Bug 31790 - ntp new security issues CVE-2023-2655[1-5]
Summary: ntp new security issues CVE-2023-2655[1-5]
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
Reported: 2023-04-13 16:56 CEST by David Walser
Modified: 2024-01-12 10:45 CET

Source RPM: ntp-4.2.8p15-1.mga8.src.rpm

Description David Walser 2023-04-13 16:56:47 CEST
Advisories were posted a few days ago here:
https://github.com/spwpun/ntp-4.2.8p15-cves

with very little detail. I've been told by a security guy from SUSE that "our engineer review says the mstolfp ones are only callable via ntpq (so would need to have someone point ntpq at a malicious server) and the last one is in a specific ntp reference clock driver" so these may not be a big deal.

Comment 1 Lewis Smith 2023-04-13 21:36:06 CEST
Assigning globally as no particular packager in view; CC'ing Jean-Pierre who did the most recent correction to ntp.

Assignee: bugsquad => pkg-bugs
CC: (none) => jean-pierre

Comment 2 David Walser 2023-05-11 18:00:39 CEST
SUSE has issued an advisory for this on May 9:
https://lists.suse.com/pipermail/sle-security-updates/2023-May/014820.html

Comment 3 Nicolas Salguero 2023-05-12 10:51:24 CEST
Hi,

The patch from openSUSE that solves CVE-2023-2655[1-4] was committed to SVN.  For the moment, there is no fix for CVE-2023-26555.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 4 Nicolas Salguero 2024-01-12 10:45:47 CET
Mageia 8 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD

