MGASA-2015-0413

Source
https://advisories.mageia.org/MGASA-2015-0413.html
Import Source
https://advisories.mageia.org/MGASA-2015-0413.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2015-0413
Published
2015-10-25T21:50:36Z
Modified
2015-10-25T21:48:03Z
Summary
Updated ntp packages fix security vulnerabilities
Details

It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions.

A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time (CVE-2015-5300).

Slow memory leak in CRYPTO_ASSOC with autokey (CVE-2015-7701).

Incomplete autokey data packet length checks could result in a crash caused by a crafted packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702).

Clients that receive a KoD should validate the origin timestamp field (CVE-2015-7704).

An ntpq atoascii() memory corruption vulnerability could result in an ntpd crash caused by a crafted packet (CVE-2015-7852).

Symmetric association authentication bypass via crypto-NAK (CVE-2015-7871).


Affected packages

Mageia:5 / ntp

Package

Name
ntp
Purl
pkg:rpm/mageia/ntp?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
4.2.6p5-24.2.mga5

Ecosystem specific

{
    "section": "core"
}