Upstream has issued an advisory in June: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi This is a very minor issue. Basically, someone who has access from a remote machine to configure ntpd can also shut down (crash) ntpd. Remote configuration is also not enabled by default. The RedHat bug for this is here: https://bugzilla.redhat.com/show_bug.cgi?id=1238136 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
A few more minor security issues in ntp have been announced: http://openwall.com/lists/oss-security/2015/08/25/3 Fixes are linked in the message above.
Summary: ntp new security issue CVE-2015-5146 => ntp new security issue CVE-2015-5146, CVE-2015-519[4-6], CVE-2015-5219
Fedora has submitted an update for these issues to their QA: https://bodhi.fedoraproject.org/updates/ntp-4.2.6p5-33.fc22 Advisory: ======================== Updated audit packages fix security vulnerability: A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted package to cause ntpd to crash if the attacker had authenticated access to remote ntpd configuration (CVE-2015-5146). It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands, for example, ntpq -c ":config logconfig a" (CVE-2015-5194). It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command, for example, ntpq -c ':config statistics timingstats' ntpq -c ':config filegen timingstats' (CVE-2015-5195). It was found that the :config command can be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). For example, ntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' (CVE-2015-5196). It was discovered that sntp would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double (CVE-2015-5219). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5146 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5219 http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi http://openwall.com/lists/oss-security/2015/08/25/3 ======================== Updated packages in core/updates_testing: ======================== ntp-4.2.6p5-15.6.mga4 ntp-client-4.2.6p5-15.6.mga4 ntp-doc-4.2.6p5-15.6.mga4 ntp-4.2.6p5-24.1.mga5 ntp-client-4.2.6p5-24.1.mga5 ntp-doc-4.2.6p5-24.1.mga5 from SRPMS: ntp-4.2.6p5-15.6.mga4.src.rpm ntp-4.2.6p5-24.1.mga5.src.rpm
Version: Cauldron => 5Assignee: bugsquad => qa-bugsWhiteboard: MGA5TOO, MGA4TOO => MGA4TOO
Hi! I'm going to test this update on (in rough order): * MGA5-64 * MGA4-32 * MGA5-32 * MGA4-64 All on VBox VMs.
CC: (none) => shlomif
Marking as MGA5-64-OK.
Whiteboard: MGA4TOO => MGA4TOO MGA5-64-OK
Marking as MGA4-32-OK .
Whiteboard: MGA4TOO MGA5-64-OK => MGA4TOO MGA5-64-OK MGA4-32-OK
Marking as MGA5-32-OK .
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK
Marking as MGA4-64-OK. I think the update can be validated.
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK => MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
(In reply to Shlomi Fish from comment #7) > I think the update can be validated. Then feel free to do it by added the validated_update keyword. It's not an issue if the advisory has not been uploaded yet, on the contrary it makes the need for it more visible on madb.
(In reply to Rémi Verschelde from comment #8) > (In reply to Shlomi Fish from comment #7) > > I think the update can be validated. > > Then feel free to do it by added the validated_update keyword. It's not an > issue if the advisory has not been uploaded yet, on the contrary it makes > the need for it more visible on madb. Done.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded. s/audit/ntp/
Whiteboard: MGA4TOO MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK => MGA4TOO advisory MGA5-64-OK MGA4-32-OK MGA5-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0348.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
LWN reference for CVE-2015-5194 CVE-2015-5195 CVE-2015-5196 CVE-2015-5219: http://lwn.net/Vulnerabilities/656982/
CVE-2015-5196 is now known as CVE-2015-7703: http://openwall.com/lists/oss-security/2015/10/23/13