Bugzilla – Bug 943219
VUL-1: CVE-2015-5195: ntp: ntpd crash when processing config commands with statistics type
Last modified: 2019-05-01 16:51:54 UTC
Quoting from oss-sec:

"It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command, for example:

    ntpq -c ':config statistics timingstats'
    ntpq -c ':config filegen timingstats'

Upstream fix:
http://bk.ntp.org/ntp-dev/?PAGE=patch&REV=4d253ed0A400LyhRQIV0u23NJwuGAA
https://github.com/ntp-project/ntp/commit/52e977d79a0c4ace997e5c74af429844da2f27be
"

rh#1254544

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1254544
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5195
bugbot adjusting priority
4.2.4 is not affected. 4.2.8, 4.2.6 is affected. Affects SLE 11 SP4 and SLE 12. Planned update.
An update workflow for this issue was started. This issue was rated as "moderate". Please submit fixed packages until "Jan. 14, 2016". When done, reassign the bug to "security-team@suse.de". /update/121227/.
Are you sure 4.2.8 is affected? The upstream fix mentioned in comment 0 was committed in 2011 to the 4.2.7 devel branch which resulted in the 4.2.8 release in 2015.
(In reply to Reinhard Max from comment #5)
> Are you sure 4.2.8 is affected? The upstream fix mentioned in comment 0 was
> committed in 2011 to the 4.2.7 devel branch which resulted in the 4.2.8
> release in 2015.

My mistake, you are right.
Closing as there are no more targets requiring an update.