[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-13817 as not affecting ntpsec source wise
Salvatore Bonaccorso
carnil at debian.org
Fri Aug 14 20:20:26 BST 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ad3ccc0f by Salvatore Bonaccorso at 2020-08-14T21:18:00+02:00
Mark CVE-2020-13817 as not affecting ntpsec source wise
ntpsec implements/covers already
<https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-04>.
Quoting the upstream answer:
> That bug talks about feeding bogus time to a system by guessing the transmit
> time stamp.
>
> When ntpd gets a response, it drops responses where the time-stamp it sent
> doesn't match the corresponding slot in the reply. The idea is that most of
> the bits in that slot are predictable so an off path attacker has a good
> chance of getting a bogus response through by guessing the value the server is
> expecting.
>
> There is a draft in the pipeline:
> https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-04
> We implement that.
>
> I don't know if the authors considered this particular case, but they covered
> it. We send a random value in that slot (and keep the time in our back
> pocket) so similar attacks are unlikley to work
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -22395,11 +22395,11 @@ CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remo
[buster] - ntp <ignored> (Minor issue)
[stretch] - ntp <ignored> (Minor issue)
[jessie] - ntp <ignored> (Too intrusive to backport, requires new configuration)
+ - ntpsec <not-affected> (Doesn't affect ntpsec per upstream, #964395)
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596
NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596
NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e312021VVVkyioYBR_aeIP1LqMCVg (4.2.8p14)
NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e4a536dzxRWAzMw-KsKjm04l6joNA (4.2.8p14)
- TODO: check ntpsec, cf. #964395
CVE-2020-13816
REJECTED
CVE-2020-13815 (An issue was discovered in Foxit Reader and PhantomPDF before 9.7.1. I ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3ccc0fd9b446ad086d00bb1575ade6e80afb51
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad3ccc0fd9b446ad086d00bb1575ade6e80afb51
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20200814/d93a6f6e/attachment.html>
More information about the debian-security-tracker-commits
mailing list