{"id":"MGASA-2015-0413","summary":"Updated ntp packages fixes security vulnerabilities","details":"It was found that ntpd did not correctly implement the threshold\nlimitation for the '-g' option, which is used to set the time without any\nrestrictions.\n\nA man-in-the-middle attacker able to intercept NTP traffic between a\nconnecting client and an NTP server could use this flaw to force that\nclient to make multiple steps larger than the panic threshold, effectively\nchanging the time to an arbitrary value at any time (CVE-2015-5300).\n\nSlow memory leak in CRYPTO_ASSOC with autokey (CVE-2015-7701).\n\nIncomplete autokey data packet length checks could result in crash caused\nby a crafted packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702).\n\nClients that receive a KoD should validate the origin timestamp field\n(CVE-2015-7704).\n\nntpq atoascii() Memory Corruption Vulnerability could result in ntpd crash\ncaused by a crafted packet (CVE-2015-7852).\n\nSymmetric association authentication bypass via crypto-NAK\n(CVE-2015-7871).\n","modified":"2026-01-31T13:27:59.440628Z","published":"2015-10-25T21:50:36Z","related":["CVE-2015-5300","CVE-2015-7691","CVE-2015-7692","CVE-2015-7701","CVE-2015-7702","CVE-2015-7704","CVE-2015-7852","CVE-2015-7871"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2015-0413.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=16999"},{"type":"REPORT","url":"http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner"}],"affected":[{"package":{"name":"ntp","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ntp?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.6p5-24.2.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2015-0413.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}