[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-13817 as not affecting ntpsec source wise

Salvatore Bonaccorso carnil at debian.org
Fri Aug 14 20:20:26 BST 2020 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ad3ccc0f by Salvatore Bonaccorso at 2020-08-14T21:18:00+02:00
Mark CVE-2020-13817 as not affecting ntpsec source wise

ntpsec implements/covers already
<https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-04>.
Quoting the upstream answer:

	> That bug talks about feeding bogus time to a system by guessing the transmit
	> time stamp.
	>
	> When ntpd gets a response, it drops responses where the time-stamp it sent
	> doesn't match the corresponding slot in the reply.  The idea is that most of
	> the bits in that slot are predictable so an off path attacker has a good
	> chance of getting a bogus response through by guessing the value the server is
	> expecting.
	>
	> There is a draft in the pipeline:
	>   https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-04
	> We implement that.
	>
	> I don't know if the authors considered this particular case, but they covered
	> it.  We send a random value in that slot (and keep the time in our back
	> pocket) so similar attacks are unlikley to work

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -22395,11 +22395,11 @@ CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remo
 	[buster] - ntp <ignored> (Minor issue)
 	[stretch] - ntp <ignored> (Minor issue)
 	[jessie] - ntp <ignored> (Too intrusive to backport, requires new configuration)
+	- ntpsec <not-affected> (Doesn't affect ntpsec per upstream, #964395)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596
 	NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596
 	NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e312021VVVkyioYBR_aeIP1LqMCVg (4.2.8p14)
 	NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e4a536dzxRWAzMw-KsKjm04l6joNA (4.2.8p14)
-	TODO: check ntpsec, cf. #964395
 CVE-2020-13816
 	REJECTED
 CVE-2020-13815 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.1. I ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3ccc0fd9b446ad086d00bb1575ade6e80afb51

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3ccc0fd9b446ad086d00bb1575ade6e80afb51
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200814/d93a6f6e/attachment.html>

More information about the debian-security-tracker-commits mailing list