[ntp:security] EXT :Re: CVE Question

Kloepping, Mark E (IS) mark.kloepping at ngc.com
Fri Oct 30 20:49:13 UTC 2015


Thank you for your response.

Background:  We're building and running ntp in a Windows environment.  

I received a customer notification that the ntp software was affected by CVE-2015-5300.  I don't yet see the CVE in the NVD or Mitre CVE databases; however, a Google search revealed that Red Hat posted a description of the issue [1] along with a fix [2].  The fix appears to be a one-liner in the ntp_loopfilter.c file.  It appears that the ntp 4.2.8p4 source bundle from ntp.org does not contain the same fix that Red Hat implemented.  The Red Hat fix was against ntp 4.2.6p5.  Is this fix applicable to ntp 4.2.8p4?  Is ntp 4.2.8p4 vulnerable to CVE-2015-5300?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1271076
[2] https://bugzilla.redhat.com/attachment.cgi?id=1082271


-----Original Message-----
From: Sue Graves [mailto:sgraves at nwtime.org] 
Sent: Thursday, October 29, 2015 7:39 PM
To: Kloepping, Mark E (IS); security at ntp.org
Cc: Serrano, Joel (IS)
Subject: EXT :Re: [ntp:security] CVE Question

Hi Mark and Joel,

It isn't clear what part of the BU paper CVE-2015-5300 is pointing to.
I assume you've asked Debian this question? Is NGC running Debian?

Please let us know what version of Debian OS or NTP you are running. Our
ntp4.2.8-4 did address the KoD issue and there will be further info coming out on this.


On 10/29/2015 12:47 PM, Kloepping, Mark E (IS) wrote:
> NTP Support Team
> Is NTP affected by CVE-2015-5300?  If so, does NTP 4.2.8p4 resolve 
> CVE-2015-5300?
> Thanks,
> Mark
> *Mark Kloepping*
> Software Engineer
> ______________________________
> *Northrop Grumman - IS*
> *Work:* 703.561.3679
> *Cell:* 412.716.7240
> *Email:* mark.kloepping at ngc.com <mailto:Mark.kloepping at ngc.com>
> *Address: 2340 Dulles Corner Blvd,
>                   Herndon, VA 20171*
> _______________________________________________
> security mailing list
> security at lists.ntp.org
> http://lists.ntp.org/listinfo/security

Knowing the correct time isn't always important - until it is.
Join Network Time Consortium http://nwtime.org/join
