[SECURITY] [DSA 3223-1] ntp security update

ID DEBIAN:DSA-3223-1:2BB15
Type debian
Reporter Debian
Modified 2015-04-12T16:29:33


Debian Security Advisory DSA-3223-1 security@debian.org http://www.debian.org/security/ Alessandro Ghedini April 12, 2015 http://www.debian.org/security/faq

Package : ntp CVE ID : CVE-2015-1798 CVE-2015-1799 Debian Bug : 782095

Multiple vulnerabilities were discovered in ntp, an implementation of the Network Time Protocol:


When configured to use a symmetric key with an NTP peer, ntpd would
accept packets without MAC as if they had a valid MAC. This could
allow a remote attacker to bypass the packet authentication and send
malicious packets without having to know the symmetric key.


When peering with other NTP hosts using authenticated symmetric
association, ntpd would update its internal state variables before
the MAC of the NTP messages was validated. This could allow a remote
attacker to cause a denial of service by impeding synchronization
between NTP peers.

Additionally, it was discovered that generating MD5 keys using ntp-keygen on big endian machines would either trigger an endless loop, or generate non-random keys.

For the stable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u4.

For the unstable distribution (sid), these problems have been fixed in version 1:4.2.6.p5+dfsg-7.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org