As per upstream NTP security advisory: Prior to ntp-4.2.7p230, ntp-keygen used a weak seed to prepare a random number generator that was of good quality back in the late 1990s. The random numbers produced were then used to generate symmetric keys. In ntp-4.2.8 we use a current-technology cryptographic random number generator, either RAND_bytes from OpenSSL, or arc4random(). Mitigation: Upgrade to 4.2.7p230 or later. This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team.
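An added illustration of the two patterns the advisory contrasts (not ntp-keygen's own code): a key derived from a non-cryptographic PRNG seeded with one small value is fully reproducible from that seed, while a key drawn from a CSPRNG is not. The seed, the 20-byte key length and the use of /dev/urandom in place of RAND_bytes()/arc4random() are assumptions made to keep the example dependency-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 20  /* key length chosen for this example (assumption) */

/* Weak pattern described in the advisory: a non-cryptographic PRNG
   seeded with a small, guessable value. Generator and seed are
   illustrative; this is not ntp-keygen's actual code. */
void weak_key(unsigned char *out, unsigned long seed) {
    srand((unsigned int)seed);
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: key bytes from the kernel CSPRNG. ntp-4.2.8 uses
   RAND_bytes() or arc4random(); /dev/urandom is read here to avoid an
   OpenSSL dependency. Returns 0 on success, -1 on failure. */
int strong_key(unsigned char *out) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

/* 1 if two keys generated from the same seed are byte-identical. */
int weak_keys_repeat(unsigned long seed) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    weak_key(a, seed);
    weak_key(b, seed);
    return memcmp(a, b, KEY_LEN) == 0;
}

/* 1 if two CSPRNG keys collide (expected 0), -1 if the source failed. */
int strong_keys_repeat(void) {
    unsigned char a[KEY_LEN], b[KEY_LEN];
    if (strong_key(a) != 0 || strong_key(b) != 0) return -1;
    return memcmp(a, b, KEY_LEN) == 0;
}

int main(void) {
    unsigned long seed = (unsigned long)time(NULL);  /* low-entropy seed */
    printf("weak keys from one seed identical: %d\n", weak_keys_repeat(seed));
    printf("CSPRNG keys identical: %d\n", strong_keys_repeat());
    return 0;
}
```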
Upstream change to the NEWS file with details quoted in comment 0:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg

This seems to be the seeding fix applied between 4.2.7p229 and 4.2.7p230:
http://bk1.ntp.org/ntp-dev/util/ntp-keygen.c?PAGE=diffs&REV=4eae1b72298KRoBQmX-y8URCiRPH5g

Upstream bug:
http://bugs.ntp.org/show_bug.cgi?id=2666

There is another recent change in 4.2.8 which makes ntp use OpenSSL or arc4random for key generation:
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548db6ddlELn4rnqUZ4kKGOjvtXwbQ
External References:
https://access.redhat.com/articles/1305723
http://support.ntp.org/bin/view/Main/SecurityNotice#non_cryptographic_random_number
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1176191]
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:2025 https://rhn.redhat.com/errata/RHSA-2014-2025.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:2024 https://rhn.redhat.com/errata/RHSA-2014-2024.html
ntp-4.2.6p5-19.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-25.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-13.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 EUS - Server and Compute Node Only Via RHSA-2015:0104 https://rhn.redhat.com/errata/RHSA-2015-0104.html