Summary: | <net-misc/ntp-4.2.8_p11: multiple vulnerabilities (CVE-2018-{7170,7182,7183,7184,7185}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | base-system
Priority: | Normal | Flags: | stable-bot: sanity-check+
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | A3 [glsa++ cve] | |
Package list: | net-misc/ntp-4.2.8_p11 | |
Runtime testing required: | --- | |
Description
Agostino Sarubbo
2018-03-05 09:14:41 UTC
*** Bug 650016 has been marked as a duplicate of this bug. ***

@ Arches, please test and mark stable:
=net-misc/ntp-4.2.8_p11

CVE-2018-7185 (https://nvd.nist.gov/vuln/detail/CVE-2018-7185):
The protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association, causing the victim ntpd to reset its association.

CVE-2018-7184 (https://nvd.nist.gov/vuln/detail/CVE-2018-7184):
ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp, causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.

CVE-2018-7182 (https://nvd.nist.gov/vuln/detail/CVE-2018-7182):
The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with an ntpd instance from 4.2.8p6 through 4.2.8p10.

CVE-2018-7170 (https://nvd.nist.gov/vuln/detail/CVE-2018-7170):
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.

amd64 stable

x86 stable

commit 267748ba25eb7b80df44cde7d8d07a50c4f09b83
Author: Rolf Eike Beer <eike@sf-mail.de>
Date:   Wed Mar 14 08:13:27 2018 +0100

    net-misc/ntp: stable 4.2.8_p11 for sparc, bug #649612

ia64 stable

alpha stable

arm64 does not have any ntp version stable..

hppa stable

arm stable

ppc/ppc64 stable, old dropped

GLSA request filed

This issue was resolved and addressed in
 GLSA 201805-12 at https://security.gentoo.org/glsa/201805-12
by GLSA coordinator Christopher Diaz Riveros (chrisadr).

This issue was resolved and addressed in
 GLSA 201805-12 at https://security.gentoo.org/glsa/201805-12
by GLSA coordinator Aaron Bauman (b-man).
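Added example, not part of the bug thread and not code from the ntp project or Gentoo: a small checker that maps an ntp version string onto the affected ranges quoted in the NVD summaries above, so an administrator can tell which of the four described CVEs apply to a given `ntpd` banner or Gentoo package atom. It handles Gentoo's `4.2.8_p11` spelling as equivalent to upstream `4.2.8p11` and treats a missing patchlevel as 0 so that `4.2.8` sorts before `4.2.8p1`. The range table is transcribed from the text of this bug only; CVE-2018-7183 appears in the bug summary but no affected range is quoted for it on this page, so it is deliberately left out. The function names and the sample strings are my own.

```python
"""Which of the CVEs quoted in this bug apply to a given ntp version string?

Affected ranges are transcribed from the NVD summaries quoted in the bug.
CVE-2018-7183 is named in the bug summary but no range is quoted for it,
so it is intentionally absent from AFFECTED_RANGES.
"""
import re
from typing import List, Optional, Tuple

# (major, minor, micro, patchlevel); patchlevel 0 means "no pN suffix".
Version = Tuple[int, int, int, int]

# cve -> list of (first affected, inclusive; first fixed, exclusive)
AFFECTED_RANGES = {
    "CVE-2018-7185": [("4.2.6", "4.2.8p11")],
    "CVE-2018-7184": [("4.2.8p4", "4.2.8p11")],
    "CVE-2018-7182": [("4.2.8p6", "4.2.8p11")],
    # quoted as "4.2.x before 4.2.8p7 and 4.3.x before 4.3.92"
    "CVE-2018-7170": [("4.2.0", "4.2.8p7"), ("4.3.0", "4.3.92")],
}

# Matches "4.2.8p10", Gentoo's "4.2.8_p11", and plain "4.2.6".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_?p(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return the first ntp version found in text as a comparable tuple.

    Works on bare versions, Gentoo atoms such as "net-misc/ntp-4.2.8_p11",
    and banners such as "ntpd 4.2.8p10@1.3728-o ..." (constructed sample).
    Returns None when no version is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def affecting_cves(text: str) -> List[str]:
    """Sorted list of quoted CVEs whose affected range contains the version."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no ntp version found in {text!r}")
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for lo, hi in ranges:
            # Half-open interval: "X before Y" means X <= v < Y.
            if parse_version(lo) <= v < parse_version(hi):
                hits.append(cve)
                break
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs, including the atom stabilised in this bug.
    samples = [
        "net-misc/ntp-4.2.8_p11",
        "ntpd 4.2.8p10@1.3728-o",
        "4.2.8p4",
        "4.3.91",
    ]
    for s in samples:
        cves = affecting_cves(s)
        print(f"{s:28} -> {', '.join(cves) if cves else 'not affected by the quoted CVEs'}")
```

Feed it the first line of `ntpd --version` or the installed atom from `equery list ntp` (both assumed here as the usual sources of the string); anything at or above 4.2.8p11 returns an empty list, which matches the stabilisation target of this bug.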