On Sun, Dec 21, 2014 at 10:57 PM, Sadiq Saif <[email protected]> wrote:
> > >> I have not seen security updates for Debian/Ubuntu yet, are they > >> affected? I cannot access the support.ntp.org page to check. > > > > Debian should have patches now. I had trouble accessing the > > support.ntp.org site 24 hours ago, but it was fine again after I woke up > > about 13 hours ago. I can confirm that Ubuntu Vivid has an updated ntpd: Changelog for ntpdate ( http://changelogs.ubuntu.com/changelogs/pool/main/n/ntp/ntp_4.2.6.p5+dfsg-3ubuntu3/changelog) [101 kB] ntp (1:4.2.6.p5+dfsg-3ubuntu3) vivid; urgency=medium * SECURITY UPDATE: weak default key in config_auth() - debian/patches/CVE-2014-9293.patch: use openssl for random key in ntpd/ntp_config.c, ntpd/ntpd.c. - CVE-2014-9293 * SECURITY UPDATE: non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys - debian/patches/CVE-2014-9294.patch: use openssl for random key in include/ntp_random.h, libntp/ntp_random.c, util/ntp-keygen.c. - CVE-2014-9294 * SECURITY UPDATE: buffer overflows in crypto_recv(), ctl_putdata(), configure() - debian/patches/CVE-2014-9295.patch: check lengths in ntpd/ntp_control.c, ntpd/ntp_crypto.c. - CVE-2014-9295 * SECURITY UPDATE: missing return on error in receive() - debian/patches/CVE-2015-9296.patch: add missing return in ntpd/ntp_proto.c. - CVE-2014-9296 -- Marc Deslauriers <[email protected]> Sat, 20 Dec 2014 05:47:10 -0500 -- Sanjeev Gupta +65 98551208 http://www.linkedin.com/in/ghane _______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
