NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to use in a distributed denial-of-service (DDoS) attack. Please also take this opportunity to defeat denial-of-service attacks by implementing ingress and Egress filtering through BCP38.
The final two security bugs reported by Google's Security Team have been fixed as of ntp-4.2.8p1.
A new set of mode 6 vulnerabilities has been discovered and, while these vulnerabilities can be reduced by making sure you have
restrict default … noquery in your
ntp.conf file, the best and most complete way to avoid these vulnerabilities is to install and deploy
ntp-4.2.8p1 which was released on 04 February 2015.
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
Embedded Version String Content
While fixing Bug #683
it was noted that the version string in the code takes the form:
Version @ CSet [ build-flags ] date buildnumber
- the version string, eg
- A number indicating the latest changeset in the repository
- for OpenSSL support
- the date and time of program linkage
n counts the number of times the program has been linked in this directory
Note that previous versions of NTP used different values for
and the file
- As of
4.2.7p272, 12 April 2012, the
mkver script uses
VER_SUFFIX, and the value
-o means we have OpenSSL.
- As of 6 Aug 2004, 4.2.1, a suffix of
-o means we have
-? means some other crypto library is available.
- As of 4 May 2000, the suffix
-a meant Autokey was supported, in additon to
-r for RSA.
- As of 25 Feb 2000, the suffix was changed to
- As of 24 Feb 2000, the suffix was changed to
- 4.0.99: In July of 1999, the suffix
RSAREF meant that the RSA libraries were available.
It has been suggested that some users are confused by the information after the
. While the remaining information is important and useful, it is not part of the software version.
The following suggestions have been made in this regard:
- Leave it alone
- Get rid of the information after the
- Harlan says not without finding somewhere else for the info
- Change the
@ to something else:
- 4.2.3p29; 1.123-o
- 4.2.3p29, build 1.123-o
- 22 Aug 2006
(added -a for Autokey) - 23 May 2010