Date:      Wed, 27 Apr 2016 04:43:31 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r414086 - head/security/vuxml
Message-ID:  <201604270443.u3R4hVOK087896@repo.freebsd.org>

Author: delphij
Date: Wed Apr 27 04:43:31 2016
New Revision: 414086
URL: https://svnweb.freebsd.org/changeset/ports/414086

Log:
  Document NTP multiple vulnerabilities.

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Apr 27 01:18:07 2016	(r414085)
+++ head/security/vuxml/vuln.xml	Wed Apr 27 04:43:31 2016	(r414086)
@@ -58,6 +58,93 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0">
+    <topic>ntp -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>ntp</name>
+	<range><lt>4.2.8p7</lt></range>
+      </package>
+      <package>
+	<name>ntp-devel</name>
+	<range><lt>4.3.92</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Network Time Foundation reports:</p>
+	<blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security">;
+	  <p>NTF's NTP Project has been notified of the following low-
+	    and medium-severity vulnerabilities that are fixed in
+	    ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p>
+	  <ul>
+	    <li>Bug 3020 / CVE-2016-1551: Refclock impersonation
+	      vulnerability, AKA: refclock-peering. Reported by
+	      Matt Street and others of Cisco ASIG</li>
+	    <li>Bug 3012 / CVE-2016-1549: Sybil vulnerability:
+	      ephemeral association attack, AKA: ntp-sybil -
+	      MITIGATION ONLY. Reported by Matthew Van Gundy
+	      of Cisco ASIG</li>
+	    <li>Bug 3011 / CVE-2016-2516: Duplicate IPs on
+	      unconfig directives will cause an assertion botch.
+	      Reported by Yihan Lian of the Cloud Security Team,
+	      Qihoo 360</li>
+	    <li>Bug 3010 / CVE-2016-2517: Remote configuration
+	      trustedkey/requestkey values are not properly
+	      validated. Reported by Yihan Lian of the Cloud
+	      Security Team, Qihoo 360</li>
+	    <li>Bug 3009 / CVE-2016-2518: Crafted addpeer with
+	      hmode &gt; 7 causes array wraparound with MATCH_ASSOC.
+	      Reported by Yihan Lian of the Cloud Security Team,
+	      Qihoo 360</li>
+	    <li>Bug 3008 / CVE-2016-2519: ctl_getitem() return
+	      value not always checked. Reported by Yihan Lian
+	      of the Cloud Security Team, Qihoo 360</li>
+	    <li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs,
+	      AKA: nak-dos. Reported by Stephen Gray and
+	      Matthew Van Gundy of Cisco ASIG</li>
+	    <li>Bug 2978 / CVE-2016-1548: Interleave-pivot -
+	      MITIGATION ONLY. Reported by Miroslav Lichvar of
+	      RedHat and separately by Jonathan Gardner of
+	      Cisco ASIG.</li>
+	    <li>Bug 2952 / CVE-2015-7704: KoD fix: peer
+	      associations were broken by the fix for
+	      NtpBug2901, AKA: Symmetric active/passive mode
+	      is broken. Reported by Michael Tatarinov,
+	      NTP Project Developer Volunteer</li>
+	    <li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero
+	      Origin Timestamp Bypass, AKA: Additional KoD Checks.
+	      Reported by Jonathan Gardner of Cisco ASIG</li>
+	    <li>Bug 2879 / CVE-2016-1550: Improve NTP security
+	      against buffer comparison timing attacks,
+	      authdecrypt-timing, AKA: authdecrypt-timing.
+	      Reported independently by Loganaden Velvindron,
+	      and Matthew Van Gundy and Stephen Gray of
+	      Cisco ASIG.</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-7704</cvename>
+      <cvename>CVE-2015-8138</cvename>
+      <cvename>CVE-2016-1547</cvename>
+      <cvename>CVE-2016-1548</cvename>
+      <cvename>CVE-2016-1549</cvename>
+      <cvename>CVE-2016-1550</cvename>
+      <cvename>CVE-2016-1551</cvename>
+      <cvename>CVE-2016-2516</cvename>
+      <cvename>CVE-2016-2517</cvename>
+      <cvename>CVE-2016-2518</cvename>
+      <cvename>CVE-2016-2519</cvename>
+      <url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url>;
+    </references>
+    <dates>
+      <discovery>2016-04-26</discovery>
+      <entry>2016-04-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f">
     <topic>mozilla -- multiple vulnerabilities</topic>
     <affects>
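Review bot: The ntp range <lt>4.2.8p7</lt> marks 4.2.8p7 and later as unaffected, but the quoted list labels CVE-2016-1549 (ntp-sybil) and CVE-2016-1548 (interleave-pivot) as "MITIGATION ONLY", so anyone relying on the range alone will read both as fully fixed by the upgrade. Consider adding a sentence outside the blockquote saying that these two are only mitigated in 4.2.8p7. The ntp-devel bound <lt>4.3.92</lt> is also not supported by the quoted text, which names only ntp-4.2.8p7, so a reference for that version would help. Minor: the CVE-2016-1550 item repeats "authdecrypt-timing" twice; keep it if that is verbatim from the upstream notice, otherwise trim it.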


