diff -Nru ntp-4.2.6.p3+dfsg/debian/changelog ntp-4.2.6.p3+dfsg/debian/changelog
--- ntp-4.2.6.p3+dfsg/debian/changelog 2016-01-19 05:21:57.000000000 -0500
+++ ntp-4.2.6.p3+dfsg/debian/changelog 2016-01-25 12:28:47.000000000 -0500
@@ -1,3 +1,10 @@
+ntp (1:4.2.6.p3+dfsg-1ubuntu3.9) precise; urgency=medium
+
+ * ntpd rejects source UDP ports less than 123 as bogus (closes: #691412)
+ - d/p/reject-UDP-ports-less-than-123-as-bogus.patch (LP: #1479652)
+
+ -- Eric Desrochers Mon, 25 Jan 2016 12:28:25 -0500
+
 ntp (1:4.2.6.p3+dfsg-1ubuntu3.8) precise; urgency=medium
 
 * Use a single lockfile again - instead unlock the file before starting the
diff -Nru ntp-4.2.6.p3+dfsg/debian/patches/reject-UDP-ports-less-than-123-as-bogus.patch ntp-4.2.6.p3+dfsg/debian/patches/reject-UDP-ports-less-than-123-as-bogus.patch
--- ntp-4.2.6.p3+dfsg/debian/patches/reject-UDP-ports-less-than-123-as-bogus.patch 1969-12-31 19:00:00.000000000 -0500
+++ ntp-4.2.6.p3+dfsg/debian/patches/reject-UDP-ports-less-than-123-as-bogus.patch 2016-01-25 12:27:59.000000000 -0500
@@ -0,0 +1,31 @@
+Description: [Bug 2174] ntpd rejects source UDP ports less than 123 as bogus.
+
+If an NTP client sends a request with a source port less than 123, the packet
+is silently ignored by ntpd. This is occurring in our environment due to NAT.
+
+Author: davehart@dlh-7551.ad.hartbrothers.com
+Bug: http://bugs.ntp.org/show_bug.cgi?id=2174
+--- a/ntpd/ntp_proto.c
++++ b/ntpd/ntp_proto.c
+@@ -332,18 +332,15 @@
+ * reveals a clogging attack.
+ */
+ sys_received++;
+- if (SRCPORT(&rbufp->recv_srcadr) < NTP_PORT) {
++ if (0 == SRCPORT(&rbufp->recv_srcadr)) {
+ sys_badlength++;
+ return; /* bogus port */
+ }
+ restrict_mask = restrictions(&rbufp->recv_srcadr);
+-#ifdef DEBUG
+- if (debug > 1)
+- printf("receive: at %ld %s<-%s flags %x restrict %03x\n",
++ DPRINTF(2, ("receive: at %ld %s<-%s flags %x restrict %03x\n",
+ current_time, stoa(&rbufp->dstadr->sin),
+ stoa(&rbufp->recv_srcadr),
+- rbufp->dstadr->flags, restrict_mask);
+-#endif
++ rbufp->dstadr->flags, restrict_mask));
+ pkt = &rbufp->recv_pkt;
+ hisversion = PKT_VERSION(pkt->li_vn_mode);
+ hisleap = PKT_LEAP(pkt->li_vn_mode);
diff -Nru ntp-4.2.6.p3+dfsg/debian/patches/series ntp-4.2.6.p3+dfsg/debian/patches/series
--- ntp-4.2.6.p3+dfsg/debian/patches/series 2015-11-10 11:50:28.000000000 -0500
+++ ntp-4.2.6.p3+dfsg/debian/patches/series 2016-01-25 12:26:27.000000000 -0500
@@ -32,3 +32,4 @@
 CVE-2015-7855.patch
 CVE-2015-7871.patch
 use-after-free-in-routing-socket.patch
+reject-UDP-ports-less-than-123-as-bogus.patch
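Review bot: In the ntp_proto.c hunk carried by reject-UDP-ports-less-than-123-as-bogus.patch, the new test `if (0 == SRCPORT(&rbufp->recv_srcadr))` leaves no record of why source ports 1-122 are now accepted, and those packets now reach `restrictions()` and everything after it, so filtering of spoofed low-port traffic appears to rest on the `restrict` configuration alone. I would put `/* port 0 is never a valid source; ports 1-122 are accepted because NAT can remap the client port (Bug 2174) */` above the `if`. The drop still increments `sys_badlength`, which by its name would lump port-0 rejects in with length errors; a comment on that reuse, or a separate counter, would help anyone reading the statistics during a flood. The block comment ending in `reveals a clogging attack.` begins outside the hunk and should be checked against the new condition. The patch file name and the changelog line also read as if the patch adds the rejection rather than relaxing it.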