Bug 584508 (CVE-2016-5117) - <net-misc/openntpd-6.0_p1: OpenNTPD not verifying CN during HTTPS constraints request
Summary: <net-misc/openntpd-6.0_p1: OpenNTPD not verifying CN during HTTPS constraints...
Status: RESOLVED FIXED
Alias: CVE-2016-5117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-30 08:10 UTC by Agostino Sarubbo
Modified: 2016-07-09 01:12 UTC (History)
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Add openntpd-6.0_p1 ebuild (0001-net-misc-openntpd-Bump-to-6.0_p1-fix-bug-584508.patch,7.95 KB, patch)
2016-05-31 03:47 UTC, Paul B. Henson

Description Agostino Sarubbo gentoo-dev 2016-05-30 08:10:57 UTC
From ${URL} :

Upstream patch:
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c.diff?r1=1.27&r2=1.28

Affected versions:
All OpenNTPD versions containing constraints before May 21st 2016 are
affected.
OpenBSD 5.9 is affected.

Description:
OpenNTPD constraints is an experimental functionality to mitigate
NTP man-in-the-middle attacks. When enabled (by default on OpenBSD base
install), it requests timestamps from trusted HTTPS servers through the HTTP
Date: header, and the average of the values obtained is used to filter
out deviating NTP responses.

Common Name verification was disabled while configuring the HTTPS request,
allowing upstream network attackers to intercept and forward the request to
a malicious server that could provide forged timestamp
constraints presenting valid certificates without the server noticing it.

The vulnerable function is httpsdate_init at
/src/usr.sbin/ntpd/constraint.c on OpenBSD source:

[...]
/* XXX we have to pre-resolve, so name and host are not equal */
tls_config_insecure_noverifyname(httpsdate->tls_config);
[...]
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
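The pattern behind the flaw, as an added example that is not OpenNTPD's or the ebuild's code: the insecure context mirrors what tls_config_insecure_noverifyname() did (chain checked, name not), while the hardened variant keeps name verification on and still connects to a pre-resolved address by passing the configured hostname separately, which is the "server name verification" the upstream fix enables. Python's ssl module stands in for libtls; the function names are mine.

```python
"""Added example (not OpenNTPD or Gentoo code) of the CVE-2016-5117 pattern.

OpenNTPD pre-resolved the constraint host, connected to the IP, and then disabled
name verification because "name and host are not equal". The hardened pattern keeps
verification on and supplies the intended hostname separately from the address.
"""
import socket
import ssl


def insecure_constraint_context() -> ssl.SSLContext:
    """Mirrors tls_config_insecure_noverifyname(): chain is verified, the name is not.

    Any certificate issued by a trusted CA, for any hostname, is accepted, which is
    what allowed an on-path attacker to redirect the request to their own server.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the weak setting
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain still checked, name is not
    return ctx


def hardened_constraint_context() -> ssl.SSLContext:
    """Default-verifying context: both the chain and the hostname are checked."""
    return ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED


def connect_constraint(hostname: str, port: int = 443) -> ssl.SSLSocket:
    """Pre-resolve as OpenNTPD does, connect by address, verify against the name.

    The TCP connection uses the resolved address; certificate verification and
    SNI use `hostname`, so pre-resolving never forces verification off.
    """
    ctx = hardened_constraint_context()
    addr = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)[0][4]
    raw = socket.create_connection(addr)                  # connected by address
    return ctx.wrap_socket(raw, server_hostname=hostname)  # verified by name


def name_required_when_verifying(ctx: ssl.SSLContext) -> bool:
    """True if the context refuses to wrap a socket without a name to verify against.

    With check_hostname enabled, Python raises ValueError here; this is the guard
    that the vulnerable code sidestepped by turning verification off instead.
    """
    with socket.socket() as sock:  # never connected, so no handshake is attempted
        try:
            ctx.wrap_socket(sock).close()
        except ValueError:
            return True
    return False
```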
Comment 1 Paul B. Henson 2016-05-31 03:46:34 UTC
Upstream released 6.0p1 as the official fix, there won't be a 5.9 release with the patch. 6.0p1 includes another fix I was thinking of backporting to 5.9_p1 anyway, so rather than backport that and the security fix to the currently unstable 5.9p1 I've attached a portage patch to add a 6.0p1 ebuild.

I was planning to stabilize 5.9p1 shortly, so after 6.0p1 sits for the requisite 30 days I'm going to look at stabilizing it instead. The bug is only present with USE=libressl, and there is no stable version of libressl, so this bug doesn't currently apply to a stable system in any case.
Comment 2 Paul B. Henson 2016-05-31 03:47:35 UTC
Created attachment 435894 [details, diff]
Add openntpd-6.0_p1 ebuild
Comment 3 Agostino Sarubbo gentoo-dev 2016-05-31 08:22:30 UTC
(In reply to Paul B. Henson from comment #2)
> Created attachment 435894 [details, diff]
> Add openntpd-6.0_p1 ebuild

make a PR?
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-05-31 08:32:56 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Paul B. Henson from comment #2)
> > Created attachment 435894 [details, diff]
> > Add openntpd-6.0_p1 ebuild
> 
> make a PR?

a pull request (in particular if referring to a github variant) isn't a requirement for workflow in Gentoo (although I would like to see more use of git request-pull in general).

For review purposes a unified diff to the latest version is often helpful in addition to the ebuild itself though.
Comment 5 Paul B. Henson 2016-05-31 08:41:50 UTC
(In reply to Agostino Sarubbo from comment #3)
> (In reply to Paul B. Henson from comment #2)
> > Created attachment 435894 [details, diff]
> > Add openntpd-6.0_p1 ebuild
> 
> make a PR?

I'm a proxy maintainer for openntpd, Ottxor usually commits stuff for me.

I could add a diff between the ebuild versions but it would be empty as pretty much the only change this time around was renaming it :).

Every dev seems to have their own preference for how they want patches to be submitted for packages they maintain, when you mostly submit one offs here and there it's hard to know in advance which way to go.
Comment 6 Christoph Junghans (RETIRED) gentoo-dev 2016-05-31 16:39:46 UTC
For reference, I prefer PR on github as well, but:

commit 3b3cb584e265efd23d1a59c6ef85c3a3eb5407f4
Author: Paul B. Henson <henson@acm.org>
Date:   Mon May 30 20:31:35 2016 -0700

    net-misc/openntpd: Bump to 6.0_p1, fix bug #584508

@security: "All OpenNTPD versions containing constraints before May 21st 2016 are
affected." (CVE-2016-5117). Hence stable openntpd-5.7_p4-r2 is also affected. I think we should quick stabilize openntpd-6.0_p1 (or back-port the patch to openntpd-5.7_p4-r2).
Comment 7 Paul B. Henson 2016-06-01 02:02:48 UTC
(In reply to Christoph Junghans from comment #6)
> For reference, I prefer PR on github as well, but:

Hmm, hadn't heard that before, but so noted.

> affected. I think we should quick stabilize openntpd-6.0_p1 (or back-port
> the patch to openntpd-5.7_p4-r2).

I'd prefer to stabilize openntpd-6.0_p1, I was just about to stabilize 5.9p1, and 6.0_p1 despite the major rev change only has a few differences relative to 5.9p1. From the release announcement:

Changes since OpenNTPD 5.9p1
============================

    * Fixed a link failure on older Linux distributions and a build
      failure on FreeBSD.
    * Set MOD_MAXERROR to avoid unsynced time status when using
      ntp_adjtime.
    * Fixed HTTP Timestamp header parsing to use strptime in a more
      portable fashion.
    * Hardened TLS for ntpd constraints, enabling server name
      verification. Thanks to Luis M. Merino.
Comment 8 Agostino Sarubbo gentoo-dev 2016-06-01 11:02:10 UTC
Arches, please test and mark stable:
=net-misc/openntpd-6.0_p1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 9 Agostino Sarubbo gentoo-dev 2016-06-01 14:45:27 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-06-01 14:45:53 UTC
x86 stable
Comment 11 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-01 15:18:34 UTC
Stable on alpha.
Comment 12 G.K.MacGregor 2016-06-02 19:45:49 UTC
I don't appear to be able to upgrade to this version...

# emerge -u1 openntpd
Calculating dependencies... done!

>>> Verifying ebuild manifests

!!! Digest verification failed:
!!! /usr/portage/net-misc/openntpd/openntpd-6.0_p1.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 2971
!!! Expected: 2972

>>> Emerging (1 of 1) net-misc/openntpd-6.0_p1::gentoo

!!! Digest verification failed:
!!! /usr/portage/net-misc/openntpd/openntpd-6.0_p1.ebuild
!!! Reason: Filesize does not match recorded size
!!! Got: 2971
!!! Expected: 2972

>>> Failed to emerge net-misc/openntpd-6.0_p1
 * 
 * The following package has failed to build, install, or execute postinst:
 * 
 *  (net-misc/openntpd-6.0_p1:0/0::gentoo, ebuild scheduled for merge)
 *
Comment 13 Paul B. Henson 2016-06-03 01:15:36 UTC
I can verify this:

# ls -l /usr/portage/net-misc/openntpd/openntpd-6.0_p1.ebuild
-rw-r--r-- 1 portage portage 2971 Jun  1 08:18 /usr/portage/net-misc/openntpd/openntpd-6.0_p1.ebuild

# grep openntpd-6.0_p1.ebuild /usr/portage/net-misc/openntpd/Manifest
EBUILD openntpd-6.0_p1.ebuild 2972

Whoever last touched it seems to have left it corrupted.

# tail /usr/portage/net-misc/openntpd/ChangeLog

  01 Jun 2016; Agostino Sarubbo <ago@gentoo.org> openntpd-6.0_p1.ebuild:
  x86 stable wrt bug #584508

  Package-Manager: portage-2.2.28
  RepoMan-Options: --include-arches="x86"
  Signed-off-by: Agostino Sarubbo <ago@gentoo.org>

ago? Think you updated the manifest before you marked it stable? That would explain the 1 character size discrepancy :).
Comment 14 Christoph Junghans (RETIRED) gentoo-dev 2016-06-03 02:05:43 UTC
Well, the Manifest in git doesn't include the ebuilds:
https://github.com/gentoo/gentoo/blob/master/net-misc/openntpd/Manifest
Comment 15 Paul B. Henson 2016-06-03 02:12:16 UTC
(In reply to Christoph Junghans from comment #14)
> Well, Manifest in git don't include the ebuilds:
> https://github.com/gentoo/gentoo/blob/master/net-misc/openntpd/Manifest

Umm. Where does it get added then? Is there a broken automated process somewhere?
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-03 03:33:30 UTC
Stable for PPC64.
Comment 17 Markus Meier gentoo-dev 2016-06-04 05:09:38 UTC
arm stable
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-21 11:39:59 UTC
Stable for HPPA.
Comment 19 Agostino Sarubbo gentoo-dev 2016-07-08 07:58:37 UTC
ppc stable
Comment 20 Agostino Sarubbo gentoo-dev 2016-07-08 10:07:09 UTC
sparc stable
Comment 21 Agostino Sarubbo gentoo-dev 2016-07-08 12:06:21 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 22 Christoph Junghans (RETIRED) gentoo-dev 2016-07-08 15:06:19 UTC
commit 109249d85bf67f406203b8e7ace75e3e0dc62810
Author: Christoph Junghans <ottxor@gentoo.org>
Date:   Fri Jul 8 09:05:25 2016 -0600

    net-misc/openntpd: drop <6 (bug #584508

    Package-Manager: portage-2.2.28
Comment 23 Aaron Bauman (RETIRED) gentoo-dev 2016-07-09 01:12:14 UTC
GLSA Vote: No