CVS commit: pkgsrc/net/ntp4

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/net/ntp4
From: "Takahiro Kambe" <taca%netbsd.org@localhost>
Date: Fri, 24 Mar 2017 03:41:08 +0000

Module Name:    pkgsrc
Committed By:   taca
Date:           Fri Mar 24 03:41:08 UTC 2017

Modified Files:
        pkgsrc/net/ntp4: Makefile distinfo

Log Message:
Update ntp4 to 4.2.8p10 including security fixes.

NTF's NTP Project is releasing ntp-4.2.8p10, which addresses:

* 6 MEDIUM severity vulnerabilities (1 is about the Windows PPSAPI DLL)
* 5 LOW severity vulnerabilities (2 are in the Windows Installer)
* 4 Informational-level vulnerabilities
* 15 other non-security fixes and improvements

All of the security issues in this release are listed in VU#633849.

ntp-4.2.8p10 was released on 21 March 2017.

* Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: Denial of Service via
  Malformed Config (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: Buffer Overflow in
  DPTS Clock (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: Authenticated DoS via
  Malicious Config Option (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3386: NTP-01-011 NTP: ntpq_stripquotes() returns incorrect Value
  (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3385: NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Pentest
  report 01.2017)
  - Reported by Cure53.

* Sec 3384 / CVE-2017-6455 / VU#325339: NTP-01-009 NTP: Windows: Privileged
  execution of User Library code (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3383 / CVE-2017-6452 / VU#325339: NTP-01-008 NTP: Windows Installer:
  Stack Buffer Overflow from Command Line (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3382 / CVE-2017-6459 / VU#325339: NTP-01-007 NTP: Windows Installer:
  Data Structure terminated insufficiently (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code (Pentest report
  01.2017)
  - Reported by Cure53.

* Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report
  01.2017)
  - Reported by Cure53.

* Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: Potential Overflows in
  ctl_put() functions (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 Improper use of snprintf()
  in mx4200_send() (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 Buffer Overflow in ntpq
  when fetching reslist (Pentest report 01.2017)
  - Reported by Cure53.

* Sec 3376: NTP-01-001 Makefile does not enforce Security Flags (Pentest
  report 01.2017)
  - Reported by Cure53.

* Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin
  - Reported by Matthew Van Gundy of Cisco ASIG.


To generate a diff of this commit:
cvs rdiff -u -r1.97 -r1.98 pkgsrc/net/ntp4/Makefile
cvs rdiff -u -r1.28 -r1.29 pkgsrc/net/ntp4/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/ntp4/Makefile
diff -u pkgsrc/net/ntp4/Makefile:1.97 pkgsrc/net/ntp4/Makefile:1.98
--- pkgsrc/net/ntp4/Makefile:1.97       Mon Dec  5 15:49:59 2016
+++ pkgsrc/net/ntp4/Makefile    Fri Mar 24 03:41:08 2017
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.97 2016/12/05 15:49:59 taca Exp $
+# $NetBSD: Makefile,v 1.98 2017/03/24 03:41:08 taca Exp $
 #
 
-DISTNAME=      ntp-4.2.8p9
+DISTNAME=      ntp-4.2.8p10
 PKGNAME=       ${DISTNAME:S/-dev-/-/}
 CATEGORIES=    net time
 MASTER_SITES=  http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/

Index: pkgsrc/net/ntp4/distinfo
diff -u pkgsrc/net/ntp4/distinfo:1.28 pkgsrc/net/ntp4/distinfo:1.29
--- pkgsrc/net/ntp4/distinfo:1.28       Mon Dec  5 15:49:59 2016
+++ pkgsrc/net/ntp4/distinfo    Fri Mar 24 03:41:08 2017
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.28 2016/12/05 15:49:59 taca Exp $
+$NetBSD: distinfo,v 1.29 2017/03/24 03:41:08 taca Exp $
 
-SHA1 (ntp-4.2.8p9.tar.gz) = 032e58e7e416ffa1cbdcbb81021785fce4ed4d4b
-RMD160 (ntp-4.2.8p9.tar.gz) = 73dcdf8c1c13d26b3eda18123cc95014d8b13ce3
-SHA512 (ntp-4.2.8p9.tar.gz) = ffd9e34060210d1cfb8ca0d89f2577df1c5fbe3ba63c620cdadc3ccc3c9d07f518783c6b91e57bffc77b08f449fdbab12faf226672ebd2dde5a0b4a783322a04
-Size (ntp-4.2.8p9.tar.gz) = 7231884 bytes
+SHA1 (ntp-4.2.8p10.tar.gz) = 503d68cfd3e6a9354e0e28dd38b39d850b1228b2
+RMD160 (ntp-4.2.8p10.tar.gz) = c341340b93a5e1b5d88621a9e9d7eb6551f26c5e
+SHA512 (ntp-4.2.8p10.tar.gz) = 67e01ab533c3dfabb0bdd3ced848bdd239980bde28fdb2791d167b7e9690ab3b3759e1bd99e9fddcce03ddef4cd63a47eb85941bb127ceb79b7ecff22cce9c05
+Size (ntp-4.2.8p10.tar.gz) = 6998648 bytes
 SHA1 (patch-include-ntp__syscall.h) = b247569339d09a88f2e143e355033ce7635ffe92
 SHA1 (patch-sntp_loc_pkgsrc) = 6e46ffc0cc2afcfdc1d01297cbe04cb80d103575

Prev by Date: CVS commit: [pkgsrc-2016Q4] pkgsrc/doc
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: [pkgsrc-2016Q4] pkgsrc/doc
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index