Security update for ntp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:3452-1 Final 1 1 2018-10-25T11:31:35Z current 2018-10-25T11:31:35Z 2018-10-25T11:31:35Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ntp NTP was updated to 4.2.8p12 (bsc#1111853): - CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531) - CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424) Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00069.html E-Mail link for openSUSE-SU-2018:3452-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 15.0 ntp-4.2.8p12-lp150.3.3.1 ntp-doc-4.2.8p12-lp150.3.3.1 ntp-4.2.8p12-lp150.3.3.1 as a component of openSUSE Leap 15.0 ntp-doc-4.2.8p12-lp150.3.3.1 as a component of openSUSE Leap 15.0 Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. CVE-2018-12327 openSUSE Leap 15.0:ntp-4.2.8p12-lp150.3.3.1 openSUSE Leap 15.0:ntp-doc-4.2.8p12-lp150.3.3.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00069.html https://www.suse.com/security/cve/CVE-2018-12327.html CVE-2018-12327 https://bugzilla.suse.com/1098531 SUSE Bug 1098531 https://bugzilla.suse.com/1107887 SUSE Bug 1107887 https://bugzilla.suse.com/1111552 SUSE Bug 1111552 https://bugzilla.suse.com/1111853 SUSE Bug 1111853 ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. CVE-2018-7170 openSUSE Leap 15.0:ntp-4.2.8p12-lp150.3.3.1 openSUSE Leap 15.0:ntp-doc-4.2.8p12-lp150.3.3.1 low Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00069.html https://www.suse.com/security/cve/CVE-2018-7170.html CVE-2018-7170 https://bugzilla.suse.com/1082210 SUSE Bug 1082210 https://bugzilla.suse.com/1083424 SUSE Bug 1083424 https://bugzilla.suse.com/1098531 SUSE Bug 1098531