Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zN3hxLXE0MnAtcnYzcM4AA1fc
ntpd has Dependency on Vulnerable Third-Party Component
During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.
Impact
This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS
Patches
Affected users are recommended to upgrade to version 0.3.7
References
See also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md
Permalink: https://github.com/advisories/GHSA-37xq-q42p-rv3pJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zN3hxLXE0MnAtcnYzcM4AA1fc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 8 months ago
Updated: 8 months ago
CVSS Score: 2.6
CVSS vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L
Identifiers: GHSA-37xq-q42p-rv3p
References:
- https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p
- https://github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00
- https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md
- https://github.com/advisories/GHSA-37xq-q42p-rv3p
Blast Radius: 1.0
Affected Packages
cargo:ntpd
Dependent packages: 0Dependent repositories: 0
Downloads: 7,390 total
Affected Version Ranges: < 0.3.7
Fixed in: 0.3.7
All affected versions: 0.1.0, 0.1.1, 0.3.1, 0.3.2, 0.3.3, 0.3.5, 0.3.6
All unaffected versions: 0.3.7, 1.0.0, 1.1.0, 1.1.1, 1.1.2