* [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11
@ 2018-03-06 17:00 Baruch Siach
2018-03-06 18:03 ` Peter Korsgaard
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Baruch Siach @ 2018-03-06 17:00 UTC (permalink / raw)
To: buildroot
Fixed or improved security issues:
CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
malicious authenticated peer can create arbitrarily-many ephemeral
associations in order to win the clock selection algorithm
CVE-2018-7182: Buffer read overrun leads to undefined behavior and
information leak
CVE-2018-7170: Multiple authenticated ephemeral associations
CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
state
CVE-2018-7185: Unauthenticated packet can reset authenticated
interleaved association
CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
AM_CFLAGS.
Add license file hash.
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
---
package/ntp/0003-ntpq-fpic.patch | 23 -----------------------
package/ntp/ntp.hash | 7 ++++---
package/ntp/ntp.mk | 3 +--
3 files changed, 5 insertions(+), 28 deletions(-)
delete mode 100644 package/ntp/0003-ntpq-fpic.patch
diff --git a/package/ntp/0003-ntpq-fpic.patch b/package/ntp/0003-ntpq-fpic.patch
deleted file mode 100644
index 6e05a677c596..000000000000
--- a/package/ntp/0003-ntpq-fpic.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-ntpq/Makefile.am: add NTP_HARD_CFLAGS
-
-Pass NTP_HARD_CFLAGS when building ntpq, like in all other ntp
-modules, to make sure -fPIC is passed.
-
-Originally taken from
-https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=494143c3b4921a5c8b8596d58f2c8b98296bf688.
-
-Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-
-Index: b/ntpq/Makefile.am
-===================================================================
---- a/ntpq/Makefile.am
-+++ b/ntpq/Makefile.am
-@@ -23,7 +23,7 @@
- ntpq_LDADD += $(LDADD_NTP)
- noinst_HEADERS= ntpq.h
- noinst_LIBRARIES= libntpq.a
--libntpq_a_CFLAGS= -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
-+libntpq_a_CFLAGS= $(NTP_HARD_CFLAGS) -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
- CLEANFILES=
- DISTCLEANFILES= .version version.c config.log $(man_MANS)
- ETAGS_ARGS= Makefile.am
diff --git a/package/ntp/ntp.hash b/package/ntp/ntp.hash
index d8b7083c47be..ea86c1586fdb 100644
--- a/package/ntp/ntp.hash
+++ b/package/ntp/ntp.hash
@@ -1,4 +1,5 @@
-# From https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz.md5
-md5 745384ed0dedb3f66b33fe84d66466f9 ntp-4.2.8p10.tar.gz
+# From https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p11.tar.gz.md5
+md5 00950ca2855579541896513e78295361 ntp-4.2.8p11.tar.gz
# Calculated based on the hash above
-sha256 ddd2366e64219b9efa0f7438e06800d0db394ac5c88e13c17b70d0dcdf99b99f ntp-4.2.8p10.tar.gz
+sha256 f14a39f753688252d683ff907035ffff106ba8d3db21309b742e09b5c3cd278e ntp-4.2.8p11.tar.gz
+sha256 62c87b269365b38b55359b16dfde7ec28c683c722ef489db90afd0f2e478e4a1 COPYRIGHT
diff --git a/package/ntp/ntp.mk b/package/ntp/ntp.mk
index cc363269c369..1f66ad996b8e 100644
--- a/package/ntp/ntp.mk
+++ b/package/ntp/ntp.mk
@@ -5,7 +5,7 @@
################################################################################
NTP_VERSION_MAJOR = 4.2
-NTP_VERSION = $(NTP_VERSION_MAJOR).8p10
+NTP_VERSION = $(NTP_VERSION_MAJOR).8p11
NTP_SITE = https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-$(NTP_VERSION_MAJOR)
NTP_DEPENDENCIES = host-pkgconf libevent $(if $(BR2_PACKAGE_BUSYBOX),busybox)
NTP_LICENSE = NTP
@@ -20,7 +20,6 @@ NTP_CONF_OPTS = \
--disable-local-libevent
# 0002-ntp-syscalls-fallback.patch
-# 0003-ntpq-fpic.patch
NTP_AUTORECONF = YES
ifeq ($(BR2_PACKAGE_LIBOPENSSL),y)
--
2.16.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11
2018-03-06 17:00 [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11 Baruch Siach
@ 2018-03-06 18:03 ` Peter Korsgaard
2018-03-30 19:30 ` Peter Korsgaard
2018-04-10 20:43 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-03-06 18:03 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixed or improved security issues:
> CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
> malicious authenticated peer can create arbitrarily-many ephemeral
> associations in order to win the clock selection algorithm
> CVE-2018-7182: Buffer read overrun leads to undefined behavior and
> information leak
> CVE-2018-7170: Multiple authenticated ephemeral associations
> CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
> state
> CVE-2018-7185: Unauthenticated packet can reset authenticated
> interleaved association
> CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
> Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
> AM_CFLAGS.
> Add license file hash.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11
2018-03-06 17:00 [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11 Baruch Siach
2018-03-06 18:03 ` Peter Korsgaard
@ 2018-03-30 19:30 ` Peter Korsgaard
2018-04-10 20:43 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-03-30 19:30 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixed or improved security issues:
> CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
> malicious authenticated peer can create arbitrarily-many ephemeral
> associations in order to win the clock selection algorithm
> CVE-2018-7182: Buffer read overrun leads to undefined behavior and
> information leak
> CVE-2018-7170: Multiple authenticated ephemeral associations
> CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
> state
> CVE-2018-7185: Unauthenticated packet can reset authenticated
> interleaved association
> CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
> Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
> AM_CFLAGS.
> Add license file hash.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2018.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11
2018-03-06 17:00 [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11 Baruch Siach
2018-03-06 18:03 ` Peter Korsgaard
2018-03-30 19:30 ` Peter Korsgaard
@ 2018-04-10 20:43 ` Peter Korsgaard
2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2018-04-10 20:43 UTC (permalink / raw)
To: buildroot
>>>>> "Baruch" == Baruch Siach <baruch@tkos.co.il> writes:
> Fixed or improved security issues:
> CVE-2016-1549 (fixed in 4.2.8p7; this release adds protection): A
> malicious authenticated peer can create arbitrarily-many ephemeral
> associations in order to win the clock selection algorithm
> CVE-2018-7182: Buffer read overrun leads to undefined behavior and
> information leak
> CVE-2018-7170: Multiple authenticated ephemeral associations
> CVE-2018-7184: Interleaved symmetric mode cannot recover from bad
> state
> CVE-2018-7185: Unauthenticated packet can reset authenticated
> interleaved association
> CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
> Drop patch #3. libntpq_a_CFLAGS now includes NTP_HARD_CFLAGS via
> AM_CFLAGS.
> Add license file hash.
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Committed to 2017.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-04-10 20:43 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-03-06 17:00 [Buildroot] [PATCH] ntp: security bump to version 4.2.8p11 Baruch Siach
2018-03-06 18:03 ` Peter Korsgaard
2018-03-30 19:30 ` Peter Korsgaard
2018-04-10 20:43 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.