Opened 10 years ago

Closed 10 years ago

#44874 closed update (invalid)

NTP needs to be upgraded urgently

Reported by: dave@…
Owned by: danielluke (Daniel J. Luke)
Priority: High
Milestone:
Component: ports
Version: 2.3.1
Keywords:
Cc: neverpanic (Clemens Lang)
Port: ntp

Description

As I type this, my NTPD server is under a DoS attack from a botnet, using a vulnerability known since late 2013. The ports tree urgently needs to be upgraded to NTP 4.2.7.p26; it currently has 4.2.6, which is vulnerable.

I have since firewalled inbound ntp/udp, as I am not peering.

More information at http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using

Please address. Thanks.

-- Dave

Change History (6)

comment:1 Changed 10 years ago by dave@…

Cc: dave@… added

Cc Me!

comment:2 Changed 10 years ago by neverpanic (Clemens Lang)

Cc: dave@… removed
Keywords: ntp vulnerability removed
Port: ntp added; sysutils/ntp removed

You don't need to Cc yourself, if you're the reporter. Instead, you should Cc the maintainer when filing bugs against ports (port info --maintainer ntp).

Good thing upstream didn't bother to release a new stable version that has the problem fixed</irony> :/

Working on this.

comment:3 Changed 10 years ago by neverpanic (Clemens Lang)

Cc: cal@… added
Owner: changed from macports-tickets@… to dluke@…

comment:4 Changed 10 years ago by neverpanic (Clemens Lang)

Resolution: fixed
Status: new → closed

Updated to latest dev release in r125063.

Maintainer: If you want to solve this in a different way, please attach a patch.

comment:5 Changed 10 years ago by danielluke (Daniel J. Luke)

Resolution: fixed
Status: closed → reopened

MacPorts policy is to ship the latest stable upstream version. The conf file we have always shipped with ntp includes settings to prevent ntp from being used as a DDoS amplifier (you will note that the specific command in the CVE linked to is blocked from anything other than localhost). See also http://openntpproject.org.

Do you have evidence of a new attack or that the conf we ship isn't effective?

If not, I'm going to revert cal's changes in r125063.

comment:6 Changed 10 years ago by danielluke (Daniel J. Luke)

Resolution: invalid
Status: reopened → closed

r125070 reverted r125063 and r125062

Please reopen this if there's actual evidence of an issue - if so, it needs to be reported upstream as it means the current security advice from ntp.org is invalid and needs to be updated.
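
Added example, not part of the ticket thread and not MacPorts or ntp.org code: comment 5 rests on the shipped conf refusing query commands from anything other than localhost, and one way to check any ntp.conf for that is to confirm every default restrict entry carries noquery (or ignore), which makes ntpd refuse ntpq/ntpdc queries. The sample configurations and the function name audit_ntp_conf are constructed for illustration and are not the file MacPorts ships.

```python
# Constructed sample configurations (assumptions, not the MacPorts conf file).
HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1   # localhost keeps full query access
restrict ::1
server 0.pool.ntp.org
"""
NO_DEFAULT = """\
server 0.pool.ntp.org
restrict 127.0.0.1
"""
PARTIAL = """\
restrict default nomodify notrap   # noquery is missing here
disable monitor
"""

def audit_ntp_conf(text):
    """Report whether an ntp.conf refuses ntpq/ntpdc queries from non-local hosts."""
    defaults, monitor_disabled = [], False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tokens:
            continue
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True  # monitoring data (used by monlist) is off
        if tokens[0] != "restrict":
            continue
        # -4 / -6 only select the address family; the flags follow the address.
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if args and args[0] == "default":
            defaults.append((" ".join(tokens), set(args[1:])))
    findings = []
    if not defaults:
        findings.append("no 'restrict default' entry: queries allowed from any host")
    for line, flags in defaults:
        if not flags & {"noquery", "ignore"}:
            findings.append("default entry allows queries: " + line)
    return {"findings": findings, "monitor_disabled": monitor_disabled}

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED), ("no default", NO_DEFAULT),
                       ("partial", PARTIAL)]:
        print(name, audit_ntp_conf(conf))
```

An empty findings list means remote query commands are refused by the default entries; monitor_disabled is reported separately because it is an independent mitigation.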
