pkgsrc/net/ntp4/distinfo
taca c64b6edc46 Update ntp4 to 4.2.8p4.
pkgsrc change:
* Remove duplicated HTML documents.
* Install some addtional documents.

Changes are too many to write here, please refer NEWS files and this
release fixes security problems.


October 2015 NTP Security Vulnerability Announcement (Medium)

NTF's NTP Project has been notified of the following 13 low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on
Wednesday, 21 October 2015:

* Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association
  authentication bypass via crypto-NAK (Cisco ASIG)
* Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning
  FAIL on some bogus values (IDA)
* Bug 2921 CVE-2015-7854 Password Length Memory Corruption
  Vulnerability. (Cisco TALOS)
* Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock
  driver could cause a buffer overflow. (Cisco TALOS)
* Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption
  Vulnerability. (Cisco TALOS)
* Bug 2918 CVE-2015-7851 saveconfig Directory Traversal
  Vulnerability. (OpenVMS) (Cisco TALOS)
* Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS)
* Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS)
* Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS)
* Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable)
* Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile"
  should only be allowed locally. (RedHat)
* Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
  validate the origin timestamp field. (Boston University)
* Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
  data packet length checks. (Tenable)

The only generally-exploitable bug in the above list is the crypto-NAK bug,
which has a CVSS2 score of 6.4.

Additionally, three bugs that have already been fixed in ntp-4.2.8 but were
not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all
below 1.8 CVSS score, so we're reporting them here:

* Bug 2382 : Peer precision < -31 gives division by zero
* Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL
* Bug 1593 : ntpd abort in free() with logconfig syntax error
2015-10-23 03:43:31 +00:00

10 lines
666 B
Text

$NetBSD: distinfo,v 1.23 2015/10/23 03:43:31 taca Exp $
SHA1 (ntp-4.2.8p4.tar.gz) = a30f61f87b219ab3613def9e27f5c8e91ce38b0a
RMD160 (ntp-4.2.8p4.tar.gz) = 94ab0e190f37c55700978a1555473a308e7175e6
SHA512 (ntp-4.2.8p4.tar.gz) = e5ad7b44921e49b5546aa804dc56c320a3a0beb32b0e6fde40c900bf5e3af40b354a0cecc869b4605b59b5ab58219b9940789b50d747e0f5b50b4e73513d9f23
Size (ntp-4.2.8p4.tar.gz) = 7104852 bytes
SHA1 (patch-aa) = b247569339d09a88f2e143e355033ce7635ffe92
SHA1 (patch-configure) = 21466ffa5d0334957a1a93b2a99087e7edaaa4d5
SHA1 (patch-sntp_configure) = 38357046af0f0c1aeb8b57bb9c653e330d3feadd
SHA1 (patch-sntp_loc_pkgsrc) = 6e46ffc0cc2afcfdc1d01297cbe04cb80d103575