Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1512 SUSE Security Update: Security update for ntp 15 June 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: ntp Publisher: SUSE Operating System: SUSE Impact/Access: Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2016-4957 CVE-2016-4956 CVE-2016-4955 CVE-2016-4954 CVE-2016-4953 CVE-2016-2519 CVE-2016-2518 CVE-2016-2517 CVE-2016-2516 CVE-2016-1551 CVE-2016-1550 CVE-2016-1549 CVE-2016-1548 CVE-2016-1547 CVE-2015-7974 CVE-2015-7705 CVE-2015-7704 Reference: ESB-2016.1411 ESB-2015.2694 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for ntp ______________________________________________________________________________ Announcement ID: SUSE-SU-2016:1568-1 Rating: important References: #957226 #962960 #977450 #977451 #977452 #977455 #977457 #977458 #977459 #977461 #977464 #979302 #979981 #981422 #982064 #982065 #982066 #982067 #982068 Cross-References: CVE-2015-7704 CVE-2015-7705 CVE-2015-7974 CVE-2016-1547 CVE-2016-1548 CVE-2016-1549 CVE-2016-1550 CVE-2016-1551 CVE-2016-2516 CVE-2016-2517 CVE-2016-2518 CVE-2016-2519 CVE-2016-4953 CVE-2016-4954 CVE-2016-4955 CVE-2016-4956 CVE-2016-4957 Affected Products: SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Desktop 12 ______________________________________________________________________________ An update that solves 17 vulnerabilities and has two fixes is now available. Description: ntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed: - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key (bsc#962960). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). - CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452). - CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated (bsc#977455). - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459). - CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450). - CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464). - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461). - CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451). This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974. These non-security issues were fixed: - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#981422: Don't ignore SIGCHILD because it breaks wait(). - bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service. - Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by "rcntp addserver". - bsc#957226: Restrict the parser in the startup script to the first occurrance of "keys" and "controlkey" in ntp.conf. Patch Instructions: To install this SUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Server 12: zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1 - SUSE Linux Enterprise Desktop 12: zypper in -t patch SUSE-SLE-DESKTOP-12-2016-933=1 To bring your system up-to-date, use "zypper patch". Package List: - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64): ntp-4.2.8p8-46.8.1 ntp-debuginfo-4.2.8p8-46.8.1 ntp-debugsource-4.2.8p8-46.8.1 ntp-doc-4.2.8p8-46.8.1 - SUSE Linux Enterprise Desktop 12 (x86_64): ntp-4.2.8p8-46.8.1 ntp-debuginfo-4.2.8p8-46.8.1 ntp-debugsource-4.2.8p8-46.8.1 ntp-doc-4.2.8p8-46.8.1 References: https://www.suse.com/security/cve/CVE-2015-7704.html https://www.suse.com/security/cve/CVE-2015-7705.html https://www.suse.com/security/cve/CVE-2015-7974.html https://www.suse.com/security/cve/CVE-2016-1547.html https://www.suse.com/security/cve/CVE-2016-1548.html https://www.suse.com/security/cve/CVE-2016-1549.html https://www.suse.com/security/cve/CVE-2016-1550.html https://www.suse.com/security/cve/CVE-2016-1551.html https://www.suse.com/security/cve/CVE-2016-2516.html https://www.suse.com/security/cve/CVE-2016-2517.html https://www.suse.com/security/cve/CVE-2016-2518.html https://www.suse.com/security/cve/CVE-2016-2519.html https://www.suse.com/security/cve/CVE-2016-4953.html https://www.suse.com/security/cve/CVE-2016-4954.html https://www.suse.com/security/cve/CVE-2016-4955.html https://www.suse.com/security/cve/CVE-2016-4956.html https://www.suse.com/security/cve/CVE-2016-4957.html https://bugzilla.suse.com/957226 https://bugzilla.suse.com/962960 https://bugzilla.suse.com/977450 https://bugzilla.suse.com/977451 https://bugzilla.suse.com/977452 https://bugzilla.suse.com/977455 https://bugzilla.suse.com/977457 https://bugzilla.suse.com/977458 https://bugzilla.suse.com/977459 https://bugzilla.suse.com/977461 https://bugzilla.suse.com/977464 https://bugzilla.suse.com/979302 https://bugzilla.suse.com/979981 https://bugzilla.suse.com/981422 https://bugzilla.suse.com/982064 https://bugzilla.suse.com/982065 https://bugzilla.suse.com/982066 https://bugzilla.suse.com/982067 https://bugzilla.suse.com/982068 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV2Duu4x+lLeg9Ub1AQgRow/9EmWuT3nkFlf+H0dP3ZJFKEqGUZ+tLRw6 qdZhEbpTWL5atQYbW+3M1s4oF1yvTdXvNR30kuO+SPL0ARofy61EN8Rs+QsXclSn umsyag0q9bo1DRWBwgSk6Pg1xWBPTWCPorSLfeoLfqLi6nGfZRUWtToLByV1XX0w TNt5UPf2xKhCXUieFsErSb6yJYDYtZz53/y9VpLzq++qNBgPJdm22slpgWYS+rP0 jHqzgYmz0yuiAGHa12Hhjai/jYnEXggOK+uutdM/MA8LW2Nz1YSvFCGjzIfCj7WU TrCWGiHAifEmpEivET9+ReeACZR/zOWTHJJjaLC1ou3Evcof5wJsr0Gs1jryfx1E sEZ/zuMEy/xC7Lsh4at3lDebT2+B0toxgMxQBe1jaO9yz58V+dNOgl8pJzPSB3hY Vq3J6rmsDbxJmhpxZmQ8aFrExgBDLn9w44MAnYxscpNXwKOIFMyb9/RvgFxmoCOc Bx47ueEROiPYdewMD6hRvhRkd1+Uwu+SHi5kF3PszkOJH8vjTWwmpAmpRrRj1wGd l50uZlLeOU2rx/WbtvFYwcVm+3Gfcy0+Sq3PlRoH/rYDoFUZbmP3POXK1a2J0wWH AymthT/XTaW3JNZXTvcDg3hl72LqnaJ9nHAC5tc7yzP9KtS8JF0WGEWqzeboayis DZ+cA1arriE= =LgZB -----END PGP SIGNATURE-----