oss-sec mailing list archives

Re: ntp security release today

From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 07 Apr 2015 10:49:21 -0600

On 04/07/2015 09:48 AM, Marcus Meissner wrote:

Hi,

ntp.org has released ntp advisories today, CVE-2015-1798 and CVE-2015-1799, CERT VU#374268

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

CVE-2015-1798 seems version limited to
Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses 
symmetric keys to authenticate remote associations. .

Ciao, Marcus


Was just about to post a note about this, you beat me to it =)

These issues were discovered by Miroslav Lichvár of Red Hat, more info
in our BZ's:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1798
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1799

Also note that CVE-2015-1799 also affects chrony, different code base so
different CVE:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1853

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

ntp security release today Marcus Meissner (Apr 07)
- Re: ntp security release today Kurt Seifried (Apr 07)