[ntp:hackers] Security fixes in ntp-4.2.8p6

Miroslav Lichvar mlichvar at redhat.com
Thu Jan 21 10:30:08 UTC 2016

I've already added comments to the bugzilla and Harlan knows about it,
but I thought downstream maintainers and other people watching this
list would like to know.

It seems 4.2.8p6 doesn't actually fix the issue with zero origin
timestamp (CVE-2015-8138). The problem is in the change that was
supposed to fix symmetric associations after the fix that was added
for the KoD issue (CVE-2015-7704).

The KoD issue is still not fully fixed. Symmetric associations can be
started, but they break when a packet is lost between the peers.

Miroslav Lichvar
