Published: 13 January 2017
NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."
CVSS 3 base score: 5.3
Launchpad, Ubuntu, Debian
|Ubuntu 16.04 ESM (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94. But the root-distance calculation in general is incorrect in all versions of ntp-4 until this release.
for precise it's not needed since this issue seems to be caused by some regression and precise hasn't the code affect changed.
trusty isn't vulnerable either