[pkg-ntp-maintainers] Bug#733940: Bug#733940: ntp: CVE-2013-5211
Moritz Mühlenhoff
jmm at inutil.org
Thu Jan 16 21:46:42 UTC 2014
On Thu, Jan 02, 2014 at 06:58:25PM +0100, Kurt Roeckx wrote:
> On Thu, Jan 02, 2014 at 02:04:04PM +0100, Moritz Muehlenhoff wrote:
> > Package: ntp
> > Severity: important
> > Tags: security
> >
> > This was assigned CVE-2013-5211:
> > https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
> > http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
> >
> > Upstream ripped out monlist in favour of mrulist:
> > http://bugs.ntp.org/show_bug.cgi?id=1531
> > http://bugs.ntp.org/show_bug.cgi?id=1532
>
> Which just means they need to send a different packet to do this?
Apparently mrulist is not affected by the amplification attack.
> > We could
> > - Provide 4.2.7 for stable-security (or backport the changes if not too
> > intrusive)
> > - Ignore this for stable-security and offer 4.2.7 in backports.debian.org for
> > those sites which run a public NTP server
> > - Ignore this altogether since it doesn't affect the standard configuration and
> > operators of large public NTP servers most definitely have updated to 4.2.7
> > already or deployed other workarounds.
>
> I'm really going to go for ignore on this. People should just use
> the noquery option and only allow it from trusted IP addresses.
> That is the only real fix.
Ok, let's ignore it. Marked as such in the Debian Security Tracker.
Cheers,
Moritz
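The mitigation Kurt points at (restrict queries with `noquery`, allowing them only from trusted addresses) can be checked mechanically. The following is an added example, not code from the Debian ntp package or from ntpd: it parses the `restrict` directives of an ntp.conf and reports whether the default policy denies queries and which explicit entries still permit them. The two sample configs and the trusted host 192.0.2.10 are constructed for the example.

```python
"""Audit an ntp.conf for the 'noquery' mitigation discussed in the thread.

Constructed example, not code from the Debian ntp package or upstream ntpd.
It reads 'restrict' directives and reports whether the default policy denies
queries and which explicit entries still allow them (trusted hosts only).
"""
from typing import Dict, List, Tuple

# Constructed sample configs; 192.0.2.10 is a documentation address standing
# in for the assumed trusted monitoring host.
WEAK_CONF = """\
server 0.debian.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.debian.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap
"""


def parse_restrict_lines(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (address, flags) for each 'restrict' directive, comments stripped."""
    entries = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens[0] in ("-4", "-6"):      # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        addr, flags = tokens[0], tokens[1:]
        if "mask" in flags:                # drop the 'mask <netmask>' pair
            i = flags.index("mask")
            flags = flags[:i] + flags[i + 2:]
        entries.append((addr, flags))
    return entries


def audit(conf: str) -> Dict[str, object]:
    """Is the default policy denying queries, and which addresses may still query?"""
    entries = parse_restrict_lines(conf)
    defaults = [f for a, f in entries if a == "default"]
    # With no 'restrict default' line ntpd answers everyone, so that is weak too.
    default_denies = bool(defaults) and all("noquery" in f for f in defaults)
    allowed = [a for a, f in entries if a != "default" and "noquery" not in f]
    return {"default_denies_queries": default_denies, "query_allowed_from": allowed}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

The check only looks at `restrict` lines; it does not consider the separate `disable monitor` directive, and a host listed under `query_allowed_from` should be one the operator actually trusts.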