This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu6
---------------
ntp (1:4.2.8p4+dfsg-3ubuntu6) yakkety; urgency=medium
* SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
- debian/patches/CVE-2015-7973.patch: improve timestamp verification in
include/ntp.h, ntpd/ntp_proto.c.
- CVE-2015-7973
* SECURITY UPDATE: impersonation between authenticated peers
- debian/patches/CVE-2015-7974.patch: check key ID in ntpd/ntp_proto.c.
- CVE-2015-7974
* SECURITY UPDATE: ntpq buffer overflow
- debian/patches/CVE-2015-7975.patch: add length check to ntpq/ntpq.c.
- CVE-2015-7975
* SECURITY UPDATE: ntpq saveconfig command allows dangerous characters in
filenames
- debian/patches/CVE-2015-7976.patch: check filename in
ntpd/ntp_control.c.
- CVE-2015-7976
* SECURITY UPDATE: restrict list denial of service
- debian/patches/CVE-2015-7977-7978.patch: improve restrict list
processing in ntpd/ntp_request.c.
- CVE-2015-7977
- CVE-2015-7978
* SECURITY UPDATE: authenticated broadcast mode off-path denial of
service
- debian/patches/CVE-2015-7979.patch: add more checks to
ntpd/ntp_proto.c.
- CVE-2015-7979
- CVE-2016-1547
* SECURITY UPDATE: Zero Origin Timestamp Bypass
- debian/patches/CVE-2015-8138.patch: check p_org in ntpd/ntp_proto.c.
- CVE-2015-8138
* SECURITY UPDATE: potential infinite loop in ntpq
- debian/patches/CVE-2015-8158.patch: add time checks to ntpdc/ntpdc.c,
ntpq/ntpq.c.
- CVE-2015-8158
* SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
- debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
- CVE-2016-0727
* SECURITY UPDATE: time spoofing via interleaved symmetric mode
- debian/patches/CVE-20xx-xxxx.patch: check for bogus packets in
ntpd/ntp_proto.c.
- CVE-2016-1548
* SECURITY UPDATE: buffer comparison timing attacks
- debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in
libntp/a_md5encrypt.c, sntp/crypto.c.
- CVE-2016-1550
* SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
- debian/patches/CVE-2016-2516.patch: improve logic in
ntpd/ntp_request.c.
- CVE-2016-2516
* SECURITY UPDATE: denial of service via crafted addpeer
- debian/patches/CVE-2016-2518.patch: check mode value in
ntpd/ntp_request.c.
- CVE-2016-2518
-- Marc Deslauriers <marc.deslauri...@ubuntu.com> Wed, 01 Jun 2016
08:38:07 -0400
** Changed in: ntp (Ubuntu)
Status: Triaged => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7973
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7974
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7975
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7976
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7977
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7978
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-7979
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-8138
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-8158
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1547
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1548
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-1550
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2516
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-2518
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1528050
Title:
NTP statsdir cleanup cronjob insecure
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
