Posted November 24, 2015
Assessed Risk Level: Low
Previous versions of the puppetlabs-ntp module did not default to using 'disable monitor', which is one of the two configurations required to fully mitigate CVE-2013-5211. The module by default would set 'noquery' for all remote hosts, but the system would still be vulnerable to local attacks.
With the puppetlabs-ntp 4.1.1 release, the default value for the 'disable_monitor' parameter is set to 'true' for all platforms.
No action is required unless you are manually setting 'disable_monitor' to false or you need monitoring enabled in your environment.
Affected Software Versions:
- puppetlabs-ntp 4.1.0 and earlier
- puppetlabs-ntp 4.1.1