To prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from their last request to a given peer. Under the assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies.
Upstream bug report:
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead.
This issue can be mitigated by one of the following methods: adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq and ntpdc queries. Note that ntpdc queries are disabled by default.
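The check below is an added example, not part of the bug report or of ntp itself: it audits an ntp.conf for two of the mitigations listed above, reporting restrict entries that lack noquery and counting configured time sources. The sample configuration, the function names and the "fewer than two sources" threshold are assumptions made for the illustration.

```python
# Constructed sample ntp.conf (not taken from the bug report).
SAMPLE_CONF = """\
# constructed example
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # constructed LAN range
restrict 198.51.100.7 ignore
server 0.pool.example.org iburst
"""

# Directives that configure a time source. A "pool" line is counted once,
# which undercounts rather than overcounts the sources it may expand to.
SOURCE_KEYWORDS = {"server", "pool", "peer"}


def audit_ntp_conf(text):
    """Return (restrict entries that still allow ntpq/ntpdc queries, source count)."""
    queryable, sources = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split("#", 1)[0].split()   # drop trailing comments
        if not tokens:
            continue
        keyword = tokens[0].lower()
        if keyword in SOURCE_KEYWORDS:
            sources += 1
        elif keyword == "restrict":
            flags = {t.lower() for t in tokens[1:]}
            # "ignore" drops every packet from the address, queries included,
            # so it is treated here as covering noquery.
            if not flags & {"noquery", "ignore"}:
                queryable.append((lineno, " ".join(tokens)))
    return queryable, sources


def report(text):
    """Human-readable findings; an empty list means both checks passed."""
    queryable, sources = audit_ntp_conf(text)
    findings = [f"line {n}: no noquery: {entry}" for n, entry in queryable]
    if sources < 2:   # assumed reading of "multiple sources"
        findings.append(f"only {sources} time source(s) configured")
    return findings


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

Entries reported for localhost are expected if local ntpq use is intended; in that case the restriction-list mitigation applies instead of adding noquery everywhere.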
ntp-4.2.6p5-41.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-41.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-41.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.