NTP BUG 2670: receive(): missing return on error
Last update: June 28, 2022 20:06 UTC (57417e17c)
ntp_proto.c:receive() is missing a
return; in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven’t found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score become 7.5.
- Upgrade to 4.2.8 or later, or
- Remove or comment out all configuration directives beginning with the
crypto keyword in your
This vulnerability was discovered by Stephen Roettger of the Google Security Team.