On Sat, Feb 14, 2026, at 1:59 PM, Salvatore Bonaccorso wrote:
> Source: rust-ntp-proto
> Version: 1.6.2-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> Hi,
>
> The following vulnerability was published for rust-ntp-proto.
>
> CVE-2026-26076[0]:
> | ntpd-rs is a full-featured implementation of the Network Time
> | Protocol. Prior to 1.7.1, an attacker can remotely induce moderate
> | increases (2-4 times above normal) in cpu usage. When having NTS
> | enabled on an ntpd-rs server, an attacker can create malformed NTS
> | packets that take significantly more effort for the server to
> | respond to by requesting a large number of cookies. This can lead to
> | degraded server performance even when a server could otherwise
> | handle the load. This vulnerability is fixed in 1.7.1.
>
> rust-ntpd needs then to be rebuilt after fixing rust-ntp-proto, right?
>
> IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
> in trixie via the next point release might be good to have, and taking
> care of asking SRM to rebuild as well rust-ntpd with the fixed
> version.

Filed s-p-u bug: #1128060

