ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296

Debian Bug report logs - #773576


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 20 Dec 2014 05:39:07 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 773575

Found in version ntp/1:4.2.6.p2+dfsg-1

Fixed in versions ntp/1:4.2.6.p5+dfsg-2+deb7u1, ntp/1:4.2.6.p2+dfsg-1+deb6u1, ntp/1:4.2.6.p5+dfsg-3.2

Done: <noahm@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#773576; Package src:ntp. (Sat, 20 Dec 2014 05:39:12 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sat, 20 Dec 2014 05:39:12 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Date: Sat, 20 Dec 2014 06:37:02 +0100
Source: ntp
Version: 1:4.2.6.p2+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream

Hi,

the following vulnerabilities were published for ntp.

CVE-2014-9293[0]:
automatic generation of weak default key in config_auth()

CVE-2014-9294[1]:
ntp-keygen uses weak random number generator and seed when generating MD5 keys

CVE-2014-9295[2]:
Multiple buffer overflows via specially-crafted packets

CVE-2014-9296[3]:
receive() missing return on error

The corresponding Red Hat bugzilla entries also contain some more
information.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9293
[1] https://security-tracker.debian.org/tracker/CVE-2014-9294
[2] https://security-tracker.debian.org/tracker/CVE-2014-9295
[3] https://security-tracker.debian.org/tracker/CVE-2014-9296

Regards,
Salvatore



Marked as fixed in versions ntp/1:4.2.6.p5+dfsg-2+deb7u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Dec 2014 20:45:10 GMT)


Marked as fixed in versions ntp/1:4.2.6.p2+dfsg-1+deb6u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 20 Dec 2014 21:36:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#773576; Package src:ntp. (Sun, 21 Dec 2014 18:03:12 GMT)


Acknowledgement sent to Christoph Anton Mitterer <calestyo@scientia.net>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sun, 21 Dec 2014 18:03:12 GMT)


Message #14 received at 773576@bugs.debian.org:

From: Christoph Anton Mitterer <calestyo@scientia.net>
To: 773576@bugs.debian.org
Subject: Re: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Date: Sun, 21 Dec 2014 18:59:10 +0100
What about fixes for unstable?

Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#773576; Package src:ntp. (Sun, 21 Dec 2014 18:09:07 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sun, 21 Dec 2014 18:09:07 GMT)


Message #19 received at 773576@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 773576@bugs.debian.org
Subject: Re: Bug#773576: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Date: Sun, 21 Dec 2014 13:05:04 -0500
On Sun, Dec 21, 2014 at 12:59 PM, Christoph Anton Mitterer wrote:
> What about fixes for unstable?

What about asking for an RFS?

Best wishes,
Mike



Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#773576; Package src:ntp. (Sun, 21 Dec 2014 18:21:04 GMT)


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sun, 21 Dec 2014 18:21:04 GMT)


Message #24 received at 773576@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 773576@bugs.debian.org
Subject: Re: Bug#773576: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Date: Sun, 21 Dec 2014 10:16:37 -0800
On Sun, Dec 21, 2014 at 01:05:04PM -0500, Michael Gilbert wrote:
> > What about fixes for unstable?
> 
> What about asking for an RFS?

I'm putting an NMU targeting sid/jessie together now. Unless someone
beats me to it, I should be uploading today.

noah


Information forwarded to debian-bugs-dist@lists.debian.org, Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>:
Bug#773576; Package src:ntp. (Sun, 21 Dec 2014 19:27:04 GMT)


Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>. (Sun, 21 Dec 2014 19:27:04 GMT)


Message #29 received at 773576@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: Michael Gilbert <mgilbert@debian.org>, 773576@bugs.debian.org
Subject: Re: Bug#773576: ntp: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Date: Sun, 21 Dec 2014 11:25:27 -0800
On Sun, Dec 21, 2014 at 10:16:37AM -0800, Noah Meyerhans wrote:
> I'm putting an NMU targeting sid/jessie together now. Unless someone
> beats me to it, I should be uploading today.

Not sure why, but I don't have commit access to the ntp svn repo. Going
to upload anyway, and will follow up with svn after. For the record, the
diff is attached. Since the upstream version is unchanged between wheezy
and sid, the patches from stable applied directly to unstable.

 changelog                               |   11 +++++++++
 patches/ntp-4.2.6p5-cve-2014-9293.patch |   37 ++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9294.patch |  111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9295.patch |  107 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 patches/ntp-4.2.6p5-cve-2014-9296.patch |   15 ++++++++++++
 patches/series                          |    4 +++
 6 files changed, 285 insertions(+)


[ntp-1:4.2.6.p5+dfsg-5.diff (text/x-diff, attachment)]

Reply sent to <noahm@debian.org>:
You have taken responsibility. (Sun, 21 Dec 2014 22:09:14 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 21 Dec 2014 22:09:14 GMT)


Message #34 received at 773576-close@bugs.debian.org:

From: <noahm@debian.org>
To: 773576-close@bugs.debian.org
Subject: Bug#773576: fixed in ntp 1:4.2.6.p5+dfsg-3.2
Date: Sun, 21 Dec 2014 22:05:29 +0000
Source: ntp
Source-Version: 1:4.2.6.p5+dfsg-3.2

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 773576@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
noahm@debian.org (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 21 Dec 2014 12:01:50 -0800
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source all amd64
Version: 1:4.2.6.p5+dfsg-3.2
Distribution: unstable
Urgency: medium
Maintainer: Debian NTP Team <pkg-ntp-maintainers@lists.alioth.debian.org>
Changed-By: noahm@debian.org
Description:
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Closes: 773576
Changes:
 ntp (1:4.2.6.p5+dfsg-3.2) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Apply fixes for security updates (Closes: 773576)
     - cve-2014-9293
     - cve-2014-9294
     - cve-2014-9295
     - cve-2014-9296


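As an added check that is not part of the bug report or the ntp package: given the fixed versions this log names (1:4.2.6.p2+dfsg-1+deb6u1, 1:4.2.6.p5+dfsg-2+deb7u1 and the 1:4.2.6.p5+dfsg-3.2 NMU), the Python below re-implements dpkg's version ordering (epoch, then upstream, then Debian revision, with `~` sorting before everything) so an installed ntp version string can be compared against them on a host without dpkg. The suite labels are assumptions: deb6 = squeeze, deb7 = wheezy, and the 3.2 upload closed the bug in unstable.

```python
# Added example, not code from the bug report or ntp. Suite labels are assumptions
# (deb6 = squeeze, deb7 = wheezy, the 3.2 NMU closed the bug in unstable).
import re
from itertools import zip_longest

FIXED_VERSIONS = {
    "squeeze": "1:4.2.6.p2+dfsg-1+deb6u1",
    "wheezy": "1:4.2.6.p5+dfsg-2+deb7u1",
    "unstable": "1:4.2.6.p5+dfsg-3.2",
}

def _order(c):
    # dpkg weight of one character: '~' sorts before everything, even end of string (0)
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Compare (non-digit run, digit run) pairs in turn, as dpkg's verrevcmp() does
    pairs_a = re.findall(r"(\D*)(\d*)", a)
    pairs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(pairs_a, pairs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def parse_version(v):
    # '[epoch:]upstream[-revision]': first ':' ends the epoch, last '-' starts the revision
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return epoch, upstream, revision

def compare_versions(a, b):
    # -1, 0 or 1, ordered like dpkg --compare-versions (epoch, then upstream, then revision)
    for x, y in zip(parse_version(a), parse_version(b)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0

def is_fixed(installed, suite):
    # True when the installed ntp version is at or above the suite's fixed version
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0
```

Where dpkg is present the same question is answered by `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' ntp)" ge 1:4.2.6.p5+dfsg-3.2`; the point of the re-implementation is to run the check from inventory data collected elsewhere.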



Merged 773575 773576 Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 22 Dec 2014 07:36:37 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jan 2015 07:28:39 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:34:42 2019; Machine Name: buxtehude
