Bug 31790

Summary: ntp new security issues CVE-2023-2655[1-5]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: jean-pierre, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ntp-4.2.8p15-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-04-13 16:56:47 CEST
Advisories were posted a few days ago here:
https://github.com/spwpun/ntp-4.2.8p15-cves

with very little detail.  I've been told by a security guy from SUSE that "our engineer review says the mstolfp ones are only callable via ntpq (so would need to have someone point ntpq at a malicious server) and the last one is in a specific ntp reference clock driver" so these may not be a big deal.
Comment 1 Lewis Smith 2023-04-13 21:36:06 CEST
Assigning globally as no particular packager in view; CC'ing Jean-Pierre who did the most recent correction to ntp.

Assignee: bugsquad => pkg-bugs
CC: (none) => jean-pierre

Comment 2 David Walser 2023-05-11 18:00:39 CEST
SUSE has issued an advisory for this on May 9:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014820.html
Comment 3 Nicolas Salguero 2023-05-12 10:51:24 CEST
Hi,

The patch from openSUSE that solves CVE-2023-2655[1-4] was committed to SVN.  For the moment, there is no fix for CVE-2023-26555.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2024-01-12 10:45:47 CET
Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD