NTP BUG 3376: Makefile does not enforce Security Flags
Last update: April 22, 2024 18:49 UTC (7e7bd5857)
Summary
| Resolved |
4.2.8p10 |
21 Mar 2017 |
| References |
Bug 3376 |
|
| Affects |
All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. |
Resolved in 4.2.8p10. |
| CVSS2 Score |
N/A |
|
| CVSS3 Score |
N/A |
|
Description
The build process for NTP has not, by default, provided compile or link flags to offer “hardened” security options. Package maintainers have always been able to provide hardening security flags for their builds. As of ntp-4.2.8p10, the NTP build system has a way to provide OS-specific hardening flags. Please note that this is still not a really great solution because it is specific to NTP builds. It’s inefficient to have every package supply, track and maintain this information for every target build. It would be much better if there was a common way for OSes to provide this information in a way that arbitrary packages could benefit from it.
Mitigation
- Implement BCP-38.
- Upgrade to 4.2.8p10 or later.
- Properly monitor your
ntpd instances, and auto-restart ntpd (without -g) if it stops running.
Credit
This weakness was discovered by Cure53.
Timeline