SUSE-SU-2016:1471-1
Jun 01, 2016 - 6:08 p.m.

Security update for ntp (important)

2016-06-01 18:08:21
lists.opensuse.org
EPSS: 0.832 (percentile 98.5%)

This update for ntp fixes the following issues:

  • Separate the creation of ntp.keys and key #1 in it to avoid problems
    when upgrading installations that have the file, but no key #1, which is
    needed e.g. by "rcntp addserver".

  • Update to 4.2.8p7 (bsc#977446):

    • CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
    • CVE-2016-1548, bsc#977461: Interleave-pivot
    • CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association
      attack.
    • CVE-2016-1550, bsc#977464: Improve NTP security against buffer
      comparison timing attacks.
    • CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
    • CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will
      cause an assertion botch in ntpd.
    • CVE-2016-2517, bsc#977455: remote configuration trustedkey/
      requestkey/controlkey values are not properly validated.
    • CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array
      wraparound with MATCH_ASSOC.
    • CVE-2016-2519, bsc#977458: ctl_getitem() return value not always
      checked.
    • integrate ntp-fork.patch
    • Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974
  • Restrict the parser in the startup script to the first
    occurrence of "keys" and "controlkey" in ntp.conf (bsc#957226).
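
A host-side check against the 4.2.8p7 baseline named above, as an added example that is not part of the advisory or of the ntp package. The function names and the sample version strings are constructed for illustration, and the comparison assumes release strings from the stable 4.2.x line.

```sh
#!/bin/sh
# Minimum upstream release named in the advisory.
FIXED="4.2.8p7"

# Print "major minor patch plevel" for the first NTP-style version found in $1.
# A missing "pN" suffix is reported as patch level 0.
ntp_version_fields() {
    printf '%s\n' "$1" |
        sed -n -E 's/^[^0-9]*([0-9]+)\.([0-9]+)\.([0-9]+)(p([0-9]+))?.*$/\1 \2 \3 \5/p' |
        awk '{ print $1, $2, $3, ($4 == "" ? 0 : $4) }'
}

# Return 0 if version $1 is at or above $FIXED, 1 if older, 2 if unparseable.
ntp_is_fixed() {
    have=$(ntp_version_fields "$1")
    want=$(ntp_version_fields "$FIXED")
    [ -n "$have" ] || return 2
    # Compare field by field, numerically, so that p10 sorts after p7.
    printf '%s %s\n' "$have" "$want" | awk '{
        for (i = 1; i <= 4; i++) {
            if ($i + 0 > $(i + 4) + 0) exit 0
            if ($i + 0 < $(i + 4) + 0) exit 1
        }
        exit 0
    }'
}

# Constructed sample inputs: an rpm-style version-release, banner-style text,
# and bare upstream versions.
for v in "4.2.8p7-11.1" "ntpd 4.2.8p10@1.3728-o" "4.2.8p6" "4.2.6p5"; do
    if ntp_is_fixed "$v"; then
        state="at or above $FIXED"
    else
        state="older than $FIXED"
    fi
    printf '%-26s %s\n' "$v" "$state"
done
```

Feed it the version string your inventory tooling already collects. An "older" result for a distribution package still needs checking against the vendor changelog, since fixes can be backported without changing the upstream version.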