Bug 17041

Summary: ntp more security issues fixed upstream in ntp-4.2.8p4
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: i586
OS: Linux
URL: http://lwn.net/Vulnerabilities/661765/
Whiteboard: advisory MGA5-64-OK
Source RPM: ntp-4.2.6p5-24.2.mga5.src.rpm

Description David Walser 2015-10-28 18:57:40 CET
Ubuntu has issued an advisory on October 27:
http://www.ubuntu.com/usn/usn-2783-1/

They patched three more CVEs that Fedora missed.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

Yves Younan discovered that NTP incorrectly handled logfile and keyfile
directives. In a non-default configuration, a remote authenticated attacker
could possibly use this issue to cause NTP to enter a loop, resulting in a
denial of service (CVE-2015-7850).

Yves Younan discovered that NTP incorrectly handled reference clock memory.
A malicious refclock could possibly use this issue to cause NTP to crash,
resulting in a denial of service, or possibly execute arbitrary code
(CVE-2015-7853).

John D "Doug" Birdwell discovered that NTP incorrectly handled decoding
certain bogus values. An attacker could possibly use this issue to cause
NTP to crash, resulting in a denial of service (CVE-2015-7855).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855
http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
http://www.ubuntu.com/usn/usn-2783-1/
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.3.mga5
ntp-client-4.2.6p5-24.3.mga5
ntp-doc-4.2.6p5-24.3.mga5

from ntp-4.2.6p5-24.3.mga5.src.rpm

Dave Hodgins 2015-10-29 05:54:24 CET

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 1 Mageia Robot 2015-10-30 21:12:08 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0418.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED