CVE-2014-9294

util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ntp	14.10 utopic	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.10.1
	14.04 LTS trusty	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1
	12.04 LTS precise	Fixed 1:4.2.6.p3+dfsg-1ubuntu3.2
	10.04 LTS lucid	Fixed 1:4.2.4p8+dfsg-1ubuntu2.2

Notes

mdeslaur

Red Hat has a slightly less-intrusive backport

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ntp	Upstream: http://bk1.ntp.org/ntp-dev/util/ntp-keygen.c?PAGE=diffs&REV=4eae1b72298KRoBQmX-y8URCiRPH5g Upstream: http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548db6ddlELn4rnqUZ4kKGOjvtXwbQ Vendor: https://git.centos.org/blob/rpms!ntp.git/c054b85192ea340529fc9a659cac7ea6b893b50e/SOURCES!ntp-4.2.6p5-cve-2014-9294.patch

References

Related Ubuntu Security Notices (USN)

USN-2449-1
NTP vulnerabilities
22 December 2014

Status

Notes

Patch details

References

Related Ubuntu Security Notices (USN)

Other references