| Summary: | <net-misc/ntp-4.2.8_p7: multiple vulnerabilities (CVE-2016-{1547,1548,1549,1550,1551,2516,2517,2518,2519}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | base-system |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 584954 | ||
| Bug Blocks: | |||
Arches please test and mark stable =net-misc/ntp-4.2.8_p7 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~m68k-mint

amd64 stable

alpha stable

Stable for HPPA.

Stable for PPC64.

arm stable

x86 stable

ppc stable

sparc stable

ia64 stable. Maintainer(s), please cleanup.

This issue was resolved and addressed in GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15 by GLSA coordinator Aaron Bauman (b-man).
From ${URL} :

April 2016 NTP-4.2.8p7 Security Vulnerability Announcement (Medium)

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016:

- Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
  Reported by Matt Street and others of Cisco ASIG
- Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
  Reported by Matthew Van Gundy of Cisco ASIG
- Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
  Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
  Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
  Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
  Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
- Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
  Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
- Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
  Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
- Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
  Reported by Michael Tatarinov, NTP Project Developer Volunteer
- Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
  Reported by Jonathan Gardner of Cisco ASIG
- Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
  Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
The following issues already listed above are "Mitigation only" and are expected to be fully resolved in an upcoming release.

- NtpBug3012 - Sybil vulnerability: ephemeral association attack - MITIGATION ONLY
- NtpBug2978 - Interleave pivot - MITIGATION ONLY

The following issues were fixed in earlier releases and contain improvements in this p7 release:

- NtpBug2936 - Skeleton Key
- NtpBug2901 - Clients that receive a KoD should validate the origin timestamp field

Timeline:

- 160426: ntp-4.2.8p7 released.
- 160418: pre-release patch availability announced to CERT.
- 160418: CERT notified.
- 160412: pre-release patches sent to authorized NTP Consortium members.
- 160221: CVE numbers requested from Mitre.
- 160219: Initial notification from Qihoo/360. Analysis begins.
- 160214: Advance notification sent to authorized NTP Consortium members.
- 160112: Initial notification from Cisco. Analysis begins.

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.