Login
Login-Name Passwort


 
Newsletter
Werbung

Sicherheit: Mehrere Probleme in NTP
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in NTP
ID: SUSE-SU-2016:1175-1
Distribution: SUSE
Plattformen: SUSE Linux Enterprise Server 11-SP4, SUSE Linux Enterprise Debuginfo 11-SP4
Datum: Do, 28. April 2016, 22:58
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975

Originalnachricht

   SUSE Security Update: Security update for ntp
______________________________________________________________________________

Announcement ID: SUSE-SU-2016:1175-1
Rating: important
References: #782060 #784760 #916617 #951559 #951629 #956773
#962318 #962784 #962802 #962960 #962966 #962970
#962988 #962994 #962995 #962997 #963000 #963002
#975496 #975981
Cross-References: CVE-2015-5300 CVE-2015-7973 CVE-2015-7974
CVE-2015-7975 CVE-2015-7976 CVE-2015-7977
CVE-2015-7978 CVE-2015-7979 CVE-2015-8138
CVE-2015-8139 CVE-2015-8140 CVE-2015-8158

Affected Products:
SUSE Linux Enterprise Server 11-SP4
SUSE Linux Enterprise Debuginfo 11-SP4
______________________________________________________________________________

An update that solves 12 vulnerabilities and has 8 fixes is
now available.

Description:

ntp was updated to version 4.2.8p6 to fix 12 security issues.

These security issues were fixed:
- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated
broadcast mode (bsc#962784).
- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction
list (bsc#963000).
- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
filenames (bsc#962802).
- CVE-2015-7975: nextvar() missing length check (bsc#962988).
- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation
between authenticated peers (bsc#962960).
- CVE-2015-7973: Replay attack on authenticated broadcast mode
(bsc#962995).
- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
- CVE-2015-5300: MITM attacker could have forced ntpd to make a step
larger than the panic threshold (bsc#951629).

These non-security issues were fixed:
- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
(--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added
the authreg directive.
- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which
caused the synchronization to fail.
- bsc#782060: Speedup ntpq.
- bsc#916617: Add /var/db/ntp-kod.
- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen
quite a lot on loaded systems.
- bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
- Add ntp-fork.patch and build with threads disabled to allow name
resolution even when running chrooted.
- bsc#784760: Remove local clock from default configuration


Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- SUSE Linux Enterprise Server 11-SP4:

zypper in -t patch slessp4-ntp-12533=1

- SUSE Linux Enterprise Debuginfo 11-SP4:

zypper in -t patch dbgsp4-ntp-12533=1

To bring your system up-to-date, use "zypper patch".


Package List:

- SUSE Linux Enterprise Server 11-SP4 (i586 ia64 ppc64 s390x x86_64):

ntp-4.2.8p6-8.2
ntp-doc-4.2.8p6-8.2

- SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64):

ntp-debuginfo-4.2.8p6-8.2
ntp-debugsource-4.2.8p6-8.2


References:

https://www.suse.com/security/cve/CVE-2015-5300.html
https://www.suse.com/security/cve/CVE-2015-7973.html
https://www.suse.com/security/cve/CVE-2015-7974.html
https://www.suse.com/security/cve/CVE-2015-7975.html
https://www.suse.com/security/cve/CVE-2015-7976.html
https://www.suse.com/security/cve/CVE-2015-7977.html
https://www.suse.com/security/cve/CVE-2015-7978.html
https://www.suse.com/security/cve/CVE-2015-7979.html
https://www.suse.com/security/cve/CVE-2015-8138.html
https://www.suse.com/security/cve/CVE-2015-8139.html
https://www.suse.com/security/cve/CVE-2015-8140.html
https://www.suse.com/security/cve/CVE-2015-8158.html
https://bugzilla.suse.com/782060
https://bugzilla.suse.com/784760
https://bugzilla.suse.com/916617
https://bugzilla.suse.com/951559
https://bugzilla.suse.com/951629
https://bugzilla.suse.com/956773
https://bugzilla.suse.com/962318
https://bugzilla.suse.com/962784
https://bugzilla.suse.com/962802
https://bugzilla.suse.com/962960
https://bugzilla.suse.com/962966
https://bugzilla.suse.com/962970
https://bugzilla.suse.com/962988
https://bugzilla.suse.com/962994
https://bugzilla.suse.com/962995
https://bugzilla.suse.com/962997
https://bugzilla.suse.com/963000
https://bugzilla.suse.com/963002
https://bugzilla.suse.com/975496
https://bugzilla.suse.com/975981

--
To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security-announce+help@opensuse.org
Pro-Linux
Traut euch!
Neue Nachrichten
Werbung