Your message dated Tue, 03 Mar 2026 20:47:10 +0000
with message-id <[email protected]>
and subject line Bug#1127929: fixed in rust-ntp-proto 1.4.0-4+deb13u1
has caused the Debian Bug report #1127929,
regarding rust-ntp-proto: CVE-2026-26076
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1127929: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127929
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: rust-ntp-proto
Version: 1.6.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-ntp-proto.

CVE-2026-26076[0]:
| ntpd-rs is a full-featured implementation of the Network Time
| Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
| increases (2-4 times above normal) in cpu usage. When having NTS
| enabled on an ntpd-rs server, an attacker can create malformed NTS
| packets that take significantly more effort for the server to
| respond to by requesting a large number of cookies. This can lead to
| degraded server performance even when a server could otherwise
| handle the load. This vulnerability is fixed in 1.7.1.

rust-ntpd needs then to be rebuilt after fixing rust-ntp-proto, right?

IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
in trixie via the next point release might be good to have, and taking
care of asking SRM to rebuild as well rust-ntpd with the fixed
version.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26076
    https://www.cve.org/CVERecord?id=CVE-2026-26076
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
[2] https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: rust-ntp-proto
Source-Version: 1.4.0-4+deb13u1
Done: Fabian Grünbichler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
rust-ntp-proto, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Grünbichler <[email protected]> (supplier of updated rust-ntp-proto package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Feb 2026 19:39:13 +0100
Source: rust-ntp-proto
Architecture: source
Version: 1.4.0-4+deb13u1
Distribution: trixie
Urgency: high
Maintainer: Debian Rust Maintainers <[email protected]>
Changed-By: Fabian Grünbichler <[email protected]>
Closes: 1127929
Changes:
 rust-ntp-proto (1.4.0-4+deb13u1) trixie; urgency=high
 .
   * Fix CVE-2026-26076 - increased load while processing malformed NTS packets
     (Closes: #1127929)


--- End Message ---
