{"id":"MGASA-2016-0219","summary":"Updated ntp packages fix security vulnerability","details":"ntpq and ntpdc disclose the origin timestamp to unauthenticated clients,\nwhich may allow an attacker to impersonate a legitimate peer\n(CVE-2015-8139).\n\nAn attacker who is able to spoof packets with correct origin timestamps\nfrom enough servers before the expected response packets arrive at the\ntarget machine can affect some peer variables and, for example, cause a\nfalse leap indication to be set (CVE-2016-4954).\n\nAn attacker who is able to spoof a packet with a correct origin timestamp\nbefore the expected response packet arrives at the target machine can send\na CRYPTO_NAK or a bad MAC and cause the association's peer variables to be\ncleared. If this can be done often enough, it will prevent that\nassociation from working (CVE-2016-4955).\n\nThe fix for CVE-2016-1548 does not cover broadcast associations, so\nbroadcast clients can be triggered to flip into interleave mode\n(CVE-2016-4956).\n","modified":"2026-04-16T06:26:22.134988706Z","published":"2016-06-07T21:39:50Z","upstream":["CVE-2015-8139","CVE-2016-4954","CVE-2016-4955","CVE-2016-4956"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0219.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=18617"},{"type":"WEB","url":"http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi"}],"affected":[{"package":{"name":"ntp","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/ntp?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.2.6p5-24.6.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0219.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}