CVE-2005-2496

NameCVE-2005-2496
DescriptionThe xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.
SourceCVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-801-1
NVD severitymedium (attack range: local)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ntp (PTS)wheezy (security), wheezy1:4.2.6.p5+dfsg-2+deb7u6fixed
jessie (security), jessie1:4.2.6.p5+dfsg-7+deb8u1fixed
stretch1:4.2.8p4+dfsg-3fixed
sid1:4.2.8p7+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ntpsource(unstable)1:4.2.0a+stable-2sarge1medium
ntpsourceetch1:4.2.0a+stable-2sarge1medium
ntpsourcesarge1:4.2.0a+stable-2sarge1mediumDSA-801-1
ntpsourcewoody(not affected)DSA-801-1

Notes

I suspect DSA-801 is fixed by the non-root patches from Ubuntu??

Search for package or bug name: Reporting problems