svn commit: r429172 - head/security/vuxml
Mark Felder
feld at FreeBSD.org
Thu Dec 22 17:50:23 UTC 2016
Author: feld
Date: Thu Dec 22 17:50:21 2016
New Revision: 429172
URL: https://svnweb.freebsd.org/changeset/ports/429172
Log:
Document FreeBSD-SA-16:39.ntp
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Thu Dec 22 17:38:19 2016 (r429171)
+++ head/security/vuxml/vuln.xml Thu Dec 22 17:50:21 2016 (r429172)
@@ -58,6 +58,105 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="fcedcdbb-c86e-11e6-b1cf-14dae9d210b8">
+ <topic>FreeBSD -- Multiple vulnerabilities of ntp</topic>
+ <affects>
+ <package>
+ <name>FreeBSD</name>
+ <range><ge>11.0</ge><lt>11.0_6</lt></range>
+ <range><ge>10.3</ge><lt>10.3_15</lt></range>
+ <range><ge>10.2</ge><lt>10.2_28</lt></range>
+ <range><ge>10.1</ge><lt>10.1_45</lt></range>
+ <range><ge>9.3</ge><lt>9.3_53</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <h1>Problem Description:</h1>
+ <p>Multiple vulnerabilities have been discovered in the NTP
+ suite:</p>
+ <p>CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy
+ of Cisco ASIG.</p>
+ <p>CVE-2016-9310: Mode 6 unauthenticated trap information
+ disclosure and DDoS vector. Reported by Matthew Van Gundy
+ of Cisco ASIG.</p>
+ <p>CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
+ Reported by Matthew Van Gundy of Cisco ASIG.</p>
+ <p>CVE-2016-7428: Broadcast Mode Poll Interval Enforcement
+ DoS. Reported by Matthew Van Gundy of Cisco ASIG.</p>
+ <p>CVE-2016-7431: Regression: 010-origin: Zero Origin
+ Timestamp Bypass. Reported by Sharon Goldberg and Aanchal
+ Malhotra of Boston University.</p>
+ <p>CVE-2016-7434: Null pointer dereference in
+ _IO_str_init_static_internal(). Reported by Magnus Stubman.</p>
+ <p>CVE-2016-7426: Client rate limiting and server responses.
+ Reported by Miroslav Lichvar of Red Hat.</p>
+ <p>CVE-2016-7433: Reboot sync calculation problem. Reported
+ independently by Brian Utterback of Oracle, and by Sharon
+ Goldberg and Aanchal Malhotra of Boston University.</p>
+ <h1>Impact:</h1>
+ <p>A remote attacker who can send a specially crafted packet
+ to cause a NULL pointer dereference that will crash ntpd,
+ resulting in a Denial of Service. [CVE-2016-9311]</p>
+ <p>An exploitable configuration modification vulnerability
+ exists in the control mode (mode 6) functionality of ntpd.
+ If, against long-standing BCP recommendations, "restrict
+ default noquery ..." is not specified, a specially crafted
+ control mode packet can set ntpd traps, providing information
+ disclosure and DDoS amplification, and unset ntpd traps,
+ disabling legitimate monitoring by an attacker from remote.
+ [CVE-2016-9310]</p>
+ <p>An attacker with access to the NTP broadcast domain can
+ periodically inject specially crafted broadcast mode NTP
+ packets into the broadcast domain which, while being logged
+ by ntpd, can cause ntpd to reject broadcast mode packets
+ from legitimate NTP broadcast servers. [CVE-2016-7427]</p>
+ <p>An attacker with access to the NTP broadcast domain can
+ send specially crafted broadcast mode NTP packets to the
+ broadcast domain which, while being logged by ntpd, will
+ cause ntpd to reject broadcast mode packets from legitimate
+ NTP broadcast servers. [CVE-2016-7428]</p>
+ <p>Origin timestamp problems were fixed in ntp 4.2.8p6.
+ However, subsequent timestamp validation checks introduced
+ a regression in the handling of some Zero origin timestamp
+ checks. [CVE-2016-7431]</p>
+ <p>If ntpd is configured to allow mrulist query requests
+ from a server that sends a crafted malicious packet, ntpd
+ will crash on receipt of that crafted malicious mrulist
+ query packet. [CVE-2016-7434]</p>
+ <p>An attacker who knows the sources (e.g., from an IPv4
+ refid in server response) and knows the system is (mis)configured
+ in this way can periodically send packets with spoofed
+ source address to keep the rate limiting activated and
+ prevent ntpd from accepting valid responses from its sources.
+ [CVE-2016-7426]</p>
+ <p>Ntp Bug 2085 described a condition where the root delay
+ was included twice, causing the jitter value to be higher
+ than expected. Due to a misinterpretation of a small-print
+ variable in The Book, the fix for this problem was incorrect,
+ resulting in a root distance that did not include the peer
+ dispersion. The calculations and formulas have been reviewed
+ and reconciled, and the code has been updated accordingly.
+ [CVE-2016-7433]</p>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2016-7426</cvename>
+ <cvename>CVE-2016-7427</cvename>
+ <cvename>CVE-2016-7428</cvename>
+ <cvename>CVE-2016-7431</cvename>
+ <cvename>CVE-2016-7433</cvename>
+ <cvename>CVE-2016-7434</cvename>
+ <cvename>CVE-2016-9310</cvename>
+ <cvename>CVE-2016-9311</cvename>
+ <freebsdsa>SA-16:39.ntp</freebsdsa>
+ </references>
+ <dates>
+ <discovery>2016-12-22</discovery>
+ <entry>2016-12-22</entry>
+ </dates>
+ </vuln>
+
<vuln vid="42880202-c81c-11e6-a9a5-b499baebfeaf">
<topic>cURL -- buffer overflow</topic>
<affects>
More information about the svn-ports-all
mailing list