[ntp:questions] NTP internal server?

Richard B. Gilbert rgilbert88 at comcast.net
Mon Oct 30 14:23:52 UTC 2006


Maarten Wiltink wrote:

> "Harlan Stenn" <stenn at ntp.isc.org> wrote in message
> news:ywn9ac3eipyd.fsf at ntp1.isc.org...
> 
>>>>>In article <4544ed4b$0$331$e4fe514c at news.xs4all.nl>, "Maarten Wiltink"
> 
> <maarten at kittensandcats.net> writes:
> 
> 
>>>>All right, there are, or were, fifteen reported exploits.  None is
>>>>dated more recently than 2004 and some seem to be complaining about
>>>>ten year old software distributed by companies such as Sun, Redhat,
>>>>Debian, etc.
>>
>>Maarten> Still distributed right now, yes. For all those people who
>>Maarten> aren't allowed to run something not backed by RFCs, and then
>>Maarten> come here with questions about something called xntp. Sound
>>Maarten> familiar?
>>
>>What's your point?  I don't see how what you just said applies to the
>>thread.
> 
> 
> I object to Richard's statement that old vulnerabilities are irrelevant
> and no cause for concern. More than most other software, NTP is haunted
> by users of old versions.
> 

Old vulnerabilities that have been fixed are not a problem of much 
concern to me.  I run a recent version of ntpd that does not exhibit 
these vulnerabilities.  If people chose, for whatever reason, to run a 
ten year old version of ntpd they must accept the associated risks and 
inferior performance.  Since the modern, improved and fixed version is 
freely available to all I don't see any reason why anyone who needs NTP 
and is concerned about security should not run it.




More information about the questions mailing list