projects / feed / packages.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e7089e3)
ntpd: update to 4.2.8p7
authorPeter Wagner <tripolar@gmx.at>
Wed, 4 May 2016 16:49:28 +0000 (18:49 +0200)
committerPeter Wagner <tripolar@gmx.at>
Wed, 4 May 2016 16:49:28 +0000 (18:49 +0200)
Fixes the following CVEs:

    Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
        Reported by Matt Street and others of Cisco ASIG
    Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
        Reported by Matthew Van Gundy of Cisco ASIG
    Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
        Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
    Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
        Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
    Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
        Reported by Michael Tatarinov, NTP Project Developer Volunteer
    Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
        Reported by Jonathan Gardner of Cisco ASIG
    Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
        Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

Signed-off-by: Peter Wagner <tripolar@gmx.at>
net/ntpd/Makefile patch | blob | history

diff --git a/net/ntpd/Makefile b/net/ntpd/Makefile
index 3b1b6c0fd411bb237a355dc7b272ff67011fb771..82eb178ea1df1caa27798a038eed5ed99f12b06b 100644 (file)
--- a/net/ntpd/Makefile
+++ b/net/ntpd/Makefile
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=ntp
-PKG_VERSION:=4.2.8p6
+PKG_VERSION:=4.2.8p7
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
-PKG_MD5SUM:=60049f51e9c8305afe30eb22b711c5c6
+PKG_MD5SUM:=46dfba933c3e4bc924d8e55068797578
 
 PKG_LICENSE:=Unique
 PKG_LICENSE_FILES:=COPYRIGHT html/copyright.html
Mirror of packages feed