[ntp:security] monlist reflective DDoS

Christian Rossow christian.rossow at gmail.com
Mon Aug 12 08:25:34 UTC 2013


Harlan,

> I'll be getting a CVE number in the morning, unless you can think of
> some reason I should delay.
Two things you may want to take into account:
 * The amplification vulnerability does not only affect `monlist`, but
also other message types. How to proceed? Separate CVEs for those?
 * Ideally we'd state the ntpd version that closed the monlist feature
in the CVE, so that people know to which version they should update.

Christian


More information about the security mailing list