NTP BUG 3376: Makefile does not enforce Security Flags
Last update: June 27, 2022 20:45 UTC (51d68a4aa)
||21 Mar 2017
||All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
||Resolved in 4.2.8p10.
The build process for NTP has not, by default, provided compile or link flags to offer “hardened” security options. Package maintainers have always been able to provide hardening security flags for their builds. As of ntp-4.2.8p10, the NTP build system has a way to provide OS-specific hardening flags. Please note that this is still not a really great solution because it is specific to NTP builds. It’s inefficient to have every package supply, track and maintain this information for every target build. It would be much better if there was a common way for OSes to provide this information in a way that arbitrary packages could benefit from it.
- Implement BCP-38.
- Upgrade to 4.2.8p10 or later.
- Properly monitor your
ntpd instances, and auto-restart
-g) if it stops running.
This weakness was discovered by Cure53.