CVE-2016-7433

Published: 13 January 2017

NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to have an unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."

Notes

Author: Note
mdeslaur: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94. But the root-distance calculation in general is incorrect in all versions of ntp-4 until this release.
leosilva: For precise it's not needed, since this issue seems to be caused by some regression and precise doesn't have the affected code change.
mdeslaur: trusty isn't vulnerable either

Priority

Medium

CVSS 3 base score: 5.3

Status

Package: ntp (Launchpad, Ubuntu, Debian)

Release   Status
precise   Not vulnerable
trusty    Not vulnerable
upstream  Released (1:4.2.8p9+dfsg-1, ntp-4.2.8p9)
xenial    Released (1:4.2.8p4+dfsg-3ubuntu5.5)
yakkety   Released (1:4.2.8p8+dfsg-1ubuntu2.1)
zesty     Not vulnerable (1:4.2.8p9+dfsg-2ubuntu1)

Patches:
vendor: https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch