DSA-3108-1 ntp -- ntp
ID: oval:org.secpod.oval:def:601883 | Date: (C)2014-12-29 (M)2023-12-07
Class: PATCH | Family: unix
Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol.

CVE-2014-9293: ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd.

CVE-2014-9294: The ntp-keygen utility generated weak MD5 keys with insufficient entropy.

CVE-2014-9295: ntpd had several buffer overflows, allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code.

CVE-2014-9296: The general packet processing function in ntpd did not handle an error case correctly.

The default ntpd configuration in Debian restricts access to localhost. Keys explicitly generated by "ntp-keygen -M" should be regenerated.