A security issue affecting busybox's ntpd implementation was announced: https://bugzilla.redhat.com/show_bug.cgi?id=1363710 Apparently the code came from openntpd, which fixed the issue in 2009, but the fix never made it into busybox until recently. It also never made it into our openntpd package, because apparently it's an old version and an unmaintained package. Patched packages uploaded for Mageia 5 and Cauldron. Advisory: ======================== Updated busybox and openntpd packages fix security vulnerability: The busybox NTP implementation doesn't check the NTP mode of packets received on the server port and responds to any packet with the right size. This includes responses from another NTP server. An attacker can send a packet with a spoofed source address in order to create an infinite loop of responses between two busybox NTP servers. Adding more packets to the loop increases the traffic between the servers until one of them has a fully loaded CPU and/or network (CVE-2016-6301). The affected code originated from openntpd, which had fixed it upstream, but the fix had not made it into Mageia's openntpd package. It has also been patched with the fix in this update. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6301 https://bugzilla.redhat.com/show_bug.cgi?id=1363710 ======================== Updated packages in core/updates_testing: ======================== busybox-1.22.1-5.3.mga5 busybox-static-1.22.1-5.3.mga5 openntpd-3.9p1-11.1.mga5 from SRPMS: busybox-1.22.1-5.3.mga5.src.rpm openntpd-3.9p1-11.1.mga5.src.rpm
Tested busybox using "busybox ntpd -d -q -p pool.ntp.org", but openntpd hangs on start with PID file /var/run/ntpd.pid not readable (yet?) after start. The /etc/rc.d/init.d/ntpd script has # pidfile: /var/run/ntpd.pid No ntpd.pid file is created in /var/run/ Removing the pidfile line from the chkconfig settings in the start script fixes the problem. I haven't checked to see if this is a regression.
CC: (none) => davidwhodginsWhiteboard: (none) => feedback
Let's just pass this along. openntpd has never been maintained since it was imported into Mageia and probably has other bugs too. I added it to task-obsolete in Cauldron SVN.
Whiteboard: feedback => (none)
Keywords: (none) => validated_updateWhiteboard: (none) => advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0277.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/696815/
Oops, forgot to note that this update also fixed Bug 17071 for busybox.
Blocks: (none) => 17071