ntp, ntpdate security update

CentOS Errata and Security Advisory CESA-2017:3071

The Network Time Protocol (NTP) is used to synchronize a computer’s time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

• Two vulnerabilities were discovered in the NTP server’s parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464)

• A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462)

Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2017-October/084770.html

Affected packages:
ntp
ntp-doc
ntp-perl
ntpdate

Upstream details at:
https://access.redhat.com/errata/RHSA-2017:3071