Bug 12326 - ntp new security issue CVE-2013-5211
Summary: ntp new security issue CVE-2013-5211
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 3
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/580994/
Whiteboard: advisory MGA3-64-OK MGA3-32-OK
Keywords: validated_update
Depends on:
Reported: 2014-01-16 17:06 CET by David Walser
Modified: 2014-01-31 18:08 CET (History)
6 users (show)

See Also:
Source RPM: ntp-4.2.6p5-14.mga4.src.rpm
Status comment:


Description David Walser 2014-01-16 17:06:07 CET
The issue is fixed upstream in 4.2.7p26.  A possible alternative to update it would be to mitigate this in the default configuration:

This vulnerability is being actively exploited in the wild and has received press attention:


Steps to Reproduce:
David Walser 2014-01-16 17:08:02 CET

CC: (none) => mageia
Whiteboard: (none) => MGA3TOO

Comment 1 David Walser 2014-01-17 17:06:48 CET
Gentoo has issued an advisory for this on January 16:

They modified the default configuration in their package, so that appears to be the correct solution.  Also, IIRC, ntp 4.2.7 is a development branch.

URL: (none) => http://lwn.net/Vulnerabilities/580994/

David Walser 2014-01-17 17:26:19 CET

Blocks: (none) => 11726

Comment 2 Oden Eriksson 2014-01-17 17:56:49 CET

Parts of that patch (ntpq-subs.c, ntp_request.c, ntp_scanner.c) has to be backported manually.

I'd vote for a fix like:


But this has also to be added to the /etc/ntp.conf file by force in the %post script if so, unless the user adds it him/herself by looking at a possible /etc/ntp.conf.rpmnew file.

CC: (none) => oe
Blocks: 11726 => (none)

Comment 3 David Walser 2014-01-17 18:08:00 CET
I think adjusting the default configuration (looks like RedHat's already has) and giving instructions in the advisory (like Gentoo did) would be sufficient.  The patch completely removes the monlist functionality, which isn't necessary.

Blocks: (none) => 11726

Johnny A. Solbu 2014-01-22 15:23:39 CET

CC: (none) => cooker

Comment 4 David Walser 2014-01-23 21:33:34 CET
I've added this to the default ntp.conf in SVN (from Fedora):
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
Comment 5 David Walser 2014-01-23 23:44:17 CET
Modified packages uploaded for Mageia 3 and Cauldron.


Updated ntp packages work around security vulnerability:

The "monlist" command of the NTP protocol is currently abused in a DDoS
reflection attack. This is done by spoofing packets from addresses to which
the attack is directed to. The ntp installations itself are not target of
the attack, but they are part of the DDoS network which the attacker is
driving (CVE-2013-5211).


Note: the workaround for this issue is not a change in the software, but
instead is a change in the default configuration.  In most cases, the
configuration change will need to be made manually by administrators in the
/etc/ntp.conf file, as the package will only install the updated configuration
as /etc/ntp.conf.rpmnew.  The following lines should be added to the end of

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery


Updated packages in core/updates_testing:

Version: Cauldron => 3
Blocks: 11726 => (none)
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO => (none)

Comment 6 Dave Hodgins 2014-01-31 02:50:39 CET
Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 12326.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 7 Thomas Backlund 2014-01-31 18:08:12 CET
Update pushed:

CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.