Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Apr 2015 08:55:36 +0200
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request for some NTP stuff

This is just a "cleanup" notice for those two ntp vulnerabilities that
were resolved on Feb 4th:

On 2015-02-05, 00:03 Gsunde Orangen wrote:
> Hi Kurt,
> 
> On 2015-02-04, 23:24 Kurt Seifried wrote:
>> I haven't seen any CVE's for these yet:
> 
>> http://bugs.ntp.org/show_bug.cgi?id=2671 vallen is not validated,
>> leading to potential info leak
> CVE-2014-9297 (according to 
> http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities)
>
>
>
>
> 
> 
>> http://bugs.ntp.org/show_bug.cgi?id=2655 Multiple vulnerabilities
>> in ntpd
> This bug lists 8 different bugs, Bugs #1 - #7 are tracked in 
> different ids (#7 is the one above: id=2671) The remaining bug #8 
> is defined as CVE-2014-9298 as in 
> http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
>
>
>
>
> Note however, that the Cert VNDB 
> (http://www.kb.cert.org/vuls/id/852879) uses the same CVEs for
> bugs #7 and #8, but mutually exchanged! Either ntp.org or cert.org
> is wrong...

cert.org was wrong but had apparently fixed it immediately after that
notice.

> 
> 
>> Thanks.
> 
> You're welcome ;-)
> 
> 

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ