Format: 1.8
Date: Wed, 01 Jun 2016 12:25:07 -0400
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source
Version: 1:4.2.6.p5+dfsg-3ubuntu2.14.04.9
Distribution: trusty-security
Urgency: medium
Maintainer: Ubuntu Developers
Changed-By: Marc Deslauriers
Description:
 ntp - Network Time Protocol daemon and utility programs
 ntp-doc - Network Time Protocol documentation
 ntpdate - client for setting system time from NTP servers
Launchpad-Bugs-Fixed: 1528050
Changes:
 ntp (1:4.2.6.p5+dfsg-3ubuntu2.14.04.9) trusty-security; urgency=medium
 .
   * SECURITY UPDATE: Deja Vu replay attack on authenticated broadcast mode
     - debian/patches/CVE-2015-7973.patch: improve timestamp verification
       in include/ntp.h, ntpd/ntp_proto.c.
     - CVE-2015-7973
   * SECURITY UPDATE: impersonation between authenticated peers
     - debian/patches/CVE-2015-7974.patch: check key ID in
       ntpd/ntp_proto.c.
     - CVE-2015-7974
   * SECURITY UPDATE: ntpq saveconfig command allows dangerous characters
     in filenames
     - debian/patches/CVE-2015-7976.patch: check filename in
       ntpd/ntp_control.c.
     - CVE-2015-7976
   * SECURITY UPDATE: restrict list denial of service
     - debian/patches/CVE-2015-7977-7978.patch: improve restrict list
       processing in ntpd/ntp_request.c.
     - CVE-2015-7977
     - CVE-2015-7978
   * SECURITY UPDATE: authenticated broadcast mode off-path denial of
     service
     - debian/patches/CVE-2015-7979.patch: add more checks to
       ntpd/ntp_proto.c.
     - CVE-2015-7979
     - CVE-2016-1547
   * SECURITY UPDATE: Zero Origin Timestamp Bypass
     - debian/patches/CVE-2015-8138.patch: check p_org in
       ntpd/ntp_proto.c.
     - CVE-2015-8138
   * SECURITY UPDATE: potential infinite loop in ntpq
     - debian/patches/CVE-2015-8158.patch: add time checks to
       ntpdc/ntpdc.c, ntpq/ntpq.c.
     - CVE-2015-8158
   * SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
     - debian/ntp.cron.daily: fix security issues, patch thanks to
       halfdog!
     - CVE-2016-0727
   * SECURITY UPDATE: time spoofing via interleaved symmetric mode
     - debian/patches/CVE-2016-1548.patch: check for bogus packets in
       ntpd/ntp_proto.c.
     - CVE-2016-1548
   * SECURITY UPDATE: buffer comparison timing attacks
     - debian/patches/CVE-2016-1550.patch: use CRYPTO_memcmp in
       libntp/a_md5encrypt.c, sntp/crypto.c.
     - CVE-2016-1550
   * SECURITY UPDATE: DoS via duplicate IPs on unconfig directives
     - debian/patches/CVE-2016-2516.patch: improve logic in
       ntpd/ntp_request.c.
     - CVE-2016-2516
   * SECURITY UPDATE: denial of service via crafted addpeer
     - debian/patches/CVE-2016-2518.patch: check mode value in
       ntpd/ntp_request.c.
     - CVE-2016-2518
Checksums-Sha1:
 6b54a3901210a792d6ec7b80c697f9d7c71d8f3a 2367 ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.dsc
 f9395188f8143fcb5450fb1201c90790b6a57330 146441 ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.debian.tar.gz
Checksums-Sha256:
 08c56d5f03ba7d4710a556f3f49ac5a8ae4f5aadee25ee8d564f6ffe3c859c69 2367 ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.dsc
 fec336fcc5a44beb9d748631c1a1df2113af30cd53fbbb4fbf1bf021cb12e14f 146441 ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.debian.tar.gz
Files:
 6daa8456ee9c00014f2aae6c12772426 2367 net optional ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.dsc
 1a2f2e3f8e23d6d6671a6e14941bc42e 146441 net optional ntp_4.2.6.p5+dfsg-3ubuntu2.14.04.9.debian.tar.gz
Original-Maintainer: Debian NTP Team