#1112511 rust-ntpd: CVE-2025-58066

Package:
src:rust-ntpd
Source:
src:rust-ntpd
Submitter:
Salvatore Bonaccorso
Date:
2025-08-31 04:35:03 UTC
Severity:
normal
Tags:
#1112511#5
Date:
2025-08-30 09:46:31 UTC
From:
To:
Hi,

The following vulnerability was published for rust-ntpd.

CVE-2025-58066[0]:
| ntpd-rs is a tool for synchronizing your computer's clock,
| implementing the NTP and NTS protocols. In versions between 1.2.0
| and 1.6.1 inclusive servers which allow non-NTS traffic are affected
| by a denial of service vulnerability, where an attacker can induce a
| message storm between two NTP servers running ntpd-rs. Client-only
| configurations are not affected. Affected users are recommended to
| upgrade to version 1.6.2 as soon as possible.

While the issue seems to affect versions starting from 1.2.0, the
cherry-picked commit might not be suitable for 1.4.0, so updating
unstable to 1.6.2 might just be better.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-58066
https://www.cve.org/CVERecord?id=CVE-2025-58066
[1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-4855-q42w-5vr4
[2] https://github.com/pendulum-project/ntpd-rs/commit/da37cf167736cbd4d7804b1ed7ceb572468298e0

Regards,
Salvatore
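
Added example, not code from the bug report or from the ntpd-rs project: the CVE text above gives the affected range as upstream 1.2.0 to 1.6.1 inclusive, and the practical question for a Debian host is whether an installed package version such as 1.4.0-3 or 1.6.2-1 falls inside it. Deciding that correctly needs Debian's version ordering (epochs, `~` sorting before the end of a string, numeric runs compared by value), so the block below is a Python port of the comparison described in deb-version(7), the algorithm behind `dpkg --compare-versions`. Function and constant names are this example's own; the sample versions at the bottom are constructed. Only the upstream part is range-checked, because a Debian revision can carry a backported fix that a version range cannot see; the changelog entry naming the CVE, as requested in the report, is the authority in that case.

```python
"""Is a Debian rust-ntpd version inside the CVE-2025-58066 affected range?

Added example (not from the bug report or ntpd-rs). The comparison is a port
of the ordering described in deb-version(7); names here are this example's own.
"""

# Range quoted in the CVE description: "between 1.2.0 and 1.6.1 inclusive".
AFFECTED_MIN = "1.2.0"
AFFECTED_MAX = "1.6.1"


def _isdigit(c):
    return "0" <= c <= "9"


def _order(c):
    # Sort weight of one character inside a non-digit run: '~' sorts before
    # everything, even the end of the string; letters sort by ASCII; any other
    # character sorts after all letters. Digits and end-of-string weigh 0.
    if _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or debian-revision strings; sign is the result."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: leading zeros are insignificant, a longer number wins,
        # otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no debian revision at all; compares equal to revision "0"
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, the same verdict `dpkg --compare-versions` gives."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def is_affected(version):
    """True if the upstream part of a Debian version lies in [1.2.0, 1.6.1].

    Only the upstream part is compared: a revision like 1.4.0-2 does not by
    itself say whether the fix was backported, so treat True as "check the
    changelog for the CVE id", not as a final verdict.
    """
    _, upstream, _ = parse_version(version)
    return (_verrevcmp(upstream, AFFECTED_MIN) >= 0
            and _verrevcmp(upstream, AFFECTED_MAX) <= 0)


if __name__ == "__main__":
    # Constructed sample versions; 1.6.2-1 is the upload that closed this bug.
    for v in ["1.1.3-1", "1.2.0-1", "1.4.0-3", "1.6.1-2", "1.6.2-1"]:
        print(f"{v:10s} affected={is_affected(v)}")
```

On a live system the input would come from `dpkg-query -W -f='${Version}'` for the installed binary package; the comparison itself runs offline and reproduces dpkg's ordering, including the `~` rule that makes a 1.6.2~rc1 sort before 1.6.2.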

#1112511#10
Date:
2025-08-31 04:33:59 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
rust-ntpd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1112511@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Michael Green <plugwash@debian.org> (supplier of updated rust-ntpd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 31 Aug 2025 04:08:42 +0000
Source: rust-ntpd
Architecture: source
Version: 1.6.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Rust Maintainers <pkg-rust-maintainers@alioth-lists.debian.net>
Changed-By: Peter Michael Green <plugwash@debian.org>
Closes: 1112511
Changes:
 rust-ntpd (1.6.2-1) unstable; urgency=medium
 .
   * Team upload.
   * Package ntpd 1.6.2 from crates.io using debcargo 2.7.8
     + New upstream fixes CVE-2025-58066 (Closes: #1112511)
   * Drop disable-other-rustls.diff, upstream now only supports a single
     version of rustls.
   * Add patch to explicitly select ring backend for rustls.
   * Update overridden control file.
   * Reduce context in skip-test-validate-good.patch so it applies cleanly
     to new upstream.
   * Disable pps support because rust-pps-time is not in Debian
   * Disable "daemon" tests because they need a running daemon.
Checksums-Sha1:
 6aaddab5eb6639f9db722757569b7504dfff496e 3689 rust-ntpd_1.6.2-1.dsc
 ee78e8472ea21cc2affbfa4514cfb2defb8403b8 1295984 rust-ntpd_1.6.2.orig.tar.gz
 8314114ebd61d5dec8899b12cd4768da879f9a14 6856 rust-ntpd_1.6.2-1.debian.tar.xz
 86c03eb039972d9d8260d1b86a6caa193865c6f0 15782 rust-ntpd_1.6.2-1_source.buildinfo
Checksums-Sha256:
 998b8faff9711acb14e55bc6f33758720ec5797d1082d2fd61c3354e5cdb9893 3689 rust-ntpd_1.6.2-1.dsc
 56429dc3a36ad7e801c810c3bdf2fad1de0b14e025b21d3270d6bffd54bb46d9 1295984 rust-ntpd_1.6.2.orig.tar.gz
 c51c3e7a663f1fc74c018744c4d2eb25c6dec44612395953e601f90fd3fdd97c 6856 rust-ntpd_1.6.2-1.debian.tar.xz
 9e1d5a90ace7a50f688416fccda65ec3c10756419ef040a31fea56510cc662b8 15782 rust-ntpd_1.6.2-1_source.buildinfo
Files:
 c96fdcd24f6aec3c59a4ca3609fe6db8 3689 utils optional rust-ntpd_1.6.2-1.dsc
 611cc67c307cf1c51c84af3d21a6be8c 1295984 utils optional rust-ntpd_1.6.2.orig.tar.gz
 19ef748d0a5e472abd393e10a44a1543 6856 utils optional rust-ntpd_1.6.2-1.debian.tar.xz
 2c2fc3c840f34c79d5a626176991a26e 15782 utils optional rust-ntpd_1.6.2-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEU0DQATYMplbjSX63DEjqKnqP/XsFAmizy/0UHHBsdWd3YXNo
QGRlYmlhbi5vcmcACgkQDEjqKnqP/XtAlg//WTS5LdCrUXIsUrGEEFfPXN0ITuDI
pGLDw1l0hlmoOmoH3FEdXy/cxlToEl5uVfcgaq8eG2ni/Nidd7MeqHfe9Hs1SG/e
j8p5zkKM61ZTsOvtHgq7iTepMWLkEgp4RMOtb9Z6Ryhg2Skl8Ucsx1pgmdDU4Bgv
INlIZb36CRzGZD+KJshy8OgC8R++pws0DU2S2WXDPtU6s3SXbH2G9RH2lC3YEqMI
TOTFrhnTErzmz+yIz0DA+mm93fry8Q0ZT6uMnU0/WQlqUXweBhrZ3iym5bkJUllc
q/EMXmFu75aovex6C0At7YBoWCpzkI9pCjOeLvyqbM+/xgAHXrpKXc3bxn6m4ZIe
nWr2cluYvlXsJez9akSz9+ZsC2hjwJsq9WMdPkKJO2GNKWuZ7EzTKV77OTzjPNJo
HJEamHtJxriuhgmGhIEVEZYIa4DtDYkSDGUskjtGCTC0GO+gJIpBqEdWFg1zMutQ
SQ79rhT3JeBbLd0Q0TdLa79rPsp4g6naROjiQbrXtLPxp0wMehKELsVc7+ZgE9O2
yPhdj/w45mehTaScNTliPUMSRpXf01HKp1bHbPUKYkEM/pa/wAwS89FJsywIC1xf
gWEF2LOVK6qEUEcNOxSSjBCBRi82FR9c1WTwLoHGqEl37Kl8lxWis5VQCBRp8FaJ
2Yub5e0wtIUOk/s=
=MNFF
-----END PGP SIGNATURE-----