On Mon, Jan 27, 2014 at 03:53:32PM +0100, martin f krafft wrote:
> also sprach Moritz Mühlenhoff <j...@inutil.org> [2014-01-16 22:46 +0100]:
> > Ok, let's ignore it. Marked as such in the Debian Security Tracker.
>
> Please reconsider this decision. Operators of most of the public NTP
> servers (pool.ntp.org *was* founded by a DD!) don't just deploy
> software aside from their distro and effectively, I think that by
> ignoring the problem, Debian is actively being a part of the
> vastly-increasing problem of dDoS-reflection/amplification attacks.

I'm not sure what you're suggesting. We ship a default config for
*years* that doesn't have this problem. If Debian systems are also
part of the problem, it's because the administrator changed the
defaults, and changing the defaults again isn't going to fix it.

I'm also not sure uploading a 4.2.7 development snapshot to
stable-security is a good idea, it's not even in unstable yet since
it's not yet a stable release, and I know it still has problems.

You might also want to look at http://openntpproject.org/

If you think people from the pool are still vulnerable to this, I
suggest you contact Ask Bjørn Hansen <a...@ntppool.org> to get an IP
address and contacts.


Kurt