NTP Security update for CVE-2014-9295 / VU#852879

This document (7016020) is provided subject to the disclaimer at the end of this document.

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication) and ctl_putdata() were updated to avoid buffer overflows that could be exploited. (CVE-2014-9295 / VU#852879)

Resolution

Apply the latest ntp patch to address this security issue.

The installed NTP version should be 4.2.4p8 or greater.
The date of the patch should be Friday Dec 19th 2014 or later.

Example: applying the patch and viewing the patch information on OES11SP2/SLES11SP3

To apply the patch:
zypper up -t patch slessp3-ntp
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  slessp3-ntp

The following package is going to be upgraded:
  ntp

1 package to upgrade.
Overall download size: 464.0 KiB. No additional space will be used or freed after the operation.
Continue? [y/n/? shows all options] (y): y
Retrieving package ntp-4.2.4p8-1.28.1.x86_64 (1/1), 464.0 KiB (1.6 MiB unpacked)
Retrieving: ntp-4.2.4p8-1.28.1.x86_64.rpm [done]
Installing: ntp-4.2.4p8-1.28.1 [done]
Additional rpm output:
Updating etc/sysconfig/ntp...
Updating etc/sysconfig/syslog...


To view the patch info:
zypper patch-info slessp3-ntp

Information for patch slessp3-ntp:

Name: slessp3-ntp
Version: 10117
Arch: noarch
Vendor: maint-coord@suse.de
Status: Needed
Category: security
Created On: Fri Dec 19 13:49:40 2014
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for ntp
Description:

This ntp update fixes the following critical security issue:

    * A potential remote code execution problem was found inside ntpd. The
      functions crypto_recv() (when using autokey authentication) and
      ctl_putdata() where updated to avoid buffer overflows that could have
      been exploited. (CVE-2014-9295 / VU#852879)

Security Issues:

    * CVE-2014-9295
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295>


Provides:
patch:slessp3-ntp == 10117

Conflicts:
ntp.x86_64 < 4.2.4p8-1.28.1
ntp-doc.x86_64 < 4.2.4p8-1.28.1


For OES2SP3 the package is xntp
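
To confirm after patching that a host is at or above the fixed build, the following check can be used. It is an added example, not part of the original Novell/SUSE document. It assumes the SLES 11 SP3 threshold 4.2.4p8-1.28.1 from the "Conflicts:" lines above; the function names and the sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-patch check for the ntp fix for CVE-2014-9295.
# Threshold comes from the "Conflicts:" lines of the SLES 11 SP3 patch info.
# Assumption: other service packs may ship a different fixed release, so the
# value can be overridden through the FIXED_EVR environment variable.
FIXED_EVR=${FIXED_EVR:-4.2.4p8-1.28.1}

# evr_at_least INSTALLED REQUIRED
# Returns 0 when INSTALLED >= REQUIRED. Uses `sort -V`, which approximates
# rpm's version ordering and is adequate for version strings of this shape.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_ntp_fixed [VERSION-RELEASE]
# With no argument, queries the installed ntp package through rpm.
# Returns 0 = fixed build, 1 = older than the fixed build, 2 = cannot tell.
check_ntp_fixed() {
    evr=$1
    if [ -z "$evr" ]; then
        evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' ntp 2>/dev/null) || {
            echo "UNKNOWN: ntp package not installed or rpm unavailable"
            return 2
        }
    fi
    if evr_at_least "$evr" "$FIXED_EVR"; then
        echo "OK: ntp $evr is at or above fixed build $FIXED_EVR"
    else
        echo "VULNERABLE: ntp $evr is older than $FIXED_EVR"
        echo "  apply with: zypper up -t patch slessp3-ntp"
        return 1
    fi
}

# Constructed sample values (not from a real host): an older and a patched build.
for sample in 4.2.4p8-1.24.1 4.2.4p8-1.28.1; do
    check_ntp_fixed "$sample" || true
done
```

On a live host, call check_ntp_fixed with no argument so that it reads the installed package version from rpm.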

Additional Information

Change the service pack version in the patch name to apply the patch for versions other than SLES 11 SP3.

Example:
To apply the patch on OES11SP1/SLES11SP2
zypper up -t patch slessp2-ntp

To apply the patch on OES11/SLES11SP1
zypper up -t patch slessp1-ntp

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7016020
  • Creation Date: 23-DEC-14
  • Modified Date: 05-JAN-15
    • Novell Open Enterprise Server
    • SUSE Linux Enterprise Server
    • NetIQ eDirectory