{"affected":[{"ecosystem_specific":{"binaries":[{"ntp":"4.2.8p8-46.8.1","ntp-doc":"4.2.8p8-46.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Desktop 12","name":"ntp","purl":"pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Desktop%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.2.8p8-46.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"ntp":"4.2.8p8-46.8.1","ntp-doc":"4.2.8p8-46.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server 12","name":"ntp","purl":"pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.2.8p8-46.8.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"ntp":"4.2.8p8-46.8.1","ntp-doc":"4.2.8p8-46.8.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Server for SAP Applications 12","name":"ntp","purl":"pkg:rpm/suse/ntp&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"4.2.8p8-46.8.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"ntp was updated to version 4.2.8p8 to fix 17 security issues.\n\nThese security issues were fixed:\n- CVE-2016-4956: Broadcast interleave (bsc#982068).\n- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).\n- CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).\n- CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n- CVE-2016-4955: Autokey association reset (bsc#982067).\n- CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton key' (bsc#962960).\n- CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452).\n- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated 
(bsc#977455).\n- CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065).\n- CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).\n- CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450).\n- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).\n- CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461).\n- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451).\n\nThis release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.\n\nThese non-security issues were fixed:\n- bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice.\n- bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n- bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service.\n- Separate the creation of ntp.keys and key #1 in it to avoid problems when upgrading installations that have the file, but no key #1, which is needed e.g. 
by 'rcntp addserver'.\n- bsc#957226: Restrict the parser in the startup script to the first occurrence of 'keys' and 'controlkey' in ntp.conf.\n  ","id":"SUSE-SU-2016:1568-1","modified":"2016-06-14T06:45:46Z","published":"2016-06-14T06:45:46Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2016/suse-su-20161568-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/957226"},{"type":"REPORT","url":"https://bugzilla.suse.com/962960"},{"type":"REPORT","url":"https://bugzilla.suse.com/977450"},{"type":"REPORT","url":"https://bugzilla.suse.com/977451"},{"type":"REPORT","url":"https://bugzilla.suse.com/977452"},{"type":"REPORT","url":"https://bugzilla.suse.com/977455"},{"type":"REPORT","url":"https://bugzilla.suse.com/977457"},{"type":"REPORT","url":"https://bugzilla.suse.com/977458"},{"type":"REPORT","url":"https://bugzilla.suse.com/977459"},{"type":"REPORT","url":"https://bugzilla.suse.com/977461"},{"type":"REPORT","url":"https://bugzilla.suse.com/977464"},{"type":"REPORT","url":"https://bugzilla.suse.com/979302"},{"type":"REPORT","url":"https://bugzilla.suse.com/979981"},{"type":"REPORT","url":"https://bugzilla.suse.com/981422"},{"type":"REPORT","url":"https://bugzilla.suse.com/982064"},{"type":"REPORT","url":"https://bugzilla.suse.com/982065"},{"type":"REPORT","url":"https://bugzilla.suse.com/982066"},{"type":"REPORT","url":"https://bugzilla.suse.com/982067"},{"type":"REPORT","url":"https://bugzilla.suse.com/982068"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7704"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7705"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2015-7974"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-1547"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-1548"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-1549"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-1550"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-1551"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2516"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2517"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2518"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-2519"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4953"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4954"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4955"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4956"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2016-4957"}],"related":["CVE-2015-7704","CVE-2015-7705","CVE-2015-7974","CVE-2016-1547","CVE-2016-1548","CVE-2016-1549","CVE-2016-1550","CVE-2016-1551","CVE-2016-2516","CVE-2016-2517","CVE-2016-2518","CVE-2016-2519","CVE-2016-4953","CVE-2016-4954","CVE-2016-4955","CVE-2016-4956","CVE-2016-4957"],"summary":"Security update for ntp","upstream":["CVE-2015-7704","CVE-2015-7705","CVE-2015-7974","CVE-2016-1547","CVE-2016-1548","CVE-2016-1549","CVE-2016-1550","CVE-2016-1551","CVE-2016-2516","CVE-2016-2517","CVE-2016-2518","CVE-2016-2519","CVE-2016-4953","CVE-2016-4954","CVE-2016-4955","CVE-2016-4956","CVE-2016-4957"]}