Summary: | <net-misc/ntp-4.2.8_p10: multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | base-system, xmw |
Priority: | Normal | Flags: | stable-bot: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu | ||
Whiteboard: | B3 [noglsa cve] | ||
Package list: | =net-misc/ntp-4.2.8_p10-r1 | ||
Runtime testing required: | --- |
Description
Thomas Deutschmann (RETIRED)
2017-03-22 15:21:38 UTC
Umm,

```
/bin/sh ../libtool --tag=CC --mode=link x86_64-pc-linux-gnu-gcc -ffunction-sections -fdata-sections -Wall -Wcast-align -Wcast-qual -Wmissing-prototypes -Wpointer-arith -Wshadow -Winit-self -Wstrict-overflow -Wno-strict-prototypes -pie -fPIE -fPIC -fstack-protector-all -O1 -O2 -pipe -march=native -z relro -z now -Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed -o ntpsnmpd netsnmp_daemonize.o ntpsnmpd.o ntpSnmpSubagentObject.o ntpsnmpd-opts.o ../ntpq/libntpq.a ../libntp/libntp.a -L/usr/lib64 -lnetsnmpmibs -ldl -lnetsnmpagent -lwrap -lnetsnmp -lcrypto -lm -Wl,--gc-sections -lm -pthread -lssl -ldl -lz -lcrypto -ldl -lz ../sntp/libopts/libopts.la
libtool: link: x86_64-pc-linux-gnu-gcc -ffunction-sections -fdata-sections -Wall -Wcast-align -Wcast-qual -Wmissing-prototypes -Wpointer-arith -Wshadow -Winit-self -Wstrict-overflow -Wno-strict-prototypes -pie -fPIE -fPIC -fstack-protector-all -O1 -O2 -pipe -march=native -z relro -z now -Wl,--hash-style=gnu -Wl,-O1 -Wl,--as-needed -o ntpsnmpd netsnmp_daemonize.o ntpsnmpd.o ntpSnmpSubagentObject.o ntpsnmpd-opts.o -Wl,--gc-sections -pthread ../ntpq/libntpq.a ../libntp/libntp.a -L/usr/lib64 -lnetsnmpmibs -lnetsnmpagent -lwrap -lnetsnmp -lm -lssl -lcrypto -ldl -lz ../sntp/libopts/.libs/libopts.a -pthread
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq_subs.o): relocation R_X86_64_32 against symbol `g_varlist' can not be used when making a shared object; recompile with -fPIC
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: ../ntpq/libntpq.a(libntpq_a-libntpq_subs.o): warning: relocation against `free@@GLIBC_2.2.5' in readonly section `.text'
/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/../../../../x86_64-pc-linux-gnu/bin/ld: final link failed: Nonrepresentable section on output
collect2: error: ld returned 1 exit status
```

(In reply to Michael Weber from comment #1)
> Umm,

nvm, apparently fixed by

```
commit 494143c3b4921a5c8b8596d58f2c8b98296bf688
Author: Patrick McLean <chutzpah@gentoo.org>
Date: Wed Mar 22 11:52:01 2017 -0700

net-misc/ntp: Add patch to fix build with gcc-4.9
```

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

The ntp-4.2.8_p10 ebuild in the tree currently does not include the libressl patch that was included in the ntp-4.2.8_p9 ebuild. This is a problem because the _p10 ebuild does not build with libressl (for the same reasons as the _p9 did not build without the patch).

The impact of this is that users like myself with libressl installed cannot upgrade to this ebuild and thus have to remain vulnerable.

IMHO this needs to be fixed before we can stabilise the package.

```
commit ce3be83bafb6e93161bf5808ffe097d53655f6b0
Author: Patrick McLean <chutzpah@gentoo.org>
Date: Thu Mar 30 17:12:55 2017 -0700

net-misc/ntp: Add patch to build 4.2.8_p10 with libressl

Package-Manager: Portage-2.3.5, Repoman-2.3.2
```

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

Will call for stabilization on June 17 if not done by maintainer before.

Security, please fix CVE-2017-9042 - this is a binutils CVE [1,2] tracked by [3]. Removing alias.

[1] https://access.redhat.com/security/cve/cve-2017-9042
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-9042
[3] https://bugs.gentoo.org/show_bug.cgi?id=618826

@ Arches,

please test and mark stable: =net-misc/ntp-4.2.8_p10-r1

amd64 stable

x86 stable

sparc stable

ia64 stable

arm stable

ppc64 stable

Stable on alpha.

ppc stable

Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR

hppa stable

@maintainers, please clean the vulnerable versions.

```
commit 6d5d02e1341ffa76de4b26a6963d99699afba0c6 (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date: Fri Oct 20 11:05:20 2017

net-misc/ntp: Security cleanup (bug #613550).

Package-Manager: Portage-2.3.12, Repoman-2.3.3
```