Hi All,

Currently CentOS site contains the below version of ntpd.
ntp-4.2.6p5-3.el6.centos.x86_64.rpm <http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm> :- 16 mar 2015.

Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?

Thanks
Vijendra.

On 06/07/15 12:04, Vijendra Agarwal (vijagarw) wrote:
> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm <http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm> :- 16 mar 2015.
>
> Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?
>
> Thanks
> Vijendra.

That is the current version for el6. What new vulnerabilities?

On Mon, Jul 06, 2015 at 11:04:25AM +0000, Vijendra Agarwal (vijagarw) wrote:
>
> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm <http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm> :- 16 mar 2015.
>
> Does anybody have any information about when the new version of ntpd is expected to release containing new vulnerabilities fixes?

If you're talking about this:

http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

Then you'd probably be best tracking the RHEL CVE entry:

https://access.redhat.com/security/cve/CVE-2015-5146

which is currently marked as **RESERVED**. It's marked as "Low" impact.

--
Jonathan Billings <billings at negate.org>

RedHat/CentOS does not upgrade packages based on version numbers. Please read https://access.redhat.com/security/updates/backporting

Understanding this is essential to running a RedHat/CentOS server.

Brian Mathis
@orev

On Mon, Jul 6, 2015 at 7:04 AM, Vijendra Agarwal (vijagarw) <vijagarw at cisco.com> wrote:
> Hi All,
> Currently CentOS site contains the below version of ntpd.
> ntp-4.2.6p5-3.el6.centos.x86_64.rpm <http://mirror.centos.org/centos/6.6/updates/x86_64/Packages/ntp-4.2.6p5-3.el6.centos.x86_64.rpm> :- 16 mar 2015.
>
> Does anybody have any information about when the new version of ntpd is
> expected to release containing new vulnerabilities fixes?
>
> Thanks
> Vijendra.

On Jul 6, 2015, at 4:59 PM, Brian Mathis <brian.mathis+centos at betteradmin.com> wrote:
> RedHat/CentOS does not upgrade packages based on version numbers. Please
> read https://access.redhat.com/security/updates/backporting Understanding
> this is essential to running a RedHat/CentOS server.

While this is true, the NTPd web site says the CVE "...Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25". The version in RHEL6/CentOS6 is 4.2.6p5. The fix will most likely be backported, though.

--
Jonathan Billings <billings at negate.org>
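
Added example, not part of the thread above and not code from any of its participants: because fixes are backported, the upstream version string (4.2.6p5) stays the same while the release number changes, so the package changelog is the place to look for a CVE id. The function names, the sample changelog and the CVE-0000-xxxx ids are constructed for illustration.

```shell
#!/bin/sh
# Find which package release, if any, names a CVE in `rpm -q --changelog`
# output. The changelog text is read from stdin.

# Prints the version-release of the OLDEST changelog entry that names the CVE
# and returns 0; returns 1 when no entry names it.
cve_release() {
    awk -v cve="$1" '
        # Entry header: "* <date> <packager> - <version-release>"
        /^\* / { rel = $NF }
        # Match the id only when not followed by another digit, so that
        # CVE-0000-0001 does not match CVE-0000-00012.
        rel != "" && $0 ~ (cve "([^0-9]|$)") { hit = rel }
        # rpm lists entries newest-first, so the last hit is the oldest one.
        END { if (hit == "") exit 1; print hit }
    '
}

# Constructed sample in rpm changelog layout (NOT the real ntp changelog).
# The upstream version stays 4.2.6p5 while the release number increments.
sample_changelog() {
    cat <<'EOF'
* Tue Mar 10 2015 Example Packager <packager@example.com> - 4.2.6p5-3
- backport fix for placeholder issue (CVE-0000-0002)

* Mon Dec 15 2014 Example Packager <packager@example.com> - 4.2.6p5-2
- backport fix for placeholder issue (CVE-0000-0001)
- first part of fix for CVE-0000-0002 follow-up
EOF
}

# On a real host the input comes from rpm itself, for example:
#   rpm -q --changelog ntp | cve_release CVE-2015-5146
```

A non-zero return only means the changelog does not name the id; the vendor's CVE page remains the authoritative status.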