From: Harlan Stenn Date: Thu, 16 Mar 2017 07:48:09 +0000 (+0000) Subject: Updates X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=069c3e594d399524975ecfc73838cc7c959481c7;p=thirdparty%2Fntp.git Updates bk: 58ca4339hIdQIFhej9x-VESWubpd_A --- diff --git a/NEWS b/NEWS index 566838871..dc6a4e73e 100644 --- a/NEWS +++ b/NEWS @@ -5,16 +5,12 @@ Focus: Security, Bug fixes, enhancements. Severity: MEDIUM -This release fixes 5 medium-, 6 low-, and 5 informational-severity -vulnerabilities, and provides 14 other non-security fixes and improvements: - -* [Sec 3393] clang scan-build findings - (We are still documenting these issues. It's not yet clear - if there are security issues, or if this is just code cleanup.) +This release fixes 5 medium-, 6 low-, and 4 informational-severity +vulnerabilities, and provides 15 other non-security fixes and improvements: * NTP-01-016 NTP: Denial of Service via Malformed Config (Medium) - Date Resolved: XX Mar 2017 - References: Sec 3389 / CVE-2017-6464 / VU#XXXX + Date Resolved: 21 Mar 2017 + References: Sec 3389 / CVE-2017-6464 / VU#325339 Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) @@ -33,8 +29,8 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: This weakness was discovered by Cure53. * NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low) - Date Resolved: XX Mar 2017 - References: Sec 3388 / CVE-2017-6462 / VU#XXXX + Date Resolved: 21 Mar 2017 + References: Sec 3388 / CVE-2017-6462 / VU#325339 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 
@@ -58,7 +54,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium) Date Resolved: 21 Mar 2017 - References: Sec 3387 / CVE-2017-6463 / VU#XXXX + References: Sec 3387 / CVE-2017-6463 / VU#325339 Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) @@ -73,12 +69,14 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: Implement BCP-38. Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page + Properly monitor your ntpd instances, and auto-restart + ntpd (without -g) if it stops running. Credit: This weakness was discovered by Cure53. * NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational) Date Resolved: 21 Mar 2017 - References: Sec 3386 / CVE-2017-6461 / VU#XXXX + References: Sec 3386 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N) @@ -105,7 +103,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info) Date Resolved: 21 Mar 2017 - References: Sec 3385 / CVE-2017-6457 + References: Sec 3385 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. Summary: 
@@ -132,7 +130,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS PPSAPI ONLY) (Low) Date Resolved: 21 Mar 2017 - References: Sec 3384 / CVE-2017-6455 / VU#XXXX + References: Sec 3384 / CVE-2017-6455 / VU#325339 Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. @@ -155,8 +153,8 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS installer ONLY) (Low) - Date Resolved: XX Mar 2017 - References: Sec 3383 / CVE-2017-6452 / VU#XXXX + Date Resolved: 21 Mar 2017 + References: Sec 3383 / CVE-2017-6452 / VU#325339 Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. @@ -182,7 +180,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS installer ONLY) (Low) Date Resolved: 21 Mar 2017 - References: Sec 3382 / CVE-2017-6459 / VU#XXXX + References: Sec 3382 / CVE-2017-6459 / VU#325339 Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. @@ -205,7 +203,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: This weakness was discovered by Cure53. * NTP-01-006 NTP: Copious amounts of Unused Code (Informational) - References: Sec 3381 / CVE-2017-6454 + References: Sec 3381 Summary: The report says: Statically included external projects potentially introduce several problems and the issue of having 
@@ -254,7 +252,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low) Date Resolved: 21 Mar 2017 - References: Sec 3380 / CVE-2017-6456 / VU#XXXX + References: Sec 3380 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N) @@ -273,7 +271,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium) Date Resolved: 21 Mar 2017 - References: Sec 3379 / CVE-2017-6458 / VU#XXXX + References: Sec 3379 / CVE-2017-6458 / VU#325339 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C) @@ -300,7 +298,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low) Date Resolved: 21 Mar 2017 - References: Sec 3378 / CVE-2017-6451 / VU#XXXX + References: Sec 3378 / CVE-2017-6451 / VU#325339 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P) @@ -333,7 +331,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a malicious ntpd (Medium) Date Resolved: 21 Mar 2017 - References: Sec 3377 / CVE-2017-6460 / VU#XXXX + References: Sec 3377 / CVE-2017-6460 / VU#325339 Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C) 
@@ -359,7 +357,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational) Date Resolved: 21 Mar 2017 - References: Sec 3376 / CVE-2017-6453 / VU#XXXX + References: Sec 3376 Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: N/A @@ -387,8 +385,8 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: * 0rigin DoS (Medium) Date Resolved: 21 Mar 2017 - References: Sec 3361 / CVE-2016-9042 / VU#XXXX - Affects: ntp-4.0.9 (DD MMM 201Y), up to but not including ntp-4.2.8p10 + References: Sec 3361 / CVE-2016-9042 / VU#325339 + Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10 CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case) CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case) Summary: @@ -413,6 +411,7 @@ vulnerabilities, and provides 14 other non-security fixes and improvements: Other fixes: +* [Bug 3393] clang scan-build findings * [Bug 3363] Support for openssl-1.1.0 without compatibility modes - rework of patch set from . * [Bug 3356] Bugfix 3072 breaks multicastclient
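Review bot: In the first hunk (@@ -5,16 +5,12 @@), the [Sec 3393] entry is removed along with its note that it was "not yet clear if there are security issues", and the final hunk re-adds it as "[Bug 3393] clang scan-build findings" under "Other fixes", but neither the patch nor the subject "Updates" records that the findings were judged not to be security issues. Suggest stating that outcome in the commit message or on the Bug 3393 line, since the summary counts move from 5 to 4 informational and from 14 to 15 other fixes on that basis.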
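Review bot: In the @@ -73,12 +69,14 @@ hunk, the added mitigation "auto-restart ntpd (without -g) if it stops running" gives no reason for leaving out -g. A short clause would help operators apply it correctly, for example that -g lets ntpd accept an initial offset larger than the panic threshold, which an unattended restart after a crash should not do.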
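Review bot: In the @@ -105,7 +103,7 @@ hunk, the NTP-01-010 title uses "(Info)" while NTP-01-011, NTP-01-006 and NTP-01-001 use "(Informational)". Since this patch already touches the entry, suggest making the severity label consistent so the entries can be matched against the "4 informational-severity" count in the header.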
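Review bot: In the @@ -205,7 +203,7 @@ hunk, NTP-01-006 goes straight from its title to "References: Sec 3381" with no "Date Resolved:" line, although this patch fills in that field for the neighbouring entries. If the item is resolved in this release, add the date; if it is not, say so in the entry, because the header line describes these items as vulnerabilities the release fixes.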
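Review bot: In the @@ -254,7 +252,7 @@ hunk, NTP-01-005 keeps its "(Low)" label after the CVE-2017-6456 and VU# references are removed, and the context line below it reads "CVSS2: None 0.0". Every other entry that loses its CVE in this patch (NTP-01-011, NTP-01-010, NTP-01-006, NTP-01-001) is informational, so please confirm which is intended: keep the CVE reference, or relabel the entry and adjust the "6 low-, and 4 informational-severity" summary to match.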
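Review bot: In the @@ -387,8 +385,8 @@ hunk, the new line "Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10" gives no range for the 4.3 development series, whereas the other Affects lines visible in this patch all add "and ntp-4.3.0 up to, but not including ntp-4.3.94". Suggest stating the affected 4.3.x range for the 0rigin DoS entry, or noting explicitly that the series is not affected.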