ALAS-2015-496


Amazon Linux 1 Security Advisory: ALAS-2015-496
Advisory Release Date: 2015-03-23 08:31 Pacific
Advisory Updated Date: 2015-03-23 08:57 Pacific
Severity: Medium

Issue Overview:

It was reported that ntp does not validate the vallen value, leading to various information leaks. See http://bugs.ntp.org/show_bug.cgi?id=2671 for more details. (CVE-2014-9297)

It was reported (http://bugs.ntp.org/show_bug.cgi?id=2672) that ntp allows source IP ACLs to be bypassed on some OSes when the source address ::1 is spoofed. (CVE-2014-9298)


Affected Packages:

ntp


Issue Correction:
Run yum update ntp to update your system.

New Packages:
i686:
    ntp-debuginfo-4.2.6p5-27.23.amzn1.i686
    ntp-4.2.6p5-27.23.amzn1.i686
    ntpdate-4.2.6p5-27.23.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-27.23.amzn1.noarch
    ntp-doc-4.2.6p5-27.23.amzn1.noarch

src:
    ntp-4.2.6p5-27.23.amzn1.src

x86_64:
    ntpdate-4.2.6p5-27.23.amzn1.x86_64
    ntp-4.2.6p5-27.23.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-27.23.amzn1.x86_64