Description
The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not
properly validate the length of its input, which allows an attacker to
cause a denial of service (application crash).
Notes
mdeslaur | introduced in 4.2.8 by
https://github.com/ntp-project/ntp/commit/be565bf3c6a5badd4a6ce2f336476d1e1dd98915 |
Package
Upstream: | released
(4.2.8p6)
|
Ubuntu 16.04 ESM: | released
(1:4.2.8p4+dfsg-3ubuntu5.3)
|
Ubuntu 14.04 ESM: | not-affected
(1:4.2.6.p5+dfsg-3ubuntu2.14.04.8)
|
Ubuntu 20.04 FIPS Compliant: | not-affected
(1:4.2.8p4+dfsg-3ubuntu6)
|
Patches:
Updated: 2022-04-13 12:06:47 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)