Security update for ntp
Announcement ID: | SUSE-SU-2016:1175-1 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves 12 vulnerabilities and has eight security fixes can now be installed.
Description:
ntp was updated to version 4.2.8p6 to fix 12 security issues.
These security issues were fixed: - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).
These non-security issues were fixed: - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. - bsc#784760: Remove local clock from default configuration
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Server 11 SP4
zypper in -t patch slessp4-ntp-12533=1
-
SLES for SAP Applications 11-SP4
zypper in -t patch slessp4-ntp-12533=1
Package List:
-
SUSE Linux Enterprise Server 11 SP4 (s390x x86_64 i586 ppc64 ia64)
- ntp-doc-4.2.8p6-8.2
- ntp-4.2.8p6-8.2
-
SLES for SAP Applications 11-SP4 (ppc64 x86_64)
- ntp-doc-4.2.8p6-8.2
- ntp-4.2.8p6-8.2
References:
- https://www.suse.com/security/cve/CVE-2015-5300.html
- https://www.suse.com/security/cve/CVE-2015-7973.html
- https://www.suse.com/security/cve/CVE-2015-7974.html
- https://www.suse.com/security/cve/CVE-2015-7975.html
- https://www.suse.com/security/cve/CVE-2015-7976.html
- https://www.suse.com/security/cve/CVE-2015-7977.html
- https://www.suse.com/security/cve/CVE-2015-7978.html
- https://www.suse.com/security/cve/CVE-2015-7979.html
- https://www.suse.com/security/cve/CVE-2015-8138.html
- https://www.suse.com/security/cve/CVE-2015-8139.html
- https://www.suse.com/security/cve/CVE-2015-8140.html
- https://www.suse.com/security/cve/CVE-2015-8158.html
- https://bugzilla.suse.com/show_bug.cgi?id=782060
- https://bugzilla.suse.com/show_bug.cgi?id=784760
- https://bugzilla.suse.com/show_bug.cgi?id=916617
- https://bugzilla.suse.com/show_bug.cgi?id=951559
- https://bugzilla.suse.com/show_bug.cgi?id=951629
- https://bugzilla.suse.com/show_bug.cgi?id=956773
- https://bugzilla.suse.com/show_bug.cgi?id=962318
- https://bugzilla.suse.com/show_bug.cgi?id=962784
- https://bugzilla.suse.com/show_bug.cgi?id=962802
- https://bugzilla.suse.com/show_bug.cgi?id=962960
- https://bugzilla.suse.com/show_bug.cgi?id=962966
- https://bugzilla.suse.com/show_bug.cgi?id=962970
- https://bugzilla.suse.com/show_bug.cgi?id=962988
- https://bugzilla.suse.com/show_bug.cgi?id=962994
- https://bugzilla.suse.com/show_bug.cgi?id=962995
- https://bugzilla.suse.com/show_bug.cgi?id=962997
- https://bugzilla.suse.com/show_bug.cgi?id=963000
- https://bugzilla.suse.com/show_bug.cgi?id=963002
- https://bugzilla.suse.com/show_bug.cgi?id=975496
- https://bugzilla.suse.com/show_bug.cgi?id=975981