svn commit: r339717 - in head: net/ntp security/vuxml
Cy Schubert
cy at FreeBSD.org
Tue Jan 14 20:54:58 UTC 2014
Author: cy
Date: Tue Jan 14 20:54:57 2014
New Revision: 339717
URL: http://svnweb.freebsd.org/changeset/ports/339717
QAT: https://qat.redports.org/buildarchive/r339717/
Log:
Mark net/ntp forbidden.
Security: CVE-2013-5211 / VU#348126
Modified:
head/net/ntp/Makefile
head/security/vuxml/vuln.xml
Modified: head/net/ntp/Makefile
==============================================================================
--- head/net/ntp/Makefile Tue Jan 14 20:44:10 2014 (r339716)
+++ head/net/ntp/Makefile Tue Jan 14 20:54:57 2014 (r339717)
@@ -14,6 +14,7 @@ DISTNAME= ${PORTNAME}-${PORTVERSION:S/P/
MAINTAINER= cy at FreeBSD.org
COMMENT= The Network Time Protocol Distribution
+FORBIDDEN= CVE-2013-5211 / VU#348126
LATEST_LINK= ${PORTNAME}
GNU_CONFIGURE= yes
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jan 14 20:44:10 2014 (r339716)
+++ head/security/vuxml/vuln.xml Tue Jan 14 20:54:57 2014 (r339717)
@@ -51,6 +51,45 @@ Note: Please add new entries to the beg
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="3d95c9a7-7d5c-11e3-a8c1-206a8a720317">
+ <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command </topic>
+ <affects>
+ <package>
+ <name>ntp</name>
+ <range><lt>4.2.7p26</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>ntp.org reports:</p>
+ <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using">
+ <ul>
+ <li> References: CVE-2013-5211 / VU#348126
+ <li>Versions: All releases prior to 4.2.7p26
+ <li>Date Resolved: 2010/04/24
+ <li>Summary: Unrestricted access to the monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013
+ <li>Mitigation:
+ <ul>
+ <li>Upgrade to 4.2.7p26 or later.
+ <li>Users of versions before 4.2.7p26 should either:
+ <ul>
+ <li>Use noquery to your default restrictions to block all status queries.
+ <li>Use disable monitor to disable the ntpdc -c monlist command while still allowing other status queries.
+ </ul>
+ </ul>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2013-5211</cvename>
+ </references>
+ <dates>
+ <discovery>2014-01-01</discovery>
+ <entry>2014-01-14</entry>
+ </dates>
+ </vuln>
+
<vuln vid="ba04a373-7d20-11e3-8992-00132034b086">
<topic>nagios -- denial of service vulnerability</topic>
<affects>
More information about the svn-ports-all
mailing list