Patch NTP against DoS, again

The Network Time Protocol (NTP) organisation pushed out a bunch of patches last Thursday, including one high-severity bug.

The vulnerabilities in question are CVE-2016-4957 (another vulnerability in Crypto-NAK found by Cisco), and from Red Hat there's CVE-2016-4953 (an authentication bug), CVE-2016-4954 (server packet spoofing), CVE-2016-4955 (autokey association reset) and CVE-2016-4956 (a broadcast interleave bug).

Its the Crypto-NAK bug that's rated high severity, because it creates a denial-of-service vulnerability.

The ntp.org notice is here, and the fixes are addressed in ntp-4.2.8p8.

At this stage, US-Cert is awaiting vendor responses to determine which third-party products are also vulnerable. ®