MGASA-2014-0032

Source
https://advisories.mageia.org/MGASA-2014-0032.html
Import Source
https://advisories.mageia.org/MGASA-2014-0032.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2014-0032
Published
2014-01-31T16:44:56Z
Modified
2014-01-31T16:44:50Z
Summary
Updated ntp packages work around security vulnerability
Details

The "monlist" command of the NTP protocol is currently being abused in DDoS reflection attacks. This is done by spoofing packets so that they appear to come from the addresses at which the attack is directed. The ntp installations themselves are not the target of the attack, but they are part of the DDoS network which the attacker is driving (CVE-2013-5211).

* IMPORTANT *

Note: the workaround for this issue is not a change in the software, but instead is a change in the default configuration. In most cases, the configuration change will need to be made manually by administrators in the /etc/ntp.conf file, as the package will only install the updated configuration as /etc/ntp.conf.rpmnew. The following lines should be added to the end of /etc/ntp.conf:

    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    restrict default nomodify notrap nopeer noquery
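
Because the package only drops the new configuration as /etc/ntp.conf.rpmnew, it is worth confirming that the active file really carries the restriction. The following check is an added example, not part of the Mageia advisory; the function name `check_ntp_restrict`, the sample configurations and the host name in them are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Mageia advisory: audit ntp.conf-style input
# for the "restrict default ... noquery" workaround.

# check_ntp_restrict: reads a configuration on stdin and prints findings.
# Returns 0 when every "restrict default" entry carries noquery (or ignore),
# 1 when a default entry lacks both or when no default entry exists.
# Assumption: only the default entry is judged; per-address restrict lines
# (e.g. for 127.0.0.1) are left to the administrator.
check_ntp_restrict() {
    awk '
        { sub(/#.*/, "") }                      # strip comments
        $1 != "restrict" { next }
        {
            i = 2
            if ($i == "-4" || $i == "-6") i++   # optional address family
            if ($i != "default") next
            seen++
            ok = 0
            for (j = i + 1; j <= NF; j++)
                if ($j == "noquery" || $j == "ignore") ok = 1
            if (!ok) { bad++; printf "WEAK line %d: %s\n", NR, $0 }
        }
        END {
            if (!seen) { print "MISSING: no restrict default entry"; exit 1 }
            if (bad) exit 1
            printf "OK: %d default entry(ies) carry noquery/ignore\n", seen
        }
    '
}

# Constructed sample configurations (not taken from any real host).
SAMPLE_BEFORE='driftfile /var/lib/ntp/drift
server ntp.example.org
restrict 127.0.0.1'

SAMPLE_AFTER="$SAMPLE_BEFORE
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery"

printf '%s\n' "$SAMPLE_BEFORE" | check_ntp_restrict || echo "-> workaround not applied"
printf '%s\n' "$SAMPLE_AFTER"  | check_ntp_restrict && echo "-> workaround applied"
```

On a live system the same function is run as `check_ntp_restrict < /etc/ntp.conf`.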


Affected packages

Mageia:3 / ntp

Package

Name
ntp
Purl
pkg:rpm/mageia/ntp?distro=mageia-3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.2.6p5-12.1.mga3

Ecosystem specific

{
    "section": "core"
}