
Bug 563774 (CVE-2015-7691)

Summary: <net-misc/ntp-4.2.8_p4: multiple vulnerabilities (CVE-2015-{7691,7692,7701,7702,7703,7704,7705,7848,7849,7850,7851,7852,7853,7854,7855,7871})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: base-system, chutzpah
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 584954
Bug Blocks:

Description Hanno Böck gentoo-dev 2015-10-22 10:33:14 UTC
The summary line is too short to hold all CVEs, they are:
CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871

Upstream advisory:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

The latest ntp release 4.2.8_p4 fixes various security vulnerabilities. Some of them are related to a research paper from Boston University (worth reading) about NTP security:
http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf

It seems no single one of the bugs is super-serious; the most serious one is a crypto bypass for symmetric authentication (which is rarely used, as far as I'm aware).

Please bump.
Comment 1 Patrick McLean gentoo-dev 2015-10-23 19:16:53 UTC
I have bumped net-misc/ntp to 4.2.8_p4 after asking WilliamH for permission to touch a base-system package.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-11-03 17:37:13 UTC
Maintainer(s), please advise when you are ready for stabilization, or call for stabilization yourself.
Comment 3 SpanKY gentoo-dev 2015-11-03 21:07:20 UTC
the code is generally fine, but the tests have gotten ... bad
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:34 UTC
This issue was resolved and addressed in
GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15
by GLSA coordinator Aaron Bauman (b-man).