Assessed risk level: Low Previous versions of the puppetlabs-ntp module did not default to using 'disable monitor', which is one of the two configurations required to fully mitigate CVE-2013-5211. The module by default would set 'noquery' for all remote hosts, but the system would still be vulnerable to local attacks.
With the puppetlabs-ntp 4.1.1 release, the default value for the 'disable_monitor' parameter is set to 'true' for all platforms. No action is required unless you are manually setting 'disable_monitor' to false or you need monitoring enabled in your environment. Please see https://puppetlabs.com/security/cve/puppetlabs-ntp-nov-2015-advisory for more information. -- Morgan Haskel mor...@puppetlabs.com Release Engineer -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CA%2BFnDv0rgnh5p3%3DjFwUDoYo1hWS5rHMA3doQKNa8k8PO7kW1Fw%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
