My apologies, I was looking at the main busybox page and I see now that that patch is incorporated in 1.25.1 from October 2016. We'll update to that one, thanks ... N
Nou Dadoun Senior Firmware Developer, Security Specialist Office: 604.629.5182 ext 2632 Support: 888.281.5182 | avigilon.com Follow Twitter | Follow LinkedIn This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide. -----Original Message----- From: Daniel Thompson [mailto:[email protected]] Sent: Tuesday, December 20, 2016 4:16 AM To: Nounou Dadoun <[email protected]>; [email protected] Subject: Re: ntpd vulnerability On 19/12/16 18:24, Nounou Dadoun wrote: > Just saw this vulnerability come across the CERT mailing list this morning: > https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6301 > > The recv_and_process_client_pkt function in networking/ntpd.c in busybox > allows remote attackers to cause a denial of service (CPU and bandwidth > consumption) via a forged NTP packet, which triggers a communication loop. > > Any plans for a patch? ... N I am a bit puzzled by this question. There are links on the CERT page you highlight that directly linking to a patch that has been applied to the codebase since August. What plans for a patch do expect? Daniel. > -----Original Message----- > From: busybox [mailto:[email protected]] On Behalf Of Nounou > Dadoun > Sent: Tuesday, November 22, 2016 2:05 PM > To: [email protected] > Subject: ntpd vulnerability > > Hi folks, we use BusyBox v1.22.1 currently and I'm just trying to > determine whether or not busybox has the recently announced ntpd DoS > vulnerability (http://www.kb.cert.org/vuls/id/633847 ) - it looks like > ntpd.c is "based on" openNTPD so it's not entirely clear. Anybody > know? Thanks .. N > > > Nou Dadoun > Senior Firmware Developer, Security Specialist > > > Office: 604.629.5182 ext 2632 > Support: 888.281.5182 | avigilon.com Follow Twitter | Follow > LinkedIn > > > This email, including any files attached hereto (the "email"), contains > privileged and confidential information and is only for the intended > addressee(s). If this email has been sent to you in error, such sending does > not constitute waiver of privilege and we request that you kindly delete the > email and notify the sender. Any unauthorized use or disclosure of this email > is prohibited. Avigilon and certain other trade names used herein are the > registered and/or unregistered trademarks of Avigilon Corporation and/or its > affiliates in Canada and other jurisdictions worldwide. > > > _______________________________________________ > busybox mailing list > [email protected] > http://lists.busybox.net/mailman/listinfo/busybox > _______________________________________________ > busybox mailing list > [email protected] > http://lists.busybox.net/mailman/listinfo/busybox > _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
