[arch-security] [ASA-201507-5] ntp: denial of service
anthraxx at archlinux.org
Tue Jul 7 00:44:18 UTC 2015
Arch Linux Security Advisory ASA-201507-5
Date : 2015-07-07
CVE-ID : CVE-2015-5146
Package : ntp
Type : denial of service
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
The package ntp before version 4.2.8.p3-1 is vulnerable to denial of
Upgrade to 4.2.8.p3-1.
# pacman -Syu "ntp>=4.2.8.p3-1"
The problem has been fixed upstream in version 4.2.8.p3.
Configure ntpd to not allow remote configuration (default setting).
Under limited and specific circumstances an attacker can send a crafted
remote-configuration packet containing a NUL-byte to cause a vulnerable
ntpd instance to crash. This requires each of the following to be true:
- ntpd set up to allow for remote configuration (not allowed by
- knowledge of the configuration password
- access to a computer entrusted to perform remote configuration
A remote attacker is able to send a specially crafted
remote-configuration packet that is leading to an application crash
resulting in denial of service.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the arch-security