ntpd vulnerabilities

Steve Clement steve at localhost.lu
Mon Dec 22 10:25:25 UTC 2014


Chances are good it is vulnerable:

https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log

Regarding the diff:

 diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
    7723

Cherry picking the patches is easier.

ntpd source trees:

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/

Luckily that is still up… atm ntp.org is down.

Here is the cached version of the notice: http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve at localhost.lu
.lu: +352 20 333 55 65

> On 22 Dec 2014, at 11:06, Steve Clement <steve at localhost.lu> wrote:
> 
> If someone could share a diff between ntpd 4.2.7 and 4.2.8, that would be a good start.

More information about the freebsd-security mailing list