Description: Summary: Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs:
CVE-2015-5146 A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted packet to cause ntpd to crash if:
- ntpd enabled remote configuration
- The attacker had the knowledge of the configuration password
- The attacker had access to a computer entrusted to perform remote configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194 It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.
Description truncated. Please see the references for more information.
Affected Software/OS: ntp on Debian Linux
Solution: For the oldstable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u6.
For the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u1.
For the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p4+dfsg-3.
For the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p4+dfsg-3.
We recommend that you upgrade your ntp packages.
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P