touch-packages team mailing list archive
Message #44088
[Bug 1404648] Re: security issues in ntp
Thanks for the bug. These issues are being tracked here:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9293.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9294.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9295.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9296.html
and there are test packages here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
Note: Ubuntu has mitigations in the default install that lessen the
severity of two of the CVEs.
** Information type changed from Private Security to Public Security
** Changed in: ntp (Ubuntu)
Status: New => In Progress
** Also affects: ntp (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: ntp (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: ntp (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: ntp (Ubuntu Trusty)
Importance: Undecided
Status: New
** Changed in: ntp (Ubuntu Lucid)
Status: New => In Progress
** Changed in: ntp (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu Lucid)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ntp (Ubuntu Precise)
Status: New => In Progress
** Changed in: ntp (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu Precise)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ntp (Ubuntu Trusty)
Status: New => In Progress
** Changed in: ntp (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu Trusty)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** Changed in: ntp (Ubuntu Utopic)
Status: New => In Progress
** Changed in: ntp (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: ntp (Ubuntu Utopic)
Assignee: (unassigned) => Marc Deslauriers (mdeslaur)
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9293
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9294
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9295
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9296
** Changed in: ntp (Ubuntu)
Status: In Progress => Triaged
** Changed in: ntp (Ubuntu)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1404648
Title:
security issues in ntp
Status in ntp package in Ubuntu:
Triaged
Status in ntp source package in Lucid:
In Progress
Status in ntp source package in Precise:
In Progress
Status in ntp source package in Trusty:
In Progress
Status in ntp source package in Utopic:
In Progress
Bug description:
http://support.ntp.org/bin/view/Main/SecurityNotice
lists 4 issues:
Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014
Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014
Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014
receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Date Resolved: Stable (4.2.8) 18 Dec 2014
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: ntp 1:4.2.6.p5+dfsg-3ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-39.66-lowlatency 3.13.11.8
Uname: Linux 3.13.0-39-lowlatency x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Sun Dec 21 13:24:35 2014
InstallationDate: Installed on 2012-08-23 (849 days ago)
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
KernLog:
SourcePackage: ntp
UpgradeStatus: Upgraded to trusty on 2014-03-02 (293 days ago)
modified.conffile..etc.ntp.conf: [modified]
mtime.conffile..etc.ntp.conf: 2014-06-02T17:06:11.921841
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1404648/+subscriptions