MGASA-2015-0152

Source
https://advisories.mageia.org/MGASA-2015-0152.html
Import Source
https://advisories.mageia.org/MGASA-2015-0152.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2015-0152
Related
Published
2015-04-15T09:01:28Z
Modified
2015-04-15T08:49:01Z
Summary
Updated ntp packages fix security vulnerabilities
Details

Updated ntp packages fix security vulnerabilities:

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (CVE-2015-1798).

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (CVE-2015-1799).

References
Credits

Affected packages

Mageia:4 / ntp

Package

Name
ntp
Purl
pkg:rpm/mageia/ntp?distro=mageia-4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.6p5-15.5.mga4

Ecosystem specific

{
    "section": "core"
}