Package: ntp
Version: 1:4.2.8p4+dfsg-3
Severity: wishlist

Dear Maintainer,

NTP version ntp-4.2.8p6 is available upstream and includes fixes for 9 CVEs listed below. Though they are mostly minor, the cumulative effect of removing these from our stream would be beneficial. We should consider updating ntp in sid/stretch to incorporate these security fixes.

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

CVEs listed as fixed in upstream:

CVE-2015-8158: Potential Infinite Loop in ntpq
CVE-2015-8138: origin: Zero Origin Timestamp Bypass
CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
CVE-2015-7977: reslist NULL pointer dereference
CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
CVE-2015-7975: nextvar() missing length check
CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers
CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode

--
Nicholas Luedtke
HPE Linux, Hewlett-Packard Enterprise