SUSE-SU-2016:1568-1: important: Security update for ntp

sle-security-updates at sle-security-updates at
Tue Jun 14 04:08:32 MDT 2016

   SUSE Security Update: Security update for ntp

Announcement ID:    SUSE-SU-2016:1568-1
Rating:             important
References:         #957226 #962960 #977450 #977451 #977452 #977455 
                    #977457 #977458 #977459 #977461 #977464 #979302 
                    #979981 #981422 #982064 #982065 #982066 #982067 
Cross-References:   CVE-2015-7704 CVE-2015-7705 CVE-2015-7974
                    CVE-2016-1547 CVE-2016-1548 CVE-2016-1549
                    CVE-2016-1550 CVE-2016-1551 CVE-2016-2516
                    CVE-2016-2517 CVE-2016-2518 CVE-2016-2519
                    CVE-2016-4953 CVE-2016-4954 CVE-2016-4955
                    CVE-2016-4956 CVE-2016-4957
Affected Products:
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12

   An update that solves 17 vulnerabilities and has two fixes
   is now available.


   ntp was updated to version 4.2.8p8 to fix 17 security issues.

   These security issues were fixed:
   - CVE-2016-4956: Broadcast interleave (bsc#982068).
   - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound
     with MATCH_ASSOC (bsc#977457).
   - CVE-2016-2519: ctl_getitem() return value not always checked
   - CVE-2016-4954: Processing spoofed server packets (bsc#982066).
   - CVE-2016-4955: Autokey association reset (bsc#982067).
   - CVE-2015-7974: NTP did not verify peer associations of symmetric keys
     when authenticating packets, which might allowed remote attackers to
     conduct impersonation attacks via an arbitrary trusted key, aka a
     "skeleton key (bsc#962960).
   - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
   - CVE-2016-2516: Duplicate IPs on unconfig directives will cause an
     assertion botch (bsc#977452).
   - CVE-2016-2517: Remote configuration trustedkey/requestkey values are not
     properly validated (bsc#977455).
   - CVE-2016-4953: Bad authentication demobilizes ephemeral associations
   - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).
   - CVE-2016-1551: Refclock impersonation vulnerability, AKA:
     refclock-peering (bsc#977450).
   - CVE-2016-1550: Improve NTP security against buffer comparison timing
     attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).
   - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461).
   - CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA:
     ntp-sybil - MITIGATION ONLY (bsc#977451).

   This release also contained improved patches for CVE-2015-7704,
   CVE-2015-7705, CVE-2015-7974.

   These non-security issues were fixed:
   - bsc#979302: Change the process name of the forking DNS worker process to
     avoid the impression that ntpd is started twice.
   - bsc#981422: Don't ignore SIGCHILD because it breaks wait().
   - bsc#979981: ntp-wait does not accept fractional seconds, so use 1
     instead of 0.2 in ntp-wait.service.
   - Separate the creation of ntp.keys and key #1 in it to avoid problems
     when upgrading installations that have the file, but no key #1, which is
     needed e.g. by "rcntp addserver".
   - bsc#957226: Restrict the parser in the startup script to the first
     occurrance of "keys" and "controlkey" in ntp.conf.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2016-933=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):


   - SUSE Linux Enterprise Desktop 12 (x86_64):



More information about the sle-security-updates mailing list