Description
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer
associations of symmetric keys when authenticating packets, which might
allow remote attackers to conduct impersonation attacks via an arbitrary
trusted key, aka a "skeleton key."
Notes
mdeslaur | fedora has an alternate fix
http://lists.ntp.org/pipermail/hackers/2016-January/007416.html |
Package
Upstream: | released
(4.2.8p6)
|
Ubuntu 16.04 ESM: | released
(1:4.2.8p4+dfsg-3ubuntu5.3)
|
Ubuntu 14.04 ESM: | released
(1:4.2.6.p5+dfsg-3ubuntu2.14.04.10)
|
Ubuntu 20.04 FIPS Compliant: | not-affected
(1:4.2.8p4+dfsg-3ubuntu6)
|
Patches:
Updated: 2022-04-13 12:06:47 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)