Security update for ntp

SUSE Security Update: Security update for ntp
Announcement ID: SUSE-SU-2018:0808-1
Rating: moderate
References: #1077445 #1082210 #1083417 #1083420 #1083422 #1083424 #1083426
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that solves 6 vulnerabilities and has one errata is now available.


    This update for ntp fixes the following issues:

    Security issues fixed:

    - CVE-2016-1549: Significant additional protections against CVE-2016-1549
    that was fixed in ntp-4.2.8p7 (bsc#1082210).
    - CVE-2018-7170: Ephemeral association time spoofing additional protection
    - CVE-2018-7182: Buffer read overrun leads information leak in
    ctl_getitem() (bsc#1083426).
    - CVE-2018-7183: decodearr() can write beyond its buffer limit
    - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state
    - CVE-2018-7185: Unauthenticated packet can reset authenticated
    interleaved association (bsc#1083420).

    Bug fixes:

    - bsc#1077445: Don't use libevent's cached time stamps in sntp.
    - Disable CMAC in ntp when building against a version of OpenSSL that
    doesn't support it.

    Patch Instructions:

    To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ntp-13534=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ntp-13534=1

    Package List:

    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ntp-4.2.8p11-64.4.1
      • ntp-doc-4.2.8p11-64.4.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ntp-debuginfo-4.2.8p11-64.4.1
      • ntp-debugsource-4.2.8p11-64.4.1