Advisories » MGASA-2015-0063

Updated ntp packages fix security vulnerabilities

Publication date: 11 Feb 2015
Modification date: 11 Feb 2015
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-9297 , CVE-2014-9298

Description

Updated ntp packages fix security vulnerabilities:

Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE
Security Team and Harlan Stenn of Network Time Foundation discovered that the
length value in extension fields is not properly validated in several code
paths in ntp_crypto.c, which could lead to information leakage or denial of
service (CVE-2014-9297).

Stephen Roettger of the Google Security Team reported that ACLs based on IPv6
::1 (localhost) addresses can be bypassed (CVE-2014-9298).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=15214
• http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
• https://www.debian.org/security/2015/dsa-3154
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9298

SRPMS

4/core

• ntp-4.2.6p5-15.3.mga4