[Secure-testing-team] Bug#733940: ntp: CVE-2013-5211
Moritz Muehlenhoff
jmm at inutil.org
Thu Jan 2 13:04:04 UTC 2014
Package: ntp
Severity: important
Tags: security
This was assigned CVE-2013-5211:
https://cert.litnet.lt/en/docs/ntp-distributed-reflection-dos-attacks
http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launching-large-scale-ntp-reflection-attacks
Upstream ripped out monlist in favour of mrulist:
http://bugs.ntp.org/show_bug.cgi?id=1531
http://bugs.ntp.org/show_bug.cgi?id=1532
The default configuration in Debian uses "noquery" and thus doesn't allow monlist:
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
For unstable we should update to 4.2.7. What's your suggestion on this for stable?
We could
- Provide 4.2.7 for stable-security (or backport the changes if not too intrusive)
- Ignore this for stable-security and offer 4.2.7 in backports.debian.org for those sites which run a public NTP server
- Ignore this altogether since it doesn't affect the standard configuration and operators of large public NTP servers most definitely have updated to 4.2.7 already or deployed other workarounds.
Cheers,
Moritz
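An added configuration audit, not part of this bug report or of the ntp package, that checks ntp.conf "restrict default" lines for the "noquery" mitigation the report relies on. The sample configs are constructed: the first copies the Debian default quoted above, the second drops "noquery" from the IPv6 default rule.

```python
from typing import Dict, List

# Constructed sample ntp.conf fragments (not copied from any real host).
SAFE_CONF = """\
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
"""

WEAK_CONF = """\
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
"""

def parse_restrict(conf: str) -> List[Dict[str, object]]:
    """Return one dict per 'restrict' line: address family, target and flag set."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue
        parts = parts[1:]
        family = "any"                           # bare "restrict" covers v4 and v6
        if parts and parts[0] in ("-4", "-6"):
            family = "ipv4" if parts[0] == "-4" else "ipv6"
            parts = parts[1:]
        if not parts:
            continue
        target, flags = parts[0], parts[1:]
        if "mask" in flags:                      # "mask X" is a value, not a flag
            del flags[flags.index("mask"):flags.index("mask") + 2]
        rules.append({"family": family, "target": target, "flags": set(flags)})
    return rules

def default_rules_missing_noquery(conf: str) -> List[str]:
    """Address families whose 'restrict default' rule lacks 'noquery', i.e. that
    would still answer ntpq/ntpdc (mode 6/7) requests such as monlist."""
    seen = {}                                    # family -> has noquery?
    for r in parse_restrict(conf):
        if r["target"] == "default":
            seen[r["family"]] = "noquery" in r["flags"]
    # A family with no default rule at all is open as well; a bare
    # "restrict default" (no -4/-6) counts for both families.
    return [f for f in ("ipv4", "ipv6") if not seen.get(f, seen.get("any"))]
```

Running it on the two samples reports nothing for the Debian default and flags "ipv6" for the weakened one.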