CVE-2014-9750
Published: 6 October 2015
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.
Notes
Author | Note |
---|---|
sbeattie | autokey auth is not configured on by default |
mdeslaur | this used to be known as CVE-2014-9297, patches were released in USN-2497-1 |
Priority
Status
Package | Release | Status |
---|---|---|
ntp Launchpad, Ubuntu, Debian |
upstream |
Released
(1:4.2.6.p5+dfsg-5)
|
precise |
Not vulnerable
|
|
trusty |
Not vulnerable
|
|
vivid |
Not vulnerable
|
|
wily |
Not vulnerable
|
|
xenial |
Not vulnerable
|
|
Patches: upstream: https://github.com/ntp-project/ntp/commit/348fc9fa390c7894f589104fbca4d635868b7a45 upstream: https://github.com/ntp-project/ntp/commit/158d5aa33f5ce3c10f99cdef364ce8e2cb05c4c5 upstream: https://github.com/ntp-project/ntp/commit/5e08c9af76a5e4214bc8369ddf01ee0e86747b3a |