Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 904337 (CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555) - <net-misc/ntp-4.2.8_p16: Multiple vulnerabilities
Summary: <net-misc/ntp-4.2.8_p16: Multiple vulnerabilities
Alias: CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [stable]
Depends on: 909110
  Show dependency tree
Reported: 2023-04-14 19:13 UTC by Sebastian Pipping
Modified: 2023-06-25 05:14 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Pipping gentoo-dev 2023-04-14 19:13:53 UTC
Patches not yet available to my best knowledge, see URL above for latest developments.  Mostly opening this ticket so you know what's coming.
Comment 1 Sebastian Pipping gentoo-dev 2023-04-14 20:41:30 UTC
PS: Given the state of net-misc/ntp upstream and downstream, I wonder if we should hard mask it for future removal and recommend use of net-misc/ntpsec instead.  Based on what says about "dummy transitional package to transition to NTPsec", the upcoming Debian stable seems to have gone that very route.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:29:15 UTC
Ping, maintainers? Shall we last rite?
Comment 3 Mike Gilbert gentoo-dev 2023-05-01 00:28:40 UTC
No, I don't think we will last rite over a bug in the rarely used ntpq utility.
Comment 4 Sebastian Pipping gentoo-dev 2023-05-01 00:51:03 UTC
Hi Mike, what do you suggest how to deal best with absence of patches to vulnerabilities and no upstream release for near three years?
Wouldn't it be great if users migrated to something less zombie like ntpsec or chrony, instead?
Comment 5 Mike Gilbert gentoo-dev 2023-05-01 01:08:28 UTC
(In reply to Sebastian Pipping from comment #4)
> Hi Mike, what do you suggest how to deal best with absence of patches to
> vulnerabilities and no upstream release for near three years?

It's been ~3 weeks since the references CVEs were published. What's the rush?

> Wouldn't it be great if users migrated to something less zombie like ntpsec
> or chrony, instead?

There is nothing stopping users from migrating.
Comment 6 Mike Gilbert gentoo-dev 2023-05-01 01:19:33 UTC
Eh, I guess ntpsec is basically a drop-in replacement, so there's no strong reason to keep ntp around. Objection withdrawn.
Comment 7 Sebastian Pipping gentoo-dev 2023-05-01 01:28:28 UTC
Thank you!
Comment 8 Patrick McLean gentoo-dev 2023-05-15 20:28:30 UTC
I have a minor concern. ntpsec took quite a bit longer than other packages to add openssl-3.0 compatibility. If they are going to be this slow to library updates in the future, then it may be worth keeping ntp around so users have an option.
Comment 9 Mike Gilbert gentoo-dev 2023-05-15 20:36:21 UTC
(In reply to Patrick McLean from comment #8)

Slow updates from ntpsec are better than no updates from ntp.

The handbook recommends net-misc/chrony anyway.
Comment 10 Larry the Git Cow gentoo-dev 2023-06-02 00:25:22 UTC
The bug has been referenced in the following commit(s):

commit 709240c79986e92294e0329e66b99f20dd05b1de
Author:     Sam James <>
AuthorDate: 2023-06-01 23:47:47 +0000
Commit:     Sam James <>
CommitDate: 2023-06-02 00:24:32 +0000

    net-misc/ntp: add 4.2.8_p16
    We don't need to generate our own man pages, see:
     * CMP: =net-misc/ntp-4.2.8_p15-r6 with net-misc/ntp-4.2.8_p16/image
     *  FILES:-usr/share/man/man8/keygen.8.xz
     *  FILES:-usr/share/man/man8/ntpd.8.xz
     *  FILES:-usr/share/man/man8/ntpdate.8.xz
     *  FILES:-usr/share/man/man8/ntpdc.8.xz
     *  FILES:-usr/share/man/man8/ntpdsim.8.xz
     *  FILES:-usr/share/man/man8/ntpq.8.xz
     *  FILES:-usr/share/man/man8/ntptime.8.xz
     *  FILES:-usr/share/man/man8/ntptrace.8.xz
     *  FILES:-usr/share/man/man8/tickadj.8.xz
     *   SIZE: 18.14MiB -> 18.17MiB, 305 -> 296 files
     * ------> FILES(-9) SIZE(+0.16%)
    ... but man pages remain in man1.
    Signed-off-by: Sam James <>

 net-misc/ntp/Manifest             |   1 +
 net-misc/ntp/ntp-4.2.8_p16.ebuild | 158 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-02 00:37:51 UTC

NTP 4.2.8p16 (Harlan Stenn <>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity), 
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0