[Pkg-rust-maintainers] Bug#1127929: rust-ntp-proto: CVE-2026-26076
Salvatore Bonaccorso
carnil at debian.org
Sat Feb 14 12:59:24 GMT 2026
Source: rust-ntp-proto
Version: 1.6.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for rust-ntp-proto.
CVE-2026-26076[0]:
| ntpd-rs is a full-featured implementation of the Network Time
| Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
| increases (2-4 times above normal) in cpu usage. When having NTS
| enabled on an ntpd-rs server, an attacker can create malformed NTS
| packets that take significantly more effort for the server to
| respond to by requesting a large number of cookies. This can lead to
| degraded server performance even when a server could otherwise
| handle the load. This vulnerability is fixed in 1.7.1.
rust-ntpd then needs to be rebuilt after fixing rust-ntp-proto, right?
IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
in trixie via the next point release might be good to have, and taking
care of asking SRM to rebuild as well rust-ntpd with the fixed
version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26076
https://www.cve.org/CVERecord?id=CVE-2026-26076
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
[2] https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
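As an added illustration of the defensive idea behind the advisory quoted above (an NTS request that asks for many cookies costs the server far more than it costs the client to send), the following Python is not part of this bug report, of ntpd-rs, or of the upstream fix; it assumes the RFC 7822 extension-field layout and the RFC 8915 NTS Cookie Placeholder type (0x0304), and the cap of seven placeholders is the RFC's client-side guidance reused here as an illustrative server-side limit, not a description of what commit fa73af14 changed. The point it shows is cheap early rejection: count placeholders before any per-cookie work is done, and stop counting as soon as the limit is passed.

```python
import struct

NTP_HEADER_LEN = 48              # fixed NTPv4 header (RFC 5905)
EF_COOKIE_PLACEHOLDER = 0x0304   # NTS Cookie Placeholder EF type (RFC 8915 s5.7)
MAX_PLACEHOLDERS = 7             # RFC 8915: clients SHOULD NOT send more than 7


def iter_extension_fields(packet: bytes):
    """Yield (type, body) for each RFC 7822 extension field after the header.

    Each field is a 2-byte type and a 2-byte length that includes the 4-byte
    header, padded to a multiple of 4. A length that is too small, unaligned,
    or runs past the end of the packet aborts parsing with ValueError."""
    off = NTP_HEADER_LEN
    while off + 4 <= len(packet):
        ef_type, ef_len = struct.unpack_from("!HH", packet, off)
        if ef_len < 4 or ef_len % 4 or off + ef_len > len(packet):
            raise ValueError(f"malformed extension field at offset {off}")
        yield ef_type, packet[off + 4:off + ef_len]
        off += ef_len


def placeholder_count(packet: bytes, limit: int = MAX_PLACEHOLDERS) -> int:
    """Count NTS Cookie Placeholder fields, returning early once `limit` is
    exceeded so an oversized request is rejected before the server spends
    any cryptographic effort (cookie decryption, cookie generation) on it."""
    count = 0
    for ef_type, _ in iter_extension_fields(packet):
        if ef_type == EF_COOKIE_PLACEHOLDER:
            count += 1
            if count > limit:
                return count
    return count


def should_reject(packet: bytes, limit: int = MAX_PLACEHOLDERS) -> bool:
    """True if the request asks for more cookies than `limit` or is malformed."""
    try:
        return placeholder_count(packet, limit) > limit
    except ValueError:
        return True


def build_request(n_placeholders: int, cookie_len: int = 100) -> bytes:
    """Constructed sample (hypothetical, simplified): a bare NTP client header
    followed by n zero-filled placeholder fields, each the size of a cookie.
    A real NTS request also carries Unique Identifier, Cookie and
    Authenticator fields, which are omitted here."""
    header = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)   # LI=0, VN=4, mode=3
    body_len = (cookie_len + 3) // 4 * 4                  # pad body to 4 bytes
    ef = struct.pack("!HH", EF_COOKIE_PLACEHOLDER, 4 + body_len) + bytes(body_len)
    return header + ef * n_placeholders
```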