On 01 Nov 2013, at 17:31, Tom Evans <tevans...@googlemail.com> wrote: > On Fri, Nov 1, 2013 at 4:05 PM, Karl Pielorz <kpielorz_...@tdx.co.uk> wrote: >> >> Hi, >> >> A friend who uses linux a lot happened to notice on a FreeBSD box I >> installed the other day and updated to 9.2-R that it's using ntpd 4.2.4p8. >> >> They reckon that's had a lot of issues (e.g. CVE reports) against it - and >> it should be newer. >> >> I'm sure the one it has been 'updated' with is secure - and just reports >> that version, but if someone can confirm that'd be great, >> > > Don't take anything I say as confirmation, but I would have thought, > looking at this page [1], that he is wrong. All the CVEs listed there > say they apply to "before 4.2.4p8" or a lower version. > > Cheers > > Tom > > [1] http://www.cvedetails.com/vulnerability-list/vendor_id-2153/NTP.html
That page lists a bunch of CVEs, and the relevant ones have already had FreeBSD security advisories: CVE-2009-3563 http://www.freebsd.org/security/advisories/FreeBSD-SA-10:02.ntpd.asc CVE-2009-1252 http://www.freebsd.org/security/advisories/FreeBSD-SA-09:11.ntpd.asc CVE-2009-0159 not relevant, NTP before 4.2.4p7-RC2 CVE-2009-0021 not relevant, NTP before 4.2.4p5 CVE-2004-0657 not relevant, NTP before 4.0 -DImitry
signature.asc
Description: Message signed with OpenPGP using GPGMail
