It should be small enough to build itself and bootstrap the ports tree, with very little else. The more things are in base, the more things the developers need to worry about patching across all the different supported versions of FreeBSD. It's a lot faster to update a port to use a different version. If you want fast security updates, use ports. Or hire developers to patch software for you.

--
Chris Nehren
On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the fixed or unfixed (!) vulnerabilities that are present in ntpd.
> There's already a port.

Historically OpenNTPD has been dismissed as a candidate because of its reduced accuracy and missing security features. For example, it doesn't implement the NTPv4 functionality or authentication. Quite literally, OpenNTPD is vulnerable to a MITM attack because of the lack of authentication. Their stance has been that you should trust your NTP servers, and they suggest using a VPN for the NTP traffic. Probably not a bad idea, honestly. I don't have a qualified opinion, but that should get you on the right track if you want to research further.