[pkg-ntp-maintainers] Bug#820470: ntp: upstream version ntp-4.2.8p6
Nicholas Luedtke
nicholas.luedtke at hpe.com
Fri Apr 8 18:26:59 UTC 2016
Package: ntp
Version: 1:4.2.8p4+dfsg-3
Severity: wishlist
Dear Maintainer,
NTP version ntp-4.2.8p6 is available upstream and includes fixes for 9
CVE's listed below. Though they are mostly minor the cumulative effect
of removing these from our stream would be beneficial. We should
consider updating ntp in sid/stretch to incorporate these security fixes.
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
CVEs listed as fixed in upstream:
CVE-2015-8158: Potential Infinite Loop in ntpq
CVE-2015-8138: origin: Zero Origin Timestamp Bypass
CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated
broadcast mode
CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
CVE-2015-7977: reslist NULL pointer dereference
CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
filenames
CVE-2015-7975: nextvar() missing length check
CVE-2015-7974: Skeleton Key: Missing key check allows impersonation
between authenticated peers
CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
--
Nicholas Luedtke
HPE Linux, Hewlett-Packard Enterprise
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-ntp-maintainers/attachments/20160408/362d840b/attachment.sig>
More information about the pkg-ntp-maintainers
mailing list