From: Harlan Stenn Date: Mon, 22 Dec 2014 02:52:42 +0000 (+0000) Subject: NEWS file update X-Git-Tag: NTP_4_2_8P1_BETA1~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7cc6e5559e3ec67f5b515ceaff0df530b52e742c;p=thirdparty%2Fntp.git NEWS file update bk: 5497877aKwwrmq7VeI30Zh29PQtTMA --- diff --git a/NEWS b/NEWS index efd488f30..9761435a6 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,24 @@ Severity: HIGH In addition to bug fixes and enhancements, this release fixes the following high-severity vulnerabilities: +************************** vv NOTE WELL vv ***************************** + +The vulnerabilities listed below can be significantly mitigated by +following the BCP of putting + + restrict default ... noquery + +in the ntp.conf file. With the exception of: + + receive(): missing return on error + References: Sec 2670 / CVE-2014-9296 / VU#852879 + +below (which is a limited-risk vulnerability), none of the recent +vulnerabilities listed below can be exploited if the source IP is +restricted from sending a 'query'-class packet by your ntp.conf file. + +************************** ^^ NOTE WELL ^^ ***************************** + * Weak default key in config_auth(). References: [Sec 2665] / CVE-2014-9293 / VU#852879 @@ -23,7 +41,9 @@ following high-severity vulnerabilities: entropy. This was sufficient back in the late 1990s when the code was written. Not today. - Mitigation: Upgrade to 4.2.7p11 or later. + Mitigation - any of: + - Upgrade to 4.2.7p11 or later. + - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta of the Google Security Team. 
@@ -43,7 +63,9 @@ following high-severity vulnerabilities: cryptographic random number generator, either RAND_bytes from OpenSSL, or arc4random(). - Mitigation: Upgrade to 4.2.7p230 or later. + Mitigation - any of: + - Upgrade to 4.2.7p230 or later. + - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. Credit: This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team. @@ -61,10 +83,11 @@ following high-severity vulnerabilities: buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. - Mitigation: Upgrade to 4.2.8, or later, or - Disable Autokey Authentication by removing, or commenting out, - all configuration directives beginning with the crypto keyword - in your ntp.conf file. + Mitigation - any of: + - Upgrade to 4.2.8, or later, or + - Disable Autokey Authentication by removing, or commenting out, + all configuration directives beginning with the crypto keyword + in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. @@ -80,7 +103,9 @@ following high-severity vulnerabilities: can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. - Mitigation: Upgrade to 4.2.8, or later. + Mitigation - any of: + - Upgrade to 4.2.8, or later. + - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. @@ -96,7 +121,9 @@ following high-severity vulnerabilities: can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. - Mitigation: Upgrade to 4.2.8, or later. + Mitigation - any of: + - Upgrade to 4.2.8, or later. + - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. 
@@ -118,10 +145,10 @@ following high-severity vulnerabilities: becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score become 7.5. - Mitigation: - Upgrade to 4.2.8, or later, - or Remove or comment out all configuration directives - beginning with the crypto keyword in your ntp.conf file. + Mitigation - any of: + - Upgrade to 4.2.8, or later, + - Remove or comment out all configuration directives + beginning with the crypto keyword in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team.
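Review bot: In the NOTE WELL block added by the first hunk (@@ -8,6 +8,24 @@), the two paragraphs make claims of different strength: the first says the issues "can be significantly mitigated", the second says none of them, apart from the receive() item, "can be exploited" once query-class packets are restricted. Pick one wording so readers know whether noquery is a partial or a complete workaround. The example line "restrict default ... noquery" is also elided and "BCP" is never expanded or referenced, so the block cannot be followed without another document; name that document or give the full line. Minor style point: the exception is cited as "Sec 2670" while the entries below use the bracketed form "[Sec 2665]".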
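Review bot: The bullet added in the hunk at @@ -23,7 +41,9 @@ reads 'restrict ... noquery', while the NOTE WELL block at the top of the same patch reads "restrict default ... noquery". The same shortened form is repeated in the hunks at @@ -43,7 +63,9 @@, @@ -80,7 +103,9 @@ and @@ -96,7 +121,9 @@. Use one form throughout, or have each bullet point back to the NOTE WELL block, so it is clear whether the advice is about the default restriction or any restrict line.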
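Review bot: The mitigation list in the hunk at @@ -61,10 +83,11 @@ gets no 'restrict ... noquery' bullet, and neither does the one at @@ -118,10 +145,10 @@, yet the NOTE WELL block says every item except receive() is unexploitable when query-class packets are restricted. Either add the bullet to these two entries or name them as further exceptions in the NOTE WELL text. In the same hunk, the first bullet still ends in ", or" ("Upgrade to 4.2.8, or later, or"), which is redundant under an "any of:" heading.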
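Review bot: In the last hunk (@@ -118,10 +145,10 @@) the first bullet ends with a dangling comma ("Upgrade to 4.2.8, or later,"), left over from the old "or Remove ..." sentence. The other converted lists in this patch end that bullet with a period, so terminate it the same way here. The unchanged context line just above ("the CVSS base score become 7.5") could take a grammar fix while this entry is being edited.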