CVE-2016-9042

Name: CVE-2016-9042

Description: An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.

Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| ntp (PTS) | jessie, jessie (lts) | 1:4.2.6.p5+dfsg-7+deb8u3 | fixed |
| ntp | stretch | 1:4.2.8p10+dfsg-3+deb9u2 | fixed |
| ntp | buster | 1:4.2.8p12+dfsg-4 | fixed |
| ntp | bullseye | 1:4.2.8p15+dfsg-1 | fixed |

The information below is based on the following data on fixed versions.

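| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ntp | source | wheezy | (not affected) | | | |
| ntp | source | jessie | (not affected) | | | |
| ntp | source | (unstable) | 1:4.2.8p10+dfsg-1 | | | |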

Notes

[jessie] - ntp <not-affected> (Doesn't use the affected upstream patch)
[wheezy] - ntp <not-affected> (Doesn't use the affected upstream patch)
http://www.talosintelligence.com/reports/TALOS-2016-0260/
http://support.ntp.org/bin/view/Main/NtpBug3361
This vulnerability affects the upstream fix for CVE-2015-8138, but Debian
jessie and wheezy use a less invasive patch by Miroslav Lichvar
of Red Hat, as available here:
http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-8138.patch?h=f24
