[ntp:questions] What to do for clients less than 4.2.8?

brian utterback brian.utterback at oracle.com
Wed Dec 24 20:25:07 UTC 2014


On 12/22/2014 11:05 PM, Harlan Stenn wrote:
> Martin Burnicki writes:
>> Rob wrote:
>>> Martin Burnicki <martin.burnicki at meinberg.de> wrote:
>>>> And of course, the information flow was really bad here, so that it is
>>>> very hard to figure out which systems are affected.
>>> Indeed.  Only after 3 days there was a statement on the pool mailing list
>>> that the problem only affected servers that can be queried.  Well, that
>>> had better be stated in the original release, so that 99.9% of the users
>>> of ntpd could immediately move it to "not for me" and not be worried.
>> Yes. I agree that this information should have been available 
>> immediately with the first alert. This would have avoided much trouble.
> And if we had realized all of this at first alert we would have.
>
> The announcement came out 3 days' later than I wanted.  I'd been working
> on this for 2 solid weeks by then.

So, can we get a definitive statement, perhaps as an update to
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/NEWS as to what an admin
can do to mitigate the problem until an update can be performed and
whether or not the same CVE's apply to xntpd?

-- 
Brian Utterback
Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterback at oracle.com



More information about the questions mailing list