Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2016-7433

Published: 13 January 2017

NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."

Notes

AuthorNote
mdeslaur
ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94. But the
root-distance calculation in general is incorrect in all
versions of ntp-4 until this release.
leosilva
for precise it's not needed since this issue seems to
be caused by some regression and precise hasn't the
code affect changed.
mdeslaur
trusty isn't vulnerable either

Priority

Medium

Cvss 3 Severity Score

5.3

Score breakdown

Status

Package Release Status
ntp
Launchpad, Ubuntu, Debian
precise Ignored
(end of life)
trusty Not vulnerable

upstream
Released (1:4.2.8p9+dfsg-1, ntp-4.2.8p9)
xenial
Released (1:4.2.8p4+dfsg-3ubuntu5.5)
yakkety
Released (1:4.2.8p8+dfsg-1ubuntu2.1)
zesty Not vulnerable
(1:4.2.8p9+dfsg-2ubuntu1)
Patches:
vendor: https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch

Severity score breakdown

Parameter Value
Base score 5.3
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact Low
Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L