ntp, ntpdate security update

ID CESA-2017:3071
Type centos
Reporter CentOS Project
Modified 2017-10-26T11:47:10


CentOS Errata and Security Advisory CESA-2017:3071

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

  • Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464)

  • A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462)

Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.

Merged security bulletin from advisories: http://lists.centos.org/pipermail/centos-announce/2017-October/034646.html

Affected packages: ntp ntp-doc ntp-perl ntpdate

Upstream details at: