http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw
http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg

diff -up ntp-4.2.6p5/ntpd/ntp_io.c.cve-2014-9298 ntp-4.2.6p5/ntpd/ntp_io.c
--- ntp-4.2.6p5/ntpd/ntp_io.c.cve-2014-9298	2015-02-04 11:49:30.506083987 +0100
+++ ntp-4.2.6p5/ntpd/ntp_io.c	2015-02-04 12:09:12.638449788 +0100
@@ -3498,6 +3498,29 @@ read_network_packet(
 		    fd, buflen, stoa(&rb->recv_srcadr)));
 
 	/*
+	** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
+	*/
+
+	if (AF_INET6 == itf->family) {
+		DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
+			stoa(&rb->recv_srcadr),
+			IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
+			stoa(&itf->sin),
+			!IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+			));
+
+		if (   IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
+		    && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
+		   ) {
+			packets_dropped++;
+			DPRINTF(2, ("DROPPING that packet\n"));
+			freerecvbuf(rb);
+			return buflen;
+		}
+		DPRINTF(2, ("processing that packet\n"));
+	}
+
+	/*
 	 * Got one.  Mark how and when it got here,
 	 * put it on the full list and do bookkeeping.
 	 */