Security update for ntp

SUSE Security Update: Security update for ntp
Announcement ID: SUSE-SU-2016:1278-1
Rating: important
References: #957226 #977446 #977450 #977451 #977452 #977455 #977457 #977458 #977459 #977461 #977464
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP4

  • An update that fixes 12 vulnerabilities is now available.

    Description:


    This update for ntp to 4.2.8p7 fixes the following issues:

    * CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
    * CVE-2016-1548, bsc#977461: Interleave-pivot
    * CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association
    attack.
    * CVE-2016-1550, bsc#977464: Improve NTP security against buffer
    comparison timing attacks.
    * CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
    * CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will
    cause an assertion botch in ntpd.
    * CVE-2016-2517, bsc#977455: remote configuration trustedkey/
    requestkey/controlkey values are not properly validated.
    * CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array
    wraparound with MATCH_ASSOC.
    * CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked.
    * This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705,
    CVE-2015-7974

    Bugs fixed:
    - Restrict the parser in the startup script to the first
    occurrance of "keys" and "controlkey" in ntp.conf (bsc#957226).

    Patch Instructions:

    To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product:

    • SUSE Linux Enterprise Server 11-SP4:
      zypper in -t patch slessp4-ntp-12553=1
    • SUSE Linux Enterprise Debuginfo 11-SP4:
      zypper in -t patch dbgsp4-ntp-12553=1

    To bring your system up-to-date, use "zypper patch".

    Package List:

    • SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ntp-4.2.8p7-11.1
      • ntp-doc-4.2.8p7-11.1
    • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):
      • ntp-debuginfo-4.2.8p7-11.1
      • ntp-debugsource-4.2.8p7-11.1

    References: