NEWS file update for bug 2853

author Harlan Stenn <stenn@ntp.org>

Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)

committer Harlan Stenn <stenn@ntp.org>

Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)
author Harlan Stenn <stenn@ntp.org>
Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)
committer Harlan Stenn <stenn@ntp.org>
Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)
diff --git a/NEWS b/NEWS

index 83d05e5b0781e2f613297ef16a620f644b1cfafc..4e61d1b80bb7a6cd370f7c460af5adb1a9c955c6 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,25 @@
  ---
-NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/xx) 
+NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 
  
-Focus: Bug fixes and enhancements.  Leap-second improvements.
+Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
  
  Severity: MEDIUM
  
+Security Fix:
+
+* [Sec 2853] Crafted remote config packet can crash some versions of
+  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
+
+Under specific circumstances an attacker can send a crafted packet to
+cause a vulnerable ntpd instance to crash. This requires each of the
+following to be true:
+
+1) ntpd set up to allow remote configuration (not allowed by default), and
+2) knowledge of the configuration password, and
+3) access to a computer entrusted to perform remote configuration. 
+
+This vulnerability is considered low-risk.
+
  New features in this release:
  
  Optional (disabled by default) support to have ntpd provide smeared
author	Harlan Stenn <stenn@ntp.org>
	Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)
committer	Harlan Stenn <stenn@ntp.org>
	Mon, 29 Jun 2015 19:33:22 +0000 (19:33 +0000)