Debian has issued an advisory on February 5:
https://www.debian.org/security/2015/dsa-3154

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297).

Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
https://www.debian.org/security/2015/dsa-3154
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-15.3.mga4
ntp-client-4.2.6p5-15.3.mga4
ntp-doc-4.2.6p5-15.3.mga4

from ntp-4.2.6p5-15.3.mga4.src.rpm
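The advisory above concerns extension-field length values that were used without validation. As an added illustration (not code from ntp or from this bug report), the following C example walks extension fields laid out as in RFC 5905 (16-bit type, then a 16-bit length covering the whole field) and rejects any declared length that is too short, unaligned, or larger than the bytes received. It assumes the buffer holds only the extension-field region; the function name and sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_HDR_LEN 4u   /* 16-bit field type + 16-bit length */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * Walk the extension fields in buf[0..buflen) looking for `type`.
 * Returns 1 and sets *val / *vlen if found, 0 if absent, and -1 if a
 * declared length is shorter than the header, not a multiple of 4,
 * or larger than the bytes actually received.
 */
int find_ext_field(const uint8_t *buf, size_t buflen, uint16_t type,
                   const uint8_t **val, size_t *vlen)
{
    size_t off = 0;
    while (off < buflen) {
        size_t remaining = buflen - off;
        size_t len;
        if (remaining < EXT_HDR_LEN)
            return -1;                /* truncated header */
        len = be16(buf + off + 2);
        if (len < EXT_HDR_LEN || len % 4 != 0)
            return -1;                /* a length of 0 would never advance */
        if (len > remaining)
            return -1;                /* field claims bytes never received */
        if (be16(buf + off) == type) {
            *val = buf + off + EXT_HDR_LEN;
            *vlen = len - EXT_HDR_LEN;
            return 1;
        }
        off += len;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples: type 2 declaring length 8, then length 0x0100. */
    static const uint8_t good[] = { 0x00, 0x02, 0x00, 0x08, 'a', 'b', 'c', 'd' };
    static const uint8_t bad[]  = { 0x00, 0x02, 0x01, 0x00, 'a', 'b', 'c', 'd' };
    const uint8_t *v; size_t n;
    printf("good: %d\n", find_ext_field(good, sizeof good, 2, &v, &n));
    printf("bad:  %d\n", find_ext_field(bad, sizeof bad, 2, &v, &n));
    return 0;
}
```

The second sample declares 256 bytes in an 8-byte buffer; without the `len > remaining` check, a caller trusting `*vlen` would read past the received data.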
URL: (none) => http://lwn.net/Vulnerabilities/632252/
Testing on Mageia 4x64 real hardware

From current packages :
---------------------
ntp-4.2.6p5-15.2.mga4
ntp-client-4.2.6p5-15.2.mga4

Stopped ntpd service, changed time, restarted ntpd and verified it corrected wrong time set.

To updated packages :
-------------------
ntp-4.2.6p5-15.3.mga4
ntp-client-4.2.6p5-15.3.mga4

Restarted ntpd service, verified its status, stopped ntpd, set wrong time, restarted ntpd, verified it set time correctly.

OK on Mageia4x64.
CC: (none) => olchal
Whiteboard: (none) => MGA4-64-OK
Whiteboard: MGA4-64-OK => has_procedure MGA4-64-OK
Updated packages running on our main server here. Once installed (which restarts the service), waited a while and checked with ntpq -p to verify that it found remote servers and was synchronizing with them (* before one of them).

Note that I had to add this to ntp.conf for ntpq to work:

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1

I've added that in SVN and it will be included in the next update. I should have added this in the CVE-2013-5211 update and didn't at the time unfortunately.

Testing complete Mageia 4 i586.
Whiteboard: has_procedure MGA4-64-OK => has_procedure MGA4-64-OK MGA4-32-OK
Validating. Advisory uploaded.

Please push to 4 updates

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-64-OK MGA4-32-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0063.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
These CVEs have been replaced with CVE-2014-9750 and CVE-2014-9751 for some reason:
https://bugzilla.redhat.com/show_bug.cgi?id=1184573#c22
https://bugzilla.redhat.com/show_bug.cgi?id=1184572#c12

LWN reference for CVE-2014-9750:
http://lwn.net/Vulnerabilities/663111/
Summary: ntp new security issues CVE-2014-9297 and CVE-2014-9298 => ntp new security issues CVE-2014-9297 and CVE-2014-9298 (aka CVE-2014-9750 and CVE-2014-9751)
LWN reference for CVE-2014-9751: http://lwn.net/Vulnerabilities/665250/