Security update for ntp

SUSE Security Update: Security update for ntp
Announcement ID: SUSE-SU-2016:1311-1
Rating: important
References: #782060 #784760 #905885 #910063 #916617 #920183 #920238 #926510 #936327 #937837 #942441 #942587 #943216 #943218 #944300 #946386 #951351 #951559 #951608 #951629 #954982 #956773 #962318 #962784 #962802 #962960 #962966 #962970 #962988 #962994 #962995 #962997 #963000 #963002 #975496 #975981
Affected Products:
  • SUSE OpenStack Cloud 5
  • SUSE Manager Proxy 2.1
  • SUSE Manager 2.1
  • SUSE Linux Enterprise Server 11-SP3-LTSS
  • SUSE Linux Enterprise Server 11-SP2-LTSS
  • SUSE Linux Enterprise Debuginfo 11-SP3
  • SUSE Linux Enterprise Debuginfo 11-SP2

  • An update that solves 30 vulnerabilities and has 6 fixes is now available.

    Description:


    This network time protocol server ntp was updated to 4.2.8p6 to fix the
    following issues:

    Also yast2-ntp-client was updated to match some sntp syntax changes.
    (bsc#937837)

    Major functional changes:
    - The "sntp" commandline tool changed its option handling in a major way.
    - "controlkey 1" is added during update to ntp.conf to allow sntp to work.
    - The local clock is being disabled during update.
    - ntpd is no longer running chrooted.


    Other functional changes:
    - ntp-signd is installed.
    - "enable mode7" can be added to the configuration to allow ntdpc to work
    as compatibility mode option.
    - "kod" was removed from the default restrictions.
    - SHA1 keys are used by default instead of MD5 keys.

    These security issues were fixed:
    - CVE-2015-5219: An endless loop due to incorrect precision to double
    conversion (bsc#943216).
    - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
    - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
    - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated
    broadcast mode (bsc#962784).
    - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction
    list (bsc#963000).
    - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
    - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
    filenames (bsc#962802).
    - CVE-2015-7975: nextvar() missing length check (bsc#962988).
    - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation
    between authenticated peers (bsc#962960).
    - CVE-2015-7973: Replay attack on authenticated broadcast mode
    (bsc#962995).
    - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
    - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
    - CVE-2015-5300: MITM attacker could have forced ntpd to make a step
    larger than the panic threshold (bsc#951629).
    - CVE-2015-7871: NAK to the Future: Symmetric association authentication
    bypass via crypto-NAK (bsc#951608).
    - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning
    FAIL on some bogus values (bsc#951608).
    - CVE-2015-7854: Password Length Memory Corruption Vulnerability
    (bsc#951608).
    - CVE-2015-7853: Invalid length data provided by a custom refclock driver
    could cause a buffer overflow (bsc#951608).
    - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability
    (bsc#951608).
    - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).
    - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).
    - CVE-2015-7849: trusted key use-after-free (bsc#951608).
    - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).
    - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).
    - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should
    only be allowed locally (bsc#951608).
    - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate
    the origin timestamp field (bsc#951608).
    - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data
    packet length checks (bsc#951608).

    These non-security issues were fixed:
    - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
    (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added
    the authreg directive.
    - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
    start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which
    caused the synchronization to fail.
    - bsc#782060: Speedup ntpq.
    - bsc#916617: Add /var/db/ntp-kod.
    - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen
    quite a lot on loaded systems.
    - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
    - Add ntp-fork.patch and build with threads disabled to allow name
    resolution even when running chrooted.
    - Add a controlkey line to /etc/ntp.conf if one does not already exist to
    allow runtime configuuration via ntpq.
    - bsc#946386: Temporarily disable memlock to avoid problems due to high
    memory usage during name resolution.
    - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.
    - Improve runtime configuration:
    * Read keytype from ntp.conf
    * Don't write ntp keys to syslog.
    - Fix legacy action scripts to pass on command line arguments.
    - bsc#944300: Remove "kod" from the restrict line in ntp.conf.
    - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.
    - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.
    - Disable mode 7 (ntpdc) again, now that we don't use it anymore.
    - Add "addserver" as a new legacy action.
    - bsc#910063: Fix the comment regarding addserver in ntp.conf.
    - bsc#926510: Disable chroot by default.
    - bsc#920238: Enable ntpdc for backwards compatibility.
    - bsc#784760: Remove local clock from default configuration.
    - bsc#942441/fate#319496: Require perl-Socket6.
    - Improve runtime configuration:
    * Read keytype from ntp.conf
    * Don't write ntp keys to syslog.
    - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.
    - Use upstream ntp-wait, because our version is incompatible with the new
    ntpq command line syntax.

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE OpenStack Cloud 5:
      zypper in -t patch sleclo50sp3-ntp-12561=1
    • SUSE Manager Proxy 2.1:
      zypper in -t patch slemap21-ntp-12561=1
    • SUSE Manager 2.1:
      zypper in -t patch sleman21-ntp-12561=1
    • SUSE Linux Enterprise Server 11-SP3-LTSS:
      zypper in -t patch slessp3-ntp-12561=1
    • SUSE Linux Enterprise Server 11-SP2-LTSS:
      zypper in -t patch slessp2-ntp-12561=1
    • SUSE Linux Enterprise Debuginfo 11-SP3:
      zypper in -t patch dbgsp3-ntp-12561=1
    • SUSE Linux Enterprise Debuginfo 11-SP2:
      zypper in -t patch dbgsp2-ntp-12561=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE OpenStack Cloud 5 (x86_64):
      • ntp-4.2.8p6-41.1
      • ntp-doc-4.2.8p6-41.1
    • SUSE Manager Proxy 2.1 (x86_64):
      • ntp-4.2.8p6-41.1
      • ntp-doc-4.2.8p6-41.1
    • SUSE Manager 2.1 (s390x x86_64):
      • ntp-4.2.8p6-41.1
      • ntp-doc-4.2.8p6-41.1
    • SUSE Linux Enterprise Server 11-SP3-LTSS (i586 s390x x86_64):
      • ntp-4.2.8p6-41.1
      • ntp-doc-4.2.8p6-41.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (i586 s390x x86_64):
      • ntp-4.2.8p6-41.1
      • ntp-doc-4.2.8p6-41.1
    • SUSE Linux Enterprise Server 11-SP2-LTSS (noarch):
      • yast2-ntp-client-2.17.14.1-1.12.1
    • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
      • ntp-debuginfo-4.2.8p6-41.1
      • ntp-debugsource-4.2.8p6-41.1
    • SUSE Linux Enterprise Debuginfo 11-SP2 (i586 s390x x86_64):
      • ntp-debuginfo-4.2.8p6-41.1
      • ntp-debugsource-4.2.8p6-41.1

    References: