It was found that NTP's decodenetnum() would abort with an assertion failure when processing a mode 6 or mode 7 packet containing an unusually long data value where a network address was expected. This could allow an authenticated attacker to crash ntpd. External References: https://github.com/ntp-project/ntp/blob/stable/NEWS#L295 http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Upstream patch: https://github.com/ntp-project/ntp/commit/ba716a464ecb20618560075f2e4e1051e5b6f24f
Created ntp tracking bugs for this issue: Affects: fedora-all [bug 1296162]
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they do not include support for the mrulist feature, which exposes the decodenetnum() function.