Your message dated Sun, 31 Aug 2025 04:33:59 +0000
with message-id <[email protected]>
and subject line Bug#1112511: fixed in rust-ntpd 1.6.2-1
has caused the Debian Bug report #1112511,
regarding rust-ntpd: CVE-2025-58066
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1112511: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1112511
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-ntpd
Version: 1.4.0-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-ntpd.
CVE-2025-58066[0]:
| ntpd-rs is a tool for synchronizing your computer's clock,
| implementing the NTP and NTS protocols. In versions between 1.2.0
| and 1.6.1 inclusive servers which allow non-NTS traffic are affected
| by a denial of service vulnerability, where an attacker can induce a
| message storm between two NTP servers running ntpd-rs. Client-only
| configurations are not affected. Affected users are recommended to
| upgrade to version 1.6.2 as soon as possible.
While the issue seems to affect versions starting 1.2.0 the
cherry-picked commit might not be suitable for 1.4.0, so updating
unstable to 1.6.2 might be just better.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-58066
https://www.cve.org/CVERecord?id=CVE-2025-58066
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-4855-q42w-5vr4
[2] https://github.com/pendulum-project/ntpd-rs/commit/da37cf167736cbd4d7804b1ed7ceb572468298e0
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rust-ntpd
Source-Version: 1.6.2-1
Done: Peter Michael Green <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-ntpd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Michael Green <[email protected]> (supplier of updated rust-ntpd
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 31 Aug 2025 04:08:42 +0000
Source: rust-ntpd
Architecture: source
Version: 1.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Peter Michael Green <[email protected]>
Closes: 1112511
Changes:
 rust-ntpd (1.6.2-1) unstable; urgency=medium
 .
   * Team upload.
   * Package ntpd 1.6.2 from crates.io using debcargo 2.7.8
     + New upstream fixes CVE-2025-58066 (Closes: #1112511)
   * Drop disable-other-rustls.diff, upstream now only supports a single
     version of rustls.
   * Add patch to explicitly select ring backend for rustls.
   * Update overridden control file.
   * Reduce context in skip-test-validate-good.patch so it applies cleanly
     to new upstream.
   * Disable pps support because rust-pps-time is not in Debian
   * Disable "daemon" tests because they need a running daemon.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---