Advisories » MGASA-2015-0152

Updated ntp packages fix security vulnerabilities

Publication date: 15 Apr 2015
Modification date: 15 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1798, CVE-2015-1799

Description

Updated ntp packages fix security vulnerabilities:

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in
NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero
length, which makes it easier for man-in-the-middle attackers to spoof packets
by omitting the MAC (CVE-2015-1798).

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in
NTP before 4.2.8p2 performs state-variable updates upon receiving certain
invalid packets, which makes it easier for man-in-the-middle attackers to
cause a denial of service (synchronization loss) by spoofing the source IP
address of a peer (CVE-2015-1799).
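
The acceptance logic behind CVE-2015-1798, shown as an added example: a simplified model written for this page, not code from ntpd or from the Mageia packages. The names `accept_flawed`, `accept_strict`, `decide` and `toy_mac`, the key and the header bytes are constructed, and `toy_mac` is a non-cryptographic stand-in for the real keyed digest.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HDR_LEN = 48, KEYID_LEN = 4, DIGEST_LEN = 16, MAC_LEN = KEYID_LEN + DIGEST_LEN };
struct peer { bool keyed; const uint8_t *key; size_t klen; };

/* Toy keyed checksum standing in for the real digest; NOT cryptographic. */
static void toy_mac(const struct peer *p, const uint8_t *hdr, uint8_t out[DIGEST_LEN]) {
    memset(out, 0, DIGEST_LEN);
    for (size_t i = 0; i < p->klen; i++) out[i % DIGEST_LEN] ^= p->key[i];
    for (size_t i = 0; i < HDR_LEN; i++)
        out[i % DIGEST_LEN] = (uint8_t)(out[i % DIGEST_LEN] * 31u + hdr[i]);
}
static bool mac_ok(const struct peer *p, const uint8_t *pkt) {
    uint8_t want[DIGEST_LEN], diff = 0;
    toy_mac(p, pkt, want);
    for (size_t i = 0; i < DIGEST_LEN; i++)      /* compare without early exit */
        diff |= want[i] ^ pkt[HDR_LEN + KEYID_LEN + i];
    return diff == 0;
}

/* Flawed policy: the MAC is verified only when the MAC field has nonzero length. */
bool accept_flawed(const struct peer *p, const uint8_t *pkt, size_t len) {
    if (len < HDR_LEN) return false;
    if (len == HDR_LEN) return true;             /* no MAC: check skipped, keyed or not */
    return len == HDR_LEN + MAC_LEN && mac_ok(p, pkt);
}
/* Corrected policy: a peer configured with a key must always present a valid MAC. */
bool accept_strict(const struct peer *p, const uint8_t *pkt, size_t len) {
    if (len < HDR_LEN) return false;
    if (!p->keyed) return len == HDR_LEN;
    return len == HDR_LEN + MAC_LEN && mac_ok(p, pkt);
}
/* Constructed sample: builds a packet for a keyed peer and returns the decision. */
bool decide(bool strict, bool with_mac, bool tamper) {
    static const uint8_t key[] = "constructed-demo-key";
    struct peer p = { true, key, sizeof key - 1 };
    uint8_t pkt[HDR_LEN + MAC_LEN] = { 0x23, 2, 6, 0xec };  /* constructed header bytes */
    if (with_mac) toy_mac(&p, pkt, pkt + HDR_LEN + KEYID_LEN);
    if (tamper) pkt[HDR_LEN + MAC_LEN - 1] ^= 1;            /* corrupt the digest */
    size_t len = with_mac ? HDR_LEN + MAC_LEN : HDR_LEN;
    return strict ? accept_strict(&p, pkt, len) : accept_flawed(&p, pkt, len);
}
int main(void) {
    printf("keyed peer, no MAC: flawed=%d strict=%d\n", decide(false, false, false), decide(true, false, false));
    return 0;
}
```

Both policies reject a packet whose MAC is present but wrong; they differ only on the packet that carries no MAC at all, which is the case the update closes.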
                

References

SRPMS

4/core