File _patchinfo of Package patchinfo.2460

<patchinfo incident="2460">
  <issue id="977464" tracker="bnc">VUL-0: CVE-2016-1550: ntp: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing</issue>
  <issue id="957226" tracker="bnc">NTP does not start after upgrade to Leap 42.1</issue>
  <issue id="977450" tracker="bnc">VUL-0: CVE-2016-1551: ntp: Refclock impersonation vulnerability, AKA: refclock-peering</issue>
  <issue id="977451" tracker="bnc">VUL-0: CVE-2016-1549: ntp: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY</issue>
  <issue id="977452" tracker="bnc">VUL-0: CVE-2016-2516: ntp: Duplicate IPs on unconfig directives will cause an assertion botch</issue>
  <issue id="977461" tracker="bnc">VUL-0: CVE-2016-1548: ntp: Interleave-pivot - MITIGATION ONLY</issue>
  <issue id="977455" tracker="bnc">VUL-0: CVE-2016-2517: ntp: Remote configuration trustedkey/requestkey values are not properly validated</issue>
  <issue id="977457" tracker="bnc">VUL-0: CVE-2016-2518: ntp: Crafted addpeer with hmode &gt; 7 causes array wraparound with MATCH_ASSOC</issue>
  <issue id="977458" tracker="bnc">VUL-0: CVE-2016-2519: ntp: ctl_getitem() return value not always checked</issue>
  <issue id="977459" tracker="bnc">VUL-0: CVE-2016-1547: ntp:  CRYPTO-NAK DoS</issue>
  <issue id="977446" tracker="bnc">VUL-0: ntp: 4.2.8p7 release tracker bug</issue>
  <issue id="CVE-2016-2518" tracker="cve" />
  <issue id="CVE-2016-2519" tracker="cve" />
  <issue id="CVE-2015-7974" tracker="cve" />
  <issue id="CVE-2016-2516" tracker="cve" />
  <issue id="CVE-2016-2517" tracker="cve" />
  <issue id="CVE-2015-7705" tracker="cve" />
  <issue id="CVE-2015-7704" tracker="cve" />
  <issue id="CVE-2016-1547" tracker="cve" />
  <issue id="CVE-2016-1551" tracker="cve" />
  <issue id="CVE-2016-1550" tracker="cve" />
  <issue id="CVE-2016-1548" tracker="cve" />
  <issue id="CVE-2016-1549" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>rmax</packager>
  <description>
This update for ntp to 4.2.8p7 fixes the following issues:

* CVE-2016-1547, bsc#977459:
  Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
* CVE-2016-1548, bsc#977461: Interleave-pivot
* CVE-2016-1549, bsc#977451:
  Sybil vulnerability: ephemeral association attack.
* CVE-2016-1550, bsc#977464: Improve NTP security against buffer
  comparison timing attacks.
* CVE-2016-1551, bsc#977450:
  Refclock impersonation vulnerability
* CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig
  directives will cause an assertion botch in ntpd.
* CVE-2016-2517, bsc#977455: remote configuration trustedkey/
  requestkey/controlkey values are not properly validated.
* CVE-2016-2518, bsc#977457: Crafted addpeer with hmode &gt; 7
  causes array wraparound with MATCH_ASSOC.
* CVE-2016-2519, bsc#977458: ctl_getitem() return value not
  always checked.
* This update also improves the fixes for:
  CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

Bugs fixed:
- Restrict the parser in the startup script to the first
  occurrence of "keys" and "controlkey" in ntp.conf (bsc#957226).
</description>
  <summary>Security update for ntp</summary>
</patchinfo>