Your message dated Sat, 14 Feb 2026 21:52:06 +0000
with message-id <[email protected]>
and subject line Bug#1127929: fixed in rust-ntp-proto 1.7.1-1
has caused the Debian Bug report #1127929,
regarding rust-ntp-proto: CVE-2026-26076
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1127929: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127929
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-ntp-proto
Version: 1.6.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for rust-ntp-proto.
CVE-2026-26076[0]:
| ntpd-rs is a full-featured implementation of the Network Time
| Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
| increases (2-4 times above normal) in cpu usage. When having NTS
| enabled on an ntpd-rs server, an attacker can create malformed NTS
| packets that take significantly more effort for the server to
| respond to by requesting a large number of cookies. This can lead to
| degraded server performance even when a server could otherwise
| handle the load. This vulnerability is fixed in 1.7.1.
rust-ntpd needs then to be rebuild after fixing rust-ntp-proto, right?
IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
in trixie va the next point release might be good to have, and taking
care of asking SRM to rebuild as well rust-ntpd with the fixed
version.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-26076
https://www.cve.org/CVERecord?id=CVE-2026-26076
[1]
https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
[2]
https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: rust-ntp-proto
Source-Version: 1.7.1-1
Done: Fabian Grünbichler <[email protected]>
We believe that the bug you reported is fixed in the latest version of
rust-ntp-proto, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated
rust-ntp-proto package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 14 Feb 2026 22:40:42 +0100
Source: rust-ntp-proto
Architecture: source
Version: 1.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers
<[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1127929
Changes:
rust-ntp-proto (1.7.1-1) unstable; urgency=medium
.
* Team upload.
* Package ntp-proto 1.7.1 from crates.io using debcargo 2.7.11
* Fix CVE-2026-26076 - increased load while processing malformed NTS packets
(Closes: #1127929)
Checksums-Sha1:
d370d9bc4575cfd54fdf132652d4816096bd937a 3335 rust-ntp-proto_1.7.1-1.dsc
9709214b16d812bfbce8de0a3f0a9630e21734c7 129669
rust-ntp-proto_1.7.1.orig.tar.gz
fdea3f57cd229333faaed64c4a8e296d3f5c6769 4468
rust-ntp-proto_1.7.1-1.debian.tar.xz
66189b065cdbcfebc5a19a533c16aa76507bba75 7879
rust-ntp-proto_1.7.1-1_source.buildinfo
Checksums-Sha256:
f3013ae4af02f32b8bfbb0a277d1d8e88833e8990f57bc86183013f50abd3ff8 3335
rust-ntp-proto_1.7.1-1.dsc
b26e04a0fc6e11f787e4b1b1372a1c968fb7024a155001ec7f98756f0fbc3cf2 129669
rust-ntp-proto_1.7.1.orig.tar.gz
969735eace83c70c629c544c5cd68a94d9ea8d0cec1fbd441f18a83357e3aabf 4468
rust-ntp-proto_1.7.1-1.debian.tar.xz
17114d16ae8ba1ea58fa8614bf675c7165a44bf7027b9152bb453d7e08781c01 7879
rust-ntp-proto_1.7.1-1_source.buildinfo
Files:
60b6534f917927b0878cce6fe57c2b68 3335 rust optional rust-ntp-proto_1.7.1-1.dsc
79f68edd08e338c611f766ec95303ef1 129669 rust optional
rust-ntp-proto_1.7.1.orig.tar.gz
85a21b8825bfcabefdf41ef20c9cf682 4468 rust optional
rust-ntp-proto_1.7.1-1.debian.tar.xz
9170a5199e75cf93b3a33c0692c09be8 7879 rust optional
rust-ntp-proto_1.7.1-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJVBAEBCgA/FiEEbdkGe7ToK0Amc9ppdh5TKjcTRTAFAmmQ6+khHGRlYmlhbkBm
YWJpYW4uZ3J1ZW5iaWNobGVyLmVtYWlsAAoJEHYeUyo3E0UwfLkP/RmnBEQ0iRA6
v1t5JG1UmqHY1094xGjiqENOqQyoYEYnh3/wf2rgII/uqh9k0MeQ5jfjV3b2FAEi
NJ7ezcmr25owQ6omabeAymlInSh3PWaBdkKOIgvDWXOqKhT73rEv56nG5+cGnvvx
j/U9OmX5nYtf1BzBazne4tip/3Hzyt8xhPbemhoW3h9X7W/GtZc5onmkd93iD2Xj
7A3R7dtJhaFP9njhOagig74gw3G4eAFKXQ6ozXLY/kiJqepbDPbUaGmRv9KdkSXL
GXxm37gvQ58wR+u5ess1qeCdkeYoo8MSwoQr9YpfywQnnYEiyiPIFru9KMWPI4ZL
3QqK4l5WqAwWAPSnpDA9wQTyBWqmCxWfoiQuL2oZpD/yHFbKCY0KWzcYjn2lU7+C
7Ue0S6HIdkCtKnWNB34Sr78d9md1Lf8Rcu5ndRp+Aa/byF2B3NDoGQD+ugR0Doer
UsVpdXN+khhWSg9eE51m1oeASschoXxPLEjBWoAe8qOJ+tiN1tVCLoEWh5CQ3waT
4iDhCpXViYD9RUOCJA8pvWRHTU1Owm5MgkegI2rtQobdLH+YWWGSE3/Nf8h8ISxy
2/2c8Wkbv+6xV02DTwi6zvF3+DEtb3UIs8RtbVPKgv00l4iPhe+ghHaDGdEAK1QV
aCxhRwXdy1Gm6eI2pfdwKyLuTKwaAak6
=6E7J
-----END PGP SIGNATURE-----
pgpfXzchx5reO.pgp
Description: PGP signature
--- End Message ---
