Fedora has issued an advisory on March 28: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4B7BMVXV53EE7XYW2KAVETDHTP452O3Z/ According to the upstream advisory: http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu There's also CVE-2016-9042 and CVE-2017-6460, which RedHat's bugzilla marked as fixed in Fedora, but they don't appear to be addressed. Patched packages uploaded for Mageia 5 and Cauldron. ntp-4.2.6p5-24.8.mga5 ntp-client-4.2.6p5-24.8.mga5 ntp-doc-4.2.6p5-24.8.mga5 from ntp-4.2.6p5-24.8.mga5.src.rpm Holding off pushing to QA until I get more clarity on the missing CVEs (feel free to help).
(In reply to David Walser from comment #0) <snip> > > Holding off pushing to QA until I get more clarity on the missing CVEs (feel > free to help). Now assigning to all packagers collectively, because my assumption that all packagers interested in helping to find CVEs for "nobody's" packages will already have read comment #0, may have been wrong. http://people.mageia.org/g/mga-security.html is much smaller than I had expected, I had expected it to have at least twice as many members (at least six instead of the current 3).
CC: (none) => marja11Assignee: bugsquad => pkg-bugs
(In reply to David Walser from comment #0) > There's also CVE-2016-9042 and CVE-2017-6460, which RedHat's bugzilla marked > as fixed in Fedora, but they don't appear to be addressed. According to https://security-tracker.debian.org/tracker/CVE-2016-9042, CVE-2016-9042 affects the upstream fix for CVE-2015-8138 but, like Debian, Mageia uses a patch from RedHat so Mageia is not affected by CVE-2016-9042. According to https://security-tracker.debian.org/tracker/CVE-2017-6460, Mageia is not affected because the vulnerable code not present in 4.2.6.p5.
CC: (none) => nicolas.salguero
Thanks Nicolas! Assigning to QA. Package list in Comment 0. Advisory: ======================== Updated ntp packages fix security vulnerabilities: A vulnerability was found in NTP, in the legacy MX4200 refclock implementation. If this refclock was compiled in and used, an attacker may be able to induce stack overflow, leading to a crash or potential code execution (CVE-2017-6451). A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash (CVE-2017-6458). A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash (CVE-2017-6462). A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message (CVE-2017-6463). A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message (CVE-2017-6464). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6451 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464 http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4B7BMVXV53EE7XYW2KAVETDHTP452O3Z/
Assignee: pkg-bugs => qa-bugs
In case it helps, the programs provided by these pkgs are, all in /usr/sbin/ :- NTP: ntp-keygen, ntp-wait, ntpd, ntpdc, ntpq, ntpsnmpd, ntpstat, ntptime, ntptrace, sntp, tickadj NTP-CLIENT; ntpdate, ntpdate-wrapper
CC: (none) => lewyssmith
MGA5-32 on Asus A6000VM Xfce No installation issues Ref bug 19843 Comment 1 at CLI: # systemctl restart ntpd # systemctl status ntpd â ntpd.service - Network Time Service Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled) Active: active (running) since vr 2017-05-05 13:56:57 CEST; 28s ago Process: 11948 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS) Main PID: 11950 (ntpd) CGroup: /system.slice/ntpd.service ââ11950 /usr/sbin/ntpd -u ntp:ntp -g mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listen and drop on 1 v6wildcard :: UDP 123 mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listen normally on 2 lo 127.0.0.1 UDP 123 mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listen normally on 3 wlp0s29f7u4 192....23 mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listen normally on 4 lo ::1 UDP 123 mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listen normally on 5 wlp0s29f7u4 fe80...23 mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: peers refreshed mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: Listening on routing socket on fd #22...es mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: 0.0.0.0 c016 06 restart mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM mei 05 13:56:57 mach6.hviaene.thuis ntpd[11950]: 0.0.0.0 c011 01 freq_not_set Hint: Some lines were ellipsized, use -l to show in full. Clock keeps running OK. Tried also one of the commands: # ntptime ntp_gettime() returns code 0 (OK) time dcb6e602.d6868000 Fri, May 5 2017 13:52:34.837, (.837990), maximum error 125500 us, estimated error 16000000 us, TAI offset 0 ntp_adjtime() returns code 0 (OK) modes 0x0 (), offset 0.000 us, frequency -2.998 ppm, interval 1 s, maximum error 125500 us, estimated error 16000000 us, status 0x0 (), time constant 2, precision 1.000 us, tolerance 500 ppm, Looks good to me.
Whiteboard: (none) => MGA5-32-OKCC: (none) => herman.viaene
Ok on x86_64 too. Advisory committed to svn. Validating the update.
Keywords: (none) => validated_updateWhiteboard: MGA5-32-OK => MGA5-32-OK advisory MGA5-64-OKCC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0134.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED