ntp: CVE-2016-0727: NTP statsdir cleanup cronjob insecure

Related Vulnerabilities: CVE-2016-0727  

Debian Bug report logs - #839998

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 7 Oct 2016 11:12:02 UTC

Severity: normal

Tags: patch, security

Found in version ntp/1:4.2.6.p5+dfsg-2

Fixed in versions ntp/1:4.2.8p8+dfsg-1.1, ntp/1:4.2.8p9+dfsg-2

Done: Kurt Roeckx <kurt@roeckx.be>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#839998; Package src:ntp. (Fri, 07 Oct 2016 11:12:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Fri, 07 Oct 2016 11:12:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntp: CVE-2016-0727: NTP statsdir cleanup cronjob insecure
Date: Fri, 07 Oct 2016 13:09:50 +0200
Source: ntp
Version: 1:4.2.6.p5+dfsg-2
Severity: normal
Tags: security patch

Hi,

the following vulnerability was published for ntp.

CVE-2016-0727[0]:
NTP statsdir cleanup cronjob insecure

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-0727
[1] http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#839998; Package src:ntp. (Sat, 08 Oct 2016 17:45:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sat, 08 Oct 2016 17:45:02 GMT).


Message #10 received at 839998@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 839998@bugs.debian.org
Subject: ntp: diff for NMU version 1:4.2.8p8+dfsg-1.1
Date: Sat, 8 Oct 2016 19:40:21 +0200
Control: tags 839998 + pending

Hi Kurt and Peter,

I've prepared an NMU for ntp (versioned as 1:4.2.8p8+dfsg-1.1) and
uploaded it to DELAYED/10. Please feel free to tell me if I
should delay it longer.

I would like to see this fixed, since it's the only remaining CVE
unfixed in unstable for src:ntp at the moment.

Regards,
Salvatore
[ntp-4.2.8p8+dfsg-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 839998-submit@bugs.debian.org. (Sat, 08 Oct 2016 17:45:03 GMT).


Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Tue, 18 Oct 2016 19:00:09 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 18 Oct 2016 19:00:10 GMT).


Message #17 received at 839998-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 839998-close@bugs.debian.org
Subject: Bug#839998: fixed in ntp 1:4.2.8p8+dfsg-1.1
Date: Tue, 18 Oct 2016 18:57:09 +0000
Source: ntp
Source-Version: 1:4.2.8p8+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 08 Oct 2016 19:32:52 +0200
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: all source
Version: 1:4.2.8p8+dfsg-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 839998
Description: 
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Changes:
 ntp (1:4.2.8p8+dfsg-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-0727: NTP statsdir cleanup cronjob insecure (Closes: #839998)
     (LP: #1528050)




Reply sent to Kurt Roeckx <kurt@roeckx.be>:
You have taken responsibility. (Mon, 21 Nov 2016 19:21:04 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 21 Nov 2016 19:21:05 GMT).


Message #22 received at 839998-close@bugs.debian.org:

From: Kurt Roeckx <kurt@roeckx.be>
To: 839998-close@bugs.debian.org
Subject: Bug#839998: fixed in ntp 1:4.2.8p9+dfsg-2
Date: Mon, 21 Nov 2016 19:19:48 +0000
Source: ntp
Source-Version: 1:4.2.8p9+dfsg-2

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839998@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kurt Roeckx <kurt@roeckx.be> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 21 Nov 2016 20:09:17 +0100
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source
Version: 1:4.2.8p9+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Changed-By: Kurt Roeckx <kurt@roeckx.be>
Description:
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Closes: 839998
Changes:
 ntp (1:4.2.8p9+dfsg-2) unstable; urgency=medium
 .
   * CVE-2016-0727: NTP statsdir cleanup cronjob insecure (Closes: #839998)
     Patch by Salvatore Bonaccorso <carnil@debian.org>. Patch was dropped
     in 1:4.2.8p9+dfsg-1.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 09:56:31 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:23:05 2019; Machine Name: buxtehude
