[Secure-testing-commits] r42677 - data/CVE

Moritz Muehlenhoff jmm at moszumanska.debian.org
Tue Jun 21 18:15:20 UTC 2016


Author: jmm
Date: 2016-06-21 18:15:20 +0000 (Tue, 21 Jun 2016)
New Revision: 42677

Modified:
   data/CVE/list
Log:
more ntp triage


Modified: data/CVE/list
===================================================================
--- data/CVE/list	2016-06-21 17:44:22 UTC (rev 42676)
+++ data/CVE/list	2016-06-21 18:15:20 UTC (rev 42677)
@@ -2423,6 +2423,7 @@
 CVE-2016-4953
 	RESERVED
 	- ntp 1:4.2.8p8+dfsg-1
+	[jessie] - ntp <not-affected> (Fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported)
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3045
 CVE-2016-5117 [OpenNTPD not verifying CN during HTTPS constraints request]
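Review bot: The reason on the added [jessie] line for CVE-2016-4953 is ambiguous. "Fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported" does not say which of the two fixes matters, and it leaves the reader to infer that the affected code only exists once that fix is applied. Suggest naming the one responsible fix, or writing "neither ... nor ..." if both were checked, and saying explicitly that the vulnerable code is introduced by it, so the status can be re-evaluated if that fix is later backported to jessie.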
@@ -9344,6 +9345,7 @@
 CVE-2016-2519 [ctl_getitem() return value not always checked]
 	RESERVED
 	- ntp 1:4.2.8p7+dfsg-1
+	[jessie] - ntp <no-dsa> (Minor issue)
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
 CVE-2016-2518 [Crafted addpeer with hmode > 7 causes out-of-bounds reference]
 	RESERVED
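Review bot: CVE-2016-2519 gets only a [jessie] <no-dsa> line here, while the CVE-2016-1549 hunk in this same commit tags both [jessie] and [wheezy] with the same "Minor issue" reason. If wheezy was triaged with the same result, add the matching [wheezy] line here; if it was left open on purpose, a short NOTE saying so would keep the entry from looking half-triaged.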
@@ -9352,9 +9354,10 @@
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
 CVE-2016-2517 [Remote configuration trustedkey/requestkey/controlkey values are not properly validated]
 	RESERVED
-	- ntp 1:4.2.8p7+dfsg-1
-	NOTE: CVE-2016-2517 is for a regression caused by the patch for CVE-2016-2516
+	- ntp 1:4.2.8p7+dfsg-1 (unimportant)
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
+	NOTE: not a security issue, anyone with the privileges for remote configuration can
+	NOTE: cause trouble anyway
 CVE-2016-2516 [Duplicate IPs on unconfig directives will cause an assertion failure]
 	RESERVED
 	- ntp 1:4.2.8p7+dfsg-1
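Review bot: The removed line "NOTE: CVE-2016-2517 is for a regression caused by the patch for CVE-2016-2516" under CVE-2016-2517 is provenance that the new (unimportant) rationale does not replace. Suggest keeping it next to the two new NOTE lines, since it ties this entry to the CVE-2016-2516 entry directly below and tells anyone backporting that patch what it brings along. The new rationale could also be one NOTE line rather than a sentence split across two.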
@@ -12928,8 +12931,9 @@
 CVE-2016-1549 [Sybil attack with trustedkey]
 	RESERVED
 	- ntp 1:4.2.8p7+dfsg-1
+	[jessie] - ntp <no-dsa> (Minor issue)
+	[wheezy] - ntp <no-dsa> (Minor issue)
 	NOTE: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
-	TODO: check
 CVE-2016-1548 [Change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.]
 	RESERVED
 	- ntp 1:4.2.8p7+dfsg-1
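Review bot: On CVE-2016-1549 the "TODO: check" line is dropped and both [jessie] and [wheezy] are set to <no-dsa> (Minor issue), but nothing records what the check concluded. Suggest adding a one-line NOTE with the reason the trustedkey Sybil attack is considered minor for these releases, in the same way the CVE-2016-2517 hunk explains its (unimportant) tag.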



