Stale NTP software included in FreeBSD (RELEASE/STABLE/CURRENT)

dweimer dweimer at dweimer.net
Wed Sep 3 12:16:48 UTC 2014 

On 09/03/2014 6:39 am, Ronald Klop wrote:
> On Wed, 03 Sep 2014 08:10:24 +0200, John Marshall
> <john.marshall at riverwillow.com.au> wrote:
> 
>> All of the following FreeBSD releases included stale NTP software at 
>> the
>> time of their release.
>> 
>>   8.3-RELEASE  (ntp 4.2.4p5)
>>   8.4-RELEASE  (ntp 4.2.4p5)
>>   9.0-RELEASE  (ntp 4.2.4p8)
>>   9.1-RELEASE  (ntp 4.2.4p8)
>>   9.2-RELEASE  (ntp 4.2.4p8)
>>   9.3-RELEASE  (ntp 4.2.4p8)
>>  10.0-RELEASE  (ntp 4.2.4p8)
>> 
>> ntp 4.2.4 is the version that shipped in all of the above releases and
>> is also included in 10-STABLE and 11-CURRENT at present.  ntp 4.2.4 
>> was
>> superseded by the ntp 4.2.6 release on 12-Dec-2009.  Is there any
>> interest in getting a supported version of the ntp software into the
>> upcoming 10.1 release?  I would have thought that the latest patch
>> release of the stable ntp version (4.2.6p5 24-DEC-2011) would be
>> appropriate?  I know that the ntp folks are working on releasing 4.2.8
>> but it isn't quite there yet.
>> 
>> I understand that this is a volunteer project and that volunteers 
>> don't
>> have time to do everything.  I'm just waving the flag in case this is
>> something that may have been overlooked.
>> 
>> Thank you to all those committers who look after vendor imports for 
>> all
>> of the contributed software that helps make up the FreeBSD releases.
>> 
> 
> I think that before discussing 10.1 it is nice to create patches for
> 11-CURRENT and try to update it there.


I think it would likely be a good idea for someone to address the 4.2.6 
being marked as FORBIDDEN since January with a reference to 
CVE-2013-5211 / VU#348126 before its put in base.  I have been running a 
few of my servers using WITHOUT_NTP in /etc/src.conf and running the 
ports version as the old version number gets flagged in PCI scans, now 
sadly I run the ntp-devel port on 4.2.7, which is probably less secure, 
but does pass the scans.

-- 
Thanks,
    Dean E. Weimer
    http://www.dweimer.net/

More information about the freebsd-stable mailing list