Advisories » MGASA-2018-0195

Updated ntp packages fix security vulnerabilities

Publication date: 06 Apr 2018
Type: security
Affected Mageia releases: 6
CVE: CVE-2016-1549, CVE-2018-7182, CVE-2018-7170, CVE-2018-7184, CVE-2018-7185, CVE-2018-7183


This release addresses five security issues in ntpd for Mageia 6:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability:
ephemeral association attack. While fixed in ntp-4.2.8p7, there are
significant additional protections for this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.

INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer
read overrun leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.

LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated
ephemeral associations. Reported on the questions@ list.

LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode
cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.

LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet
can reset authenticated interleaved association.
Reported by Miroslav Lichvar of Red Hat.

one security issue in ntpq:
MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write
beyond its buffer limit. Reported by Michael Macnair of

and provides over 33 bugfixes and 32 other improvements. Notification
of these issues was delivered to our Institutional members on a rolling
basis as they were reported and as progress was made.