SUSE-SU-2016:1177-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2016/suse-su-20161177-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1177-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2016:1177-1
Related
Published
2016-04-28T13:45:26Z
Modified
2016-04-28T13:45:26Z
Summary
Security update for ntp
Details

ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837)

These security issues were fixed: - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).

These non-security issues were fixed: - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.

References

Affected packages

SUSE:Linux Enterprise Desktop 12 SP1 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p6-8.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}

SUSE:Linux Enterprise Desktop 12 SP1 / yast2-ntp-client

Package

Name
yast2-ntp-client
Purl
pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.22-6.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}

SUSE:Linux Enterprise Software Development Kit 12 SP1 / yast2-ntp-client

Package

Name
yast2-ntp-client
Purl
pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.22-6.2

Ecosystem specific 

{
    "binaries": [
        {
            "yast2-ntp-client-devel-doc": "3.1.22-6.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP1 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p6-8.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}

SUSE:Linux Enterprise Server 12 SP1 / yast2-ntp-client

Package

Name
yast2-ntp-client
Purl
pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.22-6.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP1 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p6-8.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 12 SP1 / yast2-ntp-client

Package

Name
yast2-ntp-client
Purl
pkg:rpm/suse/yast2-ntp-client&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.22-6.2

Ecosystem specific 

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p6-8.2",
            "yast2-ntp-client": "3.1.22-6.2",
            "ntp": "4.2.8p6-8.2"
        }
    ]
}