A C wrote:
I saw the advisory about the potential issues in ntpd before 4.2.8 but I
don't quite understand whether it affects a pure client (not serving
time to the outside) or not.
If the issue does affect client-only operation, what can be done for
systems that can't be upgraded?
As far as I understand the reports on bugzilla the main vulnerabilities
are in functions where signed packets (symmetric key or autokey) are
received/checked, or dynamic/remote configuration via ntpq and/or ntpdc
is enabled, which, as far as I know also requires some sort of crypto
top be enabled.
So from my understanding disabling crypto in ntp.conf should avoid the
main vulnerabilities as a first, quick step.
Martin
_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions