svn commit: r339721 - head/security/vuxml
Cy Schubert
Cy.Schubert at komquats.com
Wed Jan 15 03:42:55 UTC 2014
In message <201401142115.s0ELFB1Q068278 at svn.freebsd.org>, Remko Lodder
writes:
> Author: remko (src,doc committer)
> Date: Tue Jan 14 21:15:10 2014
> New Revision: 339721
> URL: http://svnweb.freebsd.org/changeset/ports/339721
> QAT: https://qat.redports.org/buildarchive/r339721/
>
> Log:
> Fix the latest entry, it has many issues, make validate
> told us exactly what was wrong. I redid the entry and
> just took out the ul/li structure and replaced it with
> regular paragraphs. It might be worth investigating
> to use the FreeBSD SA that got released because of this
> as the main text, which is best suited imo.
>
> Hat: secteam
>
> Modified:
> head/security/vuxml/vuln.xml
>
> Modified: head/security/vuxml/vuln.xml
> =============================================================================
> =
> --- head/security/vuxml/vuln.xml Tue Jan 14 21:14:46 2014 (r33972
> 0)
> +++ head/security/vuxml/vuln.xml Tue Jan 14 21:15:10 2014 (r33972
> 1)
> @@ -52,7 +52,7 @@ Note: Please add new entries to the beg
> -->
> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
> <vuln vid="3d95c9a7-7d5c-11e3-a8c1-206a8a720317">
> - <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command </t
> opic>
> + <topic>ntpd DRDoS / Amplification Attack using ntpdc monlist command</to
> pic>
> <affects>
> <package>
> <name>ntp</name>
> @@ -63,26 +63,23 @@ Note: Please add new entries to the beg
> <body xmlns="http://www.w3.org/1999/xhtml">
> <p>ntp.org reports:</p>
> <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#D
> RDoS_Amplification_Attack_using">
> - <ul>
> - <li> References: CVE-2013-5211 / VU#348126
> - <li>Versions: All releases prior to 4.2.7p26
> - <li>Date Resolved: 2010/04/24
> - <li>Summary: Unrestricted access to the monlist feature in ntp_requ
> est.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denia
> l of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) RE
> Q_MON_GETLIST_1 requests, as exploited in the wild in December 2013
> - <li>Mitigation:
> - <ul>
> - <li>Upgrade to 4.2.7p26 or later.
> - <li>Users of versions before 4.2.7p26 should either:
> - <ul>
> - <li>Use noquery to your default restrictions to block all s
> tatus queries.
> - <li>Use disable monitor to disable the ntpdc -c monlist com
> mand while still allowing other status queries.
> - </ul>
> - </ul>
> - </ul>
> + <p>Unrestricted access to the monlist feature in
> + ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote
> + attackers to cause a denial of service (traffic
> + amplification) via forged (1) REQ_MON_GETLIST or (2)
> + REQ_MON_GETLIST_1 requests, as exploited in the wild in
> + December 2013</p>
> + <p>Use noquery to your default restrictions to block all
> + status queries.</p>
> + <p>Use disable monitor to disable the ``ntpdc -c monlist''
> + command while still allowing other status queries.</p>
> </blockquote>
> </body>
> </description>
> <references>
> <cvename>CVE-2013-5211</cvename>
> + <freebsdsa>SA-14:02.ntpd</freebsdsa>
> + <url>http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplifi
> cation_Attack_using</url>
> </references>
> <dates>
> <discovery>2014-01-01</discovery>
>
>
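Review bot: the three added <p> paragraphs in the blockquote drop the "Upgrade to 4.2.7p26 or later." mitigation and the "Users of versions before 4.2.7p26 should either:" framing that the removed list carried, so the noquery and disable monitor paragraphs now read as two steps that both apply rather than as alternatives for users who cannot upgrade. I would restore a paragraph for the upgrade and say explicitly that the two configuration changes are either/or workarounds for versions before 4.2.7p26. Two smaller points in the same hunk: the first paragraph ends "December 2013</p>" without a full stop, and the text inside <blockquote cite="..."> is now a trimmed selection from the ntp.org notice rather than its wording as listed, which the "ntp.org reports:" lead-in does not signal.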
I'm sorry, my bad. There is no excuse for this.
--
Cheers,
Cy Schubert <Cy.Schubert at komquats.com>
FreeBSD UNIX: <cy at FreeBSD.org> Web: http://www.FreeBSD.org
The need of the many outweighs the greed of the few.