On Thu, Oct 22, 2015 at 07:27:25PM +0200, Kurt Roeckx wrote:
> On Thu, Oct 22, 2015 at 10:33:03AM +0200, Miroslav Lichvar wrote:
> > Harlan, attached is a proper fix. It applies to 4.2.6p5 and 4.2.8p3.
> > It would be good if you could make a quick 4.2.8p5 release. Maybe even
> > include the one-liner for CVE-2015-5300.
>
> That patch does not apply to 4.2.8p4, I've attached a patch that
> does.

That won't fix the problem with symmetric associations. I'd suggest
reverting the original fix first (commit 21d57dc in the GitHub ntp repo).

> Index: ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c
> ===================================================================
> --- ntp-4.2.8p4+dfsg.orig/ntpd/ntp_proto.c
> +++ ntp-4.2.8p4+dfsg/ntpd/ntp_proto.c
> @@ -206,7 +206,8 @@ int kiss_code_check(u_char hisleap, u_ch
>
> if ( hismode == MODE_SERVER
> && hisleap == LEAP_NOTINSYNC
> - && hisstratum == STRATUM_UNSPEC) {
> + && hisstratum == STRATUM_UNSPEC
> + && !(peer->flash & PKT_TEST_MASK)) {
> if(memcmp(&refid,"RATE", 4) == 0) {
> return (RATEKISS);
> }
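
Review bot: The added condition `!(peer->flash & PKT_TEST_MASK)` dereferences `peer`, but the signature visible in the hunk header (`kiss_code_check(u_char hisleap, u_ch`) starts with scalar packet fields and this hunk adds no parameter, so the patch as shown does not establish that `peer` is in scope or non-NULL inside this function. Either include the signature and caller changes in the same patch, or pass the flash test result in as an argument so the function keeps working on values rather than on the association. Note also that the new test sits in the same conjunction as `hismode == MODE_SERVER`, so it only takes effect for server-mode packets.
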
--
Miroslav Lichvar
_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool