author | Xin LI <delphij@FreeBSD.org> | 2016-04-27 04:43:31 +0000 |
---|---|---|
committer | Xin LI <delphij@FreeBSD.org> | 2016-04-27 04:43:31 +0000 |
commit | 590aa7fa0223a11f289056d970949570d36cd026 (patch) | |
tree | 306ac90f31a96877f2e69d1106edc194a9030ebe | |
parent | 09ab1b744e0dd7870c0508c04cd4b3eb8b7d6a81 (diff) | |
-rw-r--r-- | security/vuxml/vuln.xml | 87 |
1 files changed, 87 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 8c65cb003aed..82c4177fae97 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,93 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="b2487d9a-0c30-11e6-acd0-d050996490d0"> + <topic>ntp -- multiple vulnerabilities</topic> + <affects> + <package> + <name>ntp</name> + <range><lt>4.2.8p7</lt></range> + </package> + <package> + <name>ntp-devel</name> + <range><lt>4.3.92</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Network Time Foundation reports:</p> + <blockquote cite="http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security"> + <p>NTF's NTP Project has been notified of the following low- + and medium-severity vulnerabilities that are fixed in + ntp-4.2.8p7, released on Tuesday, 26 April 2016:</p> + <ul> + <li>Bug 3020 / CVE-2016-1551: Refclock impersonation + vulnerability, AKA: refclock-peering. Reported by + Matt Street and others of Cisco ASIG</li> + <li>Bug 3012 / CVE-2016-1549: Sybil vulnerability: + ephemeral association attack, AKA: ntp-sybil - + MITIGATION ONLY. Reported by Matthew Van Gundy + of Cisco ASIG</li> + <li>Bug 3011 / CVE-2016-2516: Duplicate IPs on + unconfig directives will cause an assertion botch. + Reported by Yihan Lian of the Cloud Security Team, + Qihoo 360</li> + <li>Bug 3010 / CVE-2016-2517: Remote configuration + trustedkey/requestkey values are not properly + validated. Reported by Yihan Lian of the Cloud + Security Team, Qihoo 360</li> + <li>Bug 3009 / CVE-2016-2518: Crafted addpeer with + hmode > 7 causes array wraparound with MATCH_ASSOC. + Reported by Yihan Lian of the Cloud Security Team, + Qihoo 360</li> + <li>Bug 3008 / CVE-2016-2519: ctl_getitem() return + value not always checked. Reported by Yihan Lian + of the Cloud Security Team, Qihoo 360</li> + <li>Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, + AKA: nak-dos. 
Reported by Stephen Gray and + Matthew Van Gundy of Cisco ASIG</li> + <li>Bug 2978 / CVE-2016-1548: Interleave-pivot - + MITIGATION ONLY. Reported by Miroslav Lichvar of + RedHat and separately by Jonathan Gardner of + Cisco ASIG.</li> + <li>Bug 2952 / CVE-2015-7704: KoD fix: peer + associations were broken by the fix for + NtpBug2901, AKA: Symmetric active/passive mode + is broken. Reported by Michael Tatarinov, + NTP Project Developer Volunteer</li> + <li>Bug 2945 / Bug 2901 / CVE-2015-8138: Zero + Origin Timestamp Bypass, AKA: Additional KoD Checks. + Reported by Jonathan Gardner of Cisco ASIG</li> + <li>Bug 2879 / CVE-2016-1550: Improve NTP security + against buffer comparison timing attacks, + authdecrypt-timing, AKA: authdecrypt-timing. + Reported independently by Loganaden Velvindron, + and Matthew Van Gundy and Stephen Gray of + Cisco ASIG.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2015-7704</cvename> + <cvename>CVE-2015-8138</cvename> + <cvename>CVE-2016-1547</cvename> + <cvename>CVE-2016-1548</cvename> + <cvename>CVE-2016-1549</cvename> + <cvename>CVE-2016-1550</cvename> + <cvename>CVE-2016-1551</cvename> + <cvename>CVE-2016-2516</cvename> + <cvename>CVE-2016-2517</cvename> + <cvename>CVE-2016-2518</cvename> + <cvename>CVE-2016-2519</cvename> + <url>http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security</url> + </references> + <dates> + <discovery>2016-04-26</discovery> + <entry>2016-04-27</entry> + </dates> + </vuln> + <vuln vid="92d44f83-a7bf-41cf-91ee-3d1b8ecf579f"> <topic>mozilla -- multiple vulnerabilities</topic> <affects> |
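
Review bot: The `<affects>` ranges (`<lt>4.2.8p7</lt>` for ntp, `<lt>4.3.92</lt>` for ntp-devel) mark those versions as no longer affected by every CVE under `<references>`, but the quoted list labels two items "MITIGATION ONLY": Bug 3012 / CVE-2016-1549 and Bug 2978 / CVE-2016-1548. Someone who only sees the audit result go clean after upgrading will not learn that these two are mitigated rather than fixed. Consider adding a short `<p>` outside the `<blockquote>` that says so. Two smaller points in the same `<description>`: the CVE-2016-1550 item reads "authdecrypt-timing, AKA: authdecrypt-timing", which is fine to keep if it is verbatim from the upstream notice but otherwise looks like a paste duplication; and in the CVE-2016-2518 item, "hmode > 7" is conventionally written with `&gt;` in the XML source, which is worth checking since the rendered diff cannot show which form was committed.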