Name | CVE-2015-7974 |
Description | NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-559-1, DSA-3629-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
ntp (PTS) | jessie, jessie (lts) | 1:4.2.6.p5+dfsg-7+deb8u3 | fixed |
ntp | stretch | 1:4.2.8p10+dfsg-3+deb9u2 | fixed |
ntp | buster, buster (lts) | 1:4.2.8p12+dfsg-4+deb10u1 | fixed |
ntp | bullseye | 1:4.2.8p15+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
ntp | source | wheezy | 1:4.2.6.p5+dfsg-2+deb7u7 | | DLA-559-1 | |
ntp | source | jessie | 1:4.2.6.p5+dfsg-7+deb8u2 | | DSA-3629-1 | |
ntp | source | (unstable) | 1:4.2.8p7+dfsg-1 | low | | |
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://support.ntp.org/bin/view/Main/NtpBug2936