ELA-1270-1 ntp security update

multiple vulnerabilities

2024-12-11
Package: ntp
Version: 1:4.2.8p12+dfsg-4+deb10u1 (buster)
Related CVEs: CVE-2020-11868 CVE-2020-15025 CVE-2023-26555


Multiple vulnerabilities were discovered in ntp, a Network Time Protocol daemon and set of utility programs.

CVE-2020-11868

It was possible for an off-path attacker to block unauthenticated synchronisation via a server mode packet with a spoofed source IP address.

CVE-2020-15025

A remote attacker could cause a denial-of-service because of a memory leak in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file.

CVE-2023-26555

The clock driver for the Trimble Palisade GPS timing receiver contained an out-of-bounds write, which could cause memory corruption or a crash.
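Each of the three issues depends on how ntpd is configured, so the configuration can be checked for the relevant settings. The following is an added example, not part of the advisory or of the ntp package. It assumes stock ntp.conf and ntp.keys syntax, that CMAC keys carry a type containing "CMAC" (for example AES128CMAC), and that the Palisade refclock is driver type 29 (127.127.29.u). The sample file contents are constructed.

```python
import re

# Constructed sample inputs (not taken from any real host).
SAMPLE_CONF = """\
# /etc/ntp.conf (constructed)
keys /etc/ntp.keys
trustedkey 1 2
server ntp1.example.net iburst key 2
server ntp2.example.net iburst
pool 2.debian.pool.ntp.org iburst
server 127.127.29.0 mode 2   # refclock, driver type 29
"""
SAMPLE_KEYS = """\
# id type key (constructed values)
1 SHA1 0123456789abcdef0123456789abcdef01234567
2 AES128CMAC 00112233445566778899aabbccddeeff
"""

def _lines(text):
    """Yield whitespace-split fields of each non-empty line, comments stripped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield fields

def audit(conf_text, keys_text):
    """Return, per CVE, the config entries that meet its precondition."""
    unauth, palisade = [], []
    for f in _lines(conf_text):
        if f[0] not in ("server", "pool", "peer") or len(f) < 2:
            continue
        refclock = re.fullmatch(r"127\.127\.(\d+)\.\d+", f[1])
        if refclock:
            if refclock.group(1) == "29":   # assumed: type 29 = Palisade
                palisade.append(f[1])
        elif "key" not in f[2:] and "autokey" not in f[2:]:
            unauth.append(f[1])             # time source without authentication
    cmac = [f[0] for f in _lines(keys_text)
            if len(f) >= 3 and "CMAC" in f[1].upper()]
    return {"CVE-2020-11868": unauth,      # unauthenticated synchronisation
            "CVE-2020-15025": cmac,        # key ids using a CMAC algorithm
            "CVE-2023-26555": palisade}    # Palisade refclock addresses

if __name__ == "__main__":
    for cve, hits in audit(SAMPLE_CONF, SAMPLE_KEYS).items():
        print(cve, "relevant:" if hits else "not configured", *hits)
```

An empty list for a CVE means that precondition was not found in the supplied configuration; upgrading to the fixed version is still the remedy.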



For Debian 10 buster, these problems have been fixed in version 1:4.2.8p12+dfsg-4+deb10u1.

We recommend that you upgrade your ntp packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.