[ntp:questions] What to do for clients less than 4.2.8?

brian utterback brian.utterback at oracle.com
Wed Dec 24 20:25:07 UTC 2014

On 12/22/2014 11:05 PM, Harlan Stenn wrote:
> Martin Burnicki writes:
>> Rob wrote:
>>> Martin Burnicki <martin.burnicki at meinberg.de> wrote:
>>>> And of course, the information flow was really bad here, so that it is
>>>> very hard to figure out which systems are affected.
>>> Indeed.  Only after 3 days there was a statement on the pool mailing list
>>> that the problem only affected servers that can be queried.  Well, that
>>> had better be stated in the original release, so that 99.9% of the users
>>> of ntpd could immediately move it to "not for me" and not be worried.
>> Yes. I agree that this information should have been available 
>> immediately with the first alert. This would have avoided much trouble.
> And if we had realized all of this at first alert we would have.
> The announcement came out 3 days' later than I wanted.  I'd been working
> on this for 2 solid weeks by then.

So, can we get a definitive statement, perhaps as an update to
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/NEWS as to what an admin
can do to mitigate the problem until an update can be performed and
whether or not the same CVE's apply to xntpd?

Brian Utterback
Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterback at oracle.com

More information about the questions mailing list