Bugzilla – Bug 943219
VUL-1: CVE-2015-5195: ntp: ntpd crash when processing config commands with statistics type
Last modified: 2019-05-01 16:51:54 UTC
Quoting from oss-sec:
"It was found that ntpd exits with a segmentation fault when a statistics
type that was not enabled during compilation (e.g. timingstats) is
referenced by the statistics or filegen configuration command, for example:
    ntpq -c ':config statistics timingstats'
    ntpq -c ':config filegen timingstats'
bugbot adjusting priority
4.2.4 is not affected.
4.2.8 and 4.2.6 are affected.
Affects SLE 11 SP4 and SLE 12.
An update workflow for this issue was started.
This issue was rated as "moderate".
Please submit fixed packages by "Jan. 14, 2016".
When done, reassign the bug to "firstname.lastname@example.org".
Are you sure 4.2.8 is affected? The upstream fix mentioned in comment 0 was committed in 2011 to the 4.2.7 devel branch which resulted in the 4.2.8 release in 2015.
(In reply to Reinhard Max from comment #5)
> Are you sure 4.2.8 is affected? The upstream fix mentioned in comment 0 was
> committed in 2011 to the 4.2.7 devel branch which resulted in the 4.2.8
> release in 2015.
My mistake, you are right.
Closing as there are no more targets requiring an update.