From: carnil@debian.org   
      
   Source: rust-ntp-proto   
   Version: 1.6.2-4   
   Severity: important   
   Tags: security upstream   
   X-Debbugs-Cc: carnil@debian.org, Debian Security Team    
      
   Hi,   
      
   The following vulnerability was published for rust-ntp-proto.   
      
   CVE-2026-26076[0]:   
   | ntpd-rs is a full-featured implementation of the Network Time   
   | Protocol. Prior to 1.7.1, an attacker can remotely induce moderate   
   | increases (2-4 times above normal) in cpu usage. When having NTS   
   | enabled on an ntpd-rs server, an attacker can create malformed NTS   
   | packets that take significantly more effort for the server to   
   | respond to by requesting a large number of cookies. This can lead to   
   | degraded server performance even when a server could otherwise   
   | handle the load. This vulnerability is fixed in 1.7.1.   
      
   rust-ntpd needs then to be rebuilt after fixing rust-ntp-proto, right?
      
   IMHO the issue does not warrant a DSA, so once fixed in unstable a fix
   in trixie via the next point release might be good to have, and taking
   care of asking SRM to rebuild as well rust-ntpd with the fixed
   version.
      
   If you fix the vulnerability please also make sure to include the   
   CVE (Common Vulnerabilities & Exposures) id in your changelog entry.   
      
   For further information see:   
      
   [0] https://security-tracker.debian.org/tracker/CVE-2026-26076
       https://www.cve.org/CVERecord?id=CVE-2026-26076
   [1] https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-c7j7-rmvr-fjmv
   [2] https://github.com/pendulum-project/ntpd-rs/commit/fa73af14d7b666b1142b9fee3ba22c18a841d24
      
   Please adjust the affected versions in the BTS as needed.   
      
   Regards,   
   Salvatore   
      