Univention Bugzilla – Full Text Bug Listing |
Summary: | ntp: Multiple issues (4.1) | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Security updates | Assignee: | Arvid Requate <requate> |
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
Severity: | normal | ||
Priority: | P2 | CC: | gohmann |
Version: | UCS 4.1 | Flags: | requate:
Patch_Available+
|
Target Milestone: | UCS 4.1-4-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit | ||
What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
User Pain: | Enterprise Customer affected?: | ||
School Customer affected?: | ISV affected?: | ||
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | Bug group (optional): | Security | |
Max CVSS v3 score: |
Description
Arvid Requate
2016-02-24 19:31:29 CET
New issues: * bad authentication demobilizes ephemeral associations (CVE-2016-4953) * partial processing of spoofed packets (CVE-2016-4954) [minor] * autokey association reset (CVE-2016-4955) [minor] Not affected by: CVE-2015-7975 Upstream Debian package version 1:4.2.6.p5+dfsg-2+deb7u7 fixes these additional issues: * Change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode. (CVE-2016-1548) * Timing attack for authenticated packets (CVE-2016-1550) * Duplicate IPs on unconfig directives will cause an assertion failure (CVE-2016-2516) * Crafted addpeer with hmode > 7 causes out-of-bounds reference (CVE-2016-2518) Upstream Debian package version 1:4.2.6.p5+dfsg-2+deb7u7 also fixes: * incorrect handling of crypto NAK packets my result in denial of service (CVE-2016-1547) The following issues have been reported for ntp: * NTP statsdir cleanup cronjob insecure (CVE-2016-0727) [minor issue] * Not affected by CVE-2016-4956 Advisory: ntp.yaml OK - CVE's OK - built with patches OK - update OK - YAML |