CVE-2016-7433

Priority
Description
NTP before 4.2.8p9 does not properly perform the initial sync calculations,
which allows remote attackers to have unspecified impact via unknown vectors,
related to a "root distance that did not include the peer dispersion."
Notes
mdeslaur> ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94. But the
root-distance calculation in general is incorrect in all
versions of ntp-4 until this release.
leosilva> for precise it's not needed since this issue seems to
be caused by some regression and precise hasn't the
code affect changed.
mdeslaur> trusty isn't vulnerable either
Package
Source: ntp (LP Ubuntu Debian)
Upstream: released (1:4.2.8p9+dfsg-1, ntp-4.2.8p9)
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 ESM (Trusty Tahr): not-affected
Ubuntu 16.04 LTS (Xenial Xerus): released (1:4.2.8p4+dfsg-3ubuntu5.5)
Patches:
Vendor: https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch
More Information

Updated: 2020-07-28 19:58:19 UTC (commit d26b6ca9f5b3adb89bb036ce73ae7dab894935ec)