4.2.8p13 Release Announcement
Last update: June 28, 2022 21:06 UTC (1f97faf40)
The NTP Project at Network Time Foundation publicly released ntp-4.2.8p13 on Thursday, 07 March 2019.
This release fixes one security issue in
- MEDIUM: 3565: Crafted null dereference attack from a trusted source with an authenticated mode 6 packet
- A crafted malicious authenticated mode 6 (
ntpq) packet from a permitted network address can trigger a NULL pointer dereference, crashing
ntpd. Note that for this attack to work, the sending system must be on an address that the target’s
ntpd accepts mode 6 packets from, and must properly authenticate the packet with a private key that is specifically listed as being used for mode 6 authorization.
- Reported by Magnus Stubman.
and provides 17 bugfixes and 1 other improvement.
ENotification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.