ntpd vulnerability

Nounou Dadoun nounou.dadoun at avigilon.com
Tue Dec 20 17:26:53 UTC 2016


My apologies, I was looking at the main busybox page and I see now that that patch is incorporated in 1.25.1 from October 2016.  We'll update to that one, thanks ... N


Nou Dadoun
Senior Firmware Developer, Security Specialist


Office: 604.629.5182 ext 2632 
Support: 888.281.5182  |  avigilon.com
Follow Twitter  |  Follow LinkedIn


This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.



-----Original Message-----
From: Daniel Thompson [mailto:daniel.thompson at linaro.org] 
Sent: Tuesday, December 20, 2016 4:16 AM
To: Nounou Dadoun <nounou.dadoun at avigilon.com>; busybox at busybox.net
Subject: Re: ntpd vulnerability

On 19/12/16 18:24, Nounou Dadoun wrote:
> Just saw this vulnerability come across the CERT mailing list this morning:
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6301
>
> The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.
>
> Any plans for a patch? ... N

I am a bit puzzled by this question. There are links on the CERT page you highlight that directly linking to a patch that has been applied to the codebase since August.

What plans for a patch do expect?


Daniel.


> -----Original Message-----
> From: busybox [mailto:busybox-bounces at busybox.net] On Behalf Of Nounou 
> Dadoun
> Sent: Tuesday, November 22, 2016 2:05 PM
> To: busybox at busybox.net
> Subject: ntpd vulnerability
>
> Hi folks, we use BusyBox v1.22.1 currently and I'm just trying to 
> determine whether or not busybox has the recently announced ntpd DoS 
> vulnerability (http://www.kb.cert.org/vuls/id/633847 ) - it looks like 
> ntpd.c is "based on" openNTPD so it's not entirely clear.  Anybody 
> know?  Thanks .. N
>
>
> Nou Dadoun
> Senior Firmware Developer, Security Specialist
>
>
> Office: 604.629.5182 ext 2632
> Support: 888.281.5182  |  avigilon.com Follow Twitter  |  Follow 
> LinkedIn
>
>
> This email, including any files attached hereto (the "email"), contains privileged and confidential information and is only for the intended addressee(s). If this email has been sent to you in error, such sending does not constitute waiver of privilege and we request that you kindly delete the email and notify the sender. Any unauthorized use or disclosure of this email is prohibited. Avigilon and certain other trade names used herein are the registered and/or unregistered trademarks of Avigilon Corporation and/or its affiliates in Canada and other jurisdictions worldwide.
>
>
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
> _______________________________________________
> busybox mailing list
> busybox at busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
>



More information about the busybox mailing list