Debian Bug report logs -
ntp: CVE-2016-0727: NTP statsdir cleanup cronjob insecure
Maintainer for src:ntp is Debian NTP Team <ntp@packagesdebianorg>;
Reported by: Salvatore Bonaccorso <carnil@debianorg>
Date: Fri, 7 Oct 2016 11:12:02 UTC
Tags: patch, security
Found in v ...
The crontab script in the ntp package before 1:426p3+dfsg-1ubuntu311 on Ubuntu 1204 LTS, before 1:426p5+dfsg-3ubuntu2140410 on Ubuntu 1404 LTS, on Ubuntu Wily, and before 1:428p4+dfsg-3ubuntu53 on Ubuntu 1604 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vector ...
The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp Thus all steps are performed with ro ...
Several security issues were fixed in NTP ...