{"affected":[{"ecosystem_specific":{"binaries":[{"ntp":"4.2.8p6-8.2","ntp-doc":"4.2.8p6-8.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 11 SP4","name":"ntp","purl":"pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.2.8p6-8.2"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"ntp":"4.2.8p6-8.2","ntp-doc":"4.2.8p6-8.2"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 11 SP4","name":"ntp","purl":"pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.2.8p6-8.2"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nThese security issues were fixed:\n- CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n- CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n- CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).\n- CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).\n- CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n- CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).\n- CVE-2015-7975: nextvar() missing length check (bsc#962988).\n- CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).\n- CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).\n- CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n- CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n- CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).\n\nThese non-security issues were fixed:\n- fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n  (--enable-ntp-signd).  This replaces the w32 patches in 4.2.4 that added\n  the authreg directive.\n- bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd.\n  When run as cron job, /usr/sbin/ is not in the path, which caused\n  the synchronization to fail.\n- bsc#782060: Speedup ntpq.\n- bsc#916617: Add /var/db/ntp-kod.\n- bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.\n- bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n- Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.\n- bsc#784760: Remove local clock from default configuration\n","id":"SUSE-SU-2016:1175-1","modified":"2016-04-28T13:46:02Z","published":"2016-04-28T13:46:02Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2016/suse-su-20161175-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/782060"},{"type":"REPORT","url":"https://bugzilla.suse.com/784760"},{"type":"REPORT","url":"https://bugzilla.suse.com/916617"},{"type":"REPORT","url":"https://bugzilla.suse.com/951559"},{"type":"REPORT","url":"https://bugzilla.suse.com/951629"},{"type":"REPORT","url":"https://bugzilla.suse.com/956773"},{"type":"REPORT","url":"https://bugzilla.suse.com/962318"},{"type":"REPORT","url":"https://bugzilla.suse.com/962784"},{"type":"REPORT","url":"https://bugzilla.suse.com/962802"},{"type":"REPORT","url":"https://bugzilla.suse.com/962960"},{"type":"REPORT","url":"https://bugzilla.suse.com/962966"},{"type":"REPORT","url":"https://bugzilla.suse.com/962970"},{"type":"REPORT","url":"https://bugzilla.suse.com/962988"},{"type":"REPORT","url":"https://bugzilla.suse.com/962994"},{"type":"REPORT","url":"https://bugzilla.suse.com/962995"},{"type":"REPORT","url":"https://bugzilla.suse.com/962997"},{"type":"REPORT","url":"https://bugzilla.suse.com/963000"},{"type":"REPORT","url":"https://bugzilla.suse.com/963002"},{"type":"REPORT","url":"https://bugzilla.suse.com/975496"},{"type":"REPORT","url":"https://bugzilla.suse.com/975981"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-5300"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7973"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7974"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7975"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7976"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7977"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7978"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7979"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-8138"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-8139"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-8140"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-8158"}],"related":["CVE-2015-5300","CVE-2015-7973","CVE-2015-7974","CVE-2015-7975","CVE-2015-7976","CVE-2015-7977","CVE-2015-7978","CVE-2015-7979","CVE-2015-8138","CVE-2015-8139","CVE-2015-8140","CVE-2015-8158"],"summary":"Security update for ntp","upstream":["CVE-2015-5300","CVE-2015-7973","CVE-2015-7974","CVE-2015-7975","CVE-2015-7976","CVE-2015-7977","CVE-2015-7978","CVE-2015-7979","CVE-2015-8138","CVE-2015-8139","CVE-2015-8140","CVE-2015-8158"]}