20.12.2014, 19.57, Philip Gladstone wrote:
I have found that both CentOS and some versions of Ubuntu have now
issued patched versions (well, they pushed out an update within the last
24 hours). Unfortunately (and this is a big issue) they kept the old
version number. This means that you have to use the compile date to
determine if it has been patched.

For example, for an old system:

ntpq [email protected] Sat Dec 20 02:52:15 UTC 2014 (1)

and a more recent one:

ntpq [email protected] Sat Dec 20 02:53:43 UTC 2014 (1)

I can't speak for Ubuntu, but this is the normal procedure for CentOS. Fixes are backported, and the version number is left unchanged. See https://access.redhat.com/security/updates/backporting/ for more details.

On a CentOS 7 system, "rpm -q --changelog ntpd" tells me the following:

* Fri Dec 19 2014 Miroslav Lichvar <[email protected]> 4.2.6p5-19
- don't generate weak control key for resolver (CVE-2014-9293)
- don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
- fix buffer overflows via specially-crafted packets (CVE-2014-9295)
- don't mobilize passive association when authentication fails (CVE-2014-9296)

Relying on the compile date is not a good idea. If you want to know if you are vulnerable to some vulnerability, grep its CVE from the changelog. Sometimes a CentOS package is not vulnerable to some specific vulnerability, because the version is either too old or new to contain the vulnerability, or the vulnerable functionality has not been enabled at compile time. In this case the CVE is naturally not mentioned in the changelog, because there is nothing to fix.

Searching bugzilla.redhat.com for the CVEs may also be useful. Some links:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9293
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9294
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9295
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-9296
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
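The changelog check described in the reply above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the ntp project. It assumes the package is called ntp (substitute the name your distribution uses) and carries a constructed sample changelog, modelled on the 4.2.6p5-19 entry quoted in the thread, so it can be exercised on a machine without rpm.

```shell
#!/bin/sh
# Added example: decide whether an installed RPM carries the fix for given
# CVEs by grepping the package changelog, rather than trusting the compile
# date printed by the binary. Not part of the original mailing-list post.

# Constructed sample changelog (the maintainer address is a placeholder).
# It mirrors the shape of the entry quoted in the thread and is only used
# when rpm is unavailable or the package is not installed.
SAMPLE_CHANGELOG='* Fri Dec 19 2014 Maintainer <maintainer@example.invalid> 4.2.6p5-19
- do not generate weak control key for resolver (CVE-2014-9293)
- do not generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
- fix buffer overflows via specially-crafted packets (CVE-2014-9295)
- do not mobilize passive association when authentication fails (CVE-2014-9296)'

# Print the changelog of an installed package. Falls back to the sample
# above so the rest of the script can be tried offline.
package_changelog() {
    pkg=$1
    if command -v rpm >/dev/null 2>&1 && rpm -q "$pkg" >/dev/null 2>&1; then
        rpm -q --changelog "$pkg"
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# Read a changelog on stdin and return 0 only if every CVE id given as an
# argument is mentioned in it. Missing ids are reported on stderr.
# A miss means "fix not confirmed", not "vulnerable": as the reply notes,
# a build may never have contained the affected code in the first place.
changelog_covers_cves() {
    log=$(cat)
    missing=0
    for cve in "$@"; do
        # -F: match the id literally; the parentheses follow the changelog style
        if ! printf '%s\n' "$log" | grep -q -F -- "($cve)"; then
            echo "not in changelog: $cve" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Stand-alone use: check the four CVEs from the thread against the ntp
# package (package name assumed; adjust for your distribution).
PKG=${PKG:-ntp}
if package_changelog "$PKG" | changelog_covers_cves \
    CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296; then
    echo "$PKG: changelog lists fixes for all requested CVEs"
else
    echo "$PKG: at least one CVE not confirmed by the changelog"
fi
```

Run it as `PKG=ntp sh check-ntp-cves.sh` on the CentOS host; on a non-RPM machine it exercises the constructed sample instead. The grep is deliberately literal (`-F`), so `CVE-2014-929` will not silently match `CVE-2014-9295`.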
