CVE-2023-4012

Name: CVE-2023-4012
Description: ntpd will crash if the server is not NTS-enabled (no certificate) and it receives an NTS-enabled client request (mode 3).
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5466-1
Debian Bugs: 1038422

Vulnerable and fixed packages

The table below lists information on source packages.

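| Source Package | Release | Version | Status |
|---|---|---|---|
| ntpsec (PTS) | buster | 1.1.3+dfsg1-2+deb10u1 | fixed |
| ntpsec | bullseye | 1.2.0+dfsg1-4 | fixed |
| ntpsec | bookworm (security), bookworm | 1.2.2+dfsg1-1+deb12u1 | fixed |
| ntpsec | sid, trixie | 1.2.3+dfsg1-3 | fixed |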

The information below is based on the following data on fixed versions.

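| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ntpsec | source | buster | (not affected) | | | |
| ntpsec | source | bullseye | (not affected) | | | |
| ntpsec | source | bookworm | 1.2.2+dfsg1-1+deb12u1 | | DSA-5466-1 | |
| ntpsec | source | (unstable) | 1.2.2+dfsg1-2 | | | 1038422 |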

Notes

[bullseye] - ntpsec <not-affected> (Vulnerable code introduced later)
[buster] - ntpsec <not-affected> (Vulnerable code introduced later)
https://gitlab.com/NTPsec/ntpsec/-/issues/794
https://blog.ntpsec.org/2023/08/03/version-1.2.2a.html
