ntpd 4.2.4p8 - up to date?
Tom Evans
tevans.uk at googlemail.com
Tue Nov 5 16:17:40 UTC 2013
On Sat, Nov 2, 2013 at 12:18 AM, Dimitry Andric <dim at freebsd.org> wrote:
> On 01 Nov 2013, at 17:31, Tom Evans <tevans.uk at googlemail.com> wrote:
>> On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz <kpielorz_lst at tdx.co.uk> wrote:
>>>
>>> Hi,
>>>
>>> A friend who uses linux a lot happened to notice on a FreeBSD box I
>>> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8.
>>>
>>> They reckon that's had a lot of issues (e.g. CVE reports) against it - and
>>> it should be newer.
>>>
>>> I'm sure the one it has been 'updated' with is secure - and just reports
>>> that version, but if someone can confirm that'd be great,
>>>
>>
>> Don't take anything I say as confirmation, but I would have thought,
>> looking at this page [1], that he is wrong. All the CVEs listed there
>> say they apply to "before 4.2.4p8" or a lower version.
>>
>> Cheers
>>
>> Tom
>>
>> [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
>
> That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories:
>
> CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc
> CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc
> CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2
> CVE-2009-0021 not relevant, NTP before 4.2.4p5
> CVE-2004-0657 not relevant, NTP before 4.0
>
> -DImitry
>
Which is what I said? FreeBSD is currently at 4.2.4p8, all those CVEs
apply to "before 4.2.4p8".
Cheers
Tom
More information about the freebsd-security
mailing list