You are here
Home > Preporuke > Ranjivosti programskog paketa ntp

Ranjivosti programskog paketa ntp

  • Detalji os-a: LSU
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

openSUSE Security Update: Security update for ntp

Announcement ID: openSUSE-SU-2016:1292-1
Rating: important
References: #782060 #916617 #937837 #951559 #951629 #956773
#962318 #962784 #962802 #962960 #962966 #962970
#962988 #962994 #962995 #962997 #963000 #963002
#975496 #975981
Cross-References: CVE-2015-5300 CVE-2015-7973 CVE-2015-7974
CVE-2015-7975 CVE-2015-7976 CVE-2015-7977
CVE-2015-7978 CVE-2015-7979 CVE-2015-8138
CVE-2015-8139 CVE-2015-8140 CVE-2015-8158

Affected Products:
openSUSE Leap 42.1

An update that solves 12 vulnerabilities and has 8 fixes is
now available.


ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes.

These security issues were fixed:
– CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
– CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
– CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated
broadcast mode (bsc#962784).
– CVE-2015-7978: Stack exhaustion in recursive traversal of restriction
list (bsc#963000).
– CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
– CVE-2015-7976: ntpq saveconfig command allows dangerous characters in
filenames (bsc#962802).
– CVE-2015-7975: nextvar() missing length check (bsc#962988).
– CVE-2015-7974: Skeleton Key: Missing key check allows impersonation
between authenticated peers (bsc#962960).
– CVE-2015-7973: Replay attack on authenticated broadcast mode
– CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
– CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
– CVE-2015-5300: MITM attacker could have forced ntpd to make a step
larger than the panic threshold (bsc#951629).

These non-security issues were fixed:
– fate#320758 bsc#975981: Enable compile-time support for MS-SNTP
(–enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added
the authreg directive.
– bsc#962318: Call /usr/sbin/sntp with full path to synchronize in
start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which
caused the synchronization to fail.
– bsc#782060: Speedup ntpq.
– bsc#916617: Add /var/db/ntp-kod.
– bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen
quite a lot on loaded systems.
– bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.
– Add ntp-fork.patch and build with threads disabled to allow name
resolution even when running chrooted.

This update was imported from the SUSE:SLE-12-SP1:Update update project.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– openSUSE Leap 42.1:

zypper in -t patch openSUSE-2016-578=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– openSUSE Leap 42.1 (i586 x86_64):


– openSUSE Leap 42.1 (noarch):



To unsubscribe, e-mail:
For additional commands, e-mail:

AutorTomislav Protega
Cert idNCERT-REF-2016-05-0007-ADV
CveCVE-2015-5300 CVE-2015-7973 CVE-2015-7974 CVE-2015-7975 CVE-2015-7976 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 CVE-2015-8138 CVE-2015-8139 CVE-2015-8140 CVE-2015-8158
ID izvornikaopenSUSE-SU-2016:1292-1
ProizvodSecurity update for ntp
More in Preporuke
Ranjivosti programskog paketa ntp

Otkriveno je nekoliko ranjivosti u programskom paketu ntp za SUSE LE. Ranjivosti zahvaćaju razne komponente, a ovisno o tipu ranjivosti,...