openSUSE Security Update : ntp (openSUSE-2016-578)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.

Synopsis :

The remote openSUSE host is missing a security update.

Description :

ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes.

These security issues were fixed :

- CVE-2015-8158: Fixed potential infinite loop in ntpq

- CVE-2015-8138: Zero Origin Timestamp Bypass

- CVE-2015-7979: Off-path Denial of Service (DoS) attack
on authenticated broadcast mode (bsc#962784).

- CVE-2015-7978: Stack exhaustion in recursive traversal
of restriction list (bsc#963000).

- CVE-2015-7977: reslist NULL pointer dereference

- CVE-2015-7976: ntpq saveconfig command allows dangerous
characters in filenames (bsc#962802).

- CVE-2015-7975: nextvar() missing length check

- CVE-2015-7974: Skeleton Key: Missing key check allows
impersonation between authenticated peers (bsc#962960).

- CVE-2015-7973: Replay attack on authenticated broadcast
mode (bsc#962995).

- CVE-2015-8140: ntpq vulnerable to replay attacks

- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose
origin (bsc#962997).

- CVE-2015-5300: MITM attacker could have forced ntpd to
make a step larger than the panic threshold

These non-security issues were fixed :

- fate#320758 bsc#975981: Enable compile-time support for
MS-SNTP (--enable-ntp-signd). This replaces the w32
patches in 4.2.4 that added the authreg directive.

- bsc#962318: Call /usr/sbin/sntp with full path to
synchronize in start-ntpd. When run as cron job,
/usr/sbin/ is not in the path, which caused the
synchronization to fail.

- bsc#782060: Speedup ntpq.

- bsc#916617: Add /var/db/ntp-kod.

- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning
that might happen quite a lot on loaded systems.

- bsc#951559,bsc#975496: Fix the TZ offset output of sntp
during DST.

- Add ntp-fork.patch and build with threads disabled to
allow name resolution even when running chrooted.

This update was imported from the SUSE:SLE-12-SP1:Update update

See also :

Solution :

Update the affected ntp packages.

Risk factor :

Medium / CVSS Base Score : 5.8

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now