Hi All, Currently CentOS site contains the below version of ntpd. ntp-4.2.6p5-3.el6.centos.x86_64.rpmhttp://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm :- 16 mar 2015.
Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?
Thanks Vijendra.
On 06/07/15 12:04, Vijendra Agarwal (vijagarw) wrote:
Hi All, Currently CentOS site contains the below version of ntpd. ntp-4.2.6p5-3.el6.centos.x86_64.rpmhttp://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm :- 16 mar 2015.
Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?
Thanks Vijendra.
That is the current version for el6.
What new vulnerabilities?
On Mon, Jul 06, 2015 at 11:04:25AM +0000, Vijendra Agarwal (vijagarw) wrote:
Hi All, Currently CentOS site contains the below version of ntpd. ntp-4.2.6p5-3.el6.centos.x86_64.rpmhttp://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm :- 16 mar 2015.
Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?
If you're talking about this:
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_V...
Then you'd probably be best tracking the RHEL CVE entry:
https://access.redhat.com/security/cve/CVE-2015-5146
which is currently marked as **RESERVED**. It's marked as "Low" impact.
RedHat/CentOS does not upgrade packages based on version numbers. Please read https://access.redhat.com/security/updates/backporting Understanding this is essential to running a RedHat/CentOS server.
❧ Brian Mathis @orev
On Mon, Jul 6, 2015 at 7:04 AM, Vijendra Agarwal (vijagarw) < vijagarw@cisco.com> wrote:
Hi All, Currently CentOS site contains the below version of ntpd. ntp-4.2.6p5-3.el6.centos.x86_64.rpm< http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el... :- 16 mar 2015.
Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?
Thanks Vijendra. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Jul 6, 2015, at 4:59 PM, Brian Mathis brian.mathis+centos@betteradmin.com wrote:
RedHat/CentOS does not upgrade packages based on version numbers. Please read https://access.redhat.com/security/updates/backporting Understanding this is essential to running a RedHat/CentOS server.
While this is true, the NTPd web site says the CVE “...Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25”. The version in RHEL6/CentOS6 is 4.2.6p5. The fix will most likely be backported, though.
-- Jonathan Billings billings@negate.org
-
Brian Mathis -
Jonathan Billings -
Ned Slider -
Vijendra Agarwal (vijagarw)