Description
This release addresses five security issues in ntpd for Mageia 6:
LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability:
ephemeral association attack While fixed in ntp-4.2.8p7, there are
significant additional protections for this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.
INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer
read overrun leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.
LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated
ephemeral associations. Reported on the questions@ list.
LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode
cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.
LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet
can reset authenticated interleaved association.
Reported by Miroslav Lichvar of Red Hat.
one security issue in ntpq:
MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write
beyond its buffer limit. Reported by Michael Macnair of Thales-esecurity.com.
and provides over 33 bugfixes and 32 other improvements. ENotification
of these issues were delivered to our Institutional members on a rolling
basis as they were reported and as progress was made.