[pkg-ntp-maintainers] Bug#733940: Bug#733940: ntp: CVE-2013-5211
Kurt Roeckx
kurt at roeckx.be
Mon Jan 27 17:31:40 UTC 2014
On Mon, Jan 27, 2014 at 03:53:32PM +0100, martin f krafft wrote:
> also sprach Moritz Mühlenhoff <jmm at inutil.org> [2014-01-16 22:46 +0100]:
> > Ok, let's ignore it. Marked as such in the Debian Security Tracker.
>
> Please reconsider this decision. Operators of most of the public NTP
> servers (pool.ntp.org *was* founded by a DD!) don't just deploy
> software aside from their distro and effectively, I think that by
> ignoring the problem, Debian is actively being a part of the
> vastly-increasing problem of dDoS-reflection/amplification attacks.

I'm not sure what you're suggesting. We ship a default config for
*years* that doesn't have this problem. If Debian systems are
also part of the problem, it's because the administrator changed
the defaults, and changing the defaults again isn't going to fix
it.

I'm also not sure uploading a 4.2.7 development snapshot to
stable-security is a good idea, it's not even in unstable yet
since it's not yet a stable release, and I know it still has
problems.

You might also want to look at http://openntpproject.org/

If you think people from the pool are still vulnerable to this, I
suggest you contact Ask Bjørn Hansen <ask at ntppool.org> to get an
IP address and contacts.

Kurt