[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Mon Aug 12 08:25:34 UTC 2013


> I'll be getting a CVE number in the morning, unless you can think of
> some reason I should delay.
Two things you may want to take into account:
 * The amplification vulnerability does not only affect `monlist`, but
also other message types. How to proceed? Separate CVEs for those?
 * Ideally we'd state the ntpd version that closed the monlist feature
in the CVE, so that people know to which version they should update.


More information about the security mailing list