PublicDateAtUSN: 2015-12-31
Candidate: CVE-2015-7975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0072/
https://usn.ubuntu.com/usn/usn-3096-1
The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not
properly validate the length of its input, which allows an attacker to
cause a denial of service (application crash).
mdeslaur> introduced in 4.2.8 by
mdeslaur> https://github.com/ntp-project/ntp/commit/be565bf3c6a5badd4a6ce2f336476d1e1dd98915
http://support.ntp.org/bin/view/Main/NtpBug2937
Discovered-by: Jonathan Gardner
upstream: https://github.com/ntp-project/ntp/commit/12f1323d18c8d74eb14fb5ac5574183d779794c5
upstream_ntp: released (4.2.8p6)
precise_ntp: not-affected (1:4.2.6.p3+dfsg-1ubuntu3.9)
trusty_ntp: not-affected (1:4.2.6.p5+dfsg-3ubuntu2.14.04.8)
vivid_ntp: ignored (reached end-of-life)
vivid/stable-phone-overlay_ntp: not-affected
vivid/ubuntu-core_ntp: DNE
wily_ntp: not-affected (1:4.2.6.p5+dfsg-3ubuntu8.2)
xenial_ntp: released (1:4.2.8p4+dfsg-3ubuntu5.3)
devel_ntp: not-affected (1:4.2.8p4+dfsg-3ubuntu6)