[ntp:questions] What to do for clients less than 4.2.8?

Harlan Stenn stenn at ntp.org
Mon Dec 22 03:57:48 UTC 2014


Are you willing to improve your deportment?

You are performing an active disservice.  I find your posts too often
to be destructive, not constructive.  See below.

William Unruh writes:
> On 2014-12-21, Jochen Bern <Jochen.Bern at LINworks.de> wrote:
> > On 12/21/2014 12:38 PM, Rob wrote:
> >> David Woolley <david at ex.djwhome.demon.invalid> wrote:
> >>> On 21/12/14 10:48, Rob wrote:
> >>>> People say "disable crypto" but there is no clear direction in the docs
> >>>> on how to do that.
> >>>
> >>> I would assume by not enabling it.
> >> 
> >> Ok, but in that case why the worry about the "millions of vulnerable
> >> servers" on the internet, I think most users who just want to get and
> >> serve time don't spend the week of time needed to get the crypto working
> >> and to coordinate with other servers doing the same.
> >
> > According to what I read on
> >
> > http://support.ntp.org/bin/view/Main/SecurityNotice#Resolved_Vulnerabilities
> >
> > -- CVE-2014-9293 *might* be exploitable on ntpd's that do *not* have
> >    explicit crypto settings in the config (but might be stopped by
> >    proper restrictions, it doesn't say),
> > -- CVE-2014-9294 is irrelevant for non-crypto setups,
> > -- *One third* of CVE-2014-9295 (the crypto_recv() part) requires an
> >    autokey setup, but the other two might not, and there's no statement
> >    of other requirements beyond basic reachability, and
> > -- CVE-2014-9296 is *probably* unexploitable.
> >
> > As far as I'm concerned, 0.66 * -9295 is enough for me to grab the
> > backports from the repos for our outward-serving ntpds right now ...
> > 								J. Bern
> There are lots of people who are strongly interested in having good
> time, but cannot simply upgrade to 4.2.8. Many businesses have long
> testing cycles to make sure a "fix" does not screw everything up
> instead.

There are times when quick action is needed and there are times when
planning and discussion are needed.

Successful (ie, those that survive) people and businesses know this.

An active security vulnerability is not the right time for long testing
cycles.  Indeed, I have previously stated that 4.2.7 has undergone a
very long and thorough testing cycle.  One of the 6 patches has problems
for some people, and one of the diagnostic updates for a pending patch
had problems for some people.

> Telling people how to protect their systems even if they cannot
> immediately bring up 4.2.8 is crucial. The lack of information is a
> severe disservice to the users.

The information on how to do that is in the security notice:


See the section on "Resolved Vulnerabilities".

> The exploits are out there already.

Where?  I have seen several reports like this but so far nobody has told
me of any actual cases.  I'm not saying they are not there, I'm just
saying nobody has told me about them.

> "My building is on fire, where are
> the extinguishers" "We cannot tell you that because it might allow
> firebugs to know how to set fires, just build a new building". "But my
> building is on fire right now!"

Yes, so follow the mitigation steps on the security release page, which
lists some alternatives to an upgrade.

Better still, let's get more *constructive* help going on.
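The thread turns on two configuration questions for an ntpd that cannot be upgraded yet: whether Autokey crypto is enabled at all (the reply above says it is "disabled" simply by never enabling it, i.e. by having no `crypto` directive), and whether the default `restrict` line denies remote control queries, which the quoted note raises as "proper restrictions". The following script is an added example, not code from the thread or from the NTP Project: it audits an ntp.conf for exactly those two points. The two sample configurations are constructed for illustration (the `crypto pw changeme` line is a placeholder, not a real secret), and the directive names used (`crypto`, `restrict default`, `noquery`, `nomodify`, `restrict -6`) are standard ntp.conf syntax; which CVE each setting does or does not mitigate is stated by the security notice, not by this script.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): statically audit an
# ntp.conf text for (1) an active Autokey "crypto" directive and (2) whether
# every active "restrict default" line denies remote ntpq/ntpdc control
# queries (noquery) and runtime reconfiguration (nomodify).

# Constructed sample configurations; neither comes from a real host.
CONF_LAX='server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
# Autokey is switched on by the crypto directive below (placeholder password).
crypto pw changeme
keysdir /etc/ntp/crypto
restrict default nomodify
restrict 127.0.0.1'

CONF_TIGHT='server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
# No crypto directive at all: Autokey stays disabled.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1'

# Strip leading whitespace so indented directives are still recognised;
# commented-out lines (starting with #) never match the anchored patterns.
normalise() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//'
}

# uses_autokey CONFIGTEXT -> exit 0 if an active "crypto" directive exists.
uses_autokey() {
    normalise "$1" | grep -Eq '^crypto([[:space:]]|$)'
}

# default_denies_queries CONFIGTEXT -> exit 0 only if at least one
# "restrict [-4|-6] default" line exists and every such line carries both
# noquery and nomodify.
default_denies_queries() {
    lines=$(normalise "$1" | grep -E '^restrict +(-[46] +)?default( |$)') || return 1
    printf '%s\n' "$lines" | while read -r line; do
        case " $line " in *" noquery "*) ;; *) exit 1 ;; esac
        case " $line " in *" nomodify "*) ;; *) exit 1 ;; esac
    done
}

# audit CONFIGTEXT -> prints each finding; exit status 0 means no findings.
audit() {
    rc=0
    if uses_autokey "$1"; then
        echo "FINDING: crypto directive present, Autokey is enabled"
        rc=1
    fi
    if ! default_denies_queries "$1"; then
        echo "FINDING: restrict default lacks noquery and/or nomodify"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "no findings"
    return "$rc"
}

# Usage: audit both samples; '|| :' keeps a non-zero audit from aborting
# the demonstration when the script is run with 'set -e'.
echo "== lax config =="
audit "$CONF_LAX" || :
echo "== tight config =="
audit "$CONF_TIGHT" || :
```

To check a live host, replace the embedded samples with `audit "$(cat /etc/ntp.conf)"`. The script only inspects the configuration text; it says nothing about the running binary's version, and a `restrict` line that is later overridden by a more specific `restrict` entry for a given network is outside what this simple check sees.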
