MGASA-2015-0413

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2015-0413.html

Import Source

https://advisories.mageia.org/MGASA-2015-0413.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2015-0413

Related

Published

2015-10-25T21:50:36Z

Modified

2015-10-25T21:48:03Z

Summary

Updated ntp packages fixes security vulnerabilities

Details

It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions.

A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time (CVE-2015-5300).

Slow memory leak in CRYPTO_ASSOC with autokey (CVE-2015-7701).

Incomplete autokey data packet length checks could result in crash caused by a crafted packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702).

Clients that receive a KoD should validate the origin timestamp field (CVE-2015-7704).

ntpq atoascii() Memory Corruption Vulnerability could result in ntpd crash caused by a crafted packet (CVE-2015-7852).

Symmetric association authentication bypass via crypto-NAK (CVE-2015-7871).

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:5 / ntp

Package

Name: ntp
Purl: pkg:rpm/mageia/ntp?distro=mageia-5

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.2.6p5-24.2.mga5

Ecosystem specific

{
    "section": "core"
}