| Summary: | ntp new security issue CVE-2013-5211 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | cooker, davidwhodgins, mageia, oe, sysadmin-bugs, tmb |
| Version: | 3 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/580994/ | ||
| Whiteboard: | advisory MGA3-64-OK MGA3-32-OK | ||
| Source RPM: | ntp-4.2.6p5-14.mga4.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2014-01-16 17:06:07 CET

David Walser
2014-01-16 17:08:02 CET
CC: (none) => mageia

Gentoo has issued an advisory for this on January 16: http://www.gentoo.org/security/en/glsa/glsa-201401-08.xml They modified the default configuration in their package, so that appears to be the correct solution. Also, IIRC, ntp 4.2.7 is a development branch.
URL: (none) => http://lwn.net/Vulnerabilities/580994/

David Walser
2014-01-17 17:26:19 CET
Blocks: (none) => 11726

https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c8 Parts of that patch (ntpq-subs.c, ntp_request.c, ntp_scanner.c) have to be backported manually. I'd vote for a fix like: https://bugzilla.redhat.com/show_bug.cgi?id=1047854#c5 But this also has to be added to the /etc/ntp.conf file by force in the %post script if so, unless the user adds it him/herself by looking at a possible /etc/ntp.conf.rpmnew file.
CC: (none) => oe

I think adjusting the default configuration (looks like RedHat's already has) and giving instructions in the advisory (like Gentoo did) would be sufficient. The patch completely removes the monlist functionality, which isn't necessary.
Blocks: (none) => 11726
Johnny A. Solbu
2014-01-22 15:23:39 CET
CC: (none) => cooker

I've added this to the default ntp.conf in SVN (from Fedora):

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

Modified packages uploaded for Mageia 3 and Cauldron.

Advisory:
========================

Updated ntp packages work around a security vulnerability:

The "monlist" command of the NTP protocol is currently abused in a DDoS reflection attack. This is done by spoofing packets from the addresses at which the attack is directed. The ntp installations themselves are not the target of the attack, but they are part of the DDoS network which the attacker is driving (CVE-2013-5211).

** IMPORTANT **
Note: the workaround for this issue is not a change in the software, but instead is a change in the default configuration. In most cases, the configuration change will need to be made manually by administrators in the /etc/ntp.conf file, as the package will only install the updated configuration as /etc/ntp.conf.rpmnew. The following lines should be added to the end of /etc/ntp.conf:

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211
http://www.kb.cert.org/vuls/id/348126
http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-12.1.mga3
ntp-client-4.2.6p5-12.1.mga3
ntp-doc-4.2.6p5-12.1.mga3
Version: Cauldron => 3

Testing complete on Mageia 3 i586 and x86_64. Someone from the sysadmin team please push 12326.adv to updates.
Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0032.html
Status: NEW => RESOLVED
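Added example, not code from this bug report, the Mageia package or the ntp project: it builds the 8-byte mode 7 "monlist" query that reflection attacks send with a spoofed source address, parses the mode 7 header so a reply can be sized against the query, and audits an ntp.conf text for the mitigation the advisory above asks administrators to add (a `restrict default` line carrying `noquery`) or for ntp.org's alternative `disable monitor`. The header layout follows ntp's mode 7 private request format; the response packet and the two ntp.conf fragments are constructed here for illustration, not captured traffic or a shipped configuration.

```python
"""Added example for CVE-2013-5211 (ntp monlist amplification).

Not code from this bug, the Mageia package or the ntp project. Packet
layout follows ntp's mode 7 (private) request header; the response and
the two ntp.conf texts below are constructed here, not captured data.
"""
import struct

# Mode 7 header, 8 bytes, network byte order:
#   byte 0: response(1) | more(1) | version(3) | mode(3)
#   byte 1: auth(1) | sequence(7)
#   byte 2: implementation          IMPL_XNTPD = 3
#   byte 3: request code            REQ_MON_GETLIST_1 = 42
#   bytes 4-5: err(4) | nitems(12)
#   bytes 6-7: mbz(4) | itemsize(12)
IMPL_XNTPD = 3
REQ_MON_GETLIST_1 = 42
MON_ITEM_SIZE = 72        # one monlist entry on the wire
MAX_ITEMS_PER_PACKET = 6  # 8 + 6 * 72 = 440 bytes per reply packet


def build_monlist_request(version: int = 2) -> bytes:
    """The 8-byte query a reflector answers; attackers spoof the victim's address."""
    rm_vn_mode = ((version & 7) << 3) | 7            # response=0, more=0, mode=7
    return struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the header of a mode 7 request or response."""
    if len(pkt) < 8:
        raise ValueError("mode 7 packet shorter than its 8-byte header")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_itemsize = struct.unpack(
        "!BBBBHH", pkt[:8])
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 7,
        "mode": rm_vn_mode & 7,
        "auth": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": err_nitems >> 12,
        "nitems": err_nitems & 0x0FFF,
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def build_sample_monlist_response(nitems: int, more: bool = False) -> bytes:
    """Constructed reply with the shape of one monlist response packet (zeroed
    entries). A real server can send many such packets for one 8-byte query."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | 7
    hdr = struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      nitems & 0x0FFF, MON_ITEM_SIZE)
    return hdr + bytes(MON_ITEM_SIZE * nitems)


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes returned per byte sent, the figure that makes a reflector useful."""
    return len(response) / len(request)


def ntp_conf_mitigates_monlist(conf_text: str) -> bool:
    """True if the config stops mode 7 queries from arbitrary sources:
    'disable monitor' (ntp.org's workaround), or every 'restrict default'
    (including '-4 default' / '-6 default') line carries noquery or ignore.
    Comment-only and blank lines are skipped."""
    default_flags = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "disable" and "monitor" in words[1:]:
            return True
        if words[0] == "restrict":
            rest = [w for w in words[1:] if w not in ("-4", "-6")]
            if rest and rest[0] == "default":
                default_flags.append(set(rest[1:]))
    # no 'restrict default' line at all leaves mode 7 open to everyone
    return bool(default_flags) and all(
        "noquery" in flags or "ignore" in flags for flags in default_flags)


# Constructed ntp.conf fragments: before and after the advisory's change.
VULNERABLE_CONF = """\
server 0.pool.ntp.org
restrict 127.0.0.1
"""
FIXED_CONF = VULNERABLE_CONF + """\
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery
"""


if __name__ == "__main__":
    req = build_monlist_request()
    reply = build_sample_monlist_response(MAX_ITEMS_PER_PACKET, more=True)
    print(req.hex(), parse_mode7_header(req))
    print(len(reply), "byte reply packet, factor", amplification_factor(req, reply))
    print("vulnerable conf mitigated:", ntp_conf_mitigates_monlist(VULNERABLE_CONF))
    print("fixed conf mitigated:", ntp_conf_mitigates_monlist(FIXED_CONF))
```

Two caveats for anyone applying the advisory: the audit only looks at the `default` restriction, so a more specific `restrict <subnet>` line that omits `noquery` re-opens monlist for that subnet, and the fix takes effect only after ntpd is restarted. After restarting, `ntpdc -n -c monlist 127.0.0.1` on the host should time out instead of returning the list of recent peers.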