Login
Newsletter
Werbung
Sicherheit: Mehrere Probleme in NTP
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in NTP
ID: USN-3349-1
Distribution: Ubuntu
Plattformen: Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 16.10, Ubuntu 17.04
Datum: Mi, 5. Juli 2017, 22:44
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6460
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6463
Applikationen: NTP

Originalnachricht

 
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7607822938027416938==
Content-Type: multipart/signed; micalg=pgp-sha512;
 protocol="application/pgp-signature";
 boundary="IenuuMmWw3MqE4Ec7pKVqnnUKcIOvB6m0"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--IenuuMmWw3MqE4Ec7pKVqnnUKcIOvB6m0
Content-Type: multipart/mixed;
 boundary="j3FjMtcFEWRh2i217ud53weAGMp9n0qsQ";
 protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
 <ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <35fc1afc-24f4-bd9f-c48c-2420352fcef3@canonical.com>
Subject: [USN-3349-1] NTP vulnerabilities

--j3FjMtcFEWRh2i217ud53weAGMp9n0qsQ
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-3349-1
July 05, 2017

ntp vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in NTP.

Software Description:
- ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. This issue only affected Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)

Miroslav Lichvar discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to perform a denial of
service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and
Ubuntu 16.10. (CVE-2016-7429)

Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly
handled origin timestamps of zero. A remote attacker could possibly use
this issue to bypass the origin timestamp protection mechanism. This issue
only affected Ubuntu 16.10. (CVE-2016-7431)

Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP
incorrectly performed initial sync calculations. This issue only applied
to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)

Magnus Stubman discovered that NTP incorrectly handled certain mrulist
queries. A remote attacker could possibly use this issue to cause NTP to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)

Matthew Van Gund discovered that NTP incorrectly handled origin timestamp
checks. A remote attacker could possibly use this issue to perform a denial
of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04.
(CVE-2016-9042)

Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or unset traps.
This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
16.10. (CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service.
A remote attacker could possibly use this issue to cause NTP to crash,
resulting in a denial of service. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)

It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. (CVE-2017-6458)

It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. This issue only
applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460)

It was discovered that the NTP legacy DPTS refclock driver incorrectly
handled the /dev/datum device. A local attacker could possibly use this
issue to cause a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings
in a :config directive. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6463)

It was discovered that NTP incorrectly handled certain invalid mode
configuration directives. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6464)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  ntp                             1:4.2.8p9+dfsg-2ubuntu1.1

Ubuntu 16.10:
  ntp                             1:4.2.8p8+dfsg-1ubuntu2.1

Ubuntu 16.04 LTS:
  ntp                             1:4.2.8p4+dfsg-3ubuntu5.5

Ubuntu 14.04 LTS:
  ntp                             1:4.2.6.p5+dfsg-3ubuntu2.14.04.11

In general, a standard system update will make all the necessary changes.

References:
  https://www.ubuntu.com/usn/usn-3349-1
  CVE-2016-2519, CVE-2016-7426, CVE-2016-7427, CVE-2016-7428,
  CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434,
  CVE-2016-9042, CVE-2016-9310, CVE-2016-9311, CVE-2017-6458,
  CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464

Package Information:
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p9+dfsg-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p8+dfsg-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.5
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.11



--j3FjMtcFEWRh2i217ud53weAGMp9n0qsQ--

--IenuuMmWw3MqE4Ec7pKVqnnUKcIOvB6m0
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJZXTfiAAoJEGVp2FWnRL6T8lUP/jfxdoiceRYCTXUyyJLJ1P2P
zHB4PLh/nq2ZE2KzXOcv5nWXoGqSMBgIYNqS+ycb1KXV04Tw+YO/nkMNVaAYbVQX
CXqipTbPyEsP3dHhj//+/ea93jVSBAtD2ibMmKyj/pjWukr7LU6zJHYC2UUlBG0/
AtlmK1mOmWHLt5By17ekWaDz1qHgHYOieEFAPaAD249CFvnlB6asAvbA7VK79dvL
uPBHmoRdIzqEYskGceU/AgE1s/YtkSXqPlNsH59EyQ4UOiQm6xO1MiY98aV7YBZf
hEh8YD4rD+qvR8P7aSH6H2TBA5kHrv0O+H6iWe04kgRv8ugzb2pl/mH4SMb8eITy
iL71AuRoAfnUGWIXGRLBxFpLHJ9ryOFMcwPQp5GUusHkCpSE5E6yw+TOWZJZzkE/
AuQ89qjNdkjgs8cpXPvDzrcZ2xbjQI1y4vAD4CGr+KtOS7zGPnwquQn5k54lGsQo
qxZ26SN1v6LCgo1HVQzhAo8goFasFPbP54D/e95y/yFhLsj3mslMN9FQM6AmK13h
Hs2LoceUPK+ecoTaXgkStGgRKEMX383cp+CbUIUMYjjuW4+NEpTBLPG43FHDqtIB
WWxsGbUZNtTUqbn9TRyNJOJgVT9n0HZpeZBK+EplcZksXjEDa5Hpr+mWHIOEufwc
VaJviJp+1FqSkOTlhF6U
=0Q0Y
-----END PGP SIGNATURE-----

--IenuuMmWw3MqE4Ec7pKVqnnUKcIOvB6m0--


--===============7607822938027416938==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
ubuntu-security-announce mailing list
ubuntu-security-announce@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce

--===============7607822938027416938==--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten

141
Mach­t's gut!

51
Neue Raspber­ry Pi-Va­ri­an­te mit 8 GB RAM

0
Genode 20.05 frei­ge­ge­ben

9
Sub­ver­si­on 1.14.0-LTS vor­ge­stellt

0
»Hum­ble Ci­ties: Sky­lines Bund­le« vor­ge­stellt

0
End of Life für Co­reOS Con­tai­ner Linux ver­kün­det

32
Elek­tra 0.9.2 er­schie­nen

8
Nex­tDNS ver­lässt die Be­ta-Pha­se

23
Tu­xe­do stellt Ga­mer-Note­book vor

0
Libre Gra­phics Mee­ting be­ginnt als On­li­ne-Va­ri­an­te
 
Werbung