From: Harlan Stenn Date: Sat, 1 Oct 2016 09:18:25 +0000 (+0000) Subject: Update NEWS for 3082 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=09559be8b76db8ce88c9f40210f62d0b73734d2a;p=thirdparty%2Fntp.git Update NEWS for 3082 bk: 57ef7f61v6R8L_80E1pmwxyQS_Raig --- diff --git a/NEWS b/NEWS index 2adf9544d..8000d1efc 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,23 @@ Severity: HIGH In addition to bug fixes and enhancements, this release fixes the following X high- and Y low-severity vulnerabilities: +* null pointer dereference in _IO_str_init_static_internal() + Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 +X References: Sec 3082 / CVE-2016-XXXX / VU#XXXXX +X Affects: ntp-4.2.8p7, and ntp-4.3.92. +X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) +X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H +X Summary: +X Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + If you cannot upgrade from 4.2.8p7, the only other alternatives + are to patch your code or filter CRYPTO_NAK packets. + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + * Attack on interface selection Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 X References: Sec 3072 / CVE-2016-XXXX / VU#XXXXX
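Review bot: The new NEWS entry for Sec 3082 still carries unfilled placeholders ("Date Resolved: xx October 2016", "CVE-2016-XXXX", "VU#XXXXX") and an empty "X Summary:" line, so as committed it does not yet tell an operator what the null pointer dereference is or how it is reached; the Summary should at least state the triggering condition, since the Mitigation line "filter CRYPTO_NAK packets" only makes sense to a reader who knows the crash is reached through that packet type. The Mitigation block also needs its Affects/upgrade lines reconciled before release: "X Affects: ntp-4.2.8p7, and ntp-4.3.92." pairs with "Upgrade to 4.2.8p8, or later" and "Dev (4.3.94)", so the dev-branch reader is told nothing about which 4.3.x release to move to. The CVSS vectors themselves check out (CVSS2 AV:N/AC:L/Au:N/C:N/I:N/A:C scores 7.8, CVSS3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores 7.5), and the surrounding "following X high- and Y low-severity" counters in the unchanged context still need their numbers once the 3082 and 3072 entries are final.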