[ntp:hackers] Security fixes in ntp-4.2.8p6

Kurt Roeckx kurt at roeckx.be
Sun Jan 24 22:58:20 UTC 2016


On Thu, Jan 21, 2016 at 11:30:08AM +0100, Miroslav Lichvar wrote:
> I've already added comments to the bugzilla and Harlan knows about it,
> but I thought downstream maintainers and other people watching this
> list would like to know.
> 
> It seems 4.2.8p6 doesn't actually fix the issue with zero origin
> timestamp (CVE-2015-8138). The problem is in the change that was
> supposed to fix symmetric associations after the fix that was added
> for the KoD issue (CVE-2015-7704).
> 
> The KoD issue is still not fully fixed. Symmetric associations can be
> started, but they break when a packet is lost between the peers.

So can someone tell me what the status of the various security
issues is in the 4.2.8p6 version?  I seem to be losing track.  Are
their any patches for them?

CVE-2015-7704: A fix is available, will be part of p7, but hasn't
been commited to the stable branch yet?
CVE-2015-5300: Broken when using the LOCAL driver?
CVE-2015-8138: The attempted fix for CVE-2015-7704 broke symmetric
associations (Bug 2952), that's still broken on packet loss, and
it also breaks the fix for CVE-2015-8138?


Kurt



More information about the hackers mailing list