Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 581528 (CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519) - <net-misc/ntp-4.2.8_p7: multiple vulnerabilities (CVE-2016-{1547,1548,1549,1550,1551,2516,2517,2518,2519})
Summary: <net-misc/ntp-4.2.8_p7: multiple vulnerabilities (CVE-2016-{1547,1548,1549,15...
Status: RESOLVED FIXED
Alias: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: http://support.ntp.org/bin/view/Main/...
Whiteboard: A2 [glsa]
Keywords:
Depends on: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Blocks:
  Show dependency tree
 
Reported: 2016-04-29 11:34 UTC by Agostino Sarubbo
Modified: 2016-07-20 11:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-29 11:34:46 UTC
From ${URL} :

April 2016 NTP-4.2.8p7 Security Vulnerability Announcement (Medium)
NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016:
Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
Reported by Matt Street and others of Cisco ASIG
Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
Reported by Matthew Van Gundy of Cisco ASIG
Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
Reported by Michael Tatarinov, NTP Project Developer Volunteer
Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
Reported by Jonathan Gardner of Cisco ASIG
Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
The following issues already listed above are "Mitigation only" and are expected to be fully resolved in an upcoming release.
NtpBug3012 - Sybil vulnerability: ephemeral association attack - MITIGATION ONLY
NtpBug2978 - Interleave pivot - MITIGATION ONLY
The following issues were fixed in earlier releases and contain improvements in this p7 release:
NtpBug2936 - Skeleton Key
NtpBug2901 - Clients that receive a KoD should validate the origin timestamp field
Timeline:
160426: ntp-4.2.8p7 released.
160418: pre-release patch availability announced to CERT.
160418: CERT notified.
160412: pre-release patches sent to authorized NTP Consortium members.
160221: CVE numbers requested from Mitre.
160219: Initial notification from Qihoo/360. Analysis begins.
160214: Advance notification sent to authorized NTP Consortium members.
160112: Initial notification from Cisco. Analysis begins.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2016-04-29 11:43:59 UTC
Arches please test and mark stable =net-misc/ntp-4.2.8_p7 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~ia64-linux ~x86-linux ~m68k-mint
Comment 2 Agostino Sarubbo gentoo-dev 2016-04-29 13:01:35 UTC
amd64 stable
Comment 3 Matt Turner gentoo-dev 2016-05-02 03:33:30 UTC
alpha stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-02 08:09:19 UTC
Stable for HPPA.
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-02 09:02:14 UTC
Stable for PPC64.
Comment 6 Markus Meier gentoo-dev 2016-05-12 17:19:33 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-06-27 08:50:15 UTC
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-07-08 07:57:09 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 10:05:41 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 12:05:03 UTC
ia64 stable.

Maintainer(s), please cleanup.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-07-20 11:53:50 UTC
This issue was resolved and addressed in
 GLSA 201607-15 at https://security.gentoo.org/glsa/201607-15
by GLSA coordinator Aaron Bauman (b-man).