[pkg-ntp-maintainers] Bug#733940: Bug#733940: ntp: CVE-2013-5211

Kurt Roeckx kurt at roeckx.be
Thu Jan 2 17:58:25 UTC 2014


On Thu, Jan 02, 2014 at 02:04:04PM +0100, Moritz Muehlenhoff wrote:
> Package: ntp
> Severity: important
> Tags: security
> 
> This was assigned CVE-2013-5211:
> https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> 
> Upstream ripped out monlist in favour of mrulist:
> http://bugs.ntp.org/show_bug.cgi?id=1531
> http://bugs.ntp.org/show_bug.cgi?id=1532

Which just means they need to send a different packet to do this?

> The default configuration in Debian uses "noquery" and thus doesn't allow
> monlist:
> 
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> 
> For unstable we should update to 4.2.7. What's your suggestion on this for stable?

4.2.7 is not a release; it's a development branch that has had over
400 releases.  It also has known issues, like it dies after 5
minutes for a lot of people.  People really should stop suggesting
using the 4.2.7 version.  The release will be 4.2.8.

> We could
> - Provide 4.2.7 for stable-security (or backport the changes if not too
>   intrusive)
> - Ignore this for stable-security and offer 4.2.7 in backports.debian.org for
>   those sites which run a public NTP server
> - Ignore this altogether since it doesn't affect the standard configuration and
>   operators of large public NTP servers most definitely have updated to 4.2.7
>   already or deployed other workarounds.

I'm really going to go for ignore on this.  People should just use
the noquery option and only allow it from trusted IP addresses.
That is the only real fix.


Kurt
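The advice in this exchange (keep "noquery" on both default restrict lines and permit queries only from trusted addresses) can be checked offline against an ntp.conf before ntpd is restarted. The script below is an added example, not code from the thread, from Debian's ntp package or from ntpd: it parses "restrict" statements, reports whether the IPv4 and IPv6 defaults refuse mode 6/7 queries, and lists every more specific entry that still allows them so an operator can confirm those are trusted. The two sample configurations are constructed for the example; only the two default lines in HARDENED_CONF are the ones quoted in the thread, and 192.0.2.0/24 is a documentation prefix standing in for a real management network.

```python
"""Offline check of ntp.conf 'restrict' lines against the advice in this
thread: the IPv4 and IPv6 defaults must carry 'noquery', and any more
specific entry that still permits mode 6/7 queries (ntpq/ntpdc, including
monlist on affected versions) should name a trusted address.  Added
example; not code from Debian's ntp package or from ntpd."""
import ipaddress

# Constructed sample configurations.  Only the two 'restrict ... default'
# lines in HARDENED_CONF come from the thread; everything else is made up.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
# Defaults without noquery: anyone on the Internet may send monlist queries.
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
# Queries allowed only from localhost and one trusted management network
# (192.0.2.0/24 is a documentation prefix standing in for a real one).
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""


def parse_restrict(line):
    """Parse one config line; return (family, target, mask, flags) for a
    'restrict' statement or None for anything else.  family is 4, 6 or None
    (None meaning 'not given', which for 'default' covers both families)."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = None
    if tokens[0] in ("-4", "-6"):
        family = 4 if tokens[0] == "-4" else 6
        tokens = tokens[1:]
        if not tokens:
            return None
    target, tokens = tokens[0], tokens[1:]
    mask = None
    if len(tokens) >= 2 and tokens[0] == "mask":
        mask, tokens = tokens[1], tokens[2:]
    return family, target, mask, set(tokens)


def to_network(target, mask):
    """Turn an address plus optional dotted/colon mask into a CIDR network.
    ntpd masks are contiguous, so the popcount of the mask is its prefix length."""
    if mask is None:
        return ipaddress.ip_network(target)          # single host, /32 or /128
    prefixlen = bin(int(ipaddress.ip_address(mask))).count("1")
    return ipaddress.ip_network(f"{target}/{prefixlen}", strict=False)


def audit(conf_text):
    """Return {'default_noquery': {4: bool, 6: bool},
               'query_allowed': [(cidr, sorted_flags), ...]}.
    A missing 'restrict default' line counts as not hardened, because ntpd
    applies no restrictions at all in that case."""
    default_noquery = {4: False, 6: False}
    query_allowed = []
    for raw in conf_text.splitlines():
        parsed = parse_restrict(raw)
        if parsed is None:
            continue
        family, target, mask, flags = parsed
        if target == "default":
            for fam in (4, 6) if family is None else (family,):
                default_noquery[fam] = "noquery" in flags
            continue
        if target == "source":
            continue                 # template for peer entries, not an address
        if "noquery" in flags or "ignore" in flags:
            continue                 # this entry cannot be used for queries
        query_allowed.append((str(to_network(target, mask)), sorted(flags)))
    return {"default_noquery": default_noquery, "query_allowed": query_allowed}


def is_hardened(conf_text):
    """True when both default restrictions refuse queries."""
    return all(audit(conf_text)["default_noquery"].values())


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit(conf)
        print(f"{name}: default noquery {report['default_noquery']}")
        for cidr, flags in report["query_allowed"]:
            print(f"  queries allowed from {cidr} {' '.join(flags)}")
```

Running the script reports the weak file as having no "noquery" on either default and the hardened one as allowing queries only from 127.0.0.1/32, ::1/128 and 192.0.2.0/24. The static check only says what the file asks for; after the restart, the live confirmation is that a mode 7 query from an address outside the trusted set (for example `ntpdc -n -c monlist <server>` from an untrusted host) times out instead of returning a client list.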