Bug 563774 (CVE-2015-7691) - <net-misc/ntp-4.2.8_p4: multiple vulnerabilities (CVE-2015-{7691,7692,7701,7702,7703,7704,7705,7848,7849,7850,7851,7852,7853,7854,7855,7871})
Status: RESOLVED FIXED
Alias: CVE-2015-7691
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://support.ntp.org/bin/view/Main/...
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Blocks:
Reported: 2015-10-22 10:33 UTC by Hanno Boeck
Modified: 2016-07-20 11:53 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hanno Boeck gentoo-dev 2015-10-22 10:33:14 UTC
The summary line is too short to hold all CVEs; they are:
CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871

Upstream advisory:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

The latest ntp release 4.2.8_p4 fixes various security vulnerabilities. Some of them are related to a research paper from Boston University (worth reading) about NTP security:
http://www.cs.bu.edu/~goldbe/papers/NTPattack.pdf

Seems no single one of the bugs is super-serious; the most serious one is a crypto bypass for symmetric authentication (which is rarely used as far as I'm aware).

Please bump.
Comment 1 Patrick McLean gentoo-dev 2015-10-23 19:16:53 UTC
I have bumped net-misc/ntp to 4.2.8_p4 after asking WilliamH for permission to touch a base-system package.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 17:37:13 UTC
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 3 SpanKY gentoo-dev 2015-11-03 21:07:20 UTC
the code is generally fine, but the tests have gotten ... bad
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:34 UTC
This issue was resolved and addressed in GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15 by GLSA coordinator Aaron Bauman (b-man).