Mailinglist Archive: opensuse-security-announce (29 mails)

< Previous Next >
[security-announce] SUSE-SU-2016:1912-1: important: Security update for ntp
SUSE Security Update: Security update for ntp

Announcement ID: SUSE-SU-2016:1912-1
Rating: important
References: #782060 #784760 #905885 #910063 #916617 #920183
#920238 #920893 #920895 #920905 #924202 #926510
#936327 #943218 #943221 #944300 #951351 #951559
#951629 #952611 #957226 #962318 #962784 #962802
#962960 #962966 #962970 #962988 #962995 #963000
#963002 #975496 #977450 #977451 #977452 #977455
#977457 #977458 #977459 #977461 #977464 #979302
#981422 #982056 #982064 #982065 #982066 #982067
#982068 #988417 #988558 #988565
Cross-References: CVE-2015-1798 CVE-2015-1799 CVE-2015-5194
CVE-2015-5300 CVE-2015-7691 CVE-2015-7692
CVE-2015-7701 CVE-2015-7702 CVE-2015-7703
CVE-2015-7704 CVE-2015-7705 CVE-2015-7848
CVE-2015-7849 CVE-2015-7850 CVE-2015-7851
CVE-2015-7852 CVE-2015-7853 CVE-2015-7854
CVE-2015-7855 CVE-2015-7871 CVE-2015-7973
CVE-2015-7974 CVE-2015-7975 CVE-2015-7976
CVE-2015-7977 CVE-2015-7978 CVE-2015-7979
CVE-2015-8138 CVE-2015-8158 CVE-2016-1547
CVE-2016-1548 CVE-2016-1549 CVE-2016-1550
CVE-2016-1551 CVE-2016-2516 CVE-2016-2517
CVE-2016-2518 CVE-2016-2519 CVE-2016-4953
CVE-2016-4954 CVE-2016-4955 CVE-2016-4956
Affected Products:
SUSE Linux Enterprise Server 10 SP4 LTSS

An update that solves 43 vulnerabilities and has 9 fixes is
now available.


NTP was updated to version 4.2.8p8 to fix several security issues and to
ensure the continued maintainability of the package.

These security issues were fixed:

* CVE-2016-4953: Bad authentication demobilized ephemeral associations
* CVE-2016-4954: Processing spoofed server packets (bsc#982066).
* CVE-2016-4955: Autokey association reset (bsc#982067).
* CVE-2016-4956: Broadcast interleave (bsc#982068).
* CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
* CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS
* CVE-2016-1548: Prevent the change of time of an ntpd client or
denying service to an ntpd client by forcing it to change from basic
client/server mode to interleaved symmetric mode (bsc#977461).
* CVE-2016-1549: Sybil vulnerability: ephemeral association attack
* CVE-2016-1550: Improve security against buffer comparison timing
attacks (bsc#977464).
* CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y
* CVE-2016-2516: Duplicate IPs on unconfig directives could have
caused an assertion botch in ntpd (bsc#977452).
* CVE-2016-2517: Remote configuration trustedkey/
requestkey/controlkey values are not properly validated (bsc#977455).
* CVE-2016-2518: Crafted addpeer with hmode > 7 causes array
wraparound with MATCH_ASSOC (bsc#977457).
* CVE-2016-2519: ctl_getitem() return value not always checked
* CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).
* CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
* CVE-2015-7979: Off-path Denial of Service (DoS) attack on
authenticated broadcast mode (bsc#962784).
* CVE-2015-7978: Stack exhaustion in recursive traversal of
restriction list (bsc#963000).
* CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
* CVE-2015-7976: ntpq saveconfig command allowed dangerous characters
in filenames (bsc#962802).
* CVE-2015-7975: nextvar() missing length check (bsc#962988).
* CVE-2015-7974: NTP did not verify peer associations of symmetric
keys when authenticating packets, which might have allowed remote
attackers to conduct impersonation attacks via an arbitrary trusted
key, aka a "skeleton" key (bsc#962960).
* CVE-2015-7973: Replay attack on authenticated broadcast mode
* CVE-2015-5300: MITM attacker can force ntpd to make a step larger
than the panic threshold (bsc#951629).
* CVE-2015-5194: Crash with crafted logconfig configuration command
* CVE-2015-7871: NAK to the Future: Symmetric association
authentication bypass via crypto-NAK (bsc#952611).
* CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (bsc#952611).
* CVE-2015-7854: Password Length Memory Corruption Vulnerability
* CVE-2015-7853: Invalid length data provided by a custom refclock
driver could cause a buffer overflow (bsc#952611).
* CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
* CVE-2015-7851: saveconfig Directory Traversal Vulnerability
* CVE-2015-7850: Clients that receive a KoD now validate the origin
timestamp field (bsc#952611).
* CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).
* CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).
* CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).
* CVE-2015-7703: Configuration directives "pidfile" and "driftfile"
should only be allowed locally (bsc#943221).
* CVE-2015-7704: Clients that receive a KoD should validate the origin
timestamp field (bsc#952611).
* CVE-2015-7705: Clients that receive a KoD should validate the origin
timestamp field (bsc#952611).
* CVE-2015-7691: Incomplete autokey data packet length checks
* CVE-2015-7692: Incomplete autokey data packet length checks
* CVE-2015-7702: Incomplete autokey data packet length checks
* CVE-2015-1798: The symmetric-key feature in the receive function in
ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC
field has a nonzero length, which made it easier for
man-in-the-middle attackers to spoof packets by omitting the MAC
* CVE-2015-1799: The symmetric-key feature in the receive function in
ntp_proto.c in ntpd in NTP performed state-variable updates upon
receiving certain invalid packets, which made it easier for
man-in-the-middle attackers to cause a denial of service
(synchronization loss) by spoofing the source IP address of a peer

These non-security issues were fixed:

* Keep the parent process alive until the daemon has finished
initialisation, to make sure that the PID file exists when the
parent returns.
* bsc#979302: Change the process name of the forking DNS worker
process to avoid the impression that ntpd is started twice.
* bsc#981422: Don't ignore SIGCHILD because it breaks wait().
* Separate the creation of ntp.keys and key #1 in it to avoid problems
when upgrading installations that have the file, but no key #1,
which is needed e.g. by "rcntp addserver".
* bsc#957226: Restrict the parser in the startup script to the first
occurrance of "keys" and "controlkey" in ntp.conf.
* Enable compile-time support for MS-SNTP (--enable-ntp-signd)
* bsc#975496: Fix ntp-sntp-dst.patch.
* bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
start-ntpd. When run as cron job, /usr/sbin/ is not in the path,
which caused the synchronization to fail.
* bsc#782060: Speedup ntpq.
* bsc#951559: Fix the TZ offset output of sntp during DST.
* bsc#916617: Add /var/db/ntp-kod.
* bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might
happen quite a lot on loaded systems.
* Add ntp-fork.patch and build with threads disabled to allow name
resolution even when running chrooted.
* bnc#784760: Remove local clock from default configuration.
* Fix incomplete backporting of "rcntp ntptimemset".
* bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
* Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
* bsc#910063: Fix the comment regarding addserver in ntp.conf.
* bsc#944300: Remove "kod" from the restrict line in ntp.conf.
* bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
* bsc#926510: Re-add chroot support, but mark it as deprecated and
disable it by default.
* bsc#920895: Drop support for running chrooted, because it is an
ongoing source of problems and not really needed anymore, given that
ntp now drops privileges and runs under apparmor.
* bsc#920183: Allow -4 and -6 address qualifiers in "server"
* Use upstream ntp-wait, because our version is incompatible with the
new ntpq command line syntax.
* bsc#920905: Adjust to the Perl version on SLE11.
* bsc#920238: Enable ntpdc for backwards compatibility.
* bsc#920893: Don't use %exclude.
* bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"
* bsc#988565: Ignore errors when removing extra files during
* bsc#988558: Don't blindly guess the value to use for IP_TOS

Security Issues:

* CVE-2016-4953
* CVE-2016-4954
* CVE-2016-4955
* CVE-2016-4956
* CVE-2016-4957
* CVE-2016-1547
* CVE-2016-1548
* CVE-2016-1549
* CVE-2016-1550
* CVE-2016-1551
* CVE-2016-2516
* CVE-2016-2517
* CVE-2016-2518
* CVE-2016-2519
* CVE-2015-8158
* CVE-2015-8138
* CVE-2015-7979
* CVE-2015-7978
* CVE-2015-7977
* CVE-2015-7976
* CVE-2015-7975
* CVE-2015-7974
* CVE-2015-7973
* CVE-2015-5300
* CVE-2015-5194
* CVE-2015-7871
* CVE-2015-7855
* CVE-2015-7854
* CVE-2015-7853
* CVE-2015-7852
* CVE-2015-7851
* CVE-2015-7850
* CVE-2015-7849
* CVE-2015-7848
* CVE-2015-7701
* CVE-2015-7703
* CVE-2015-7704
* CVE-2015-7705
* CVE-2015-7691
* CVE-2015-7692
* CVE-2015-7702
* CVE-2015-1798
* CVE-2015-1799

Package List:

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):



To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-security-announce+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages