[Git][NTPsec/ntpsec][master] 3 commits: Release notes for recent vuln fixes

Daniel Fox Franke gitlab at mg.gitlab.com
Fri May 6 20:53:50 UTC 2016


Daniel Fox Franke pushed to branch master at NTPsec / ntpsec


Commits:
a51da0f5 by Daniel Fox Franke at 2016-05-06T16:50:58-04:00
Release notes for recent vuln fixes

- - - - -
592479f0 by Daniel Fox Franke at 2016-05-06T16:51:29-04:00
NTP classic [Bug 2937] was already fixed in 0.9.1

- - - - -
b874b5fb by Daniel Fox Franke at 2016-05-06T16:53:06-04:00
Add missing CVE reference to 0.9.1 release notes

- - - - -


1 changed file:

- NEWS


Changes:

=====================================
NEWS
=====================================
--- a/NEWS
+++ b/NEWS
@@ -10,17 +10,45 @@ on user-visible changes.
 
 The long-deprected Autokey feature has been removed.
 
-The following fixes have been forward-ported from Classic:
+This release contains fixes for three vulnerabilities inherited from
+NTP Classic:
+
+[Bug 3020] (CVE-2016-1551) Refclock impersonation vulnerability
+  (Credit: Matt Street et. al. of Cisco ASIG)
+[Bug 3008] (CVE-2016-2519) ctl_getitem() return value not always checked
+  (Credit: Yihan Lian of the Qihoo 360 cloud security team)
+[Bug 2978] (CVE-2016-1548) Interleave-pivot (Credit: Miroslav Lichvar of
+  RedHat and Jonathan Gardner of Cisco ASIG)
+
+The following non-security fixes have been
+forward-ported from Classic:
 
 [Bug 2772] adj_systime overflows tv_usec
 [Bug 2814] msyslog deadlock when signaled.
 [Bug 2829] Look at pipe_fds in ntpd.c
 [Bug 2887] fudge stratum only accepts values [0..16].
-[Bug 2937] (NTPQ) nextvar() missing length check
 [Bug 2958] ntpq: fatal error messages need a final newline.
 [Bug 2965] Local clock didn't work since 4.2.8p4.
 [Bug 2969] Segfault from ntpq/mrulist when looking at server with lots of clients
 
+We regard NTP Classic's [Bug 3012] (CVE-2016-1549) Sybil
+vulnerability: ephemeral association attack (Credit: Matthew van Gundy
+of Cisco ASIG) as a duplicate of CVE-2015-7974 (see 0.9.1 release
+notes) and it is WONTFIX for the time being: it is
+correct-but-unfortunate behavior consequent to confusing and
+inflexible semantics of ntp.conf's acesss control language, and we
+will address it with a future redesign effort. NTP Classic has
+partially addressed this pair of issues by extending the syntax of
+ntp.keys to support IP ACLing. We are not currently aware of any
+demand for this feature among NTPsec users and have no plans to
+implement it; if you have a need for it, please file a bug at
+https://gitlab.com/groups/NTPsec/issues to let us know you're out
+there.
+
+The remainder of the security issues patched in NTP Classic 4.2.8p7
+either are not believed to impact NTPsec or were already fixed in a
+previous release.
+
 == 2016-03-15: 0.9.2 ==
 
 Point release.
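Review bot: two spelling fixes in the added WONTFIX paragraph: `ntp.conf's acesss control language` should read `access control language`, and `Matt Street et. al.` should be `et al.`. Since CVE-2016-1549 is explicitly marked WONTFIX, this paragraph should also tell operators what they can do in the meantime, e.g. which ntp.conf access-control settings limit exposure to the ephemeral-association attack, rather than only pointing at the future redesign. Dropping the `[Bug 2937]` line is consistent with the commit message (already fixed in 0.9.1), but the 0.9.1 section should then carry that entry so the fix history stays findable.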
@@ -46,7 +74,7 @@ Point release for security. Fixes:
 * CVE-2015-8139: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp
   to Unauthenticated Clients (Matthew van Gundy)
 * CVE-2015-8158: Potential Infinite Loop in ntpq (Jonathan Gardner)
-* Timing attack on MAC verification (Daniel Franke)
+* CVE-2016-1550: Timing attack on MAC verification (Daniel Franke)
 * Missing length checks in decodearr() and outputarr() (Daniel Franke)
 
 Two additional security issues have been reported to us for which we
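Review bot: adding CVE-2016-1550 to the MAC-verification timing-attack entry brings it in line with the other entries in this list, but the entry directly below it, `Missing length checks in decodearr() and outputarr()`, still has no CVE or bug reference; if an identifier was assigned it should be added here too, and if none was, say so, so readers can tell "no identifier assigned" from "identifier omitted".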



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/737e1b94e7c67d296b62c8a5070cd820bf2e75cd...b874b5fba2d29947674a88ef542dd3df260cbc44