Vulnerable NTP package on Ubuntu slave nodes

Bug #1663135 reported by Adam Heczko
Affects: Mirantis OpenStack
Status: Fix Released
Importance: High
Assigned to: MOS Linux

Bug Description

The NTP package on Ubuntu slave nodes is vulnerable.
https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-October/003579.html

BTW, I'm curious why we are providing our own NTP rather than using the Ubuntu-delivered ones?

apt-cache policy ntp
ntp:
  Installed: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Candidate: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Version table:
 *** 2:4.2.6.p5+dfsg-3~u14.04+mos1 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/ mos9.0-updates/main amd64 Packages
       1050 http://10.20.16.2:8080/mitaka-9.0/ubuntu/x86_64/ mos9.0/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1:4.2.6.p5+dfsg-3ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

root@node-22:~# apt-cache policy ntpdate
ntpdate:
  Installed: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Candidate: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Version table:
 *** 2:4.2.6.p5+dfsg-3~u14.04+mos1 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/ mos9.0-updates/main amd64 Packages
       1050 http://10.20.16.2:8080/mitaka-9.0/ubuntu/x86_64/ mos9.0/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
     1:4.2.6.p5+dfsg-3ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
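
The policy output above shows why the Ubuntu security build is never selected: the MOS repository is pinned at 1050 and its package carries epoch 2, while the trusty-security build has pin 500 and epoch 1. The following Python code is an added example, not part of the original report or of any Mirantis tooling; it parses such output and flags versions from a `-security` pocket that apt will not pick. The function names and the `-security/` substring heuristic are assumptions.

```python
# Constructed sample: `apt-cache policy ntp` output, abridged from the bug description.
SAMPLE = """\
ntp:
  Installed: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Candidate: 2:4.2.6.p5+dfsg-3~u14.04+mos1
  Version table:
 *** 2:4.2.6.p5+dfsg-3~u14.04+mos1 0
       1050 http://mirror.fuel-infra.org/mos-repos/ubuntu/9.0/ mos9.0-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 0
        500 http://archive.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
     1:4.2.6.p5+dfsg-3ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages
"""

def parse_policy(text):
    """Parse `apt-cache policy <pkg>` output into candidate and per-version sources."""
    info = {"installed": None, "candidate": None, "versions": {}}
    current = None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] in ("Installed:", "Candidate:") and len(tok) == 2:
            info[tok[0][:-1].lower()] = tok[1]
            continue
        if tok[0] == "***":  # marker in front of the installed version
            tok = tok[1:]
        if len(tok) == 2 and tok[1].lstrip("-").isdigit():  # "<version> <prio>"
            current = info["versions"].setdefault(tok[0], [])
        elif current is not None and tok[0].lstrip("-").isdigit():  # "<pin> <source>"
            current.append((int(tok[0]), " ".join(tok[1:])))
    return info

def epoch(version):
    """Debian epoch: the integer before the first ':' (0 when absent)."""
    head, sep, _ = version.partition(":")
    return int(head) if sep and head.isdigit() else 0

def shadowed_security_versions(info):
    """Versions offered by a '-security' pocket that are not apt's candidate."""
    cand = info["candidate"]
    cand_pin = max((p for p, _ in info["versions"].get(cand, [])), default=0)
    findings = []
    for ver, sources in info["versions"].items():
        sec_pins = [p for p, s in sources if "-security/" in s]
        if ver != cand and sec_pins:
            findings.append({"version": ver, "pin": max(sec_pins),
                             "candidate": cand, "candidate_pin": cand_pin,
                             "epoch_masks_update": epoch(cand) > epoch(ver)})
    return findings
```

A finding means the distribution's security pocket is overridden by another repository, so fixes for that package must come from that repository; it does not by itself prove the candidate build is unpatched.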

Changed in mos:
assignee: nobody → MOS Maintenance (mos-maintenance)
Anton Matveev (amatveev)
tags: added: customer-found sla1
Changed in mos:
assignee: MOS Maintenance (mos-maintenance) → MOS Linux (mos-linux)
Changed in mos:
status: New → Confirmed
tags: added: area-linux
Ivan Suzdal (isuzdal)
Changed in mos:
status: Confirmed → In Progress
Changed in mos:
milestone: 9.x-updates → 9.2-mu-1
Changed in mos:
status: In Progress → Fix Committed
Ekaterina Shutova (eshutova) wrote:

Verified on 9.2 mu1 updates.
New package installed:
ntp:
  Installed: 2:4.2.6.p5+dfsg-3~u14.04+mos3
ntpdate:
  Installed: 2:4.2.6.p5+dfsg-3~u14.04+mos3

Changed in mos:
status: Fix Committed → Fix Released
information type: Private Security → Public Security
This report contains Public Security information  
Everyone can see this security related information.