To prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies Upstream bug report: http://support.ntp.org/bin/view/Main/NtpBug2946
External References: http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_p6_NTP_Security_Vul http://www.talosintel.com/reports/TALOS-2016-0078/
Upstream has not released a fix for this issue and has opted for publishing a mitigation instead. Mitigation: This issue can be mitigated by one of the following methods: adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list in your ntp.conf to limit who is allowed to issue ntpq and ntpdc queries. Note that ntpdc queries are disabled by default.
ntp-4.2.6p5-41.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-41.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
ntp-4.2.6p5-41.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.