DescriptionNTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ntp (PTS)buster1:4.2.8p12+dfsg-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ntpsourcewheezy(not affected)
ntpsourcejessie(not affected)


[jessie] - ntp <not-affected> (Vulnerable code introduced in ntp-4.2.7p385)
[wheezy] - ntp <not-affected> (Vulnerable code introduced in ntp-4.2.7p385)
Although the CVE is only for the issue introduced by the fix for, he root-distance calculation
itself in general is incorrect in all version of ntp-4 until ntp-4.2.8p9

Search for package or bug name: Reporting problems