# Outdated NTPD in FreeBSD-8.1



## AlexJ (Sep 12, 2010)

I did an upgrade from 8.0 to 8.1 a few weeks ago and found out that it included NTPD (and all supplied utilities) and that it still has an outdated, vulnerable version, 4.2.4p5-a.

Here is proof of that:
http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode

Before submitting this issue as a PR, I want to ask the community – Is there a reason to keep an old version of NTPD?

BTW, maybe somebody knows - Why are scripts from /usr/src/contrib/ntp/scripts not installed in the system? I believe some scripts can be very useful, especially ntp-wait.

Regards,
Alex.


----------



## mix_room (Sep 13, 2010)

Are you talking about the version included in release or the one in ports? 

The one included in the release will, by definition, lag behind current developments. Replace it with the one from ports, which should be newer.


----------



## aragon (Sep 13, 2010)

AlexJ said:

> Before submitting this issue as a PR, I want to ask the community – Is there a reason to keep an old version of NTPD?


The FreeBSD Project handles security fixes in a different way to many other open OSes.  If a vulnerability is found in 3rd party software that's in base, upgrading to the latest version is avoided because new versions of software usually change functionality/behavior in addition to fixing the bug, which is undesirable.  In most cases the same version is kept, but a security patch is applied to fix _only_ the vulnerability without affecting any other parts of the software.

In this case, your NTPd is not vulnerable.  It was addressed a few months ago and the FreeBSD advisory is at:

http://security.freebsd.org/advisories/FreeBSD-SA-10:02.ntpd.asc


----------



## AlexJ (Sep 14, 2010)

mix_room said:

> Are you talking about the version included in release or the one in ports?


I'm talking about the version that is included in the release.

aragon said:

> The FreeBSD Project handles security fixes in a different way to many other open OSes.


Yes, I know that.

aragon said:

> In this case, your NTPd is not vulnerable.  It was addressed a few months ago and the FreeBSD advisory is at:
> 
> http://security.freebsd.org/advisories/FreeBSD-SA-10:02.ntpd.asc



*Thanks a lot* for this link, I missed it.


----------

