[ntp/f19] don't mobilize passive association when authentication fails (CVE-2014-9296)
Miroslav Lichvar
mlichvar at fedoraproject.org
Fri Dec 19 19:01:24 UTC 2014
commit 8fe8f2ec07c0e739775c10c22a4e45f6ba14fcf9
Author: Miroslav Lichvar <mlichvar at redhat.com>
Date: Fri Dec 19 19:43:10 2014 +0100
don't mobilize passive association when authentication fails (CVE-2014-9296)
ntp-4.2.6p5-cve-2014-9296.patch | 14 ++++++++++++++
ntp.spec | 3 +++
2 files changed, 17 insertions(+), 0 deletions(-)
---
diff --git a/ntp-4.2.6p5-cve-2014-9296.patch b/ntp-4.2.6p5-cve-2014-9296.patch
new file mode 100644
index 0000000..323c67b
--- /dev/null
+++ b/ntp-4.2.6p5-cve-2014-9296.patch
@@ -0,0 +1,14 @@
+2014-12-12 11:24:22+00:00, stenn at psp-fb1.ntp.org +1 -0
+ [Sec 2670] Missing return; from error clause
+
+--- 1.350/ntpd/ntp_proto.c 2014-11-21 11:06:57 +00:00
++++ 1.351/ntpd/ntp_proto.c 2014-12-12 11:24:22 +00:00
+@@ -1089,6 +1089,7 @@ receive(
+ fast_xmit(rbufp, MODE_ACTIVE, 0,
+ restrict_mask);
+ sys_restricted++;
++ return;
+ }
+ }
+
+
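Review bot: the added `return;` in the receive() hunk of ntpd/ntp_proto.c has no comment saying why the function must stop here, and the patch header only says "Missing return; from error clause". The commit subject states the purpose: do not mobilize a passive association when authentication fails. A one-line comment above the `return;`, or that sentence plus the CVE id in the patch file header, would keep a later rebase or refactor from dropping it. Only the tail of the error clause is visible in the context lines, so it is worth confirming against the full source that no other branch of the enclosing block falls through in the same way.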
diff --git a/ntp.spec b/ntp.spec
index 3029fdd..c995e71 100644
--- a/ntp.spec
+++ b/ntp.spec
@@ -93,6 +93,8 @@ Patch24: ntp-4.2.6p5-cve-2014-9294.patch
Patch25: ntp-4.2.6p5-cve-2014-9293.patch
# ntpbz #2667
Patch26: ntp-4.2.6p5-cve-2014-9295.patch
+# ntpbz #2670
+Patch27: ntp-4.2.6p5-cve-2014-9296.patch
# handle unknown clock types
Patch50: ntpstat-0.2-clksrc.patch
@@ -204,6 +206,7 @@ This package contains NTP documentation in HTML format.
%patch24 -p1 -b .cve-2014-9294
%patch25 -p1 -b .cve-2014-9293
%patch26 -p1 -b .cve-2014-9295
+%patch27 -p1 -b .cve-2014-9296
# ntpstat patches
%patch50 -p1 -b .clksrc
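Review bot: ntp.spec gains only the Patch27 declaration with its comment and this `%patch27` line, which accounts for all 3 added lines in the diffstat, so the commit carries no %changelog entry and no Release bump for a security fix. Suggest adding a changelog line that names CVE-2014-9296 so the fix is visible in the package changelog, unless a follow-up commit is meant to cover the whole set of CVE patches at once.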