[ntp:security] monlist reflective DDoS
Christian Rossow
christian.rossow at gmail.com
Mon Aug 12 08:25:34 UTC 2013
Harlan,
> I'll be getting a CVE number in the morning, unless you can think of
> some reason I should delay.
Two things you may want to take into account:
* The amplification vulnerability does not only affect `monlist`, but
also other message types. How to proceed? Separate CVEs for those?
* Ideally we'd state the ntpd version that closed the monlist feature
in the CVE, so that people know to which version they should update.
Christian
More information about the security
mailing list