NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.

Please see the NTP Security Notice for vulnerability and mitigation details.

---

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.

Definition of a Security Issue

Steve suggested:

• In the extreme, a security bug is one that allows an outside party to execute arbitrary code as the NTP user or gain access to the system.

Rob Austein suggests:

1. a bug in security code (eg, an acl mechanism that doesn't do what it claims to do).
2. a bug that can cause a server to fall over and die, or otherwise gives an attacker leverage by which to dos the server.
3. a bug that allows an attacker to take control of the server or the host on which it's running.
4. probably others that don't leap to mind as quickly.

Harlan asked: Would it be a security bug if you could cause the service to abort?

Steve thinks not.

Rob says:

any bug an attacker can use to force the service to behave badly would be a security bug, so assuming i understand the question, yes, i'd consider that a security bug.

but some security bugs are more equal than others. it's probably best to think in terms of risk management rather than absolutes.