Date: Wed, 28 Feb 2018 07:35:27 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r463184 - head/security/vuxml Message-ID: <201802280735.w1S7ZRD3038358@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Feb 28 07:35:27 2018 New Revision: 463184 URL: https://svnweb.freebsd.org/changeset/ports/463184 Log: Document multiple NTP vulnerabilities. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Wed Feb 28 07:16:35 2018 (r463183) +++ head/security/vuxml/vuln.xml Wed Feb 28 07:35:27 2018 (r463184) @@ -58,6 +58,68 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="af485ef4-1c58-11e8-8477-d05099c0ae8c"> + <topic>ntp -- multiple vulnerabilities</topic> + <affects> + <package> + <name>FreeBSD</name> + <range><ge>11.1</ge><lt>11.1_7</lt></range> + <range><ge>10.4</ge><lt>10.4_6</lt></range> + <range><ge>10.3</ge><lt>10.3_27</lt></range> + </package> + <package> + <name>ntp</name> + <range><lt>4.2.8p11</lt></range> + </package> + <package> + <name>ntp-devel</name> + <range><gt>0</gt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Network Time Foundation reports:</p> + <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S">; + <p>The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.</p> + <p>This release addresses five security issues in ntpd:</p> + <ul> + <li>LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil + vulnerability: ephemeral association attack</li> + <li>INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: + ctl_getitem(): buffer read overrun leads to undefined + behavior and information leak</li> + <li>LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple + authenticated ephemeral associations</li> + <li>LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved + symmetric mode cannot recover from bad state</li> + <li>LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: + Unauthenticated packet can reset authenticated interleaved + association</li> + </ul> + <p>one security issue in ntpq:</p> + <ul> + <li>MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: + ntpq:decodearr() can write beyond its buffer limit</li> + </ul> + <p>and provides over 33 bugfixes and 32 other improvements.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1549</cvename> + <cvename>CVE-2018-7182</cvename> + <cvename>CVE-2018-7170</cvename> + <cvename>CVE-2018-7184</cvename> + <cvename>CVE-2018-7185</cvename> + <cvename>CVE-2018-7183</cvename> + <url>http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S</url>; + </references> + <dates> + <discovery>2018-02-27</discovery> + <entry>2018-02-28</entry> + </dates> + </vuln> + <vuln vid="abfc932e-1ba8-11e8-a944-54ee754af08e"> <topic>chromium -- vulnerability</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201802280735.w1S7ZRD3038358>