File _patchinfo of Package patchinfo.388
<patchinfo incident="388">
<issue id="910764" tracker="bnc">L3: VUL-0: CVE-2014-9295: ntp: VU#852879: remote buffer overflow and weak cryptography</issue>
<issue id="911792" tracker="bnc">VUL-0: CVE-2014-9297, CVE-2014-9298: ntpd: insufficient patches for crypto_recv()</issue>
<issue id="CVE-2014-9297" tracker="cve" />
<issue id="CVE-2014-9294" tracker="cve" />
<issue id="CVE-2014-9293" tracker="cve" />
<issue id="CVE-2014-9298" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>rmax</packager>
<description>ntp was updated to fix four security issues.
These security issues were fixed:
- CVE-2014-9294: util/ntp-keygen.c in ntp-keygen used a weak RNG seed, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764, bnc#911792).
- CVE-2014-9293: The config_auth function in ntpd, when an auth key was not configured, improperly generated a key, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764, bnc#911792).
- CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses could be bypassed (bnc#911792).
- CVE-2014-9297: Information leak by not properly checking a length in several places in ntp_crypto.c (bnc#911792).
</description>
<summary>Security update for ntp</summary>
</patchinfo>