File _patchinfo of Package patchinfo.2460

Overview Repositories Revisions Requests Users Attributes Meta

File _patchinfo of Package patchinfo.2460

<patchinfo incident="2460">
  <issue id="977464" tracker="bnc">VUL-0: CVE-2016-1550: ntp: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing</issue>
  <issue id="957226" tracker="bnc">NTP does not start after upgrade to Leap 42.1</issue>
  <issue id="977450" tracker="bnc">VUL-0: CVE-2016-1551: ntp: Refclock impersonation vulnerability, AKA: refclock-peering</issue>
  <issue id="977451" tracker="bnc">VUL-0: CVE-2016-1549: ntp: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY</issue>
  <issue id="977452" tracker="bnc">VUL-0: CVE-2016-2516: ntp: Duplicate IPs on unconfig directives will cause an assertion botch</issue>
  <issue id="977461" tracker="bnc">VUL-0: CVE-2016-1548: ntp: Interleave-pivot - MITIGATION ONLY</issue>
  <issue id="977455" tracker="bnc">VUL-0: CVE-2016-2517: ntp: Remote configuration trustedkey/requestkey values are not properly validated</issue>
  <issue id="977457" tracker="bnc">VUL-0: CVE-2016-2518: ntp: Crafted addpeer with hmode &gt; 7 causes array wraparound with MATCH_ASSOC</issue>
  <issue id="977458" tracker="bnc">VUL-0: CVE-2016-2519: ntp: ctl_getitem() return value not always checked</issue>
  <issue id="977459" tracker="bnc">VUL-0: CVE-2016-1547: ntp:  CRYPTO-NAK DoS</issue>
  <issue id="977446" tracker="bnc">VUL-0: ntp: 4.2.8p7 release tracker bug</issue>
  <issue id="CVE-2016-2518" tracker="cve" />
  <issue id="CVE-2016-2519" tracker="cve" />
  <issue id="CVE-2015-7974" tracker="cve" />
  <issue id="CVE-2016-2516" tracker="cve" />
  <issue id="CVE-2016-2517" tracker="cve" />
  <issue id="CVE-2015-7705" tracker="cve" />
  <issue id="CVE-2015-7704" tracker="cve" />
  <issue id="CVE-2016-1547" tracker="cve" />
  <issue id="CVE-2016-1551" tracker="cve" />
  <issue id="CVE-2016-1550" tracker="cve" />
  <issue id="CVE-2016-1548" tracker="cve" />
  <issue id="CVE-2016-1549" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>rmax</packager>
  <description>
This update for ntp to 4.2.8p7 fixes the following issues:

* CVE-2016-1547, bsc#977459:
  Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
* CVE-2016-1548, bsc#977461: Interleave-pivot
* CVE-2016-1549, bsc#977451:
  Sybil vulnerability: ephemeral association attack.
* CVE-2016-1550, bsc#977464: Improve NTP security against buffer
  comparison timing attacks.
* CVE-2016-1551, bsc#977450:
  Refclock impersonation vulnerability
* CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig
  directives will cause an assertion botch in ntpd.
* CVE-2016-2517, bsc#977455: remote configuration trustedkey/
  requestkey/controlkey values are not properly validated.
* CVE-2016-2518, bsc#977457: Crafted addpeer with hmode &gt; 7
  causes array wraparound with MATCH_ASSOC.
* CVE-2016-2519, bsc#977458: ctl_getitem() return value not
  always checked.
* This update also improves the fixes for:
  CVE-2015-7704, CVE-2015-7705, CVE-2015-7974

Bugs fixed:
- Restrict the parser in the startup script to the first
  occurrance of "keys" and "controlkey" in ntp.conf (bsc#957226).
</description>
  <summary>Security update for ntp</summary>
</patchinfo>

Places

File _patchinfo of Package patchinfo.2460

Places