security issues in ntp

Bug #1404648 reported by Ralf Hildebrandt on 2014-12-21
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ntp (Ubuntu) | | Medium | Unassigned | |
| Lucid | | Medium | Marc Deslauriers | |
| Precise | | Medium | Marc Deslauriers | |
| Trusty | | Medium | Marc Deslauriers | |
| Utopic | | Medium | Marc Deslauriers | |

Bug Description

http://support.ntp.org/bin/view/Main/SecurityNotice
lists 4 issues:

Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014

Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014

Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
Date Resolved: Stable (4.2.8) 18 Dec 2014

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
Date Resolved: Stable (4.2.8) 18 Dec 2014

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: ntp 1:4.2.6.p5+dfsg-3ubuntu2
ProcVersionSignature: Ubuntu 3.13.0-39.66-lowlatency 3.13.11.8
Uname: Linux 3.13.0-39-lowlatency x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Sun Dec 21 13:24:35 2014
InstallationDate: Installed on 2012-08-23 (849 days ago)
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
KernLog:

SourcePackage: ntp
UpgradeStatus: Upgraded to trusty on 2014-03-02 (293 days ago)
modified.conffile..etc.ntp.conf: [modified]
mtime.conffile..etc.ntp.conf: 2014-06-02T17:06:11.921841

Jamie Strandboge (jdstrand) wrote :
information type: Private Security → Public Security
Changed in ntp (Ubuntu):
status: New → In Progress
Changed in ntp (Ubuntu Lucid):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ntp (Ubuntu Precise):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ntp (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ntp (Ubuntu Utopic):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in ntp (Ubuntu):
status: In Progress → Triaged
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :
Changed in ntp (Ubuntu Lucid):
status: In Progress → Fix Released
Changed in ntp (Ubuntu Precise):
status: In Progress → Fix Released
Changed in ntp (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in ntp (Ubuntu Utopic):
status: In Progress → Fix Released
Changed in ntp (Ubuntu):
status: Triaged → Fix Released