{"id":"MGASA-2016-0277","summary":"Updated openntpd/busybox packages fix security vulnerability","details":"The busybox NTP implementation doesn't check the NTP mode of packets\nreceived on the server port and responds to any packet with the right\nsize. This includes responses from another NTP server. An attacker can\nsend a packet with a spoofed source address in order to create an infinite\nloop of responses between two busybox NTP servers. Adding more packets to\nthe loop increases the traffic between the servers until one of them has a\nfully loaded CPU and/or network (CVE-2016-6301).\n\nThe affected code originated from openntpd, which had fixed it upstream,\nbut the fix had not made it into Mageia's openntpd package.  It has also\nbeen patched with the fix in this update.\n","modified":"2026-01-31T04:44:20.080163Z","published":"2016-08-09T08:58:37Z","related":["CVE-2016-6301"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0277.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19128"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1363710"}],"affected":[{"package":{"name":"openntpd","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/openntpd?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.9p1-11.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0277.json"}},{"package":{"name":"busybox","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/busybox?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.22.1-5.3.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0277.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}