Bugzilla – Bug 977452
VUL-0: CVE-2016-2516: ntp: Duplicate IPs on unconfig directives will cause an assertion botch
Last modified: 2016-08-18 15:52:28 UTC
+++ This bug was initially created as a clone of Bug #977446 +++

http://support.ntp.org/bin/view/Main/NtpBug3011

NTP Bug 3011
Duplicate IPs on unconfig directives will cause an assertion botch in ntpd

Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
References: Sec 3011 / CVE-2016-2516 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92
CVSS2: MED 6.3 (AV:N/AC:M/Au:S/C:N/I:N/A:C)
CVSS3: MED 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)

Summary: If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and if an existing association is unconfigured using the same IP twice on the unconfig directive line, ntpd will abort.

Mitigation:
  - Implement BCP-38.
  - Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page
  - Properly monitor your ntpd instances

Credit: This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360.
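The "Affects" ranges quoted above can be turned into a triage check. The following is an added example, not part of the original bug report or of the NTP project's code; the function names are hypothetical, and it assumes the input carries an upstream-style version such as `4.2.8p6` (it does not account for distribution backports or release-candidate suffixes).

```python
import re

# Boundaries taken from the advisory text quoted in this bug:
# affected are all ntp-4 releases before 4.2.8p7, and 4.3.0 up to
# (but not including) 4.3.92.
FIXED_STABLE = (4, 2, 8, 7)   # 4.2.8p7
DEV_START = (4, 3, 0, 0)      # 4.3.0
FIXED_DEV = (4, 3, 92, 0)     # 4.3.92

# Matches "4.2.8p7" or "4.3.92"; the lookbehind keeps us from starting
# in the middle of a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, point, patch) from a version or package string."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no ntp version found in %r" % text)
    major, minor, point, patch = match.groups()
    # A release without a "pN" suffix sorts before its first patch level.
    return (int(major), int(minor), int(point), int(patch or 0))


def is_affected_by_cve_2016_2516(text):
    """True if the upstream version falls inside the advisory's ranges."""
    version = parse_ntp_version(text)
    if version[0] != 4:
        return False  # the advisory only covers ntp-4
    in_stable_range = version < FIXED_STABLE
    in_dev_range = DEV_START <= version < FIXED_DEV
    return in_stable_range or in_dev_range


if __name__ == "__main__":
    # Constructed sample inputs: bare versions, an ntpd-style banner,
    # and package names of the form listed in this bug's update notices.
    samples = [
        "4.2.6p5",
        "ntpd 4.2.8p6@1.3265-o",
        "ntp-4.2.8p7-11.1",
        "ntp-4.2.8p8-46.8.1",
        "4.3.91",
        "4.3.92",
    ]
    for sample in samples:
        state = "AFFECTED" if is_affected_by_cve_2016_2516(sample) else "ok"
        print("%-24s %s" % (sample, state))
```
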
bugbot adjusting priority
SUSE-SU-2016:1278-1: An update that fixes 12 vulnerabilities is now available.
  Category: security (important)
  Bug References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
  CVE References: CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
  Sources used:
    SUSE Linux Enterprise Server 11-SP4 (src): ntp-4.2.8p7-11.1
    SUSE Linux Enterprise Debuginfo 11-SP4 (src): ntp-4.2.8p7-11.1
SUSE-SU-2016:1291-1: An update that fixes 12 vulnerabilities is now available.
  Category: security (important)
  Bug References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
  CVE References: CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
  Sources used:
    SUSE Linux Enterprise Server 12-SP1 (src): ntp-4.2.8p7-11.1
    SUSE Linux Enterprise Desktop 12-SP1 (src): ntp-4.2.8p7-11.1
This is an autogenerated message for OBS integration:
This bug (977452) was mentioned in
https://build.opensuse.org/request/show/396591 13.2 / ntp
openSUSE-SU-2016:1329-1: An update that fixes 12 vulnerabilities is now available.
  Category: security (important)
  Bug References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
  CVE References: CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
  Sources used:
    openSUSE Leap 42.1 (src): ntp-4.2.8p7-21.1
openSUSE-SU-2016:1423-1: An update that fixes 37 vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 782060,905885,910063,916617,920238,926510,936327,942587,944300,946386,951559,951608,951629,954982,956773,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
  CVE References: CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8139,CVE-2015-8140,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
  Sources used:
    openSUSE 13.2 (src): ntp-4.2.8p7-25.15.1
SUSE-SU-2016:1471-1: An update that fixes 12 vulnerabilities is now available.
  Category: security (important)
  Bug References: 957226,977446,977450,977451,977452,977455,977457,977458,977459,977461,977464
  CVE References: CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519
  Sources used:
    SUSE OpenStack Cloud 5 (src): ntp-4.2.8p7-44.1
    SUSE Manager Proxy 2.1 (src): ntp-4.2.8p7-44.1
    SUSE Manager 2.1 (src): ntp-4.2.8p7-44.1
    SUSE Linux Enterprise Server 11-SP3-LTSS (src): ntp-4.2.8p7-44.1
    SUSE Linux Enterprise Server 11-SP2-LTSS (src): ntp-4.2.8p7-44.1
    SUSE Linux Enterprise Debuginfo 11-SP3 (src): ntp-4.2.8p7-44.1
    SUSE Linux Enterprise Debuginfo 11-SP2 (src): ntp-4.2.8p7-44.1
SUSE-SU-2016:1568-1: An update that solves 17 vulnerabilities and has two fixes is now available.
  Category: security (important)
  Bug References: 957226,962960,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,979981,981422,982064,982065,982066,982067,982068
  CVE References: CVE-2015-7704,CVE-2015-7705,CVE-2015-7974,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
  Sources used:
    SUSE Linux Enterprise Server 12 (src): ntp-4.2.8p8-46.8.1
    SUSE Linux Enterprise Desktop 12 (src): ntp-4.2.8p8-46.8.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-06-21. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62822
SUSE-SU-2016:1912-1: An update that solves 43 vulnerabilities and has 9 fixes is now available.
  Category: security (important)
  Bug References: 782060,784760,905885,910063,916617,920183,920238,920893,920895,920905,924202,926510,936327,943218,943221,944300,951351,951559,951629,952611,957226,962318,962784,962802,962960,962966,962970,962988,962995,963000,963002,975496,977450,977451,977452,977455,977457,977458,977459,977461,977464,979302,981422,982056,982064,982065,982066,982067,982068,988417,988558,988565
  CVE References: CVE-2015-1798,CVE-2015-1799,CVE-2015-5194,CVE-2015-5300,CVE-2015-7691,CVE-2015-7692,CVE-2015-7701,CVE-2015-7702,CVE-2015-7703,CVE-2015-7704,CVE-2015-7705,CVE-2015-7848,CVE-2015-7849,CVE-2015-7850,CVE-2015-7851,CVE-2015-7852,CVE-2015-7853,CVE-2015-7854,CVE-2015-7855,CVE-2015-7871,CVE-2015-7973,CVE-2015-7974,CVE-2015-7975,CVE-2015-7976,CVE-2015-7977,CVE-2015-7978,CVE-2015-7979,CVE-2015-8138,CVE-2015-8158,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518,CVE-2016-2519,CVE-2016-4953,CVE-2016-4954,CVE-2016-4955,CVE-2016-4956,CVE-2016-4957
  Sources used:
    SUSE Linux Enterprise Server 10 SP4 LTSS (src): ntp-4.2.8p8-0.7.1
all released