NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p18 was released on 25 May 2024 and addresses 40 bugs and provides 40 improvements.

Please see the NTP 4.2.8p18 Changelog for details.

Bug 2665 - Weak default key
Summary: Weak default key
Status: RESOLVED FIXED
Alias: None
Product: ntp
Classification: Unclassified
Component: ntpd (show other bugs)
Version: 4.2.6
Hardware: N/A All
: P1 critical
Assignee: Harlan Stenn
URL:
Depends on:
Blocks: 2655
  Show dependency tree
 
Reported: 2014-11-03 00:13 UTC by Harlan Stenn
Modified: 2023-03-30 10:08 UTC (History)
5 users (show)

See Also:
stenn: blocking4.2.6+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Harlan Stenn 2014-11-03 00:13:37 UTC
+++ This bug was initially created as a clone of Bug #2655 +++

ntpd/ntp_config.c:1689 <config_auth> (weak default key)

Proposed fix: remove code.
Comment 1 Harlan Stenn 2014-11-03 00:52:25 UTC
Stephen writes:

The issue with the weak default key (ntpd/ntp_config.c:1689 <config_auth>)
was found by Neel Mehta, could you please credit him when you fix this
issue?
Comment 2 Harlan Stenn 2014-11-03 00:54:35 UTC
This issue seems to have already been fixed in ntp-dev (4.2.7).
Comment 3 Harlan Stenn 2014-11-22 23:41:25 UTC
Specifically, it was fixed in (4.2.7p11) 2010/01/28.
Comment 4 Harlan Stenn 2014-12-12 11:30:53 UTC
Stephen has reconfirmed that he's seeing this issue resolved in ntp-dev.