NTP BUG 2666: random number generator with weak seed used to generate keys
Last update: June 28, 2022 20:06 UTC (57417e17c)
Prior to ntp-4.2.7p230
ntp-keygen used a weak seed to prepare a random number generator that was of good quality back in the late 1990s. The random numbers produced were then used to generate symmetric keys. In ntp-4.2.8 we use a current-technology cryptographic random number generator, either
RAND_bytes from OpenSSL, or
- Upgrade to 4.2.7p230 or later.
restrict ... noquery in your ntp.conf file, for non-trusted senders.
This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team.
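
The weakness described above, shown as an added example that is not ntp-keygen's code: when every key byte is derived from one small seed, the same seed always reproduces the same key, so the key space is no larger than the seed space. The function names, `KEY_LEN`, the seed value, the use of `srand()`/`rand()` as a stand-in for a seeded non-cryptographic generator, and `/dev/urandom` as a stand-in for an OS-backed cryptographic generator are all assumptions for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 20   /* constructed key size for the illustration */

/* Weak pattern: the whole key is a deterministic function of one small
 * seed, so there are at most as many possible keys as possible seeds. */
void weak_key(unsigned int seed, unsigned char key[KEY_LEN])
{
    srand(seed);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: read key bytes from the kernel CSPRNG.
 * Returns 0 on success, -1 if the bytes could not be obtained. */
int strong_key(unsigned char key[KEY_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;   /* never use a partially filled key */
}

int main(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    unsigned int seed = 1419033600u;   /* constructed sample seed */

    weak_key(seed, a);
    weak_key(seed, b);                 /* a second "run" with the same seed */
    printf("weak keys identical:   %s\n", memcmp(a, b, KEY_LEN) == 0 ? "yes" : "no");

    if (strong_key(a) != 0 || strong_key(b) != 0) { perror("urandom"); return 1; }
    printf("strong keys identical: %s\n", memcmp(a, b, KEY_LEN) == 0 ? "yes" : "no");
    return 0;
}
```

Keys produced by the weak pattern should be treated as guessable and regenerated after upgrading, since lengthening the key does not add entropy the seed never had.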