Patch NTP against DoS, again
The Network Time Protocol (NTP) organisation pushed out a bunch of patches last Thursday, including one for a high-severity bug.
The vulnerabilities in question are CVE-2016-4957 (another vulnerability in Crypto-NAK found by Cisco), and from Red Hat there's CVE-2016-4953 (an authentication bug), CVE-2016-4954 (server packet spoofing), CVE-2016-4955 (autokey association reset) and CVE-2016-4956 (a broadcast interleave bug).
It's the Crypto-NAK bug that's rated high severity, because it creates a denial-of-service vulnerability.
The ntp.org notice is here, and the bugs are fixed in ntp-4.2.8p8.
At this stage, US-Cert is awaiting vendor responses to determine which third-party products are also vulnerable. ®