Bug 584954 (CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957) - <net-misc/ntp-4.2.8_p8: Multiple vulnerabilities (CVE-2016-{4953,4954,4955,4956,4957})
Summary: <net-misc/ntp-4.2.8_p8: Multiple vulnerabilities (CVE-2016-{4953,4954,4955,49...
Status: RESOLVED FIXED
Alias: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://support.ntp.org/bin/view/Main/...
Whiteboard: A3 [glsa cve]
Keywords:
Depends on:
Blocks: CVE-2015-7691 CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519
Reported: 2016-06-03 18:18 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2016-10-10 11:54 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-03 18:18:22 UTC
NTF's NTP Project has been notified of the following 1 high- and 4 low-severity vulnerabilities, which are fixed in ntp-4.2.8p8.

ntp-4.2.8p8 is scheduled to be released on 2 June 2016.

    Sec 3046 / CVE-2016-4957 / VU#321640: Crypto-NAK crash
        Reported by Nicolas Edet of Cisco.
    Sec 3045 / CVE-2016-4953 / VU#321640: Bad authentication demobilizes ephemeral associations
        Reported by Miroslav Lichvar of Red Hat.
    Sec 3044 / CVE-2016-4954 / VU#321640: Processing spoofed server packets
        Reported by Jakub Prokes of Red Hat.
    Sec 3043 / CVE-2016-4955 / VU#321640: Autokey association reset
        Reported by Miroslav Lichvar of Red Hat.
    Sec 3042 / CVE-2016-4956 / VU#321640: Broadcast interleave
        Reported by Miroslav Lichvar of Red Hat.

Timeline:

    160602: ntp-4.2.8p8 released.
    160526: CERT notification, including availability of pre-release patches. See: https://www.kb.cert.org/vuls/id/321640
    160524: NTP Consortium members at the Partner and Premier levels received pre-release patch access.
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-06-03 18:21:01 UTC
Fixed version already in tree, arches, please stabilize:
=net-misc/ntp-4.2.8_p8
stable arches: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 2 Richard Freeman gentoo-dev 2016-06-04 11:05:27 UTC
amd64 stable
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2016-06-06 11:31:55 UTC
Stable on alpha.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-07 06:23:38 UTC
Stable for PPC64.
Comment 5 Markus Meier gentoo-dev 2016-06-11 13:21:28 UTC
arm stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-06-15 15:38:33 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:50:44 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-08 07:58:57 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:07:29 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 12:06:41 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:57 UTC
This issue was resolved and addressed in GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15 by GLSA coordinator Aaron Bauman (b-man).
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-07-20 12:02:40 UTC
@maintainer(s), reopening for cleanup.
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2016-09-10 00:56:16 UTC
Maintainer(s), please drop the vulnerable version(s).

Please Drop: 4.2.8_p3, 4.2.8_p6, 4.2.8_p7
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 11:31:27 UTC
Any reason these still cannot be cleaned?
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-10-10 11:38:53 UTC
commit 5a50c3c8835393a878e462614bdc162127de1d60
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Oct 10 13:36:55 2016

    net-misc/ntp: Security cleanup (bug #584954).

    Package-Manager: portage-2.3.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-10-10 11:54:10 UTC
Thanks!