Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1512
SUSE Security Update: Security update for ntp
15 June 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: ntp
Publisher: SUSE
Operating System: SUSE
Impact/Access: Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-4957 CVE-2016-4956 CVE-2016-4955
CVE-2016-4954 CVE-2016-4953 CVE-2016-2519
CVE-2016-2518 CVE-2016-2517 CVE-2016-2516
CVE-2016-1551 CVE-2016-1550 CVE-2016-1549
CVE-2016-1548 CVE-2016-1547 CVE-2015-7974
CVE-2015-7705 CVE-2015-7704
Reference: ESB-2016.1411
ESB-2015.2694
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for ntp
______________________________________________________________________________
Announcement ID: SUSE-SU-2016:1568-1
Rating: important
References: #957226 #962960 #977450 #977451 #977452 #977455
#977457 #977458 #977459 #977461 #977464 #979302
#979981 #981422 #982064 #982065 #982066 #982067
#982068
Cross-References: CVE-2015-7704 CVE-2015-7705 CVE-2015-7974
CVE-2016-1547 CVE-2016-1548 CVE-2016-1549
CVE-2016-1550 CVE-2016-1551 CVE-2016-2516
CVE-2016-2517 CVE-2016-2518 CVE-2016-2519
CVE-2016-4953 CVE-2016-4954 CVE-2016-4955
CVE-2016-4956 CVE-2016-4957
Affected Products:
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12
______________________________________________________________________________
An update that solves 17 vulnerabilities and has two fixes
is now available.
Description:
ntp was updated to version 4.2.8p8 to fix 17 security issues.
These security issues were fixed:
- CVE-2016-4956: Broadcast interleave (bsc#982068).
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound
with MATCH_ASSOC (bsc#977457).
- CVE-2016-2519: ctl_getitem() return value not always checked
(bsc#977458).
- CVE-2016-4954: Processing spoofed server packets (bsc#982066).
- CVE-2016-4955: Autokey association reset (bsc#982067).
- CVE-2015-7974: NTP did not verify peer associations of symmetric keys
when authenticating packets, which might allowed remote attackers to
conduct impersonation attacks via an arbitrary trusted key, aka a
"skeleton key (bsc#962960).
- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an
assertion botch (bsc#977452).
- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not
properly validated (bsc#977455).
- CVE-2016-4953: Bad authentication demobilizes ephemeral associations
(bsc#982065).
- CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).
- CVE-2016-1551: Refclock impersonation vulnerability, AKA:
refclock-peering (bsc#977450).
- CVE-2016-1550: Improve NTP security against buffer comparison timing
attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).
- CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461).
- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA:
ntp-sybil - MITIGATION ONLY (bsc#977451).
This release also contained improved patches for CVE-2015-7704,
CVE-2015-7705, CVE-2015-7974.
These non-security issues were fixed:
- bsc#979302: Change the process name of the forking DNS worker process to
avoid the impression that ntpd is started twice.
- bsc#981422: Don't ignore SIGCHILD because it breaks wait().
- bsc#979981: ntp-wait does not accept fractional seconds, so use 1
instead of 0.2 in ntp-wait.service.
- Separate the creation of ntp.keys and key #1 in it to avoid problems
when upgrading installations that have the file, but no key #1, which is
needed e.g. by "rcntp addserver".
- bsc#957226: Restrict the parser in the startup script to the first
occurrance of "keys" and "controlkey" in ntp.conf.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 12:
zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1
- SUSE Linux Enterprise Desktop 12:
zypper in -t patch SUSE-SLE-DESKTOP-12-2016-933=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):
ntp-4.2.8p8-46.8.1
ntp-debuginfo-4.2.8p8-46.8.1
ntp-debugsource-4.2.8p8-46.8.1
ntp-doc-4.2.8p8-46.8.1
- SUSE Linux Enterprise Desktop 12 (x86_64):
ntp-4.2.8p8-46.8.1
ntp-debuginfo-4.2.8p8-46.8.1
ntp-debugsource-4.2.8p8-46.8.1
ntp-doc-4.2.8p8-46.8.1
References:
https://www.suse.com/security/cve/CVE-2015-7704.html
https://www.suse.com/security/cve/CVE-2015-7705.html
https://www.suse.com/security/cve/CVE-2015-7974.html
https://www.suse.com/security/cve/CVE-2016-1547.html
https://www.suse.com/security/cve/CVE-2016-1548.html
https://www.suse.com/security/cve/CVE-2016-1549.html
https://www.suse.com/security/cve/CVE-2016-1550.html
https://www.suse.com/security/cve/CVE-2016-1551.html
https://www.suse.com/security/cve/CVE-2016-2516.html
https://www.suse.com/security/cve/CVE-2016-2517.html
https://www.suse.com/security/cve/CVE-2016-2518.html
https://www.suse.com/security/cve/CVE-2016-2519.html
https://www.suse.com/security/cve/CVE-2016-4953.html
https://www.suse.com/security/cve/CVE-2016-4954.html
https://www.suse.com/security/cve/CVE-2016-4955.html
https://www.suse.com/security/cve/CVE-2016-4956.html
https://www.suse.com/security/cve/CVE-2016-4957.html
https://bugzilla.suse.com/957226
https://bugzilla.suse.com/962960
https://bugzilla.suse.com/977450
https://bugzilla.suse.com/977451
https://bugzilla.suse.com/977452
https://bugzilla.suse.com/977455
https://bugzilla.suse.com/977457
https://bugzilla.suse.com/977458
https://bugzilla.suse.com/977459
https://bugzilla.suse.com/977461
https://bugzilla.suse.com/977464
https://bugzilla.suse.com/979302
https://bugzilla.suse.com/979981
https://bugzilla.suse.com/981422
https://bugzilla.suse.com/982064
https://bugzilla.suse.com/982065
https://bugzilla.suse.com/982066
https://bugzilla.suse.com/982067
https://bugzilla.suse.com/982068
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV2Duu4x+lLeg9Ub1AQgRow/9EmWuT3nkFlf+H0dP3ZJFKEqGUZ+tLRw6
qdZhEbpTWL5atQYbW+3M1s4oF1yvTdXvNR30kuO+SPL0ARofy61EN8Rs+QsXclSn
umsyag0q9bo1DRWBwgSk6Pg1xWBPTWCPorSLfeoLfqLi6nGfZRUWtToLByV1XX0w
TNt5UPf2xKhCXUieFsErSb6yJYDYtZz53/y9VpLzq++qNBgPJdm22slpgWYS+rP0
jHqzgYmz0yuiAGHa12Hhjai/jYnEXggOK+uutdM/MA8LW2Nz1YSvFCGjzIfCj7WU
TrCWGiHAifEmpEivET9+ReeACZR/zOWTHJJjaLC1ou3Evcof5wJsr0Gs1jryfx1E
sEZ/zuMEy/xC7Lsh4at3lDebT2+B0toxgMxQBe1jaO9yz58V+dNOgl8pJzPSB3hY
Vq3J6rmsDbxJmhpxZmQ8aFrExgBDLn9w44MAnYxscpNXwKOIFMyb9/RvgFxmoCOc
Bx47ueEROiPYdewMD6hRvhRkd1+Uwu+SHi5kF3PszkOJH8vjTWwmpAmpRrRj1wGd
l50uZlLeOU2rx/WbtvFYwcVm+3Gfcy0+Sq3PlRoH/rYDoFUZbmP3POXK1a2J0wWH
AymthT/XTaW3JNZXTvcDg3hl72LqnaJ9nHAC5tc7yzP9KtS8JF0WGEWqzeboayis
DZ+cA1arriE=
=LgZB
-----END PGP SIGNATURE-----