Security update for ntp

Announcement ID:	SUSE-SU-2016:1568-1
Rating:	important
References:	bsc#957226 bsc#962960 bsc#977450 bsc#977451 bsc#977452 bsc#977455 bsc#977457 bsc#977458 bsc#977459 bsc#977461 bsc#977464 bsc#979302 bsc#979981 bsc#981422 bsc#982064 bsc#982065 bsc#982066 bsc#982067 bsc#982068
Cross-References:	CVE-2015-7704 CVE-2015-7705 CVE-2015-7974 CVE-2016-1547 CVE-2016-1548 CVE-2016-1549 CVE-2016-1550 CVE-2016-1551 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 CVE-2016-4953 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 CVE-2016-4957
CVSS scores:	CVE-2015-7704 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2015-7705 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2015-7974 ( NVD ): 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N CVE-2016-1547 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-1548 ( NVD ): 7.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L CVE-2016-1549 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2016-1550 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-1551 ( NVD ): 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2016-2516 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-2517 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H CVE-2016-2518 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-2518 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-2519 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-4953 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-4953 ( NVD ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2016-4954 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-4954 ( NVD ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2016-4955 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-4955 ( NVD ): 4.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2016-4956 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVE-2016-4956 ( NVD ): 5.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L CVE-2016-4957 ( NVD ): 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves 17 vulnerabilities and has two security fixes can now be installed.

Description:

ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed: - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key (bsc#962960). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). - CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452). - CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated (bsc#977455). - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459). - CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450). - CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464). - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461). - CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451).

This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.

These non-security issues were fixed: - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#981422: Don't ignore SIGCHILD because it breaks wait(). - bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service. - Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by "rcntp addserver". - bsc#957226: Restrict the parser in the startup script to the first occurrance of "keys" and "controlkey" in ntp.conf.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2016-933=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1

Package List:

• SUSE Linux Enterprise Desktop 12 (x86_64)
  • ntp-doc-4.2.8p8-46.8.1
  • ntp-debuginfo-4.2.8p8-46.8.1
  • ntp-debugsource-4.2.8p8-46.8.1
  • ntp-4.2.8p8-46.8.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • ntp-doc-4.2.8p8-46.8.1
  • ntp-debuginfo-4.2.8p8-46.8.1
  • ntp-debugsource-4.2.8p8-46.8.1
  • ntp-4.2.8p8-46.8.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • ntp-doc-4.2.8p8-46.8.1
  • ntp-debuginfo-4.2.8p8-46.8.1
  • ntp-debugsource-4.2.8p8-46.8.1
  • ntp-4.2.8p8-46.8.1

References:

• https://www.suse.com/security/cve/CVE-2015-7704.html
• https://www.suse.com/security/cve/CVE-2015-7705.html
• https://www.suse.com/security/cve/CVE-2015-7974.html
• https://www.suse.com/security/cve/CVE-2016-1547.html
• https://www.suse.com/security/cve/CVE-2016-1548.html
• https://www.suse.com/security/cve/CVE-2016-1549.html
• https://www.suse.com/security/cve/CVE-2016-1550.html
• https://www.suse.com/security/cve/CVE-2016-1551.html
• https://www.suse.com/security/cve/CVE-2016-2516.html
• https://www.suse.com/security/cve/CVE-2016-2517.html
• https://www.suse.com/security/cve/CVE-2016-2518.html
• https://www.suse.com/security/cve/CVE-2016-2519.html
• https://www.suse.com/security/cve/CVE-2016-4953.html
• https://www.suse.com/security/cve/CVE-2016-4954.html
• https://www.suse.com/security/cve/CVE-2016-4955.html
• https://www.suse.com/security/cve/CVE-2016-4956.html
• https://www.suse.com/security/cve/CVE-2016-4957.html
• https://bugzilla.suse.com/show_bug.cgi?id=957226
• https://bugzilla.suse.com/show_bug.cgi?id=962960
• https://bugzilla.suse.com/show_bug.cgi?id=977450
• https://bugzilla.suse.com/show_bug.cgi?id=977451
• https://bugzilla.suse.com/show_bug.cgi?id=977452
• https://bugzilla.suse.com/show_bug.cgi?id=977455
• https://bugzilla.suse.com/show_bug.cgi?id=977457
• https://bugzilla.suse.com/show_bug.cgi?id=977458
• https://bugzilla.suse.com/show_bug.cgi?id=977459
• https://bugzilla.suse.com/show_bug.cgi?id=977461
• https://bugzilla.suse.com/show_bug.cgi?id=977464
• https://bugzilla.suse.com/show_bug.cgi?id=979302
• https://bugzilla.suse.com/show_bug.cgi?id=979981
• https://bugzilla.suse.com/show_bug.cgi?id=981422
• https://bugzilla.suse.com/show_bug.cgi?id=982064
• https://bugzilla.suse.com/show_bug.cgi?id=982065
• https://bugzilla.suse.com/show_bug.cgi?id=982066
• https://bugzilla.suse.com/show_bug.cgi?id=982067
• https://bugzilla.suse.com/show_bug.cgi?id=982068