CVE-2015-1799

Publication date 8 April 2015

Last updated 24 July 2024

Ubuntu priority

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ntp	14.10 utopic	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.10.3
	14.04 LTS trusty	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.04.3
	12.04 LTS precise	Fixed 1:4.2.6.p3+dfsg-1ubuntu3.4
	10.04 LTS lucid	Ignored

Notes

mdeslaur

we will not be backporting this issue to the codebase in lucid before it goes end-of-life. Marking as ignored.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ntp	Upstream: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A

References

Related Ubuntu Security Notices (USN)