Security update for ntp

Announcement ID:	SUSE-SU-2016:1311-1
Rating:	important
References:	bsc#782060 bsc#784760 bsc#905885 bsc#910063 bsc#916617 bsc#920183 bsc#920238 bsc#926510 bsc#936327 bsc#937837 bsc#942441 bsc#942587 bsc#943216 bsc#943218 bsc#944300 bsc#946386 bsc#951351 bsc#951559 bsc#951608 bsc#951629 bsc#954982 bsc#956773 bsc#962318 bsc#962784 bsc#962802 bsc#962960 bsc#962966 bsc#962970 bsc#962988 bsc#962994 bsc#962995 bsc#962997 bsc#963000 bsc#963002 bsc#975496 bsc#975981
Cross-References:	CVE-2015-5194 CVE-2015-5219 CVE-2015-5300 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7705 CVE-2015-7848 CVE-2015-7849 CVE-2015-7850 CVE-2015-7851 CVE-2015-7852 CVE-2015-7853 CVE-2015-7854 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8138 CVE-2015-8139 CVE-2015-8140 CVE-2015-8158
CVSS scores:	CVE-2015-5194 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-5219 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-5219 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7691 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7692 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7701 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7702 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-7704 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7705 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-7849 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2015-7850 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-7851 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2015-7852 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7853 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-7854 ( NVD ): 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVE-2015-7855 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2015-7871 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-7973 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2015-7973 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H CVE-2015-7974 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N CVE-2015-7977 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7977 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7979 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-8138 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:	SUSE Cloud 5 SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2 SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 SUSE Manager Proxy 2.1 SUSE Manager Server 2.1

An update that solves 30 vulnerabilities and has six security fixes can now be installed.

Description:

This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues:

Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837)

Major functional changes: - The "sntp" commandline tool changed its option handling in a major way. - "controlkey 1" is added during update to ntp.conf to allow sntp to work. - The local clock is being disabled during update. - ntpd is no longer running chrooted.

Other functional changes: - ntp-signd is installed. - "enable mode7" can be added to the configuration to allow ntdpc to work as compatibility mode option. - "kod" was removed from the default restrictions. - SHA1 keys are used by default instead of MD5 keys.

These security issues were fixed: - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216). - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608). - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608). - CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608). - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608). - CVE-2015-7850: remote config logfile-keyfile (bsc#951608). - CVE-2015-7849: trusted key use-after-free (bsc#951608). - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608). - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608). - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should only be allowed locally (bsc#951608). - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608). - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608).

These non-security issues were fixed: - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. - Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuuration via ntpq. - bsc#946386: Temporarily disable memlock to avoid problems due to high memory usage during name resolution. - bsc#905885: Use SHA1 instead of MD5 for symmetric keys. - Improve runtime configuration: * Read keytype from ntp.conf * Don't write ntp keys to syslog. - Fix legacy action scripts to pass on command line arguments. - bsc#944300: Remove "kod" from the restrict line in ntp.conf. - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd. - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser. - Disable mode 7 (ntpdc) again, now that we don't use it anymore. - Add "addserver" as a new legacy action. - bsc#910063: Fix the comment regarding addserver in ntp.conf. - bsc#926510: Disable chroot by default. - bsc#920238: Enable ntpdc for backwards compatibility. - bsc#784760: Remove local clock from default configuration. - bsc#942441/fate#319496: Require perl-Socket6. - Improve runtime configuration: * Read keytype from ntp.conf * Don't write ntp keys to syslog. - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives. - Use upstream ntp-wait, because our version is incompatible with the new ntpq command line syntax.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2
  zypper in -t patch slessp2-ntp-12561=1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3
  zypper in -t patch slessp3-ntp-12561=1
• SUSE Cloud 5
  zypper in -t patch sleclo50sp3-ntp-12561=1
• SUSE Manager Server 2.1
  zypper in -t patch sleman21-ntp-12561=1
• SUSE Manager Proxy 2.1
  zypper in -t patch slemap21-ntp-12561=1

Package List:

• SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2 (s390x x86_64 i586)
  • ntp-4.2.8p6-41.1
  • ntp-doc-4.2.8p6-41.1
• SUSE Linux Enterprise Server 11 SP2 LTSS 11-SP2 (noarch)
  • yast2-ntp-client-2.17.14.1-1.12.1
• SUSE Linux Enterprise Server 11 SP3 LTSS 11-SP3 (s390x x86_64 i586)
  • ntp-4.2.8p6-41.1
  • ntp-doc-4.2.8p6-41.1
• SUSE Cloud 5 (x86_64)
  • ntp-4.2.8p6-41.1
  • ntp-doc-4.2.8p6-41.1
• SUSE Manager Server 2.1 (s390x x86_64)
  • ntp-4.2.8p6-41.1
  • ntp-doc-4.2.8p6-41.1
• SUSE Manager Proxy 2.1 (x86_64)
  • ntp-4.2.8p6-41.1
  • ntp-doc-4.2.8p6-41.1

References:

• https://www.suse.com/security/cve/CVE-2015-5194.html
• https://www.suse.com/security/cve/CVE-2015-5219.html
• https://www.suse.com/security/cve/CVE-2015-5300.html
• https://www.suse.com/security/cve/CVE-2015-7691.html
• https://www.suse.com/security/cve/CVE-2015-7692.html
• https://www.suse.com/security/cve/CVE-2015-7701.html
• https://www.suse.com/security/cve/CVE-2015-7702.html
• https://www.suse.com/security/cve/CVE-2015-7703.html
• https://www.suse.com/security/cve/CVE-2015-7704.html
• https://www.suse.com/security/cve/CVE-2015-7705.html
• https://www.suse.com/security/cve/CVE-2015-7848.html
• https://www.suse.com/security/cve/CVE-2015-7849.html
• https://www.suse.com/security/cve/CVE-2015-7850.html
• https://www.suse.com/security/cve/CVE-2015-7851.html
• https://www.suse.com/security/cve/CVE-2015-7852.html
• https://www.suse.com/security/cve/CVE-2015-7853.html
• https://www.suse.com/security/cve/CVE-2015-7854.html
• https://www.suse.com/security/cve/CVE-2015-7855.html
• https://www.suse.com/security/cve/CVE-2015-7871.html
• https://www.suse.com/security/cve/CVE-2015-7973.html
• https://www.suse.com/security/cve/CVE-2015-7974.html
• https://www.suse.com/security/cve/CVE-2015-7975.html
• https://www.suse.com/security/cve/CVE-2015-7976.html
• https://www.suse.com/security/cve/CVE-2015-7977.html
• https://www.suse.com/security/cve/CVE-2015-7978.html
• https://www.suse.com/security/cve/CVE-2015-7979.html
• https://www.suse.com/security/cve/CVE-2015-8138.html
• https://www.suse.com/security/cve/CVE-2015-8139.html
• https://www.suse.com/security/cve/CVE-2015-8140.html
• https://www.suse.com/security/cve/CVE-2015-8158.html
• https://bugzilla.suse.com/show_bug.cgi?id=782060
• https://bugzilla.suse.com/show_bug.cgi?id=784760
• https://bugzilla.suse.com/show_bug.cgi?id=905885
• https://bugzilla.suse.com/show_bug.cgi?id=910063
• https://bugzilla.suse.com/show_bug.cgi?id=916617
• https://bugzilla.suse.com/show_bug.cgi?id=920183
• https://bugzilla.suse.com/show_bug.cgi?id=920238
• https://bugzilla.suse.com/show_bug.cgi?id=926510
• https://bugzilla.suse.com/show_bug.cgi?id=936327
• https://bugzilla.suse.com/show_bug.cgi?id=937837
• https://bugzilla.suse.com/show_bug.cgi?id=942441
• https://bugzilla.suse.com/show_bug.cgi?id=942587
• https://bugzilla.suse.com/show_bug.cgi?id=943216
• https://bugzilla.suse.com/show_bug.cgi?id=943218
• https://bugzilla.suse.com/show_bug.cgi?id=944300
• https://bugzilla.suse.com/show_bug.cgi?id=946386
• https://bugzilla.suse.com/show_bug.cgi?id=951351
• https://bugzilla.suse.com/show_bug.cgi?id=951559
• https://bugzilla.suse.com/show_bug.cgi?id=951608
• https://bugzilla.suse.com/show_bug.cgi?id=951629
• https://bugzilla.suse.com/show_bug.cgi?id=954982
• https://bugzilla.suse.com/show_bug.cgi?id=956773
• https://bugzilla.suse.com/show_bug.cgi?id=962318
• https://bugzilla.suse.com/show_bug.cgi?id=962784
• https://bugzilla.suse.com/show_bug.cgi?id=962802
• https://bugzilla.suse.com/show_bug.cgi?id=962960
• https://bugzilla.suse.com/show_bug.cgi?id=962966
• https://bugzilla.suse.com/show_bug.cgi?id=962970
• https://bugzilla.suse.com/show_bug.cgi?id=962988
• https://bugzilla.suse.com/show_bug.cgi?id=962994
• https://bugzilla.suse.com/show_bug.cgi?id=962995
• https://bugzilla.suse.com/show_bug.cgi?id=962997
• https://bugzilla.suse.com/show_bug.cgi?id=963000
• https://bugzilla.suse.com/show_bug.cgi?id=963002
• https://bugzilla.suse.com/show_bug.cgi?id=975496
• https://bugzilla.suse.com/show_bug.cgi?id=975981