[Secure-testing-team] Bug#825856: openntpd: CVE-2016-5117

Salvatore Bonaccorso carnil at debian.org
Mon May 30 19:58:36 UTC 2016


Source: openntpd
Version: 1:5.7p4-4
Severity: normal
Tags: security upstream patch

Hi,

the following vulnerability was published for openntpd.

CVE-2016-5117[0]:
OpenNTPD not verifying CN during HTTPS constraints request

As far as I can tell, though, we are not affected in default Debian
installations, since constraints are not enabled. The source seems to be
affected though, so this bug is to track the issue. Let me know if I'm
wrong here, though.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-5117
[1] http://www.openwall.com/lists/oss-security/2016/05/23/2
[2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c.diff?r1=1.27&r2=1.28

Regards,
Salvatore
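
Added example, not part of the original message: a check for whether a given host has HTTPS constraints enabled, which is the condition the report ties exposure to. It relies on the `constraint from` / `constraints from` directives documented in ntpd.conf(5); the function name `active_constraints`, the default path `/etc/openntpd/ntpd.conf` and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list active HTTPS constraint directives in an OpenNTPD config.
# Assumption: the config path is passed as the first argument; the default
# below is only a guess at the usual Debian location.

# Prints each uncommented "constraint from" / "constraints from" directive
# with its line number.
# Returns 0 if at least one is active, 1 if none are, 2 if the file is unreadable.
active_constraints() {
    conf="${1:-/etc/openntpd/ntpd.conf}"
    [ -r "$conf" ] || return 2
    awk '
        { sub(/#.*/, "") }    # strip comments; awk re-splits the fields
        ($1 == "constraint" || $1 == "constraints") && $2 == "from" && $3 != "" {
            printf "%d: %s %s %s\n", NR, $1, $2, $3
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample config (not taken from a real host): one commented-out
# directive, which must be ignored, and one indented active directive.
sample=$(mktemp)
cat > "$sample" <<'EOF'
servers pool.ntp.org
# constraints from "https://www.example.org"
  constraint from "https://ntp.example.net"   # active
EOF
active_constraints "$sample" || echo "no active constraints"
rm -f "$sample"
```

A return status of 1 means no constraint directive is active in that file, so ntpd makes no HTTPS constraint requests on that host.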


