Source: rust-ntp-proto
Version: 1.6.2-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for rust-ntp-proto.

CVE-2026-26076[0]:
| ntpd-rs is a full-featured implementation of the Network Time
| Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
| increases (2-4 times above normal) in cpu usage. When having NTS
| enabled on an ntpd-rs server, an attacker can create malformed NTS
| packets that take significantly more effort for the server to
| respond to by requesting a large number of cookies. This can lead to
| degraded server performance even when a server could otherwise
| handle the load. This vulnerability is fixed in 1.7.1.

rust-ntpd needs then to be rebuilt after fixing rust-ntp-proto, right?

IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
in trixie via the next point release might be good to have, and taking
care of asking SRM to rebuild as well rust-ntpd with the fixed version.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-26076
    https://www.cve.org/CVERecord?id=CVE-2026-26076
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
[2] https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d17b666b1142b9fee3ba22c18a841d24

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

