Bug 8951

Summary: [UPDATE REQUEST 2014.1] ntp 4.2.8p11
Product: [ROSA-based products] ROSA Fresh
Reporter: Алзим <alzim>
Component: Packages from Main
Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED
QA Contact: ROSA Linux Bugs <bugs>
Severity: normal
Priority: Normal
CC: andrey.bondrov, v.potapov
Version: Fresh
Flags: v.potapov: qa_verified+, andrey.bondrov: published+
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Platform: ---
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Алзим 2018-04-27 12:26:33 MSK
The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.

This release addresses five security issues in ntpd:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack
While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.
INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.
LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
Reported on the questions@ list.
LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state
Reported by Miroslav Lichvar of Red Hat.
LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association
Reported by Miroslav Lichvar of Red Hat.

one security issue in ntpq:

MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its buffer limit
Reported by Michael Macnair of Thales-esecurity.com.

and provides over 33 bugfixes and 32 other improvements.
Comment 2 Vladimir Potapov 2018-04-27 15:07:39 MSK
станавливается perl-HTTP-Tiny-0.70.0-1-rosa2014.1.noarch.rpm ntp-client-4.2.8p11-1-rosa2014.1.x86_64.rpm ntp-config-4.2.8p11-1-rosa2014.1.noarch.rpm ntp-4.2.8p11-1-rosa2014.1.x86_64.rpm из /var/cache/urpmi/rpms
Подготовка...                    #########################################################################################################
      1/4: ntp-client            #########################################################################################################
ERROR: 'script' failed for ntp-client-4.2.8p11-1-rosa2014.1.x86_64: 
error: %post(ntp-client-4.2.8p11-1.x86_64) scriptlet failed, exit status 1
Comment 3 Алзим 2018-05-05 18:34:19 MSK
(In reply to Vladimir Potapov from comment #2)
> станавливается perl-HTTP-Tiny-0.70.0-1-rosa2014.1.noarch.rpm
> ntp-client-4.2.8p11-1-rosa2014.1.x86_64.rpm
> ntp-config-4.2.8p11-1-rosa2014.1.noarch.rpm
> ntp-4.2.8p11-1-rosa2014.1.x86_64.rpm из /var/cache/urpmi/rpms
> Подготовка...                   
> #############################################################################
> ############################
>       1/4: ntp-client           
> #############################################################################
> ############################
> ERROR: 'script' failed for ntp-client-4.2.8p11-1-rosa2014.1.x86_64: 
> error: %post(ntp-client-4.2.8p11-1.x86_64) scriptlet failed, exit status 1

Updated
https://abf.io/build_lists/2926406
https://abf.io/build_lists/2926407
Comment 4 Vladimir Potapov 2018-05-17 14:04:01 MSK
The update is sent to expanded testing
*************************************
Comment 5 Vladimir Potapov 2018-05-22 16:04:03 MSK
perl-HTTP-Tiny-0.70.0-1
https://abf.io/build_lists/2926081
https://abf.io/build_lists/2926082

ntp-4.2.8p11-1
https://abf.io/build_lists/2926406
https://abf.io/build_lists/2926407
****************************** Advisory ****************************
ntp updated to 4.2.8p11 with perl-HTTP-Tiny update
********************************************************************
QA Verified