[ntp:security] Query regarding CVE-2013-5211

Harlan Stenn stenn at ntp.org
Tue Jan 28 00:52:07 UTC 2014


I do not see Roocha listed in the recipient list - that's good because
replying like this would be horrifically bad form.

H
Steve Kostecke writes:
> Roocha K Pandya2 said:
> 
> >We are running NTP 4.2.4p5 version on our OS. As per NTP site, the fix is
> >available in 4.2.7p26 version.
> >
> >My query is, is it not possible to backport the fix to our NTP version
> >4.2.4p5?
> 
> tl,dr: No. Add 'noquery' to your default restrictions or use 'disable
> monitor'.
> 
> NTP 4.2.7p26 was released on 2010/04/24 (over two years ago). Since that
> time there have been many changes in the development release series (see
> http://archive.ntp.org/ntp4/ChangeLog-dev).
> 
> Users of NTP versions before 4.2.7p26 who can not upgrade should either:
> 
> 1. Use noquery in your default restrictions to block all status queries
> 2. Use disable monitor to disable the ntpdc -c monlist command while
> still allowing other status queries
> 
> The 4.2.4* release series of The NTP Reference Implementation was EOLed
> on 2009/12/09 by the 4.2.6* release series; free support/bugfixes for
> the 4.2.4* release series were terminated as of that date. Please visit
> http://networktimefoundation.org/ if you wish to purchase a support
> contract for your version of NTP.
> 
> The NTP Release Numbering Scheme differs from the usual release
> numbering schemes. While virtually all developers utilize the syntax of:
> 
> Major_Version.Minor_Version.Point_Version[Release_Tags]
> 
> The NTP Project syntax is:
> 
> Protocol_Version.Major_Version.Minor_Version[Release_Tags]
> 
> So the difference between NTP 4.2.4p5 and NTP 4.2.7p26 is considerably
> greater than you might think.
> 
> NTP 4.2.4p5 is really NTP Protocol 4 v2.4.5
> NTP 4.2.7p26 is really NTP Protocol 4 v2.7.26
> 
> There is a particular significance attached to the minor version number.
> An even number indicates a production (i.e. "stable") release and an odd
> number indicates a development release.
> 
> The current stable release series is eligible for security patches and
> critical bug fixes. Development, including the introduction of new
> features and changes in functionality, is restricted to the current
> development release series.
> 
> Concurrent with the 4.2.4* production release series there was a lengthy
> 4.2.5* development release series (which spawned 250 development
> snapshots).
> 
> The current production release series is 4.2.6*. This release marked the
> end of the 4.2.5* development series and EOLed the 4.2.4* release
> series.
> 
> Development for the next production release (4.2.8*) is being conducted
> in the 4.2.7* development release series (which has spawned 414
> developement snapshots between 2009/12/09 and 2014/01/20). We anticipate
> the release of NTP 4.2.8 in the near future.
> 
> -- 
> Steve Kostecke <kostecke at ntp.org>
> NTP Public Services Project http://support.ntp.org/
> Public Key at http://support.ntp.org/Users/SteveKostecke
> _______________________________________________
> security mailing list
> security at lists.ntp.org
> http://lists.ntp.org/listinfo/security
> 


More information about the security mailing list