SUSE-SU-2016:1278-1

Source
https://www.suse.com/support/update/announcement/2016/suse-su-20161278-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2016:1278-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2016:1278-1
Related
Published
2016-05-11T12:37:44Z
Modified
2016-05-11T12:37:44Z
Summary
Security update for ntp
Details

This update for ntp to 4.2.8p7 fixes the following issues:

  • CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
  • CVE-2016-1548, bsc#977461: Interleave-pivot
  • CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack.
  • CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks.
  • CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
  • CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
  • CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated.
  • CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
  • CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked.
  • This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

Bugs fixed: - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226).

References

Affected packages

SUSE:Linux Enterprise Server 11 SP4 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p7-11.1

Ecosystem specific

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p7-11.1",
            "ntp": "4.2.8p7-11.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 11 SP4 / ntp

Package

Name
ntp
Purl
pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.2.8p7-11.1

Ecosystem specific

{
    "binaries": [
        {
            "ntp-doc": "4.2.8p7-11.1",
            "ntp": "4.2.8p7-11.1"
        }
    ]
}