Jump to content
Compatible Support Forums
Sign in to follow this  
news

[security-announce] SUSE-SU-2016:1912-1: important: Security update for ntp

Recommended Posts

SUSE Security Update: Security update for ntp

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:1912-1

Rating: important

References: #782060 #784760 #905885 #910063 #916617 #920183

#920238 #920893 #920895 #920905 #924202 #926510

#936327 #943218 #943221 #944300 #951351 #951559

#951629 #952611 #957226 #962318 #962784 #962802

#962960 #962966 #962970 #962988 #962995 #963000

#963002 #975496 #977450 #977451 #977452 #977455

#977457 #977458 #977459 #977461 #977464 #979302

#981422 #982056 #982064 #982065 #982066 #982067

#982068 #988417 #988558 #988565

Cross-References: CVE-2015-1798 CVE-2015-1799 CVE-2015-5194

CVE-2015-5300 CVE-2015-7691 CVE-2015-7692

CVE-2015-7701 CVE-2015-7702 CVE-2015-7703

CVE-2015-7704 CVE-2015-7705 CVE-2015-7848

CVE-2015-7849 CVE-2015-7850 CVE-2015-7851

CVE-2015-7852 CVE-2015-7853 CVE-2015-7854

CVE-2015-7855 CVE-2015-7871 CVE-2015-7973

CVE-2015-7974 CVE-2015-7975 CVE-2015-7976

CVE-2015-7977 CVE-2015-7978 CVE-2015-7979

CVE-2015-8138 CVE-2015-8158 CVE-2016-1547

CVE-2016-1548 CVE-2016-1549 CVE-2016-1550

CVE-2016-1551 CVE-2016-2516 CVE-2016-2517

CVE-2016-2518 CVE-2016-2519 CVE-2016-4953

CVE-2016-4954 CVE-2016-4955 CVE-2016-4956

CVE-2016-4957

Affected Products:

SUSE Linux Enterprise Server 10 SP4 LTSS

______________________________________________________________________________

 

An update that solves 43 vulnerabilities and has 9 fixes is

now available.

 

Description:

 

 

NTP was updated to version 4.2.8p8 to fix several security issues and to

ensure the continued maintainability of the package.

 

These security issues were fixed:

 

* CVE-2016-4953: Bad authentication demobilized ephemeral associations

(bsc#982065).

* CVE-2016-4954: Processing spoofed server packets (bsc#982066).

* CVE-2016-4955: Autokey association reset (bsc#982067).

* CVE-2016-4956: Broadcast interleave (bsc#982068).

* CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

* CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS

(bsc#977459).

* CVE-2016-1548: Prevent the change of time of an ntpd client or

denying service to an ntpd client by forcing it to change from basic

client/server mode to interleaved symmetric mode (bsc#977461).

* CVE-2016-1549: Sybil vulnerability: ephemeral association attack

(bsc#977451).

* CVE-2016-1550: Improve security against buffer comparison timing

attacks (bsc#977464).

* CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y

* CVE-2016-2516: Duplicate IPs on unconfig directives could have

caused an assertion botch in ntpd (bsc#977452).

* CVE-2016-2517: Remote configuration trustedkey/

requestkey/controlkey values are not properly validated (bsc#977455).

* CVE-2016-2518: Crafted addpeer with hmode > 7 causes array

wraparound with MATCH_ASSOC (bsc#977457).

* CVE-2016-2519: ctl_getitem() return value not always checked

(bsc#977458).

* CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).

* CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).

* CVE-2015-7979: Off-path Denial of Service (DoS) attack on

authenticated broadcast mode (bsc#962784).

* CVE-2015-7978: Stack exhaustion in recursive traversal of

restriction list (bsc#963000).

* CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).

* CVE-2015-7976: ntpq saveconfig command allowed dangerous characters

in filenames (bsc#962802).

* CVE-2015-7975: nextvar() missing length check (bsc#962988).

* CVE-2015-7974: NTP did not verify peer associations of symmetric

keys when authenticating packets, which might have allowed remote

attackers to conduct impersonation attacks via an arbitrary trusted

key, aka a "skeleton" key (bsc#962960).

* CVE-2015-7973: Replay attack on authenticated broadcast mode

(bsc#962995).

* CVE-2015-5300: MITM attacker can force ntpd to make a step larger

than the panic threshold (bsc#951629).

* CVE-2015-5194: Crash with crafted logconfig configuration command

(bsc#943218).

* CVE-2015-7871: NAK to the Future: Symmetric association

authentication bypass via crypto-NAK (bsc#952611).

* CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning

FAIL on some bogus values (bsc#952611).

* CVE-2015-7854: Password Length Memory Corruption Vulnerability

(bsc#952611).

* CVE-2015-7853: Invalid length data provided by a custom refclock

driver could cause a buffer overflow (bsc#952611).

* CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability

(bsc#952611).

* CVE-2015-7851: saveconfig Directory Traversal Vulnerability

(bsc#952611).

* CVE-2015-7850: Clients that receive a KoD now validate the origin

timestamp field (bsc#952611).

* CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).

* CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).

* CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).

* CVE-2015-7703: Configuration directives "pidfile" and "driftfile"

should only be allowed locally (bsc#943221).

* CVE-2015-7704: Clients that receive a KoD should validate the origin

timestamp field (bsc#952611).

* CVE-2015-7705: Clients that receive a KoD should validate the origin

timestamp field (bsc#952611).

* CVE-2015-7691: Incomplete autokey data packet length checks

(bsc#952611).

* CVE-2015-7692: Incomplete autokey data packet length checks

(bsc#952611).

* CVE-2015-7702: Incomplete autokey data packet length checks

(bsc#952611).

* CVE-2015-1798: The symmetric-key feature in the receive function in

ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC

field has a nonzero length, which made it easier for

man-in-the-middle attackers to spoof packets by omitting the MAC

(bsc#924202).

* CVE-2015-1799: The symmetric-key feature in the receive function in

ntp_proto.c in ntpd in NTP performed state-variable updates upon

receiving certain invalid packets, which made it easier for

man-in-the-middle attackers to cause a denial of service

(synchronization loss) by spoofing the source IP address of a peer

(bsc#924202).

 

These non-security issues were fixed:

 

* Keep the parent process alive until the daemon has finished

initialisation, to make sure that the PID file exists when the

parent returns.

* bsc#979302: Change the process name of the forking DNS worker

process to avoid the impression that ntpd is started twice.

* bsc#981422: Don't ignore SIGCHILD because it breaks wait().

* Separate the creation of ntp.keys and key #1 in it to avoid problems

when upgrading installations that have the file, but no key #1,

which is needed e.g. by "rcntp addserver".

* bsc#957226: Restrict the parser in the startup script to the first

occurrance of "keys" and "controlkey" in ntp.conf.

* Enable compile-time support for MS-SNTP (--enable-ntp-signd)

* bsc#975496: Fix ntp-sntp-dst.patch.

* bsc#962318: Call /usr/sbin/sntp with full path to synchronize in

start-ntpd. When run as cron job, /usr/sbin/ is not in the path,

which caused the synchronization to fail.

* bsc#782060: Speedup ntpq.

* bsc#951559: Fix the TZ offset output of sntp during DST.

* bsc#916617: Add /var/db/ntp-kod.

* bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might

happen quite a lot on loaded systems.

* Add ntp-fork.patch and build with threads disabled to allow name

resolution even when running chrooted.

* bnc#784760: Remove local clock from default configuration.

* Fix incomplete backporting of "rcntp ntptimemset".

* bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.

* Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.

* bsc#910063: Fix the comment regarding addserver in ntp.conf.

* bsc#944300: Remove "kod" from the restrict line in ntp.conf.

* bsc#905885: Use SHA1 instead of MD5 for symmetric keys.

* bsc#926510: Re-add chroot support, but mark it as deprecated and

disable it by default.

* bsc#920895: Drop support for running chrooted, because it is an

ongoing source of problems and not really needed anymore, given that

ntp now drops privileges and runs under apparmor.

* bsc#920183: Allow -4 and -6 address qualifiers in "server"

directives.

* Use upstream ntp-wait, because our version is incompatible with the

new ntpq command line syntax.

* bsc#920905: Adjust Util.pm to the Perl version on SLE11.

* bsc#920238: Enable ntpdc for backwards compatibility.

* bsc#920893: Don't use %exclude.

* bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"

* bsc#988565: Ignore errors when removing extra files during

uninstallation

* bsc#988558: Don't blindly guess the value to use for IP_TOS

 

Security Issues:

 

* CVE-2016-4953

 

* CVE-2016-4954

 

* CVE-2016-4955

 

* CVE-2016-4956

 

* CVE-2016-4957

 

* CVE-2016-1547

 

* CVE-2016-1548

 

* CVE-2016-1549

 

* CVE-2016-1550

 

* CVE-2016-1551

 

* CVE-2016-2516

 

* CVE-2016-2517

 

* CVE-2016-2518

 

* CVE-2016-2519

 

* CVE-2015-8158

 

* CVE-2015-8138

 

* CVE-2015-7979

 

* CVE-2015-7978

 

* CVE-2015-7977

 

* CVE-2015-7976

 

* CVE-2015-7975

 

* CVE-2015-7974

 

* CVE-2015-7973

 

* CVE-2015-5300

 

* CVE-2015-5194

 

* CVE-2015-7871

 

* CVE-2015-7855

 

* CVE-2015-7854

 

* CVE-2015-7853

 

* CVE-2015-7852

 

* CVE-2015-7851

 

* CVE-2015-7850

 

* CVE-2015-7849

 

* CVE-2015-7848

 

* CVE-2015-7701

 

* CVE-2015-7703

 

* CVE-2015-7704

 

* CVE-2015-7705

 

* CVE-2015-7691

 

* CVE-2015-7692

 

* CVE-2015-7702

 

* CVE-2015-1798

 

* CVE-2015-1799

 

 

 

 

Package List:

 

- SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64):

 

ntp-4.2.8p8-0.7.1

ntp-doc-4.2.8p8-0.7.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-1798.html

https://www.suse.com/security/cve/CVE-2015-1799.html

https://www.suse.com/security/cve/CVE-2015-5194.html

https://www.suse.com/security/cve/CVE-2015-5300.html

https://www.suse.com/security/cve/CVE-2015-7691.html

https://www.suse.com/security/cve/CVE-2015-7692.html

https://www.suse.com/security/cve/CVE-2015-7701.html

https://www.suse.com/security/cve/CVE-2015-7702.html

https://www.suse.com/security/cve/CVE-2015-7703.html

https://www.suse.com/security/cve/CVE-2015-7704.html

https://www.suse.com/security/cve/CVE-2015-7705.html

https://www.suse.com/security/cve/CVE-2015-7848.html

https://www.suse.com/security/cve/CVE-2015-7849.html

https://www.suse.com/security/cve/CVE-2015-7850.html

https://www.suse.com/security/cve/CVE-2015-7851.html

https://www.suse.com/security/cve/CVE-2015-7852.html

https://www.suse.com/security/cve/CVE-2015-7853.html

https://www.suse.com/security/cve/CVE-2015-7854.html

https://www.suse.com/security/cve/CVE-2015-7855.html

https://www.suse.com/security/cve/CVE-2015-7871.html

https://www.suse.com/security/cve/CVE-2015-7973.html

https://www.suse.com/security/cve/CVE-2015-7974.html

https://www.suse.com/security/cve/CVE-2015-7975.html

https://www.suse.com/security/cve/CVE-2015-7976.html

https://www.suse.com/security/cve/CVE-2015-7977.html

https://www.suse.com/security/cve/CVE-2015-7978.html

https://www.suse.com/security/cve/CVE-2015-7979.html

https://www.suse.com/security/cve/CVE-2015-8138.html

https://www.suse.com/security/cve/CVE-2015-8158.html

https://www.suse.com/security/cve/CVE-2016-1547.html

https://www.suse.com/security/cve/CVE-2016-1548.html

https://www.suse.com/security/cve/CVE-2016-1549.html

https://www.suse.com/security/cve/CVE-2016-1550.html

https://www.suse.com/security/cve/CVE-2016-1551.html

https://www.suse.com/security/cve/CVE-2016-2516.html

https://www.suse.com/security/cve/CVE-2016-2517.html

https://www.suse.com/security/cve/CVE-2016-2518.html

https://www.suse.com/security/cve/CVE-2016-2519.html

https://www.suse.com/security/cve/CVE-2016-4953.html

https://www.suse.com/security/cve/CVE-2016-4954.html

https://www.suse.com/security/cve/CVE-2016-4955.html

https://www.suse.com/security/cve/CVE-2016-4956.html

https://www.suse.com/security/cve/CVE-2016-4957.html

https://bugzilla.suse.com/782060

https://bugzilla.suse.com/784760

https://bugzilla.suse.com/905885

https://bugzilla.suse.com/910063

https://bugzilla.suse.com/916617

https://bugzilla.suse.com/920183

https://bugzilla.suse.com/920238

https://bugzilla.suse.com/920893

https://bugzilla.suse.com/920895

https://bugzilla.suse.com/920905

https://bugzilla.suse.com/924202

https://bugzilla.suse.com/926510

https://bugzilla.suse.com/936327

https://bugzilla.suse.com/943218

https://bugzilla.suse.com/943221

https://bugzilla.suse.com/944300

https://bugzilla.suse.com/951351

https://bugzilla.suse.com/951559

https://bugzilla.suse.com/951629

https://bugzilla.suse.com/952611

https://bugzilla.suse.com/957226

https://bugzilla.suse.com/962318

https://bugzilla.suse.com/962784

https://bugzilla.suse.com/962802

https://bugzilla.suse.com/962960

https://bugzilla.suse.com/962966

https://bugzilla.suse.com/962970

https://bugzilla.suse.com/962988

https://bugzilla.suse.com/962995

https://bugzilla.suse.com/963000

https://bugzilla.suse.com/963002

https://bugzilla.suse.com/975496

https://bugzilla.suse.com/977450

https://bugzilla.suse.com/977451

https://bugzilla.suse.com/977452

https://bugzilla.suse.com/977455

https://bugzilla.suse.com/977457

https://bugzilla.suse.com/977458

https://bugzilla.suse.com/977459

https://bugzilla.suse.com/977461

https://bugzilla.suse.com/977464

https://bugzilla.suse.com/979302

https://bugzilla.suse.com/981422

https://bugzilla.suse.com/982056

https://bugzilla.suse.com/982064

https://bugzilla.suse.com/982065

https://bugzilla.suse.com/982066

https://bugzilla.suse.com/982067

https://bugzilla.suse.com/982068

https://bugzilla.suse.com/988417

https://bugzilla.suse.com/988558

https://bugzilla.suse.com/988565

https://download.suse.com/patch/finder/?keywords=e7685b9a0cc48dfc1cea383e011b438b

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

 

 

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×