Arch Linux Security Advisory ASA-201507-5 ========================================= Severity: Low Date : 2015-07-07 CVE-ID : CVE-2015-5146 Package : ntp Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package ntp before version 4.2.8.p3-1 is vulnerable to denial of service. Resolution ========== Upgrade to 4.2.8.p3-1. # pacman -Syu "ntp>=4.2.8.p3-1" The problem has been fixed upstream in version 4.2.8.p3. Workaround ========== Configure ntpd to not allow remote configuration (default setting). Description =========== Under limited and specific circumstances an attacker can send a crafted remote-configuration packet containing a NUL-byte to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: - ntpd set up to allow for remote configuration (not allowed by default) - knowledge of the configuration password - access to a computer entrusted to perform remote configuration Impact ====== A remote attacker is able to send a specially crafted remote-configuration packet that is leading to an application crash resulting in denial of service. References ========== https://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_... https://access.redhat.com/security/cve/CVE-2015-5146