SUSE-SU-2015:2058-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2015/suse-su-20152058-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2015:2058-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2015:2058-1
Related
Published
2015-11-20T09:21:30Z
Modified
2015-11-20T09:21:30Z
Summary
Security update for ntp
Details

This ntp update provides the following security and non security fixes:

  • Update to 4.2.8p4 to fix several security issues (bsc#951608):
    • CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK
    • CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values
    • CVE-2015-7854: Password Length Memory Corruption Vulnerability
    • CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow
    • CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability
    • CVE-2015-7851 saveconfig Directory Traversal Vulnerability
    • CVE-2015-7850 remote config logfile-keyfile
    • CVE-2015-7849 trusted key use-after-free
    • CVE-2015-7848 mode 7 loop counter underrun
    • CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC
    • CVE-2015-7703 configuration directives 'pidfile' and 'driftfile' should only be allowed locally
    • CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field
    • CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks
  • Use ntpq instead of deprecated ntpdc in start-ntpd (bnc#936327).
  • Add a controlkey to ntp.conf to make the above work.
  • Improve runtime configuration:
    • Read keytype from ntp.conf
    • Don't write ntp keys to syslog.
  • Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser.
  • Fix the comment regarding addserver in ntp.conf (bnc#910063).
  • Remove ntp.1.gz, it wasn't installed anymore.
  • Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest is partially irrelevant, partially redundant and potentially outdated (bsc#942587).
  • Remove 'kod' from the restrict line in ntp.conf (bsc#944300).
  • Use SHA1 instead of MD5 for symmetric keys (bsc#905885).
  • Require perl-Socket6 (bsc#942441).
  • Fix incomplete backporting of 'rcntp ntptimemset'.
References

Affected packages

SUSE:Linux Enterprise Desktop 11 SP4 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p4-5.1

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p4-5.1",
            "ntp": "4.2.8p4-5.1"
        }
    ]
}

SUSE:Linux Enterprise Server 11 SP4 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p4-5.1

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p4-5.1",
            "ntp": "4.2.8p4-5.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 11 SP4 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p4-5.1

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p4-5.1",
            "ntp": "4.2.8p4-5.1"
        }
    ]
}