
oem-qa team mailing list archive

[Bug 379482] Re: Update ntpdate to fix vulnerabilities.

 

** Changed in: dell-mini
       Status: New => Confirmed

-- 
Update ntpdate to fix vulnerabilities.
https://bugs.launchpad.net/bugs/379482
You received this bug notification because you are a member of OEM
Services QA, which is subscribed to The Dell Mini Project.

Status in Dell Inspiron Mini with Custom Dell UI: Confirmed

Bug description:
ntpdate in hardy for dell mini (1:4.2.4p4+dfsg-3ubuntu2.1) is affected by 2 vulnerabilities, fixed in generic hardy (1:4.2.4p4+dfsg-3ubuntu2.2)

Changelog 1:4.2.4p4+dfsg-3ubuntu2.2
  * SECURITY UPDATE: stack overflow in ntpd when autokey is enabled
    - debian/patches/CVE-2009-1252.patch: update ntpd/ntp_crypto.c to use
      snprintf() with NTP_MAXSTRLEN when writing to statstr. Also defensively
      adjust ntp_peer.c and ntp_timer.c to do the same.
    - CVE-2009-1252
  * SECURITY UPDATE: stack overflow in ntpq when contacting malicious ntp
    server
    - debian/patches/CVE-2009-0159.patch: increase size of buffer in
      cookedprint() in ntpq/ntpq.c and adjust to use snprintf()
    - CVE-2009-0159
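
Both fixes in the changelog above replace unbounded formatting into a fixed stack buffer with snprintf() bounded by the buffer size. The following is an added example of that pattern with truncation detection; it is not code from ntp or from the Ubuntu patches. The helper format_stat(), the format string, the sample inputs and the value 256 for NTP_MAXSTRLEN are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; the page names NTP_MAXSTRLEN but not its value. */
#define NTP_MAXSTRLEN 256

/*
 * Unbounded pattern of the kind the changelog replaces (constructed, not ntp source):
 *     char statstr[NTP_MAXSTRLEN];
 *     sprintf(statstr, "error %x peer %s", err, field);
 * If field is longer than the space left, sprintf() writes past statstr on the stack.
 */

/*
 * format_stat() is a hypothetical helper. It writes at most dstlen bytes,
 * always NUL-terminates, and reports truncation instead of overflowing.
 * Returns 0 if the text fit, 1 if it was truncated, -1 on bad arguments.
 */
int format_stat(char *dst, size_t dstlen, unsigned int err, const char *field)
{
    int n;

    if (dst == NULL || dstlen == 0 || field == NULL)
        return -1;
    n = snprintf(dst, dstlen, "error %x peer %s", err, field);
    if (n < 0) {            /* encoding error: leave an empty string */
        dst[0] = '\0';
        return -1;
    }
    return ((size_t)n >= dstlen) ? 1 : 0;
}

int main(void)
{
    char statstr[NTP_MAXSTRLEN];
    char oversized[1024];   /* constructed input, four times the buffer size */
    int rc;

    memset(oversized, 'A', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    rc = format_stat(statstr, sizeof(statstr), 0x10f, oversized);
    printf("oversized: rc=%d stored=%zu bytes\n", rc, strlen(statstr));

    rc = format_stat(statstr, sizeof(statstr), 0x10f, "ntp.example.test");
    printf("normal:    rc=%d text=\"%s\"\n", rc, statstr);
    return 0;
}
```

Checking the return value matters because snprintf() silently truncates; a caller that logs or parses the result should know when the stored text is incomplete.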


