Hi,
Whats going on with Fedora and the NTP vulnerability ?
Both of my F20 machines don't seem to have ntp installed.
Many thanks in advance,
Aaron
On 12/21/2014 07:24 PM, Aaron Gray wrote:
Hi,
Whats going on with Fedora and the NTP vulnerability ?
Both of my F20 machines don't seem to have ntp installed.
What surprises me more, is seeing a bugfix update addressing this issue (ntp-4.2.6p5-25) pending in testing for f20, but not for f21.
Ralf
It should be 4.2.8 now as there are new vulnerabilities !
On 21 December 2014 at 18:33, Ralf Corsepius rc040203@freenet.de wrote:
On 12/21/2014 07:24 PM, Aaron Gray wrote:
Hi,
Whats going on with Fedora and the NTP vulnerability ?
Both of my F20 machines don't seem to have ntp installed.
What surprises me more, is seeing a bugfix update addressing this issue (ntp-4.2.6p5-25) pending in testing for f20, but not for f21.
Ralf
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
On 21 December 2014 at 18:43, Aaron Gray aaronngray.lists@gmail.com wrote:
It should be 4.2.8 now as there are new vulnerabilities !
On 21 December 2014 at 18:33, Ralf Corsepius rc040203@freenet.de wrote:
On 12/21/2014 07:24 PM, Aaron Gray wrote:
Hi,
Whats going on with Fedora and the NTP vulnerability ?
Both of my F20 machines don't seem to have ntp installed.
What surprises me more, is seeing a bugfix update addressing this issue (ntp-4.2.6p5-25) pending in testing for f20, but not for f21.
Ralf
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
Cheers !
On 21 December 2014 at 20:48, Ed Greshko ed.greshko@greshko.com wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
-- If you can't laugh at yourself, others will gladly oblige. -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
poc
On 12/22/14 20:50, Patrick O'Callaghan wrote:
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
Of course I didn't quite say that "ntpd is no longer part of Fedora".
I did say (or meant to say) that for new installs chrony is used by default over ntpd. But, ntpd is still available in the repos. And, if you happen to have been using ntpd in earlier versions of Fedora and doing updates instead of a new install you'd still be using ntpd.
On 12/22/2014 08:32 AM, Ed Greshko wrote:
On 12/22/14 20:50, Patrick O'Callaghan wrote:
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
Of course I didn't quite say that "ntpd is no longer part of Fedora".
I did say (or meant to say) that for new installs chrony is used by default over ntpd. But, ntpd is still available in the repos. And, if you happen to have been using ntpd in earlier versions of Fedora and doing updates instead of a new install you'd still be using ntpd.
I'm on F20 (by fedup) with ntp. I just ran yum to install chrony. yum didn't remove ntp* as part of the install.
How do you move to chrony?
sean
On Mon, 2014-12-22 at 21:32 +0800, Ed Greshko wrote:
On 12/22/14 20:50, Patrick O'Callaghan wrote:
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
Of course I didn't quite say that "ntpd is no longer part of Fedora".
I did say (or meant to say) that for new installs chrony is used by default over ntpd. But, ntpd is still available in the repos. And, if you happen to have been using ntpd in earlier versions of Fedora and doing updates instead of a new install you'd still be using ntpd.
My bad. I should have said "ntpd is no longer the default in Fedora".
poc
On 12/22/2014 01:50 PM, Patrick O'Callaghan wrote:
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
Of course, ntp is part of Fedora:
# repoquery -q ntp ntp-0:4.2.6p5-23.fc21.x86_64
It's just that it's not installed by default.
Ralf
On Tue, 2014-12-23 at 03:54 +0100, Ralf Corsepius wrote:
On 12/22/2014 01:50 PM, Patrick O'Callaghan wrote:
On Mon, 2014-12-22 at 04:48 +0800, Ed Greshko wrote:
On 12/22/14 02:46, Aaron Gray wrote:
There are no ntp or ntpd or systemd-timesyncd packages on F20 !
The default time sync package is now chrony.
ntp is available in the F20 repos.
AFAIK chrony still connects to NTP servers, however the vulnerability in question is not with NTP as such but with ntpd, which as you say is no longer part of Fedora.
Of course, ntp is part of Fedora:
I said *ntpd*. Not the protocol but the daemon.
# repoquery -q ntp ntp-0:4.2.6p5-23.fc21.x86_64
It's just that it's not installed by default.
Yes, already corrected.
poc
On 12/21/14 19:43, Aaron Gray wrote:
It should be 4.2.8 now as there are new vulnerabilities !
The following updates was submitted for testing at 2014-12-19.
For F19 in updates-testing ntp-4.2.6p5-13.fc19
For F20 in updates-testing ntp-4.2.6p5-19.fc20
For F21 in updates testing ntp-4.2.6p5-25.fc21
All fixes the following bugs 1176191 - CVE-2014-9296: CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all] 1176032 - CVE-2014-9293: ntp: automatic generation of weak default key in config_auth() 1176035 - CVE-2014-9294: ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys 1176037 - CVE-2014-9295: ntp: Multiple buffer overflows via specially-crafted packets 1176040 - CVE-2014-9296: ntp: receive() missing return on error
If you are interested in NTP, install the test updates, and test them, and then give good (or bad) karma for faster release at https://admin.fedoraproject.org/updates
Lars