Update ntp4 to 4.2.8p4.
pkgsrc change:
* Remove duplicated HTML documents.
* Install some addtional documents.
Changes are too many to write here, please refer NEWS files and this
release fixes security problems.
October 2015 NTP Security Vulnerability Announcement (Medium)
NTF's NTP Project has been notified of the following 13 low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on
Wednesday, 21 October 2015:
* Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association
authentication bypass via crypto-NAK (Cisco ASIG)
* Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (IDA)
* Bug 2921 CVE-2015-7854 Password Length Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock
driver could cause a buffer overflow. (Cisco TALOS)
* Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
Vulnerability. (OpenVMS) (Cisco TALOS)
* Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
* Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
* Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
* Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
* Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile"
should only be allowed locally. (RedHat)
* Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
validate the origin timestamp field. (Boston University)
* Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
data packet length checks. (Tenable)
The only generally-exploitable bug in the above list is the crypto-NAK bug,
which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were
not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all
below 1.8 CVSS score, so we're reporting them here:
* Bug 2382 : Peer precision < -31 gives division by zero
* Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
* Bug 1593 : ntpd abort in free() with logconfig syntax error
2015-10-23 05:43:31 +02:00
|
|
|
$NetBSD: distinfo,v 1.23 2015/10/23 03:43:31 taca Exp $
|
2001-04-17 13:43:32 +02:00
|
|
|
|
Update ntp4 to 4.2.8p4.
pkgsrc change:
* Remove duplicated HTML documents.
* Install some addtional documents.
Changes are too many to write here, please refer NEWS files and this
release fixes security problems.
October 2015 NTP Security Vulnerability Announcement (Medium)
NTF's NTP Project has been notified of the following 13 low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on
Wednesday, 21 October 2015:
* Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association
authentication bypass via crypto-NAK (Cisco ASIG)
* Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (IDA)
* Bug 2921 CVE-2015-7854 Password Length Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock
driver could cause a buffer overflow. (Cisco TALOS)
* Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
Vulnerability. (Cisco TALOS)
* Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
Vulnerability. (OpenVMS) (Cisco TALOS)
* Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
* Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
* Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
* Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
* Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile"
should only be allowed locally. (RedHat)
* Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
validate the origin timestamp field. (Boston University)
* Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
data packet length checks. (Tenable)
The only generally-exploitable bug in the above list is the crypto-NAK bug,
which has a CVSS2 score of 6.4.
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were
not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all
below 1.8 CVSS score, so we're reporting them here:
* Bug 2382 : Peer precision < -31 gives division by zero
* Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
* Bug 1593 : ntpd abort in free() with logconfig syntax error
2015-10-23 05:43:31 +02:00
|
|
|
SHA1 (ntp-4.2.8p4.tar.gz) = a30f61f87b219ab3613def9e27f5c8e91ce38b0a
|
|
|
|
|
RMD160 (ntp-4.2.8p4.tar.gz) = 94ab0e190f37c55700978a1555473a308e7175e6
|
|
|
|
|
SHA512 (ntp-4.2.8p4.tar.gz) = e5ad7b44921e49b5546aa804dc56c320a3a0beb32b0e6fde40c900bf5e3af40b354a0cecc869b4605b59b5ab58219b9940789b50d747e0f5b50b4e73513d9f23
|
|
|
|
|
Size (ntp-4.2.8p4.tar.gz) = 7104852 bytes
|
2014-01-12 18:01:02 +01:00
|
|
|
SHA1 (patch-aa) = b247569339d09a88f2e143e355033ce7635ffe92
|
Update ntpd4 pacakge to 4.2.8, here is summary for security related fixes.
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
Focus: Security and Bug fixes, enhancements.
Severity: HIGH
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:
* Weak default key in config_auth().
References: [Sec 2665] / CVE-2014-9293 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: all releases prior to 4.2.7p11
Date Resolved: 28 Jan 2010
Summary: If no 'auth' key is set in the configuration file, ntpd
would generate a random key on the fly. There were two
problems with this: 1) the generated key was 31 bits in size,
and 2) it used the (now weak) ntp_random() function, which was
seeded with a 32-bit value and could only provide 32 bits of
entropy. This was sufficient back in the late 1990s when the
code was written. Not today.
Mitigation: Upgrade to 4.2.7p11 or later.
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
of the Google Security Team.
* Non-cryptographic random number generator with weak seed used by
ntp-keygen to generate symmetric keys.
References: [Sec 2666] / CVE-2014-9294 / VU#852879
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
Vulnerable Versions: All NTP4 releases before 4.2.7p230
Date Resolved: Dev (4.2.7p230) 01 Nov 2011
Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
prepare a random number generator that was of good quality back
in the late 1990s. The random numbers produced was then used to
generate symmetric keys. In ntp-4.2.8 we use a current-technology
cryptographic random number generator, either RAND_bytes from
OpenSSL, or arc4random().
Mitigation: Upgrade to 4.2.7p230 or later.
Credit: This vulnerability was discovered in ntp-4.2.6 by
Stephen Roettger of the Google Security Team.
* Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
file contains a 'crypto pw ...' directive) a remote attacker
can send a carefully crafted packet that can overflow a stack
buffer and potentially allow malicious code to be executed
with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later, or
Disable Autokey Authentication by removing, or commenting out,
all configuration directives beginning with the crypto keyword
in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: A remote attacker can send a carefully crafted packet that
can overflow a stack buffer and potentially allow malicious
code to be executed with the privilege level of the ntpd process.
Mitigation: Upgrade to 4.2.8, or later.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
* receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Versions: All NTP4 releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
the code path where an error was detected, which meant
processing did not stop when a specific rare error occurred.
We haven't found a way for this bug to affect system integrity.
If there is no way to affect system integrity the base CVSS
score for this bug is 0. If there is one avenue through which
system integrity can be partially affected, the base score
becomes a 5. If system integrity can be partially affected
via all three integrity metrics, the CVSS base score become 7.5.
Mitigation:
Upgrade to 4.2.8, or later,
or Remove or comment out all configuration directives
beginning with the crypto keyword in your ntp.conf file.
Credit: This vulnerability was discovered by Stephen Roettger of the
Google Security Team.
See http://support.ntp.org/security for more information.
2014-12-20 10:45:46 +01:00
|
|
|
SHA1 (patch-configure) = 21466ffa5d0334957a1a93b2a99087e7edaaa4d5
|
|
|
|
|
SHA1 (patch-sntp_configure) = 38357046af0f0c1aeb8b57bb9c653e330d3feadd
|
2014-01-12 18:01:02 +01:00
|
|
|
SHA1 (patch-sntp_loc_pkgsrc) = 6e46ffc0cc2afcfdc1d01297cbe04cb80d103575
|
