Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 584954 (CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957)

Summary: <net-misc/ntp-4.2.8_p8: Multiple vulnerabilities (CVE-2016-{4953,4954,4955,4956,4957})
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: base-system
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 563774, 572452, 581528    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-03 18:18:22 UTC 
NTF's NTP Project has been notified of the following 1 high- and 4 low-severity vulnerabilities, which are fixed in ntp-4.2.8p8.

ntp-4.2.8p8 is scheduled to be released on 2 June 2016.

    Sec 3046 / CVE-2016-4957 / VU#321640: Crypto-NAK crash
        Reported by Nicolas Edet of Cisco. 
    Sec 3045 / CVE-2016-4953 / VU#321640: Bad authentication demobilizes ephemeral associations
        Reported by Miroslav Lichvar of Red Hat. 
    Sec 3044 / CVE-2016-4954 / VU#321640: Processing spoofed server packets
        Reported by Jakub Prokes of Red Hat. 
    Sec 3043 / CVE-2016-4955 / VU#321640: Autokey association reset
        Reported by Miroslav Lichvar of Red Hat. 
    Sec 3042 / CVE-2016-4956 / VU#321640: Broadcast interleave
        Reported by Miroslav Lichvar of Red Hat. 

Timeline:

    160602: ntp-4.2.8p8 released.
    160526: CERT notification, including availability of pre-release patches. See: https://www.kb.cert.org/vuls/id/321640
    160524: NTP Consortium members at the Partner and Premier levels received pre-release patch access.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-03 18:21:01 UTC 
Fixed version already in tree, arches, please stabilize:
=net-misc/ntp-ntp-4.2.8_p8
stable arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Richard Freeman gentoo-dev 2016-06-04 11:05:27 UTC 
amd64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-06 11:31:55 UTC 
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-07 06:23:38 UTC 
Stable for PPC64.
Comment 5 Markus Meier gentoo-dev 2016-06-11 13:21:28 UTC 
arm stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-15 15:38:33 UTC 
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:50:44 UTC 
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-08 07:58:57 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:07:29 UTC 
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 12:06:41 UTC 
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:57 UTC 
This issue was resolved and addressed in
 GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15
by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 12:02:40 UTC 
@maintainer(s), reopening for cleanup.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 00:56:16 UTC 
Maintainer(s), please drop the vulnerable version(s).

Please Drop: 4.2.8_p3, 4.2.8_p6, 4.2.8_p7
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 11:31:27 UTC 
Any reason these still cannot be cleaned?
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-10 11:38:53 UTC 
commit 5a50c3c8835393a878e462614bdc162127de1d60
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 10 13:36:55 2016

    net-misc/ntp: Security cleanup (bug #584954).

    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 11:54:10 UTC 
Thanks!