Strange NTP error

I've just tried to update all my ports and when I list the outdated ports with portmaster -L I get:

Code:
===>>> ntp-4.2.6p5_2
===>>> This port is marked FORBIDDEN
===>>> CVE-2013-5211 / VU

Even after updating all my ports I still have this warning. I did have a look in /usr/src/UPDATING but couldn't find anything on NTP.

Any ideas?
 
I just read the FreeBSD Security Advisory regarding this. I wonder if NTP in FreeBSD 10 STABLE will be fixed?
 
Thanks for your prompt reply. :)

However, I have got the following warning from pkg audit -F.
Code:
Vulnxml file up-to-date.
ntp-4.2.6p5_2 is vulnerable:
ntpd DRDoS / Amplification Attack using ntpdc monlist command
CVE: CVE-2013-5211
WWW: http://portaudit.FreeBSD.org/3d95c9a7-7d5c-11e3-a8c1-206a8a720317.html

How can I get rid of it? Thanks in advance!
 
In case you're interested in the NTP client, you can try ntp-devel; I had to do that on a very fresh 10 install:
Code:
portmaster net/ntp-devel
 
Is this issue related to the fact that NTP 4.2.7p26 is a development release and not a production release of the NTP daemon? It's just that we are getting quite a number of customers conducting security scans on our GPS NTP servers which are reporting NTP 4.2.6 as being an old version of NTPd, which is susceptible to the monlist denial of service attack, and needs to be updated to NTP 4.2.7. However, we are very reluctant to provide an update to NTP 4.2.7 when it is not a stable production version of the NTP protocol.

Everett
http://www.timetoolsglobal.com/
 
aevertett said:
Is this issue related to the fact that NTP 4.2.7p26 is a development release and not a production release of the NTP daemon?
No, it's related to a security issue:
http://networktimefoundation.org/ntp-wi ... s-attacks/

It's just that we are getting quite a number of customers conducting security scans on our GPS NTP servers which are reporting NTP 4.2.6 as being an old version of NTPd, which is susceptible to the monlist denial of service attack, and needs to be updated to NTP 4.2.7. However, we are very reluctant to provide an update to NTP 4.2.7 when it is not a stable production version of the NTP protocol.
I'm afraid you don't have much choice, although you may be able to turn off the monitoring option:
http://support.ntp.org/bin/view/Main/Se ... tack_using
 
Current versions of FreeBSD base and ports are all fixed, AFAIK. If the security scan only checks the version number, the NTP in base might show a false positive because the version number has not changed even though the bug was fixed. monlist can also be manually disabled.

(That a security tool would check just a version number seems... well, "too trusting" is not quite the right thing to say. "Gullible" might be more accurate. But a lot of these tools do that, apparently.)
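The last reply's point, that a version-only scan can give a false positive and that monlist can be disabled by hand, as an added example that is not part of the original thread: a check that judges exposure from the ntp.conf contents instead of the version string. The function name and the three sample configurations are constructed; the code assumes monitoring defaults to on (as on the affected 4.2.6 line) and that a bare `restrict default` covers both IPv4 and IPv6.

```python
# Added example: audit ntp.conf text for monlist (CVE-2013-5211) exposure.
# Assumptions: monitoring defaults to on (as on the affected 4.2.6 line) and a
# bare "restrict default" covers both IPv4 and IPv6.

def audit_ntp_conf(text):
    monitor = True                          # assumed default
    limited = False                         # "limited" keeps monitoring active
    defaults = {"-4": None, "-6": None}     # None = no default restrict entry
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        keyword, args = words[0].lower(), words[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor = keyword == "enable"
        elif keyword == "restrict" and args:
            families = ["-4", "-6"]
            if args[0] in families:
                families, args = [args[0]], args[1:]
            if not args:
                continue
            flags = set(args[1:])
            limited = limited or "limited" in flags
            if args[0] == "default":
                for fam in families:
                    defaults[fam] = flags
    # Mode 7 queries are refused only where the default entry has noquery/ignore.
    query_open = sorted(f for f, fl in defaults.items()
                        if fl is None or not fl & {"noquery", "ignore"})
    active = monitor or limited
    return {"monitoring_active": active, "query_open": query_open,
            "monlist_exposed": active and bool(query_open)}

# Constructed sample configurations (not taken from any real host).
STOCK = "server 0.freebsd.pool.ntp.org iburst\n"
HARDENED = """\
restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
"""
LIMITED = "disable monitor\nrestrict default limited kod nomodify notrap nopeer\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("hardened", HARDENED), ("limited", LIMITED)):
        print(name, audit_ntp_conf(conf))
```

The third sample shows why `disable monitor` alone is not enough to rely on: per the ntpd documentation, a `restrict` entry with the `limited` flag keeps monitoring active. Host-specific `restrict` entries that override the default are not modelled here.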
 