perfSONAR Announcements

[Jason Zurawski <>]

Greetings All;

The year wouldn’t be complete without at least one more security concern for 
everyone to be aware of.  Turn your attention to the following - 
“CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets”:

        https://access.redhat.com/security/cve/CVE-2014-9295

Information is is still scarce on this thus far, we have not seen any word 
come down on the CentOS mailing lists regarding packages.  There is some 
chatter on the actual issue tracker item that is useful:

        https://bugzilla.redhat.com/show_bug.cgi?id=1176037

Their read:

        - “Autokey Authentication”, sometimes used in the /etc/ntp.conf file, 
is at risk.  This is not a default for RHEL, or the perfSONAR Toolkit.  If 
you added any in, you may want to reconsider.  

        - untrusted hosts that are allowed to send control messages can cause 
a buffer overflow.  By default, RHEL and perfSONAR Toolkit permissions allow 
only localhost based control communication.  If you changed this for whatever 
reason, you may want to reconsider.  

        - DOS possibility through special message creation, but will not 
allow any remote code execution.  Will require an upstream patch to fully 
address.  

The perfSONAR project will keep watch on the situation and alert when its 
time to download patches.  We will take this opportunity to remind everyone 
that the 3.4 version of the perfSONAR toolkit has a automatic update feature 
available:

        http://docs.perfsonar.net/manage_update.html#automatic-updates

Consider enabling this if you haven’t done so, and please upgrade to 3.4 if 
you haven’t done so.  

Thanks, and Happy Festivus;  

-jason