The severity of this bug should be critical.

The default shipped configuration file /may/ be secure, but does not adequately document /why/ it is secure. Previous versions of the AccessRestrictions documentation (prior to, likely, sometime early this year when the NTP reflection attacks became popular) appeared to advise removing the noquery attribute, and thus many administrators who wanted to provide a public-facing server properly followed the guidance to remove it. Since that time there has been no Debian security advisory that this is an insecure modification to the configuration. It is also not something which someone would consider to be related even if they are aware of NTP amplification attacks.

I am requesting a change in severity level to critical given that, with previously advised (even if not by Debian example) configurations, this software "introduces a security hole on systems where you install the package" which may be used to provide a denial of service attack to/from systems with the affected version/configuration.

As a temporary solution, "disable monitor" or adding "noquery" to internet-facing services is required (and //should be documented as such in config comments// if an update to this package is not provided); however, the updated software disables the responses that are used in the reflection attacks without completely disabling other responses that may be useful as an NTP server. The previously supplied FreeBSD patch appears to provide the same type of improvement and, if chosen instead, should be documented as such in the example config file (so that it is obvious this is fixed with something not present upstream).

http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
http://www.kb.cert.org/vuls/id/348126
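As an added example (not part of the bug report, and not code from the Debian ntp package or from upstream ntp), the following POSIX shell script shows the two configurations the report contrasts side by side and audits an ntp.conf text for the conditions it describes: a `restrict ... default` line with noquery removed, and the absence of `disable monitor`. Both sample configs are constructed for this example; the restrict lines only loosely mirror the Debian example file, and the function name `audit_ntp_conf` is an assumption of this example rather than anything shipped with ntp.

```shell
#!/bin/sh
# Added example, not from the bug report or the ntp package.
# Audits an ntp.conf body for the two settings tied to the monlist
# reflection/amplification problem (CVE-2013-5211):
#   - a "restrict ... default" line that lacks noquery (or ignore), so any
#     address on the internet can send ntpdc/ntpq control queries;
#   - no "disable monitor", so ntpd keeps the MRU list that monlist dumps.
# Assumes ntpd 4.2.x configuration syntax. Sample configs are constructed.

# Constructed "previously advised" public-server config: noquery removed.
WEAK_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer
restrict 127.0.0.1
restrict ::1'

# Constructed hardened config: noquery restored on the default lines and
# monitor disabled, which is the upstream-recommended monlist mitigation.
FIXED_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
disable monitor
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1'

# audit_ntp_conf CONF_TEXT
# Prints one line per finding; returns 0 when clean, 1 when anything is found.
audit_ntp_conf() {
    conf="$1"
    rc=0

    # "disable monitor" may appear alone or with other flags, e.g. "disable auth monitor".
    if ! printf '%s\n' "$conf" \
        | grep -Eq '^[[:space:]]*disable[[:space:]]+(.*[[:space:]]+)?monitor([[:space:]]|$)'; then
        echo "WARN: 'disable monitor' not set; monlist replies remain possible wherever noquery is absent"
        rc=1
    fi

    # Every uncommented "restrict ... default" line must carry noquery (or ignore).
    printf '%s\n' "$conf" | awk '
        /^[[:space:]]*restrict[[:space:]]/ && /[[:space:]]default([[:space:]]|$)/ {
            if ($0 !~ /[[:space:]]noquery([[:space:]]|$)/ && $0 !~ /[[:space:]]ignore([[:space:]]|$)/) {
                print "FAIL: default restrict answers control queries from any address: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }' || rc=1

    return $rc
}

# Stand-alone run: the weak config reports findings, the fixed one is clean.
echo "== weak config =="
audit_ntp_conf "$WEAK_CONF" || echo "(findings above)"
echo "== fixed config =="
audit_ntp_conf "$FIXED_CONF" && echo "clean"
```

To check an installed file rather than the embedded samples, pass it in with `audit_ntp_conf "$(cat /etc/ntp.conf)"`. Note the trade-off the report alludes to: `noquery` on the default line also blocks the read-only `ntpq` variable queries some operators want to expose, whereas `disable monitor` removes only the MRU list that monlist reads, leaving ordinary time service and other queries intact. A live host can be confirmed with `ntpdc -n -c monlist <host>`, which should time out or return nothing once either mitigation is in place.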
The default shipped configuration file /may/ be secure, but does not adequately document /why/ it is secure. Previous versions of the AccessRestrictions documentation (prior to likely someone early this year when the NTP reflection attacks became popular) appeared to advise removing the noquery attribute, and thus many administrators who wanted to provide a public facing server properly followed the guidance to remove it. Since that time there has been no Debian security advisory that this is an insecure modification to the configuration. It is also not something which someone would consider to be related even if they are aware of NTP amplification attacks. I am requesting a change in severity level to critical given that with previously advised (even if not by Debian example) configurations this software "introduces a security hole on systems where you install the package" which may be used to provide a denial of service attack to/from systems with the effected version/configuration. As a temporary solution "disabling monitor" or adding "noquery" to internet facing services is required (and //should be documented as such in config comments// if an update to this package is not provided); however the updated software disables the responses that are used in the reflection attacks without completely disabling other responses that may be useful as an NTP server. The previously supplied freebsd patch appears to provide the same type of improvement and if chosen instead should be documented as such in the example config file (so that it is obvious this is fixed with something not present upstream). http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.1.1.3 . http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Atta ck_using http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211 http://www.kb.cert.org/vuls/id/348126