Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[RHSA-2016:0780-01] Moderate: ntp security and bug fix update

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: ntp security and bug fix update

Advisory ID: RHSA-2016:0780-01

Product: Red Hat Enterprise Linux

Advisory URL: https://rhn.redhat.com/errata/RHSA-2016-0780.html

Issue date: 2016-05-10

CVE Names: CVE-2015-5194 CVE-2015-5195 CVE-2015-5219

CVE-2015-7691 CVE-2015-7692 CVE-2015-7701

CVE-2015-7702 CVE-2015-7703 CVE-2015-7852

CVE-2015-7977 CVE-2015-7978

=====================================================================

 

1. Summary:

 

An update for ntp is now available for Red Hat Enterprise Linux 6.

 

Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.

 

2. Relevant releases/architectures:

 

Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64

Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64

Red Hat Enterprise Linux HPC Node (v. 6) - x86_64

Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64

Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64

Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64

Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64

 

3. Description:

 

The Network Time Protocol (NTP) is used to synchronize a computer's time

with another referenced time source. These packages include the ntpd

service which continuously adjusts system time and utilities used to query

and configure the ntpd service.

 

Security Fix(es):

 

* It was found that the fix for CVE-2014-9750 was incomplete: three issues

were found in the value length checks in NTP's ntp_crypto.c, where a packet

with particular autokey operations that contained malicious data was not

always being completely validated. A remote attacker could use a specially

crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692,

CVE-2015-7702)

 

* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was

configured to use autokey authentication, an attacker could send packets to

ntpd that would, after several days of ongoing attack, cause it to run out

of memory. (CVE-2015-7701)

 

* An off-by-one flaw, leading to a buffer overflow, was found in

cookedprint functionality of ntpq. A specially crafted NTP packet could

potentially cause ntpq to crash. (CVE-2015-7852)

 

* A NULL pointer dereference flaw was found in the way ntpd processed

'ntpdc reslist' commands that queried restriction lists with a large amount

of entries. A remote attacker could potentially use this flaw to crash

ntpd. (CVE-2015-7977)

 

* A stack-based buffer overflow flaw was found in the way ntpd processed

'ntpdc reslist' commands that queried restriction lists with a large amount

of entries. A remote attacker could use this flaw to crash ntpd.

(CVE-2015-7978)

 

* It was found that ntpd could crash due to an uninitialized variable when

processing malformed logconfig configuration commands. (CVE-2015-5194)

 

* It was found that ntpd would exit with a segmentation fault when a

statistics type that was not enabled during compilation (e.g. timingstats)

was referenced by the statistics or filegen configuration command.

(CVE-2015-5195)

 

* It was discovered that the sntp utility could become unresponsive due to

being caught in an infinite loop when processing a crafted NTP packet.

(CVE-2015-5219)

 

* It was found that NTP's :config command could be used to set the pidfile

and driftfile paths without any restrictions. A remote attacker could use

this flaw to overwrite a file on the file system with a file containing the

pid of the ntpd process (immediately) or the current estimated drift of the

system clock (in hourly intervals). (CVE-2015-7703)

 

The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav

Lichvár (Red Hat).

 

For detailed information on changes in this release, see the Red Hat

Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8

Technical Notes linked from the References section.

 

4. Solution:

 

For details on how to apply this update, which includes the changes

described in this advisory, refer to:

 

https://access.redhat.com/articles/11258

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1254542 - CVE-2015-5194 ntp: crash with crafted logconfig configuration command

1254544 - CVE-2015-5195 ntp: ntpd crash when processing config commands with statistics type

1254547 - CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths

1255118 - CVE-2015-5219 ntp: infinite loop in sntp processing crafted packet

1274254 - CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c

1274255 - CVE-2015-7701 ntp: slow memory leak in CRYPTO_ASSOC

1274261 - CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability

1286969 - ntpstat reports synchronized even when the local ntpd doesn't synchronize with any time server.

1300269 - CVE-2015-7977 ntp: restriction list NULL pointer dereference

1300270 - CVE-2015-7978 ntp: stack exhaustion in recursive traversal of restriction list

 

6. Package List:

 

Red Hat Enterprise Linux Desktop (v. 6):

 

Source:

ntp-4.2.6p5-10.el6.src.rpm

 

i386:

ntp-4.2.6p5-10.el6.i686.rpm

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntpdate-4.2.6p5-10.el6.i686.rpm

 

x86_64:

ntp-4.2.6p5-10.el6.x86_64.rpm

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntpdate-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux Desktop Optional (v. 6):

 

i386:

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntp-perl-4.2.6p5-10.el6.i686.rpm

 

noarch:

ntp-doc-4.2.6p5-10.el6.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntp-perl-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node (v. 6):

 

Source:

ntp-4.2.6p5-10.el6.src.rpm

 

x86_64:

ntp-4.2.6p5-10.el6.x86_64.rpm

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntpdate-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux HPC Node Optional (v. 6):

 

noarch:

ntp-doc-4.2.6p5-10.el6.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntp-perl-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux Server (v. 6):

 

Source:

ntp-4.2.6p5-10.el6.src.rpm

 

i386:

ntp-4.2.6p5-10.el6.i686.rpm

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntpdate-4.2.6p5-10.el6.i686.rpm

 

ppc64:

ntp-4.2.6p5-10.el6.ppc64.rpm

ntp-debuginfo-4.2.6p5-10.el6.ppc64.rpm

ntpdate-4.2.6p5-10.el6.ppc64.rpm

 

s390x:

ntp-4.2.6p5-10.el6.s390x.rpm

ntp-debuginfo-4.2.6p5-10.el6.s390x.rpm

ntpdate-4.2.6p5-10.el6.s390x.rpm

 

x86_64:

ntp-4.2.6p5-10.el6.x86_64.rpm

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntpdate-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux Server Optional (v. 6):

 

i386:

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntp-perl-4.2.6p5-10.el6.i686.rpm

 

noarch:

ntp-doc-4.2.6p5-10.el6.noarch.rpm

 

ppc64:

ntp-debuginfo-4.2.6p5-10.el6.ppc64.rpm

ntp-perl-4.2.6p5-10.el6.ppc64.rpm

 

s390x:

ntp-debuginfo-4.2.6p5-10.el6.s390x.rpm

ntp-perl-4.2.6p5-10.el6.s390x.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntp-perl-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux Workstation (v. 6):

 

Source:

ntp-4.2.6p5-10.el6.src.rpm

 

i386:

ntp-4.2.6p5-10.el6.i686.rpm

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntpdate-4.2.6p5-10.el6.i686.rpm

 

x86_64:

ntp-4.2.6p5-10.el6.x86_64.rpm

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntpdate-4.2.6p5-10.el6.x86_64.rpm

 

Red Hat Enterprise Linux Workstation Optional (v. 6):

 

i386:

ntp-debuginfo-4.2.6p5-10.el6.i686.rpm

ntp-perl-4.2.6p5-10.el6.i686.rpm

 

noarch:

ntp-doc-4.2.6p5-10.el6.noarch.rpm

 

x86_64:

ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm

ntp-perl-4.2.6p5-10.el6.x86_64.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2015-5194

https://access.redhat.com/security/cve/CVE-2015-5195

https://access.redhat.com/security/cve/CVE-2015-5219

https://access.redhat.com/security/cve/CVE-2015-7691

https://access.redhat.com/security/cve/CVE-2015-7692

https://access.redhat.com/security/cve/CVE-2015-7701

https://access.redhat.com/security/cve/CVE-2015-7702

https://access.redhat.com/security/cve/CVE-2015-7703

https://access.redhat.com/security/cve/CVE-2015-7852

https://access.redhat.com/security/cve/CVE-2015-7977

https://access.redhat.com/security/cve/CVE-2015-7978

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Release_Notes/index.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/6.8_Technical_Notes/index.html

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2016 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFXMi83XlSAg2UNWIIRAv9ZAJ9yqsR4x0WYMl50890odO9fRs+uaQCgqasG

WLKXMEfadJmFxKSW7Qy6ZmA=

=DRWk

-----END PGP SIGNATURE-----

 

 

--

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×