Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 563774 (CVE-2015-7691)

Summary: <net-misc/ntp-4.2.8_p4: multiple vulnerabilities (CVE-2015-{7691,7692,7701,7702,7703,7704,7705,7848,7849,7850,7851,7852,7853,7854,7855,7871})
Product: Gentoo Security Reporter: Hanno Böck <hanno>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: base-system, chutzpah
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 584954    
Bug Blocks:    

Description Hanno Böck gentoo-dev 2015-10-22 10:33:14 UTC
The summary line is too short to hold all CVEs, they are:
CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871

Upstream advisory:

The latest ntp release 4.2.8_p4 fixes various security vulnerabilities. Some of them are related to a research paper from Boston University (worth reading) about NTP security:

Seems no single one of the bugs is super-serious, the most serious one is a crypto bypass for symmetric authentication (which is rarely used as far as I'm aware).

Please bump.
Comment 1 Patrick McLean gentoo-dev 2015-10-23 19:16:53 UTC
I have bumped net-misc/ntp to 4.2.8_p4 after asking WilliamH for permission to touch a base-system package.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 17:37:13 UTC
Maintainer(s), please advise if you when you are ready for stabilization or call for stabilization yourself.
Comment 3 SpanKY gentoo-dev 2015-11-03 21:07:20 UTC
the code is generally fine, but the tests have gotten ... bad
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:34 UTC
This issue was resolved and addressed in
 GLSA 201607-15 at
by GLSA coordinator Aaron Bauman (b-man).