touch-packages team mailing list archive

Thread
Date

[Bug 1405404] [NEW] ntp vulnerabilities

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1405404@xxxxxxxxxxxxxxxxxx>
Date: Wed, 24 Dec 2014 12:19:35 -0000
Reply-to: Bug 1405404 <1405404@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

You have been subscribed to a public bug:

Network Time Protocol (NTP) Project NTP daemon (ntpd) contains multiple
vulnerabilities

The NTP Project ntpd version 4.2.7 and pervious versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities affect ntpd acting as a server or client.
Description

The Network Time Protocol (NTP) provides networked systems with a way to
synchronize time for various services and applications. The reference
implementation produced by the NTP Project (ntp.org) contains several
vulnerabilities.

http://www.kb.cert.org/vuls/id/852879
https://access.redhat.com/security/cve/CVE-2014-9295

The backport for 4.0 is also needed.

** Affects: ntp (Ubuntu)
     Importance: Critical
     Assignee: MOS Linux (mos-linux)
         Status: Confirmed


** Tags: customer-found cve-2014-9295 ntp
-- 
ntp vulnerabilities
https://bugs.launchpad.net/bugs/1405404
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu.