
group.of.nepali.translators team mailing list archive

[Bug 1479652] Re: [patch] ntpd rejects source UDP ports less than 123 as bogus

 

This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu1

---------------
ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium

  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Ask debian to add this.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + Add enforcing AppArmor profile:
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
  * Includes fix for requests with source ports < 123, fixed upstream in
    4.2.8p1 (LP: #1479652).
  * Add PPS support (LP: #1512980):
    + debian/README.Debian: Add a PPS section to the README.Debian,
      removed all PPSkit one.
    + debian/ntp.conf: Add some configuration examples from the official
      documentation.
    + debian/control: Add Build-Depends on pps-tools
  * Drop Changes:
    + debian/rules: Update config.{guess,sub} for AArch64, because upstream use
      dh_autoreconf now.
    + debian/{control,rules}: Add and enable hardened build for PIE.
      Upstream use fPIC. Options -fPIC and -fPIE are incompatible, thus this is
      never applied, (cf. dpkg-buildflags manual), checked with Marc
      Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
    + debian/rules: Remove update-rcd-params in dh_installinit command. When
      setting up ntp package, the following message is presented to the user
      due to deprecated use:
      "update-rc.d: warning: start and stop actions are no longer
      supported; falling back to defaults". The defaults are taken from the
      init.d script LSB comment header, which contain what we need anyway.
    + debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
      regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
      patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
    + debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
      now.
    + Remove natty timeframe old deltas (transitional code not needed since
      Trusty): Those patches were for an incorrect behaviour of
      system-tools-backend, around natty time
      (https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
      - debian/ntpdate-debian: Disregard empty ntp.conf files.
      - debian/ntp.preinst: Remove empty /etc/ntp.conf on fresh installation.
    + debian/ntp.dhcp: Rewrite sed rules. This was done incorrectly as pointed
      out in LP 575458. This decision is explained in detail there.
  * All previous ubuntu security patches/fixes have been upstreamed:
    + CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,
      CVE-2015-7703, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691,
      CVE-2015-7692, CVE-2015-7702, CVE-2015-7701, CVE-2015-7704,
      CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,
      CVE-2015-7855, CVE-2015-7871, CVE-2015-1798, CVE-2015-1799,
      CVE-2014-9297, CVE-2014-9298, CVE-2014-9293, CVE-2014-9294,
      CVE-2014-9295, CVE-2014-9296
    + Fix to ignore ENOBUFS on routing netlink socket
    + Fix use-after-free in routing socket code
    + ntp-keygen infinite loop or lack of randomness on big endian platforms

 -- Pierre-André MOREY <pierre-andre.morey@xxxxxxxxxxxxx>  Fri, 5 Feb 2016 18:28:52 +0100

** Changed in: ntp (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9293

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9294

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9295

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9296

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9297

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9298

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1798

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1799

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5146

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5194

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5195

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5196

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5219

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-5300

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7691

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7692

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7701

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7702

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7703

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7704

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7705

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7850

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7852

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7853

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7855

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-7871

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1479652

Title:
  [patch] ntpd rejects source UDP ports less than 123 as bogus

Status in NTP:
  Fix Released
Status in ntp package in Ubuntu:
  Fix Released
Status in ntp source package in Precise:
  Fix Committed
Status in ntp source package in Trusty:
  Fix Released
Status in ntp source package in Wily:
  Fix Released
Status in ntp source package in Xenial:
  Fix Released
Status in ntp package in Debian:
  New

Bug description:
  [Impact]

  If an NTP client sends a request with a source port less than 123, the
  packet is silently ignored by ntpd. This is occurring in our
  environment due to NAT.

  [Development Fix]

  Fixed by merge of NTP of newer upstream release that includes the fix.
  Stuck in dep-wait in xenial-proposed due to an unrelated issue (pps-
  tools MIR or other resolution).

  [Test Case]

  The problem can easily be reproduced by having an iptables postrouting
  nat forcing the source port to be under 123 set on the client.

  Setup:
   ==> NTP server = y.y.y.y
   ntp.conf configured to be a server.

   ==> NTP client = x.x.x.x
   "ntpdate" used to submit requests

   # iptables setup to force src port to be lower than 123
   iptables -t nat -A POSTROUTING -p UDP --dport 123  -j SNAT --to-source x.x.x.x:100-122

  ## On the client, set to force src port < 123 (without patch)

  $ ntpdate y.y.y.y
  ntpdate[<PID>]: no server suitable for synchronization found

  ## On the client, set to force src port < 123 (with patch)

  $ ntpdate y.y.y.y
  ntpdate[<PID>]: adjust time server y.y.y.y offset -0.028483 sec

  [Regression Potential]

  The patch comes from upstream:
  http://bugs.ntp.org/show_bug.cgi?id=2174

  A testfix[1] package has been provided to the community before the SRU
  process to bring more confidence for the patch. Positive feedback has
  been given by the community to confirm the patch addressed the bug
  [comment #7]

  [1]- https://launchpad.net/~slashd/+archive/ubuntu/bug1479652

  [Original description]

  [Title copied from Debian bug, which was not filed by me. Description
  below is mine.]

  If an NTP client sends a request with a source port less than 123, the
  packet is silently ignored by ntpd. This is occurring in our
  environment due to NAT.

  Attached is the patch already accepted upstream which fixes the issue.
  I've verified it fixes the problem. Debian has been ignoring this
  patch for almost 3 years. Can we get this in Ubuntu please?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1479652/+subscriptions
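
Added example, not part of the bug report or of the ntp package: a small Python probe for the [Test Case] above that binds the client's UDP source port directly instead of using the SNAT rule, so an administrator can check whether a server answers requests sent from ports below 123. The function names are hypothetical, and the server address is whatever you pass on the command line.

```python
import socket
import struct
import sys

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_request():
    """48-byte NTP client request: LI=0, VN=4, Mode=3, all other fields zero."""
    return bytes([0x23]) + bytes(47)


def parse_reply(data):
    """Return (mode, stratum, unix_transmit_time), or None if not a server reply."""
    if len(data) < 48:
        return None
    mode = data[0] & 0x07
    if mode != 4:  # 4 = server mode
        return None
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return mode, data[1], secs - NTP_EPOCH_OFFSET + frac / 2**32


def probe(server, src_port, dst_port=123, timeout=2.0):
    """Send one request from src_port; True only if a valid server reply arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Ports below 1024 need root or CAP_NET_BIND_SERVICE.
        s.bind(("", src_port))
        # connect() makes the kernel drop datagrams from any other peer.
        s.connect((server, dst_port))
        try:
            s.send(build_request())
            data = s.recv(512)
        except (socket.timeout, ConnectionError):
            return False
    return parse_reply(data) is not None


if __name__ == "__main__":
    # Assumption: argv[1] is the NTP server under test (y.y.y.y in the report).
    for port in (100, 122, 123, 40000):
        answered = probe(sys.argv[1], port)
        print("src port %5d: %s" % (port, "reply" if answered else "no reply"))
```

On a server with the behaviour described in the report, the rows for source ports 100 and 122 show no reply while 123 and 40000 are answered; with the fixed package all four should be answered.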