Launchpad CVE tracker

CVE 2016-0727

The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.

Related bugs and status

CVE-2016-0727 (Candidate) is related to these bugs:

Bug #1528050: NTP statsdir cleanup cronjob insecure

		In	Importance	Status
1528050	NTP statsdir cleanup cronjob insecure	ntp (Ubuntu)	Undecided	Fix Released
1528050	NTP statsdir cleanup cronjob insecure	ntp (Ubuntu Wily)	Undecided	Won't Fix
1528050	NTP statsdir cleanup cronjob insecure	ntp (Ubuntu Xenial)	Undecided	Fix Released

Bug #1567540: ntpd crashed with SIGABRT (was: ntp crashes everytime the network goes up or down.)

		In	Importance	Status
1567540	ntpd crashed with SIGABRT (was: ntp crashes everytime the network goes up or down.)	ntp (Ubuntu)	High	Fix Released
1567540	ntpd crashed with SIGABRT (was: ntp crashes everytime the network goes up or down.)	NTP	High	Fix Released
1567540	ntpd crashed with SIGABRT (was: ntp crashes everytime the network goes up or down.)	ntp (Ubuntu Xenial)	High	Fix Released

Bug #1582767: apparmor permissions missing for winbind

		In	Importance	Status
1582767	apparmor permissions missing for winbind	ntp (Ubuntu)	Medium	Fix Released
1582767	apparmor permissions missing for winbind	ntp (Ubuntu Xenial)	Undecided	Won't Fix
1582767	apparmor permissions missing for winbind	ntp (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2016-0727

References