Security update for ntp (important)

2016-07-2919:08:48

lists.opensuse.org

0.971 High

EPSS

Percentile

99.7%

JSON

NTP was updated to version 4.2.8p8 to fix several security issues and to
ensure the continued maintainability of the package.

These security issues were fixed:

   * CVE-2016-4953: Bad authentication demobilized ephemeral associations
     (bsc#982065).
   * CVE-2016-4954: Processing spoofed server packets (bsc#982066).
   * CVE-2016-4955: Autokey association reset (bsc#982067).
   * CVE-2016-4956: Broadcast interleave (bsc#982068).
   * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
   * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS
     (bsc#977459).
   * CVE-2016-1548: Prevent the change of time of an ntpd client or
     denying service to an ntpd client by forcing it to change from basic
     client/server mode to interleaved symmetric mode (bsc#977461).
   * CVE-2016-1549: Sybil vulnerability: ephemeral association attack
     (bsc#977451).
   * CVE-2016-1550: Improve security against buffer comparison timing
     attacks (bsc#977464).
   * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y
   * CVE-2016-2516: Duplicate IPs on unconfig directives could have
     caused an assertion botch in ntpd (bsc#977452).
   * CVE-2016-2517: Remote configuration trustedkey/
     requestkey/controlkey values are not properly validated (bsc#977455).
   * CVE-2016-2518: Crafted addpeer with hmode &gt; 7 causes array
     wraparound with MATCH_ASSOC (bsc#977457).
   * CVE-2016-2519: ctl_getitem() return value not always checked
     (bsc#977458).
   * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).
   * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
   * CVE-2015-7979: Off-path Denial of Service (DoS) attack on
     authenticated broadcast mode (bsc#962784).
   * CVE-2015-7978: Stack exhaustion in recursive traversal of
     restriction list (bsc#963000).
   * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
   * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters
     in filenames (bsc#962802).
   * CVE-2015-7975: nextvar() missing length check (bsc#962988).
   * CVE-2015-7974: NTP did not verify peer associations of symmetric
     keys when authenticating packets, which might have allowed remote
     attackers to conduct impersonation attacks via an arbitrary trusted
     key, aka a &quot;skeleton&quot; key (bsc#962960).
   * CVE-2015-7973: Replay attack on authenticated broadcast mode
     (bsc#962995).
   * CVE-2015-5300: MITM attacker can force ntpd to make a step larger
     than the panic threshold (bsc#951629).
   * CVE-2015-5194: Crash with crafted logconfig configuration command
     (bsc#943218).
   * CVE-2015-7871: NAK to the Future: Symmetric association
     authentication bypass via crypto-NAK (bsc#952611).
   * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
     FAIL on some bogus values (bsc#952611).
   * CVE-2015-7854: Password Length Memory Corruption Vulnerability
     (bsc#952611).
   * CVE-2015-7853: Invalid length data provided by a custom refclock
     driver could cause a buffer overflow (bsc#952611).
   * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
     (bsc#952611).
   * CVE-2015-7851: saveconfig Directory Traversal Vulnerability
     (bsc#952611).
   * CVE-2015-7850: Clients that receive a KoD now validate the origin
     timestamp field (bsc#952611).
   * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).
   * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).
   * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).
   * CVE-2015-7703: Configuration directives &quot;pidfile&quot; and &quot;driftfile&quot;
     should only be allowed locally (bsc#943221).
   * CVE-2015-7704: Clients that receive a KoD should validate the origin
     timestamp field (bsc#952611).
   * CVE-2015-7705: Clients that receive a KoD should validate the origin
     timestamp field (bsc#952611).
   * CVE-2015-7691: Incomplete autokey data packet length checks
     (bsc#952611).
   * CVE-2015-7692: Incomplete autokey data packet length checks
     (bsc#952611).
   * CVE-2015-7702: Incomplete autokey data packet length checks
     (bsc#952611).
   * CVE-2015-1798: The symmetric-key feature in the receive function in
     ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC
     field has a nonzero length, which made it easier for
     man-in-the-middle attackers to spoof packets by omitting the MAC
     (bsc#924202).
   * CVE-2015-1799: The symmetric-key feature in the receive function in
     ntp_proto.c in ntpd in NTP performed state-variable updates upon
     receiving certain invalid packets, which made it easier for
     man-in-the-middle attackers to cause a denial of service
     (synchronization loss) by spoofing the source IP address of a peer
     (bsc#924202).

These non-security issues were fixed:

   * Keep the parent process alive until the daemon has finished
     initialisation, to make sure that the PID file exists when the
     parent returns.
   * bsc#979302: Change the process name of the forking DNS worker
     process to avoid the impression that ntpd is started twice.
   * bsc#981422: Don't ignore SIGCHILD because it breaks wait().
   * Separate the creation of ntp.keys and key #1 in it to avoid problems
     when upgrading installations that have the file, but no key #1,
     which is needed e.g. by &quot;rcntp addserver&quot;.
   * bsc#957226: Restrict the parser in the startup script to the first
     occurrance of &quot;keys&quot; and &quot;controlkey&quot; in ntp.conf.
   * Enable compile-time support for MS-SNTP (--enable-ntp-signd)
   * bsc#975496: Fix ntp-sntp-dst.patch.
   * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
     start-ntpd. When run as cron job, /usr/sbin/ is not in the path,
     which caused the synchronization to fail.
   * bsc#782060: Speedup ntpq.
   * bsc#951559: Fix the TZ offset output of sntp during DST.
   * bsc#916617: Add /var/db/ntp-kod.
   * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might
     happen quite a lot on loaded systems.
   * Add ntp-fork.patch and build with threads disabled to allow name
     resolution even when running chrooted.
   * bnc#784760: Remove local clock from default configuration.
   * Fix incomplete backporting of &quot;rcntp ntptimemset&quot;.
   * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
   * Don't let &quot;keysdir&quot; lines in ntp.conf trigger the &quot;keys&quot; parser.
   * bsc#910063: Fix the comment regarding addserver in ntp.conf.
   * bsc#944300: Remove &quot;kod&quot; from the restrict line in ntp.conf.
   * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
   * bsc#926510: Re-add chroot support, but mark it as deprecated and
     disable it by default.
   * bsc#920895: Drop support for running chrooted, because it is an
     ongoing source of problems and not really needed anymore, given that

ntp now drops privileges and runs under apparmor.
* bsc#920183: Allow -4 and -6 address qualifiers in "server"
directives.
* Use upstream ntp-wait, because our version is incompatible with the
new ntpq command line syntax.
* bsc#920905: Adjust Util.pm to the Perl version on SLE11.
* bsc#920238: Enable ntpdc for backwards compatibility.
* bsc#920893: Don’t use %exclude.
* bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"
* bsc#988565: Ignore errors when removing extra files during
uninstallation
* bsc#988558: Don’t blindly guess the value to use for IP_TOS

Security Issues:

   * CVE-2016-4953
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>&gt;
   * CVE-2016-4954
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>&gt;
   * CVE-2016-4955
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>&gt;
   * CVE-2016-4956
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>&gt;
   * CVE-2016-4957
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>&gt;
   * CVE-2016-1547
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>&gt;
   * CVE-2016-1548
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>&gt;
   * CVE-2016-1549
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>&gt;
   * CVE-2016-1550
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>&gt;
   * CVE-2016-1551
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>&gt;
   * CVE-2016-2516
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>&gt;
   * CVE-2016-2517
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>&gt;
   * CVE-2016-2518
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>&gt;
   * CVE-2016-2519
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>&gt;
   * CVE-2015-8158
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>&gt;
   * CVE-2015-8138
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>&gt;
   * CVE-2015-7979
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>&gt;
   * CVE-2015-7978
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>&gt;
   * CVE-2015-7977
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>&gt;
   * CVE-2015-7976
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>&gt;
   * CVE-2015-7975
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>&gt;
   * CVE-2015-7974
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>&gt;
   * CVE-2015-7973
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>&gt;
   * CVE-2015-5300
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>&gt;
   * CVE-2015-5194
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>&gt;
   * CVE-2015-7871
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>&gt;
   * CVE-2015-7855
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>&gt;
   * CVE-2015-7854
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>&gt;
   * CVE-2015-7853
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>&gt;
   * CVE-2015-7852
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>&gt;
   * CVE-2015-7851
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>&gt;
   * CVE-2015-7850
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>&gt;
   * CVE-2015-7849
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>&gt;
   * CVE-2015-7848
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>&gt;
   * CVE-2015-7701
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>&gt;
   * CVE-2015-7703
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>&gt;
   * CVE-2015-7704
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>&gt;
   * CVE-2015-7705
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>&gt;
   * CVE-2015-7691
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>&gt;
   * CVE-2015-7692
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>&gt;
   * CVE-2015-7702
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>&gt;
   * CVE-2015-1798
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>&gt;
   * CVE-2015-1799
     &lt;<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>&gt;

OSVersionArchitecturePackageVersionFilename
SUSE Linux Enterprise Server LTSS10.4i586ntp< 4.2.8p8-0.7.1ntp-4.2.8p8-0.7.1.i586.rpm
SUSE Linux Enterprise Server LTSS10.4s390xntp< 4.2.8p8-0.7.1ntp-4.2.8p8-0.7.1.s390x.rpm
SUSE Linux Enterprise Server LTSS10.4i586ntp-doc< 4.2.8p8-0.7.1ntp-doc-4.2.8p8-0.7.1.i586.rpm
SUSE Linux Enterprise Server LTSS10.4x86_64ntp< 4.2.8p8-0.7.1ntp-4.2.8p8-0.7.1.x86_64.rpm
SUSE Linux Enterprise Server LTSS10.4x86_64ntp-doc< 4.2.8p8-0.7.1ntp-doc-4.2.8p8-0.7.1.x86_64.rpm
SUSE Linux Enterprise Server LTSS10.4s390xntp-doc< 4.2.8p8-0.7.1ntp-doc-4.2.8p8-0.7.1.s390x.rpm

OS	Version	Architecture	Package	Version	Filename
SUSE Linux Enterprise Server LTSS	10.4	i586	ntp	< 4.2.8p8-0.7.1	ntp-4.2.8p8-0.7.1.i586.rpm
SUSE Linux Enterprise Server LTSS	10.4	s390x	ntp	< 4.2.8p8-0.7.1	ntp-4.2.8p8-0.7.1.s390x.rpm
SUSE Linux Enterprise Server LTSS	10.4	i586	ntp-doc	< 4.2.8p8-0.7.1	ntp-doc-4.2.8p8-0.7.1.i586.rpm
SUSE Linux Enterprise Server LTSS	10.4	x86_64	ntp	< 4.2.8p8-0.7.1	ntp-4.2.8p8-0.7.1.x86_64.rpm
SUSE Linux Enterprise Server LTSS	10.4	x86_64	ntp-doc	< 4.2.8p8-0.7.1	ntp-doc-4.2.8p8-0.7.1.x86_64.rpm
SUSE Linux Enterprise Server LTSS	10.4	s390x	ntp-doc	< 4.2.8p8-0.7.1	ntp-doc-4.2.8p8-0.7.1.s390x.rpm