From URL:
----
NTF's NTP Project has been notified of a minor vulnerability in the processing of a crafted remote-configuration packet. Remote configuration is disabled by default. This issue was discovered and reported by Aleksis Kauppinen of Codenomicon.

Summary: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: ntpd set up to allow for remote configuration (not allowed by default), and knowledge of the configuration password, and access to a computer entrusted to perform remote configuration.
----
Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25

The site reads: "ntp-4.2.8p3 was released on 29 June 2015, and addresses leap-second issues and a minor security issue."

There may be leap-second bugs in previous versions of ntp fixed by the new release. Maintainers, please import 4.2.8p3. Thanks.

Reproducible: Always
*** Bug 553686 has been marked as a duplicate of this bug. ***
Commit message: Version bump http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1
(In reply to SpanKY from comment #2)
> Commit message: Version bump
> http://sources.gentoo.org/net-misc/ntp/ntp-4.2.8_p3.ebuild?rev=1.1

is it ok to go stable?
yes, should be fine
Please test and mark stable:
=net-misc/ntp-4.2.8_p3
target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA PPC64.
x86 stable
Stable on alpha.
arm stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Arches, Thank you for your work. New GLSA Request filed. Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), please drop the vulnerable version(s).
This issue was resolved and addressed in GLSA 201509-01 at https://security.gentoo.org/glsa/201509-01 by GLSA coordinator Kristian Fiskerstrand (K_F).
Re-Opening for cleanup. Maintainer(s), please drop the vulnerable version(s).
With base-system owning this, can this be cleaned up? Or can security clean up? We have quite a few vulnerable versions in tree.
Arches and Maintainer(s), Thank you for your work. Closing