security issues in ntp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ntp (Ubuntu) | Fix Released | Medium | Unassigned |
Lucid | Fix Released | Medium | Marc Deslauriers |
Precise | Fix Released | Medium | Marc Deslauriers |
Trusty | Fix Released | Medium | Marc Deslauriers |
Utopic | Fix Released | Medium | Marc Deslauriers |

Bug Description
http://
lists 4 issues:

Buffer overflow in crypto_recv()
References: Sec 2667 / CVE-2014-9295 / VU#852879
CVSS: (AV:N/AC:
Versions: All releases before 4.2.8
Date Resolved: Stable (4.2.8) 18 Dec 2014

Buffer overflow in ctl_putdata()
References: Sec 2668 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:
Date Resolved: Stable (4.2.8) 18 Dec 2014

Buffer overflow in configure()
References: Sec 2669 / CVE-2014-9295 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:
Date Resolved: Stable (4.2.8) 18 Dec 2014

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
Versions: All NTP4 releases before 4.2.8
CVSS: (AV:N/AC:
Date Resolved: Stable (4.2.8) 18 Dec 2014

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: ntp 1:4.2.6.
ProcVersionSign
Uname: Linux 3.13.0-
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Sun Dec 21 13:24:35 2014
InstallationDate: Installed on 2012-08-23 (849 days ago)
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
KernLog:
SourcePackage: ntp
UpgradeStatus: Upgraded to trusty on 2014-03-02 (293 days ago)
modified.
mtime.conffile.

Thanks for the bug. These issues are being tracked here:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9293.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9294.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9295.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9296.html
and there are test packages here:
https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages
Note: Ubuntu has mitigations in the default install that lessen the severity of two of the CVEs.