[ntp:security] Query regarding CVE-2013-5211

Steve Kostecke kostecke at ntp.org
Mon Jan 27 14:13:40 UTC 2014


Roocha K Pandya2 said:

>We are running NTP 4.2.4p5 version on our OS. As per NTP site, the fix is
>available in 4.2.7p26 version.
>
>My query is, is it not possible to backport the fix to our NTP version
>4.2.4p5?

tl;dr: No. Add 'noquery' to your default restrictions or use 'disable
monitor'.

NTP 4.2.7p26 was released on 2010/04/24 (over two years ago). Since that
time there have been many changes in the development release series (see
http://archive.ntp.org/ntp4/ChangeLog-dev).

Users of NTP versions before 4.2.7p26 who cannot upgrade should either:

1. Use noquery in your default restrictions to block all status queries
2. Use disable monitor to disable the ntpdc -c monlist command while
still allowing other status queries

The 4.2.4* release series of The NTP Reference Implementation was EOLed
on 2009/12/09 by the 4.2.6* release series; free support/bugfixes for
the 4.2.4* release series were terminated as of that date. Please visit
http://networktimefoundation.org/ if you wish to purchase a support
contract for your version of NTP.

The NTP Release Numbering Scheme differs from the usual release
numbering schemes. While virtually all developers utilize the syntax of:

Major_Version.Minor_Version.Point_Version[Release_Tags]

The NTP Project syntax is:

Protocol_Version.Major_Version.Minor_Version[Release_Tags]

So the difference between NTP 4.2.4p5 and NTP 4.2.7p26 is considerably
greater than you might think.

NTP 4.2.4p5 is really NTP Protocol 4 v2.4.5
NTP 4.2.7p26 is really NTP Protocol 4 v2.7.26

There is a particular significance attached to the minor version number.
An even number indicates a production (i.e. "stable") release and an odd
number indicates a development release.

The current stable release series is eligible for security patches and
critical bug fixes. Development, including the introduction of new
features and changes in functionality, is restricted to the current
development release series.

Concurrent with the 4.2.4* production release series there was a lengthy
4.2.5* development release series (which spawned 250 development
snapshots).

The current production release series is 4.2.6*. This release marked the
end of the 4.2.5* development series and EOLed the 4.2.4* release
series.

Development for the next production release (4.2.8*) is being conducted
in the 4.2.7* development release series (which has spawned 414
development snapshots between 2009/12/09 and 2014/01/20). We anticipate
the release of NTP 4.2.8 in the near future.

-- 
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project http://support.ntp.org/
Public Key at http://support.ntp.org/Users/SteveKostecke
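
The following is an added example, not part of the original message or of the NTP Project's code. It reads a version string using the Protocol.Major.Minor[pPoint] scheme described above and checks an ntp.conf text for the two workarounds the message names. The function names, the sample configurations and the "last enable/disable statement wins" handling are assumptions made for illustration.

```python
import re

FIXED = (4, 2, 7, 26)  # 4.2.7p26, the release the message says carries the fix

def parse_version(text):
    """'4.2.4p5' -> (4, 2, 4, 5): protocol, major, minor, point."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised NTP version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def series(version):
    """Even minor number = production release, odd = development."""
    return "production" if version[2] % 2 == 0 else "development"

def audit(version_text, conf_text):
    version = parse_version(version_text)
    monitor_off = False
    defaults = []  # flag set of every 'restrict [-4|-6] default ...' line
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not tok:
            continue
        if tok[0] in ("enable", "disable") and "monitor" in tok[1:]:
            monitor_off = tok[0] == "disable"  # assumption: last statement wins
        elif tok[0] == "restrict":
            args = [t for t in tok[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                defaults.append(set(args[1:]))
    # Simplification: every default line present must carry noquery.
    noquery = bool(defaults) and all("noquery" in f for f in defaults)
    fixed = version >= FIXED
    return {"series": series(version), "fixed": fixed,
            "noquery_default": noquery, "monitor_disabled": monitor_off,
            "mitigated": fixed or noquery or monitor_off}

# Constructed sample configurations, not taken from any real host.
WEAK = """\
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
"""
HARDENED = WEAK.replace("nopeer", "nopeer noquery")
MONITOR_OFF = WEAK + "disable monitor\n"

if __name__ == "__main__":
    for name, conf in [("weak", WEAK), ("hardened", HARDENED), ("monitor off", MONITOR_OFF)]:
        print(name, audit("4.2.4p5", conf))
```
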

