Debian Security Advisory

DLA-2201-1 ntp -- LTS security update

Date Reported:
05 May 2020
Affected Packages:
ntp
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2020-11868.
More information:

A Denial of Service (DoS) vulnerability was discovered in the network time protocol server/client, ntp.

ntp allowed an "off-path" attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address, because transmissions were rescheduled even if a packet lacked a valid "origin timestamp".

  • CVE-2020-11868

    ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp.
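
The following simplified model is an added illustration, not code from ntpd or from this advisory. It shows why rescheduling on a packet whose origin timestamp does not match the outstanding request starves a client of polls, and how leaving the timer alone for such packets avoids that. The `Association` class, its field names, the 64-second interval and the sample packets are constructed assumptions.

```python
import struct

NTP_HDR = "!BBbbII4sQQQQ"   # 48-byte NTP header, fixed fields only
MODE_SERVER = 4
POLL_INTERVAL = 64          # seconds; constructed value for the model

def build_server_packet(origin, transmit):
    """Constructed sample packet: LI=0, VN=4, mode=4 (server)."""
    return struct.pack(NTP_HDR, (4 << 3) | MODE_SERVER, 2, 6, -20,
                       0, 0, b"TEST", 0, origin, transmit, transmit)

def parse_header(pkt):
    if len(pkt) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HDR, pkt[:48])
    return {"mode": f[0] & 0x07, "origin": f[8], "transmit": f[10]}

class Association:
    """Hypothetical client-side state for one unauthenticated server."""
    def __init__(self, reschedule_on_bogus):
        self.reschedule_on_bogus = reschedule_on_bogus  # True = flawed behaviour
        self.pending_xmt = None   # transmit timestamp of our outstanding request
        self.next_poll = 0
        self.samples = 0

    def poll(self, now, xmt):
        self.pending_xmt = xmt
        self.next_poll = now + POLL_INTERVAL

    def receive(self, now, pkt):
        hdr = parse_header(pkt)
        if hdr["mode"] != MODE_SERVER:
            return "ignored"
        if self.pending_xmt is None or hdr["origin"] != self.pending_xmt:
            if self.reschedule_on_bogus:
                self.next_poll = now + POLL_INTERVAL  # the flaw: timer moves anyway
            return "bogus"
        self.pending_xmt = None
        self.samples += 1
        return "accepted"

def polls_sent(reschedule_on_bogus, duration=300, bogus_every=10):
    """Count polls while wrong-origin packets arrive every bogus_every seconds."""
    assoc, polls = Association(reschedule_on_bogus), 0
    for now in range(duration):
        if now >= assoc.next_poll:
            assoc.poll(now, xmt=0x1000 + now)
            polls += 1
        if now % bogus_every == 5:
            assoc.receive(now, build_server_packet(origin=0xDEAD, transmit=now))
    return polls
```

In the model, a client that ignores the timer for mismatched packets keeps polling every 64 seconds, while the flawed variant sends its first poll and then never reaches the next one for as long as the mismatched packets keep arriving.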

For Debian 8 Jessie, these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u3.

We recommend that you upgrade your ntp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS