[ntp:security] NTP Security Vulnerabilities issue CVE-2015-5300 :

Sue Graves sgraves at nwtime.org
Wed Jan 6 21:29:27 UTC 2016


Hi Ashish,

The release will be available by the end of this week.

If you or the organization you are working with depends on NTP, we would
encourage you to support us by donating, or becoming a member for
Advanced Security Notifications.

Best,
Sue

On 1/6/2016 11:39 AM, ashish jaiswal wrote:
> Hi Harlan,
> 
> Thank you for your quick response.
> 
> Please can you tell me the approximate schedule for that patch availability.
> 
> 
> Thanks and Regards,
> Ashish 
>
> Thanks and Regards
>  
> Ashish Jaiswal
> 
> On Wed, Jan 6, 2016 at 3:39 PM, Harlan Stenn <stenn at nwtime.org> wrote:
> 
>     Hi Ashish,
> 
>     I believe the patch from Red Hat is incomplete and does not properly fix
>     the problem for any version of NTP-4.
> 
>     We will soon be publishing our patch for this issue.
> 
>     If you are asking this because your company or your company's customers
>     rely on NTP for accurate time, I urge you to work towards having your
>     company and, if appropriate, your customers become members of Network
>     Time Foundation's NTP Consortium.  Institutional members get early
>     notification of security problems, and members at the Partner and
>     Premier level get early access to security patches.
> 
>     H
> 
>     On 1/5/16 10:13 PM, ashish jaiswal wrote:
>     > Hi All,
>     >
>     > This is regarding the patch submitted for the NTP Security Vulnerabilities issue
>     > mentioned in
>     > https://bugzilla.redhat.com/show_bug.cgi?id=1271076
>     >
>     > As per the comments, the CVE-2015-5300 patch is applicable for 4.2.6 and will
>     > be available in NTP 4.2.8. But 4.2.8p4's change log does not mention the merge
>     > history of this patch or the issue fix.
>     >
>     > Could someone clarify more about this? Is the patch not applicable in this
>     > case, or is it planned for a future release?
>     >
>     > Issue title: CVE-2015-5300 ntp: MITM attacker can force ntpd to make a
>     > step larger than the panic threshold
>     >
>     >
>     >
>     > References for more information  :
>     >
>     > https://www.vulnerabilitycenter.com/#!vul=54015
>     > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
>     >
>     >
>     >
>     > Thanks and Regards
>     >
>     > Ashish Jaiswal
>     >
>     > _______________________________________________
>     > security mailing list
>     > security at lists.ntp.org
>     > http://lists.ntp.org/listinfo/security
>     >
> 
>     --
>     Harlan Stenn <stenn at nwtime.org>
>     http://networktimefoundation.org - be a member!
> 
> 

-- 
Knowing the correct time isn't always important - until it is.
Join Network Time Consortium http://nwtime.org/join


