MGASA-2016-0277

Source
https://advisories.mageia.org/MGASA-2016-0277.html
Import Source
https://advisories.mageia.org/MGASA-2016-0277.json
JSON Data
https://api.test.osv.dev/v1/vulns/MGASA-2016-0277
Published
2016-08-09T08:58:37Z
Modified
2016-08-09T08:26:49Z
Summary
Updated openntpd/busybox packages fix security vulnerability
Details

The busybox NTP implementation doesn't check the NTP mode of packets received on the server port and responds to any packet with the right size. This includes responses from another NTP server. An attacker can send a packet with a spoofed source address in order to create an infinite loop of responses between two busybox NTP servers. Adding more packets to the loop increases the traffic between the servers until one of them has a fully loaded CPU and/or network (CVE-2016-6301).

The affected code originated from openntpd, which had fixed it upstream, but the fix had not made it into Mageia's openntpd package. The openntpd package has also been patched with the fix in this update.
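The missing check, as an added example that is not the busybox or openntpd code: a size-only accept decision beside one that also inspects the mode bits of the first header octet. The function names, the accepted sizes (48 and 68 bytes) and the choice to answer only client and symmetric-active packets are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* First NTP header octet: LI (2 bits) | VN (3 bits) | Mode (3 bits), RFC 5905. */
#define NTP_MODE_MASK     0x07
#define NTP_MODE_SYM_ACT  1   /* symmetric active */
#define NTP_MODE_CLIENT   3   /* client request */
#define NTP_MODE_SERVER   4   /* server response */
#define NTP_PKT_MIN       48  /* header without authenticator (assumed size) */
#define NTP_PKT_WITH_MAC  68  /* header + key id + 128-bit digest (assumed size) */

static int size_ok(size_t len)
{
    return len == NTP_PKT_MIN || len == NTP_PKT_WITH_MAC;
}

/* Behaviour the advisory describes: any correctly sized packet gets a reply. */
int should_reply_size_only(const uint8_t *pkt, size_t len)
{
    (void)pkt;
    return size_ok(len);
}

/* Hardened: also require a mode that actually asks for a reply. */
int should_reply_mode_checked(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || !size_ok(len))
        return 0;
    uint8_t mode = pkt[0] & NTP_MODE_MASK;
    return mode == NTP_MODE_CLIENT || mode == NTP_MODE_SYM_ACT;
}

/* Constructed sample: 48-byte packet with LI=0, VN=4 and the given mode. */
void make_pkt(uint8_t *buf, uint8_t mode)
{
    for (size_t i = 0; i < NTP_PKT_MIN; i++)
        buf[i] = 0;
    buf[0] = (uint8_t)((4u << 3) | (mode & NTP_MODE_MASK));
}

int main(void)
{
    uint8_t pkt[NTP_PKT_MIN];
    for (uint8_t mode = 0; mode < 8; mode++) {
        make_pkt(pkt, mode);
        printf("mode %u: size-only=%d mode-checked=%d\n", (unsigned)mode,
               should_reply_size_only(pkt, sizeof pkt),
               should_reply_mode_checked(pkt, sizeof pkt));
    }
    return 0;
}
```

With the mode check in place, a server response (mode 4) arriving on the server port is dropped instead of answered, so a reply can no longer trigger another reply.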

Affected packages

Mageia:5 / openntpd

Package

Name
openntpd
Purl
pkg:rpm/mageia/openntpd?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.9p1-11.1.mga5

Ecosystem specific

{
    "section": "core"
}

Mageia:5 / busybox

Package

Name
busybox
Purl
pkg:rpm/mageia/busybox?distro=mageia-5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.22.1-5.3.mga5

Ecosystem specific

{
    "section": "core"
}