Debian Security Advisory

DLA-2201-1 ntp -- LTS security update

Date Reported:
05 May 2020
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2020-11868.
More information:

A Denial of Service (DoS) vulnerability was discovered in the network time protocol server/client, ntp.

ntp allowed an "off-path" attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address because transmissions were rescheduled even if a packet lacked a valid "origin timestamp"

  • CVE-2020-11868

    ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp

For Debian 8 Jessie, these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u3.

We recommend that you upgrade your ntp packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: