openwrt-packages-dist

History

Peter Wagner 82055305b3 ntpd: update to 4.2.8p7 Fixes the following CVEs: Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering Reported by Matt Street and others of Cisco ASIG Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY Reported by Matthew Van Gundy of Cisco ASIG Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken Reported by Michael Tatarinov, NTP Project Developer Volunteer Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks Reported by Jonathan Gardner of Cisco ASIG Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG. Signed-off-by: Peter Wagner <tripolar@gmx.at>	9 years ago
..
files	ntpd: fix typo	10 years ago
Makefile	ntpd: update to 4.2.8p7	9 years ago

Peter Wagner 82055305b3 ntpd: update to 4.2.8p7

Fixes the following CVEs:

    Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
        Reported by Matt Street and others of Cisco ASIG
    Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
        Reported by Matthew Van Gundy of Cisco ASIG
    Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
        Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
    Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
        Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
    Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
        Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
    Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
        Reported by Michael Tatarinov, NTP Project Developer Volunteer
    Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
        Reported by Jonathan Gardner of Cisco ASIG
    Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
        Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

Signed-off-by: Peter Wagner <tripolar@gmx.at>

9 years ago

files

ntpd: fix typo

10 years ago

Makefile

ntpd: update to 4.2.8p7

9 years ago