[Secure-testing-team] Bug#773576: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 20 05:37:02 UTC 2014
Source: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for ntp.
CVE-2014-9293[0]:
automatic generation of weak default key in config_auth()
CVE-2014-9294[1]:
ntp-keygen uses weak random number generator and seed when generating MD5 keys
CVE-2014-9295[2]:
Multiple buffer overflows via specially-crafted packets
CVE-2014-9296[3]:
receive() missing return on error
The corresponding Red Hat bugzilla entries also contain some more
information.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-9293
[1] https://security-tracker.debian.org/tracker/CVE-2014-9294
[2] https://security-tracker.debian.org/tracker/CVE-2014-9295
[3] https://security-tracker.debian.org/tracker/CVE-2014-9296
Regards,
Salvatore