NTP Bug 3376

NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)

  • Date Resolved: 21 Mar 2017
  • References: Sec 3376
  • Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
  • CVSS2: N/A
  • CVSS3: N/A
  • Summary: By default, the NTP build process has not supplied compile or link flags that enable "hardened" security options. Package maintainers have always been able to provide hardening security flags for their own builds. As of ntp-4.2.8p10, the NTP build system has a way to provide OS-specific hardening flags. Note that this is still not a great solution, because it is specific to NTP builds: it is inefficient for every package to supply, track and maintain this information for every target build. It would be much better if there were a common way for OSes to provide this information so that arbitrary packages could benefit from it.
  • Mitigation:
  • Credit: This weakness was reported by Cure53.
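
One way for a packager to confirm that a built binary actually received hardening flags, shown as an added example that is not part of the original notice or of the NTP build system. It parses `readelf -W -h -l -d --dyn-syms` output and maps each missing property to the common GCC/ld flag that provides it; the function names, the flag table and the sample readelf excerpts are constructed for illustration.

```python
import re

# Property -> GCC/ld flag that normally produces it (common GNU toolchain
# flags, listed here as an assumption; not taken from the NTP build system).
FLAGS = {
    "pie": "-fPIE -pie",
    "nx_stack": "-Wl,-z,noexecstack",
    "relro": "-Wl,-z,relro",
    "bind_now": "-Wl,-z,now",
    "stack_protector": "-fstack-protector-strong",
    "fortify": "-D_FORTIFY_SOURCE=2 -O2",
}

def audit(readelf_text):
    """Report hardening properties from `readelf -W -h -l -d --dyn-syms` output."""
    stack = re.search(r"GNU_STACK(?:\s+0x[0-9a-f]+){5}\s+([RWE ]+?)\s+0x", readelf_text)
    return {
        # ET_DYN also describes shared libraries; this assumes an executable.
        "pie": bool(re.search(r"^\s*Type:\s+DYN\b", readelf_text, re.M)),
        # A missing GNU_STACK header is treated as an executable stack.
        "nx_stack": bool(stack) and "E" not in stack.group(1),
        "relro": "GNU_RELRO" in readelf_text,
        "bind_now": bool(re.search(r"\(BIND_NOW\)|\(FLAGS(?:_1)?\).*NOW", readelf_text)),
        "stack_protector": "__stack_chk_fail" in readelf_text,
        "fortify": bool(re.search(r"\b__\w+_chk\b", readelf_text)),
    }

def missing_flags(report):
    """Flags a packager would add for each property the binary lacks."""
    return [FLAGS[name] for name, present in report.items() if not present]

# Constructed, trimmed readelf excerpts (not output from a real ntpd build).
HARDENED = """\
  Type:                              DYN (Shared object file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x0b1d30 0x00000000002b1d30 0x00000000002b1d30 0x0032d0 0x0032d0 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
"""
UNHARDENED = """\
  Type:                              EXEC (Executable file)
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
"""
if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(label, "missing:", missing_flags(audit(text)) or "nothing")
```

A binary that never calls a fortifiable libc function shows no `_chk` symbols even when `_FORTIFY_SOURCE` was set, so treat a missing `fortify` result as a prompt to check the build log rather than as proof.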

Topic revision: r2 - 2017-03-27 - 23:05:04 - SueGraves