group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #00746
[Bug 1479652] Re: [patch] ntpd rejects source UDP ports less than 123 as bogus
This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu1
---------------
ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium
* Merge from Debian testing. Remaining changes:
+ debian/rules: enable debugging. Ask debian to add this.
+ debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
+ Add enforcing AppArmor profile:
- debian/control: Add Conflicts/Replaces on apparmor-profiles.
- debian/control: Add Suggests on apparmor.
- debian/control: Build-Depends on dh-apparmor.
- add debian/apparmor-profile*.
- debian/ntp.dirs: Add apparmor directories.
- debian/rules: Install apparmor-profile and apparmor-profile.tunable.
- debian/source_ntp.py: Add filter on AppArmor profile names to prevent
false positives from denials originating in other packages.
- debian/README.Debian: Add note on AppArmor.
+ debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
running ntpdate when an interface comes up, then start again afterwards.
+ debian/ntp.init, debian/rules: Only stop when entering single user mode,
don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
get stale. Patch by Simon Déziel.
+ debian/ntp.conf, debian/ntpdate.default: Change default server to
ntp.ubuntu.com.
+ debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
* Includes fix for requests with source ports < 123, fixed upstream in
4.2.8p1 (LP: #1479652).
* Add PPS support (LP: #1512980):
+ debian/README.Debian: Add a PPS section to the README.Debian,
removed all PPSkit one.
+ debian/ntp.conf: Add some configuration examples from the offical
documentation.
+ debian/control: Add Build-Depends on pps-tools
* Drop Changes:
+ debian/rules: Update config.{guess,sub} for AArch64, because upstream use
dh_autoreconf now.
+ debian/{control,rules}: Add and enable hardened build for PIE.
Upstream use fPIC. Options -fPIC and -fPIE are uncompatible, thus this is
never applied, (cf. dpkg-buildflags manual), checked with Marc
Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
+ debian/rules: Remove update-rcd-params in dh_installinit command. When
setting up ntp package, the following message is presented to the user
due to deprecated use:
"update-rc.d: warning: start and stop actions are no longer
supported; falling back to defaults". The defaults are taken from the
init.d script LSB comment header, which contain what we need anyway.
+ debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
+ debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
now.
+ Remove natty timeframe old deltas (transitional code not needed since
Trusty): Those patches were for an incorrect behaviour of
system-tools-backend, around natty time
(https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
- debian/ntpdate-debian: Disregard empty ntp.conf files.
- debian/ntp.preinst: Remove empty /etc/ntp.conf on fresh intallation.
+ debian/ntp.dhcp: Rewrite sed rules. This was done incorrectly as pointed
out in LP 575458. This decision is explained in detail there.
* All previous ubuntu security patches/fixes have been upstreamed:
+ CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,
CVE-2015-7703, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691,
CVE-2015-7692, CVE-2015-7702, CVE-2015-7701, CVE-2015-7704,
CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,
CVE-2015-7855, CVE-2015-7871, CVE-2015-1798, CVE-2015-1799,
CVE-2014-9297, CVE-2014-9298, CVE-2014-9293, CVE-2014-9294,
CVE-2014-9295, CVE-2014-9296
+ Fix to ignore ENOBUFS on routing netlink socket
+ Fix use-after-free in routing socket code
+ ntp-keygen infinite loop or lack of randonmess on big endian platforms
-- Pierre-André MOREY <pierre-andre.morey@xxxxxxxxxxxxx> Fri, 5 Feb
2016 18:28:52 +0100
** Changed in: ntp (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9293
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9294
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9295
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9296
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9297
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-9298
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1798
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1799
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5146
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5194
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5195
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5196
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5219
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-5300
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7691
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7692
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7701
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7702
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7703
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7704
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7705
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7850
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7852
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7853
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7855
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7871
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1479652
Title:
[patch] ntpd rejects source UDP ports less than 123 as bogus
Status in NTP:
Fix Released
Status in ntp package in Ubuntu:
Fix Released
Status in ntp source package in Precise:
Fix Committed
Status in ntp source package in Trusty:
Fix Released
Status in ntp source package in Wily:
Fix Released
Status in ntp source package in Xenial:
Fix Released
Status in ntp package in Debian:
New
Bug description:
[Impact]
If an NTP client sends a request with a source port less than 123, the
packet is silently ignored by ntpd. This is occurring in our
environment due to NAT.
[Development Fix]
Fixed by merge of NTP of newer upstream release that includes the fix.
Stuck in dep-wait in xenial-proposed due to an unrelated issue (pps-
tools MIR or other resolution).
[Test Case]
The problem can easily be reproduced by having an iptable postrouting
nat forcing the source port to be under 123 set on the client.
Setup:
==> NTP server = y.y.y.y
ntp.conf configured to be a server.
==> NTP client = x.x.x.x
"ntpdate" used to submmit requests
#iptable setup to force src port to be lower than 123
iptables -t nat -A POSTROUTING -p UDP --dport 123 -j SNAT --to-source x.x.x.x:100-122
## On the client, set to force src port < 123 (without patch)
$ ntpdate y.y.y.y
ntpdate[<PID>]: no server suitable for synchronization found
## On the client, set to force src port < 123 (with patch)
$ ntpdate y.y.y.y
ntpdate[<PID>]: adjust time server y.y.y.y offset -0.028483 sec
[Regression Potential]
The patch comes from upstream:
http://bugs.ntp.org/show_bug.cgi?id=2174
A testfix[1] package has been provided to the community before the SRU
process to bring more confidence for the patch. Positive feedbacks has
been given by the community to confirm the patch addressed the bug
[comment #7]
[1]- https://launchpad.net/~slashd/+archive/ubuntu/bug1479652
[Original description]
[Title copied from Debian bug, which was not filed by me. Description
below is mine.]
If an NTP client sends a request with a source port less than 123, the
packet is silently ignored by ntpd. This is occurring in our
environment due to NAT.
Attached is the patch already accepted upstream which fixes the issue.
I've verified it fixes the problem. Debian has been ignoring this
patch for almost 3 years. Can we get this in Ubuntu please?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ntp/+bug/1479652/+subscriptions