[ntp:security] [Bug 3007] Check to see if crypto-NAK is valid

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Fri Apr 29 13:19:44 UTC 2016


Miroslav Lichvar <mlichvar at redhat.com> changed:

           What    |Removed                     |Added
                 CC|                            |mlichvar at redhat.com

--- Comment #9 from Miroslav Lichvar <mlichvar at redhat.com> 2016-04-29 13:19:44 UTC ---
I think it would be good to extend the fix that was added in 4.2.8p7 for
authenticated associations. Ignoring crypto NAK when authentication is disabled
does make sense, but it should also check if the originate timestamp matches
the request to prevent DoS attacks on authenticated client and symmetric
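
The check proposed in the comment above, sketched as an added example (not ntpd's code and not part of the original message): a crypto-NAK is acted on only when the association uses authentication and the packet's originate timestamp echoes the transmit timestamp of the outstanding request. The names `struct assoc`, `check_crypto_nak` and `build_nak` are hypothetical, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NTP_HDR_LEN 48  /* fixed NTP header length (RFC 5905) */
#define NTP_ORG_OFF 24  /* offset of the origin timestamp in the header */
#define NTP_TS_LEN   8  /* 64-bit NTP timestamp */

enum nak_verdict { NOT_NAK, NAK_IGNORE, NAK_ACCEPT };

/* Hypothetical per-association state; field names are illustrative. */
struct assoc {
    int     auth_enabled;          /* association is configured with a key */
    uint8_t last_xmt[NTP_TS_LEN];  /* transmit timestamp of our last request */
};

/* A crypto-NAK is the header followed only by a 4-byte key ID of zero. */
static int is_crypto_nak(const uint8_t *pkt, size_t len)
{
    static const uint8_t zero[4] = {0};
    return len == NTP_HDR_LEN + 4 && memcmp(pkt + NTP_HDR_LEN, zero, 4) == 0;
}

/* Decide whether a received packet is a crypto-NAK worth acting on. */
enum nak_verdict check_crypto_nak(const struct assoc *a, const uint8_t *pkt, size_t len)
{
    static const uint8_t zero_ts[NTP_TS_LEN] = {0};
    if (!is_crypto_nak(pkt, len))
        return NOT_NAK;
    if (!a->auth_enabled)
        return NAK_IGNORE;  /* authentication disabled: a NAK means nothing */
    if (memcmp(a->last_xmt, zero_ts, NTP_TS_LEN) == 0)
        return NAK_IGNORE;  /* no request outstanding */
    if (memcmp(pkt + NTP_ORG_OFF, a->last_xmt, NTP_TS_LEN) != 0)
        return NAK_IGNORE;  /* origin does not match our request: spoofed or stale */
    return NAK_ACCEPT;
}

/* Constructed sample input: a server-mode crypto-NAK echoing origin timestamp org. */
void build_nak(uint8_t *pkt, const uint8_t *org)
{
    memset(pkt, 0, NTP_HDR_LEN + 4);  /* key ID stays zero */
    pkt[0] = 0x24;                    /* LI=0, VN=4, mode=4 (server) */
    memcpy(pkt + NTP_ORG_OFF, org, NTP_TS_LEN);
}
```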
