You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa ntp

Sigurnosni nedostaci programskog paketa ntp

  • Detalji os-a: WN7
  • Važnost: IMP
  • Operativni sustavi: L
  • Kategorije: LSU

SUSE Security Update: Security update for ntp

Announcement ID: SUSE-SU-2016:1568-1
Rating: important
References: #957226 #962960 #977450 #977451 #977452 #977455
#977457 #977458 #977459 #977461 #977464 #979302
#979981 #981422 #982064 #982065 #982066 #982067
Cross-References: CVE-2015-7704 CVE-2015-7705 CVE-2015-7974
CVE-2016-1547 CVE-2016-1548 CVE-2016-1549
CVE-2016-1550 CVE-2016-1551 CVE-2016-2516
CVE-2016-2517 CVE-2016-2518 CVE-2016-2519
CVE-2016-4953 CVE-2016-4954 CVE-2016-4955
CVE-2016-4956 CVE-2016-4957
Affected Products:
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Desktop 12

An update that solves 17 vulnerabilities and has two fixes
is now available.


ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed:
– CVE-2016-4956: Broadcast interleave (bsc#982068).
– CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound
with MATCH_ASSOC (bsc#977457).
– CVE-2016-2519: ctl_getitem() return value not always checked
– CVE-2016-4954: Processing spoofed server packets (bsc#982066).
– CVE-2016-4955: Autokey association reset (bsc#982067).
– CVE-2015-7974: NTP did not verify peer associations of symmetric keys
when authenticating packets, which might allowed remote attackers to
conduct impersonation attacks via an arbitrary trusted key, aka a
“skeleton key (bsc#962960).
– CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
– CVE-2016-2516: Duplicate IPs on unconfig directives will cause an
assertion botch (bsc#977452).
– CVE-2016-2517: Remote configuration trustedkey/requestkey values are not
properly validated (bsc#977455).
– CVE-2016-4953: Bad authentication demobilizes ephemeral associations
– CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).
– CVE-2016-1551: Refclock impersonation vulnerability, AKA:
refclock-peering (bsc#977450).
– CVE-2016-1550: Improve NTP security against buffer comparison timing
attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464).
– CVE-2016-1548: Interleave-pivot – MITIGATION ONLY (bsc#977461).
– CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA:
ntp-sybil – MITIGATION ONLY (bsc#977451).

This release also contained improved patches for CVE-2015-7704,
CVE-2015-7705, CVE-2015-7974.

These non-security issues were fixed:
– bsc#979302: Change the process name of the forking DNS worker process to
avoid the impression that ntpd is started twice.
– bsc#981422: Don’t ignore SIGCHILD because it breaks wait().
– bsc#979981: ntp-wait does not accept fractional seconds, so use 1
instead of 0.2 in ntp-wait.service.
– Separate the creation of ntp.keys and key #1 in it to avoid problems
when upgrading installations that have the file, but no key #1, which is
needed e.g. by “rcntp addserver”.
– bsc#957226: Restrict the parser in the startup script to the first
occurrance of “keys” and “controlkey” in ntp.conf.

Patch Instructions:

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

– SUSE Linux Enterprise Server 12:

zypper in -t patch SUSE-SLE-SERVER-12-2016-933=1

– SUSE Linux Enterprise Desktop 12:

zypper in -t patch SUSE-SLE-DESKTOP-12-2016-933=1

To bring your system up-to-date, use “zypper patch”.

Package List:

– SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):


– SUSE Linux Enterprise Desktop 12 (x86_64):



To unsubscribe, e-mail:
For additional commands, e-mail:

AutorMarko Stanec
Cert idNCERT-REF-2016-06-0056-ADV
More in Preporuke
Sigurnosni nedostaci programskog paketa nodejs

Otkriveni su sigurnosni nedostaci u programskom paketu nodejs za operacijski sustav Suse. Otkriveni nedostaci potencijalnim napadačima omogućuju otkrivanje osjetljivih informacija,...