[ntp:hackers] Security fixes in ntp-4.2.8p6

Harlan Stenn stenn at ntp.org
Mon Jan 25 06:24:06 UTC 2016


Kurt Roeckx writes:
> On Thu, Jan 21, 2016 at 11:30:08AM +0100, Miroslav Lichvar wrote:
> > I've already added comments to the bugzilla and Harlan knows about it,
> > but I thought downstream maintainers and other people watching this
> > list would like to know.
> > 
> > It seems 4.2.8p6 doesn't actually fix the issue with zero origin
> > timestamp (CVE-2015-8138). The problem is in the change that was
> > supposed to fix symmetric associations after the fix that was added
> > for the KoD issue (CVE-2015-7704).
> > 
> > The KoD issue is still not fully fixed. Symmetric associations can be
> > started, but they break when a packet is lost between the peers.
> 
> So can someone tell me what the status of the various security
> issues is in the 4.2.8p6 version?  I seem to be losing track.  Are
> their any patches for them?
> 
> CVE-2015-7704: A fix is available, will be part of p7, but hasn't
> been commited to the stable branch yet?
> CVE-2015-5300: Broken when using the LOCAL driver?
> CVE-2015-8138: The attempted fix for CVE-2015-7704 broke symmetric
> associations (Bug 2952), that's still broken on packet loss, and
> it also breaks the fix for CVE-2015-8138?

I'm working on fixing the problems and getting the next release out.

I'd prefer to keep working on these instead of shifting gears and
getting you the answers you have asked for.

I think some of the items above are already fixed.  More fixes will be
ready soon.

I'd repeat my request for competent and collaborative help and financial
support so we can hire more folks to work on that, but you've said my
asking for these things is counter-productive.

How about you test -dev and see if the issues that are supposed to be
fixed in that release are, indeed, working as expected?

H


More information about the hackers mailing list