On Jul 6, 2015, at 4:59 PM, Brian Mathis <brian.mathis+centos at betteradmin.com> wrote:
> RedHat/CentOS does not upgrade packages based on version numbers. Please
> read https://access.redhat.com/security/updates/backporting Understanding
> this is essential to running a RedHat/CentOS server.

While this is true, the NTPd web site says the CVE “...Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25”. The version in RHEL6/CentOS6 is 4.2.6p5.

The fix will most likely be backported, though.

--
Jonathan Billings <billings at negate.org>
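
Added example, not part of the original message: the upstream version-range test quoted above, showing why 4.2.6p5 matches on version number alone while the RPM release (where a backport would show up) is invisible to such a check. The version grammar, the function names and the sample release string `4.2.6p5-1.el6` are assumptions constructed for illustration.

```python
import re

# Assumed grammar for upstream ntp versions: 4.2.6p5, 4.2.8p3-RC1, 4.3.25
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:-RC(\d+))?$")
_FINAL = float("inf")  # a final release sorts after its release candidates

# Half-open ranges [first affected, first fixed) as quoted in the message
AFFECTED = [("4.2.5p3", "4.2.8p3-RC1"), ("4.3.0", "4.3.25")]


def parse(version):
    """Turn an upstream ntp version string into a sortable tuple."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError("unrecognised ntp version: %r" % version)
    major, minor, point, patch, rc = m.groups()
    return (int(major), int(minor), int(point),
            int(patch or 0), int(rc) if rc else _FINAL)


def upstream_affected(version):
    """True if the version lies inside one of the upstream affected ranges."""
    v = parse(version)
    return any(parse(lo) <= v < parse(hi) for lo, hi in AFFECTED)


def assess(rpm_version_release):
    """Classify an RPM 'version-release' string (constructed format).

    RPM versions cannot contain '-', so everything after the first '-' is
    the distribution release. Only the upstream part is compared, which is
    why a match cannot say whether a backported fix is present.
    """
    upstream = rpm_version_release.split("-", 1)[0]
    if upstream_affected(upstream):
        return "in-upstream-range: check package changelog/advisory for backport"
    return "outside-upstream-range"


if __name__ == "__main__":
    # Constructed samples; the release suffix is a placeholder, not a real build
    for sample in ("4.2.6p5-1.el6", "4.2.8p3-1.example", "4.3.25-1.example"):
        print(sample, "->", assess(sample))
```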