Control: found -1 1.4.0-4 (AFAICT)
On Sat, 14 Feb 2026 13:59:24 +0100 Salvatore Bonaccorso <[email protected]> wrote:
> Source: rust-ntp-proto
> Version: 1.6.2-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
>
> Hi,
>
> The following vulnerability was published for rust-ntp-proto.
>
> CVE-2026-26076[0]:
> | ntpd-rs is a full-featured implementation of the Network Time
> | Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
> | increases (2-4 times above normal) in cpu usage. When having NTS
> | enabled on an ntpd-rs server, an attacker can create malformed NTS
> | packets that take significantly more effort for the server to
> | respond to by requesting a large number of cookies. This can lead to
> | degraded server performance even when a server could otherwise
> | handle the load. This vulnerability is fixed in 1.7.1.
>
> rust-ntpd needs then to be rebuilt after fixing rust-ntp-proto, right?

yes, but in this case since both have new upstream versions I'd just bump both to the latest for unstable.

> IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
> in trixie via the next point release might be good to have, and taking
> care of asking SRM to rebuild as well rust-ntpd with the fixed
> version.

for trixie, a backport of the fix in rust-ntp-proto and rebuild of rust-ntpd seems like the best course of action, yes. I'll prepare those and then file a s-p-u bug.

Fabian

