[Pkg-rust-maintainers] Bug#1112511: rust-ntpd: CVE-2025-58066

Salvatore Bonaccorso carnil at debian.org
Sat Aug 30 10:46:31 BST 2025


Source: rust-ntpd
Version: 1.4.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for rust-ntpd.

CVE-2025-58066[0]:
| nptd-rs is a tool for synchronizing your computer's clock,
| implementing the NTP and NTS protocols. In versions between 1.2.0
| and 1.6.1 inclusive servers which allow non-NTS traffic are affected
| by a denial of service vulnerability, where an attacker can induce a
| message storm between two NTP servers running ntpd-rs. Client-only
| configurations are not affected. Affected users are recommended to
| upgrade to version 1.6.2 as soon as possible.

While the issue seems to affect versions starting 1.2.0 the
cherry-picked commit might not be suitable for 1.4.0, so updating
unstable to 1.6.2 might be just better.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58066
    https://www.cve.org/CVERecord?id=CVE-2025-58066
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-4855-q42w-5vr4
[2] https://github.com/pendulum-project/ntpd-rs/commit/da37cf167736cbd4d7804b1ed7ceb572468298e0

Regards,
Salvatore
