Upstream has announced two new security issues today (April 7): http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities There was some discussion of it on oss-security: http://openwall.com/lists/oss-security/2015/04/07/4 Waiting for backported patches from Fedora. Mageia 4 and Mageia 5 are affected. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
Proposed fixes are linked from these bugs: http://bugs.ntp.org/show_bug.cgi?id=2779 http://bugs.ntp.org/show_bug.cgi?id=2781
CC: (none) => oe
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A
ntp-4.2.6p5-15.4.mga4 has been submitted to updates_testing with these patches. Patches has been added in cauldron.
====================================================== Name: CVE-2015-1798 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20150217 Category: Reference: CONFIRM:http://bugs.ntp.org/show_bug.cgi?id=2779 Reference: CONFIRM:http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities Reference: CERT-VN:VU#374268 Reference: URL:http://www.kb.cert.org/vuls/id/374268 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. ====================================================== Name: CVE-2015-1799 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20150217 Category: Reference: CONFIRM:http://bugs.ntp.org/show_bug.cgi?id=2781 Reference: CONFIRM:http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities Reference: CERT-VN:VU#374268 Reference: URL:http://www.kb.cert.org/vuls/id/374268 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.
Thanks. FYI, you misnamed the second patch as CVE-2015-2781 (2781 being the upstream bug number) instead of CVE-2015-1799. I just fixed it in SVN.
(In reply to David Walser from comment #5) > Thanks. FYI, you misnamed the second patch as CVE-2015-2781 (2781 being the > upstream bug number) instead of CVE-2015-1799. I just fixed it in SVN. Oh, thanks.
Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated ntp packages fix security vulnerabilities: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (CVE-2015-1798). The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (CVE-2015-1799). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799 http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities ======================== Updated packages in core/updates_testing: ======================== ntp-4.2.6p5-15.5.mga4 ntp-client-4.2.6p5-15.5.mga4 ntp-doc-4.2.6p5-15.5.mga4 from ntp-4.2.6p5-15.5.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => (none)Severity: normal => major
URL: (none) => http://lwn.net/Vulnerabilities/639575/
Testing complete mga4 64 # systemctl status ntpd.service ntpd.service - Network Time Service Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled) Active: active (running) since Fri 2015-04-10 15:25:56 BST; 3min 10s ago # ntptime ntp_gettime() returns code 0 (OK) time d8d25dd3.e5f44cf0 Fri, Apr 10 2015 15:33:55.898, (.898259141), maximum error 147614 us, estimated error 365 us, TAI offset 0 ntp_adjtime() returns code 0 (OK) modes 0x0 (), offset -670.415 us, frequency -35.717 ppm, interval 1 s, maximum error 147614 us, estimated error 365 us, status 0x2001 (PLL,NANO), time constant 6, precision 0.001 us, tolerance 500 ppm,
Whiteboard: (none) => has_procedure mga4-64-ok
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure advisory mga4-64-okCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0152.html
Status: NEW => RESOLVEDResolution: (none) => FIXED