Security update for ntp SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0775-1 Final 1 1 2015-04-20T13:55:43Z current 2015-04-20T13:55:43Z 2015-04-20T13:55:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for ntp NTP was updated to fix two security vulnerabilities: * ntpd could accept unauthenticated packets with symmetric key crypto. (CVE-2015-1798) * ntpd authentication did not protect symmetric associations against DoS attacks (CVE-2015-1799) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-04/msg00052.html E-Mail link for openSUSE-SU-2015:0775-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings ntp-4.2.6p5-15.16.1 ntp-doc-4.2.6p5-15.16.1 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. CVE-2015-1798 important 4 AV:N/AC:L/Au:S/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00052.html https://www.suse.com/security/cve/CVE-2015-1798.html CVE-2015-1798 https://bugzilla.suse.com/924202 SUSE Bug 924202 https://bugzilla.suse.com/927497 SUSE Bug 927497 https://bugzilla.suse.com/928321 SUSE Bug 928321 https://bugzilla.suse.com/957163 SUSE Bug 957163 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. CVE-2015-1799 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-04/msg00052.html https://www.suse.com/security/cve/CVE-2015-1799.html CVE-2015-1799 https://bugzilla.suse.com/924202 SUSE Bug 924202 https://bugzilla.suse.com/927497 SUSE Bug 927497 https://bugzilla.suse.com/928321 SUSE Bug 928321 https://bugzilla.suse.com/943565 SUSE Bug 943565 https://bugzilla.suse.com/957163 SUSE Bug 957163 https://bugzilla.suse.com/959243 SUSE Bug 959243