Bug 936327 - ntpd runtime configuration ("start-ntp addserver") not working
ntpd runtime configuration ("start-ntp addserver") not working
Classification: openSUSE
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Basesystem
Other Other
: P2 - High : Normal (vote)
: ---
Assigned To: Reinhard Max
E-mail List
maint:running:62642:low maint:release...
Depends on:
Blocks: 946386
  Show dependency treegraph
Reported: 2015-06-28 17:46 UTC by Stefan Seyfried
Modified: 2016-08-18 15:53 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Seyfried 2015-06-28 17:46:44 UTC
runtime configuration of ntpd is not working anymore since this change:

* Tue Apr 07 2015 hsk@imb-jena.de
- update to 4.2.8p2
  * fixes CVE-2015-1798, CVE-2015-1799 (medium-severity
    vulnerabilities involving private key authentication)
  * bug fixes and enhancements
  * New script: update-leap

the result is simply:

susi:~ # start-ntpd addserver
sntp 4.2.8p2@1.3265-o Wed Apr 22 00:47:12 UTC 2015 (1)
2015-06-28 19:45:40.016416 (-0100) -0.000095 +/- 0.003526 s1 no-leap
localhost: timed out, nothing received
***Request timed out

The server is available and works:
susi:~ # ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
*GENERIC(0)      .DCFa.           0 l    9   64  377    0.000    1.124   1.304
 LOCAL(0)        .LOCL.           8 l 252m   64    0    0.000    0.000   0.000
+janetzki.eu   3 u   54   64  377   72.951  -13.305   6.022
+fb7390.home.s3e   3 u   35   64  377    0.361  -15.409   0.252
Comment 1 Stefan Seyfried 2015-06-28 17:53:14 UTC
I just built the version from openSUSE:13.2:Update in home:seife:testing and with that everything works just fine as expected.
Comment 3 Friedrich Haubensak 2015-06-29 13:36:39 UTC

adding "enable mode7" to /etc/ntp.conf would be a quick solution

ntpd 4.2.8 disabled ntpdc-responses by default...

they claim ntpdc to be utterly deprecated, and ntpq to be able to do everything ntpdc could do - so better rewrite start-ntpd to use ntpq - i tried without success :-(
Comment 4 Ludwig Nussel 2015-08-13 12:36:24 UTC
/usr/sbin/start-ntpd still uses ntpdc

ntp.conf was installed as ntp.conf.rpmnew for me so it was not obvious why adding time servers failed.
Comment 5 Reinhard Max 2015-08-13 15:40:17 UTC
I just figured out how to finally get rid of ntpdc in start-ntpd: "addserver" needs to be replaced by ":config server" when using ntpq.

But unfortunately that would still not make it work out of the box for upgrades, because we currently don't set the "controlkey" command in ntp.conf by default, which is needed for manipulating a running ntpd with ntpq.

We could of course add a post script that uses the ID from an existing requestkey line to create a new controlkey line if one doesn't exist, but I'd rather not muck with the user's/customer's config files.

What do you guys think?
Comment 6 Reinhard Max 2015-08-13 15:58:23 UTC
The changes to start-ntpd and ntp.conf are now in network:time/ntp.
Please test.
Comment 7 Friedrich Haubensak 2015-08-14 09:52:19 UTC
activating controlkey in ntpd.conf and using "ntpq .... :config server" in start-ntpd is what i tried.  then "start-ntpd addserver 0.de.pool.ntp.org" 
outputs e.g.
sntp 4.2.8p3@1.3265-o Thu Aug 13 16:01:41 UTC 2015 (1)
2015-08-14 11:47:51.181456 (-0100) +0.425504 +/- 0.315682 0.de.pool.ntp.org s2 no-leap
but does not change the list of peers, or, even worse, crashes ntpd, if there were no peers before.  in the latter case, ntpd is back some 10 minutes later, but still without any peers.  i tried again with your package from network:time/ntp, same result.  i tested on 13.2.
Comment 9 Reinhard Max 2015-09-18 11:30:08 UTC
I conformed the crash on SLE12-SP1.
It only seems to happen when the server gets specified by name, when I specify it by IP (v4 or v6) address, it works.
Comment 10 Reinhard Max 2015-11-05 14:20:46 UTC
Fix submitted to Factory.
Comment 11 Swamp Workflow Management 2015-11-20 13:11:41 UTC
SUSE-SU-2015:2058-1: An update that fixes 16 vulnerabilities is now available.

Category: security (moderate)
Bug References: 905885,910063,936327,942441,942587,944300,951608
CVE References: CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ntp-4.2.8p4-5.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    ntp-4.2.8p4-5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ntp-4.2.8p4-5.1
Comment 14 Swamp Workflow Management 2016-05-06 11:09:13 UTC
SUSE-SU-2016:1247-1: An update that solves 28 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 782060,905885,910063,916617,920238,926510,936327,937837,942587,944300,946386,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    yast2-ntp-client-
SUSE Linux Enterprise Server 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-
SUSE Linux Enterprise Desktop 12 (src):    ntp-4.2.8p6-46.5.2, yast2-ntp-client-
Comment 15 Swamp Workflow Management 2016-05-17 13:11:10 UTC
SUSE-SU-2016:1311-1: An update that solves 30 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,926510,936327,937837,942441,942587,943216,943218,944300,946386,951351,951559,951608,951629,954982,956773,962318,962784,962802,962960,962966,962970,962988,962994,962995,962997,963000,963002,975496,975981
CVE References: CVE-2015-5194,CVE-2015-5219,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158
Sources used:
SUSE OpenStack Cloud 5 (src):    ntp-4.2.8p6-41.1
SUSE Manager Proxy 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Manager 2.1 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ntp-4.2.8p6-41.1, yast2-ntp-client-
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ntp-4.2.8p6-41.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ntp-4.2.8p6-41.1
Comment 16 Swamp Workflow Management 2016-05-27 13:17:08 UTC
openSUSE-SU-2016:1423-1: An update that fixes 37 vulnerabilities is now available.

Category: security (moderate)
Bug References: 782060,905885,910063,916617,920238,926510,936327,942587,944300,946386,951559,951608,951629,954982,956773,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
Sources used:
openSUSE 13.2 (src):    ntp-4.2.8p7-25.15.1
Comment 17 Swamp Workflow Management 2016-06-14 15:40:41 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-06-21.
When done, reassign the bug to security-team@suse.de.
Comment 18 Swamp Workflow Management 2016-07-29 17:11:11 UTC
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.

Category: security (important)
Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    ntp-4.2.8p8-0.7.1