Security Advisory: puppetlabs-ntp default configuration does not fully mitigate CVE-2013-5211

17 views

Skip to first unread message

Morgan Haskel

unread,

Nov 24, 2015, 7:04:15 PM11/24/15

Assessed risk level: Low

Previous versions of the puppetlabs-ntp module did not default to using 'disable monitor', which is one of the two configurations required to fully mitigate CVE-2013-5211. The module by default would set 'noquery' for all remote hosts, but the system would still be vulnerable to local attacks.

With the puppetlabs-ntp 4.1.1 release, the default value for the 'disable_monitor' parameter is set to 'true' for all platforms.

No action is required unless you are manually setting 'disable_monitor' to false or you need monitoring enabled in your environment.

Please see https://puppetlabs.com/security/cve/puppetlabs-ntp-nov-2015-advisory for more information.

Morgan Haskel

mor...@puppetlabs.com

Release Engineer

Reply all

Reply to author

Forward

0 new messages