Overview

File _patchinfo of Package patchinfo.2702

<patchinfo incident="2702">
  <issue id="957226" tracker="bnc">NTP does not start after upgrade to Leap 42.1</issue>
  <issue id="962960" tracker="bnc">VUL-1: CVE-2015-7974: ntp,xntp: Missing key check allows impersonation between authenticated peers</issue>
  <issue id="977450" tracker="bnc">VUL-0: CVE-2016-1551: ntp: Refclock impersonation vulnerability, AKA: refclock-peering</issue>
  <issue id="977451" tracker="bnc">VUL-0: CVE-2016-1549: ntp: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY</issue>
  <issue id="977452" tracker="bnc">VUL-0: CVE-2016-2516: ntp: Duplicate IPs on unconfig directives will cause an assertion botch</issue>
  <issue id="977455" tracker="bnc">VUL-0: CVE-2016-2517: ntp: Remote configuration trustedkey/requestkey values are not properly validated</issue>
  <issue id="977457" tracker="bnc">VUL-0: CVE-2016-2518: ntp: Crafted addpeer with hmode &gt; 7 causes array wraparound with MATCH_ASSOC</issue>
  <issue id="977458" tracker="bnc">VUL-0: CVE-2016-2519: ntp: ctl_getitem() return value not always checked</issue>
  <issue id="977459" tracker="bnc">VUL-0: CVE-2016-1547: ntp:  CRYPTO-NAK DoS</issue>
  <issue id="977461" tracker="bnc">VUL-0: CVE-2016-1548: ntp: Interleave-pivot - MITIGATION ONLY</issue>
  <issue id="977464" tracker="bnc">VUL-0: CVE-2016-1550: ntp: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing</issue>
  <issue id="979302" tracker="bnc">SInce ntp-4.2.8p6-8.2 for SLES11SP4 ntp daemon run's twice</issue>
  <issue id="979981" tracker="bnc">network:time/ntp: Bug in ntp-wait.service</issue>
  <issue id="981422" tracker="bnc">sntp always reports error waiting on child [number]: No child processes</issue>
  <issue id="982064" tracker="bnc">VUL-0: CVE-2016-4957: ntp: CRYPTO_NAK crash</issue>
  <issue id="982065" tracker="bnc">VUL-0: CVE-2016-4953: ntp: Bad authentication demobilizes ephemeral associations</issue>
  <issue id="982066" tracker="bnc">VUL-0: CVE-2016-4954: ntp: Processing spoofed server packets</issue>
  <issue id="982067" tracker="bnc">VUL-0: CVE-2016-4955: ntp: Autokey association reset</issue>
  <issue id="982068" tracker="bnc">VUL-0: CVE-2016-4956: ntp: Broadcast interleave</issue>
  <issue id="CVE-2015-7704" tracker="cve" />
  <issue id="CVE-2015-7705" tracker="cve" />
  <issue id="CVE-2015-7974" tracker="cve" />
  <issue id="CVE-2016-1547" tracker="cve" />
  <issue id="CVE-2016-1548" tracker="cve" />
  <issue id="CVE-2016-1549" tracker="cve" />
  <issue id="CVE-2016-1550" tracker="cve" />
  <issue id="CVE-2016-1551" tracker="cve" />
  <issue id="CVE-2016-2516" tracker="cve" />
  <issue id="CVE-2016-2517" tracker="cve" />
  <issue id="CVE-2016-2518" tracker="cve" />
  <issue id="CVE-2016-2519" tracker="cve" />
  <issue id="CVE-2016-4953" tracker="cve" />
  <issue id="CVE-2016-4954" tracker="cve" />
  <issue id="CVE-2016-4955" tracker="cve" />
  <issue id="CVE-2016-4956" tracker="cve" />
  <issue id="CVE-2016-4957" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>rmax</packager>
  <description>ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed:
- CVE-2016-4956: Broadcast interleave (bsc#982068).
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).
- CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).
- CVE-2016-4954: Processing spoofed server packets (bsc#982066).
- CVE-2016-4955: Autokey association reset (bsc#982067).
- CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key (bsc#962960).
- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452).
- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated (bsc#977455).
- CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065).
- CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).
- CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450).
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).
- CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461).
- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451).

This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.

These non-security issues were fixed:
- bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.
- bsc#981422: Don't ignore SIGCHILD because it breaks wait().
- bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service.
- Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. by "rcntp addserver".
- bsc#957226: Restrict the parser in the startup script to the first occurrance of "keys" and "controlkey" in ntp.conf.
  </description>
  <summary>Security update for ntp</summary>
</patchinfo>
openSUSE Build Service is sponsored by
Places