| Name | CVE-2015-7976 |
| Description | The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ntp (PTS) | buster | 1:4.2.8p12+dfsg-4 | fixed |
| bullseye | 1:4.2.8p15+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ntp | source | (unstable) | 1:4.2.8p7+dfsg-1 | low |
[jessie] - ntp <no-dsa> (Minor issue, mitigation exists)
[wheezy] - ntp <no-dsa> (Minor issue, can be fixed along in a future update)
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://support.ntp.org/bin/view/Main/NtpBug2938
https://github.com/ntp-project/ntp/commit/3680c2e4d5f88905ce062c7b43305d610a2c9796
https://github.com/ntp-project/ntp/commit/7fe04606062ed674db3b9553d32dedad29504d61