Bug 936327

Summary: ntpd runtime configuration ("start-ntp addserver 192.168.200.1") not working
Product: [openSUSE] openSUSE Tumbleweed Reporter: Stefan Seyfried <seife>
Component: BasesystemAssignee: Reinhard Max <max>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P2 - High CC: chcao, hsk17, lnussel, mpluskal
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:running:62642:low maint:released:oes2015:62656 maint:released:sle10-sp4:62913 maint:released:sle10-sp3:62912
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 946386    

Description Stefan Seyfried 2015-06-28 17:46:44 UTC
runtime configuration of ntpd is not working anymore since this change:

* Tue Apr 07 2015 hsk@imb-jena.de
- update to 4.2.8p2
  * fixes CVE-2015-1798, CVE-2015-1799 (medium-severity
    vulnerabilities involving private key authentication)
  * bug fixes and enhancements
  * New script: update-leap

the result is simply:

susi:~ # start-ntpd addserver 192.168.200.1
sntp 4.2.8p2@1.3265-o Wed Apr 22 00:47:12 UTC 2015 (1)
2015-06-28 19:45:40.016416 (-0100) -0.000095 +/- 0.003526 192.168.200.1 s1 no-leap
localhost: timed out, nothing received
***Request timed out

The server is available and works:
susi:~ # ntpq -p 192.168.200.1
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*GENERIC(0)      .DCFa.           0 l    9   64  377    0.000    1.124   1.304
 LOCAL(0)        .LOCL.           8 l 252m   64    0    0.000    0.000   0.000
+janetzki.eu     46.165.212.205   3 u   54   64  377   72.951  -13.305   6.022
+fb7390.home.s3e 193.224.45.107   3 u   35   64  377    0.361  -15.409   0.252
Comment 1 Stefan Seyfried 2015-06-28 17:53:14 UTC
I just built the version from openSUSE:13.2:Update in home:seife:testing and with that everything works just fine as expected.
Comment 3 Friedrich Haubensak 2015-06-29 13:36:39 UTC
umphhh...  

adding "enable mode7" to /etc/ntp.conf would be a quick solution

ntpd 4.2.8 disabled ntpdc-responses by default...

they claim ntpdc to be utterly deprecated, and ntpq to be able to do everything ntpdc could do - so better rewrite start-ntpd to use ntpq - i tried without success :-(
Comment 4 Ludwig Nussel 2015-08-13 12:36:24 UTC
/usr/sbin/start-ntpd still uses ntpdc

ntp.conf was installed as ntp.conf.rpmnew for me so it was not obvious why adding time servers failed.
Comment 5 Reinhard Max 2015-08-13 15:40:17 UTC
I just figured out how to finally get rid of ntpdc in start-ntpd: "addserver" needs to be replaced by ":config server" when using ntpq.

But unfortunately that would still not make it work out of the box for upgrades, because we currently don't set the "controlkey" command in ntp.conf by default, which is needed for manipulating a running ntpd with ntpq.

We could of course add a post script that uses the ID from an existing requestkey line to create a new controlkey line if one doesn't exist, but I'd rather not muck with the user's/customer's config files.

What do you guys think?
Comment 6 Reinhard Max 2015-08-13 15:58:23 UTC
The changes to start-ntpd and ntp.conf are now in network:time/ntp.
Please test.
Comment 7 Friedrich Haubensak 2015-08-14 09:52:19 UTC
activating controlkey in ntpd.conf and using "ntpq .... :config server" in start-ntpd is what i tried.  then "start-ntpd addserver 0.de.pool.ntp.org" 
outputs e.g.
<pre>
sntp 4.2.8p3@1.3265-o Thu Aug 13 16:01:41 UTC 2015 (1)
2015-08-14 11:47:51.181456 (-0100) +0.425504 +/- 0.315682 0.de.pool.ntp.org 88.198.35.53 s2 no-leap
</pre>
but does not change the list of peers, or, even worse, crashes ntpd, if there were no peers before.  in the latter case, ntpd is back some 10 minutes later, but still without any peers.  i tried again with your package from network:time/ntp, same result.  i tested on 13.2.
Comment 9 Reinhard Max 2015-09-18 11:30:08 UTC
I conformed the crash on SLE12-SP1.
It only seems to happen when the server gets specified by name, when I specify it by IP (v4 or v6) address, it works.
Comment 10 Reinhard Max 2015-11-05 14:20:46 UTC
Fix submitted to Factory.
Comment 11 Swamp Workflow Management 2015-11-20 13:11:41 UTC
SUSE-SU-2015:2058-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 905885,910063,936327,942441,942587,944300,951608
CVE References: CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ntp-4.2.8p4-5.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    ntp-4.2.8p4-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ntp-4.2.8p4-5.1
Comment 14 Swamp Workflow Management 2016-05-06 11:09:13 UTC
SUSE-SU-2016:1247-1: An update that solves 28 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 782060,905885,910063,916617,920238,926510,936327,937837,942587,944300,946386,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    yast2-ntp-client-3.1.12.4-8.2
SUSE Linux Enterprise Server 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-3.1.12.4-8.2
SUSE Linux Enterprise Desktop 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-3.1.12.4-8.2
Comment 15 Swamp Workflow Management 2016-05-17 13:11:10 UTC
SUSE-SU-2016:1311-1: An update that solves 30 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,926510,936327,937837,942441,942587,943216,943218,944300,946386,951351,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5194,CVE-2015-5219,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE OpenStack Cloud 5 (src):    ntp-4.2.8p6-41.1
SUSE Manager Proxy 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Manager 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ntp-4.2.8p6-41.1, yast2-ntp-client-2.17.14.1-1.12.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ntp-4.2.8p6-41.1
Comment 16 Swamp Workflow Management 2016-05-27 13:17:08 UTC
openSUSE-SU-2016:1423-1: An update that fixes 37 vulnerabilities is now available.

Category: security (moderate)
Bug References: 782060,905885,910063,916617,920238,926510,936327,942587,944300,946386,951559,951608,951629,954982,956773,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
Sources used:
openSUSE 13.2 (src):    ntp-4.2.8p7-25.15.1
Comment 17 Swamp Workflow Management 2016-06-14 15:40:41 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-21.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62822
Comment 18 Swamp Workflow Management 2016-07-29 17:11:11 UTC
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    ntp-4.2.8p8-0.7.1