Issue Overview:
It was reported (http://bugs.ntp.org/show_bug.cgi?id=2671) that ntp misses validation of vallen value, leading to various information leaks. See for more details. (CVE-2014-9297)
It was reported (http://bugs.ntp.org/show_bug.cgi?id=2672) that ntp allows bypassing source IP ACLs on some OSes when ::1 spoofed. (CVE-2014-9298)
Affected Packages:
ntp
Issue Correction:
Run yum update ntp to update your system.
New Packages:
i686:
ntp-debuginfo-4.2.6p5-27.23.amzn1.i686
ntp-4.2.6p5-27.23.amzn1.i686
ntpdate-4.2.6p5-27.23.amzn1.i686
noarch:
ntp-perl-4.2.6p5-27.23.amzn1.noarch
ntp-doc-4.2.6p5-27.23.amzn1.noarch
src:
ntp-4.2.6p5-27.23.amzn1.src
x86_64:
ntpdate-4.2.6p5-27.23.amzn1.x86_64
ntp-4.2.6p5-27.23.amzn1.x86_64
ntp-debuginfo-4.2.6p5-27.23.amzn1.x86_64
Red Hat: CVE-2014-9297, CVE-2014-9298
Mitre: CVE-2014-9297, CVE-2014-9298
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | ntp-debuginfo | < 4.2.6p5-27.23.amzn1 | ntp-debuginfo-4.2.6p5-27.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ntp | < 4.2.6p5-27.23.amzn1 | ntp-4.2.6p5-27.23.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ntpdate | < 4.2.6p5-27.23.amzn1 | ntpdate-4.2.6p5-27.23.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | ntp-perl | < 4.2.6p5-27.23.amzn1 | ntp-perl-4.2.6p5-27.23.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | ntp-doc | < 4.2.6p5-27.23.amzn1 | ntp-doc-4.2.6p5-27.23.amzn1.noarch.rpm |
Amazon Linux | 1 | x86_64 | ntpdate | < 4.2.6p5-27.23.amzn1 | ntpdate-4.2.6p5-27.23.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | ntp | < 4.2.6p5-27.23.amzn1 | ntp-4.2.6p5-27.23.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | ntp-debuginfo | < 4.2.6p5-27.23.amzn1 | ntp-debuginfo-4.2.6p5-27.23.amzn1.x86_64.rpm |