[ntp:security] [Bug 3118] Mode 6 unauthenticated trap information disclosure and DDoS vector

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Sat Sep 24 18:44:28 UTC 2016


https://bugs.ntp.org/show_bug.cgi?id=3118

Juergen Perlinger <perlinger at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1461|                            |patchReview?
              Flags|                            |

--- Comment #6 from Juergen Perlinger <perlinger at ntp.org> 2016-09-24 18:44:28 UTC ---
Created attachment 1461
  --> https://bugs.ntp.org/attachment.cgi?id=1461
proposed patch / rev1

As suggested by Matthew, this requires AUTH for the mode 6 packets that change
trap configuration in NTPD. (I also added writing clock vars to the list of
auth-required requests.)

NTPQ itself does not (yet?) implement any trap-related commands, so this a pure
server-side patch.

-- 
Configure bugmail: https://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.


More information about the security mailing list