Upstream has issued an advisory on April 26: http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security For now, two of the CVEs (CVE-2016-154[89]) have only been mitigated, but they plan to fix them later. According to Fedora, CVE-2016-1547 was previously fixed by the CVE-2015-7979 patch. I've synced fixes from Fedora in SVN, but they only list CVE-2016-1548 (?), CVE-2016-2516, CVE-2016-2518, and CVE-2016-1550 in their changelog. I haven't checked their bugzilla yet to try to determine the status of the other CVEs.
Whiteboard: (none) => MGA5TOO
Assigning to all packagers collectively, since there is no maintainer for this package, and because David Walser didn't assign this bug to himself when he committed some of the fixes.
CC: (none) => makowski.mageia, marja11
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this on May 10: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IFPKQDCJCLLEPK5D5RBOGCBNDW5TNIBM/
Seems then that we just need to push builds and create advisory but unfortunately, it doesn't build:

crypto.o: In function `auth_md5':
/home/philippe/rpmbuild/BUILD/ntp-4.2.6p5/sntp/crypto.c:61: undefined reference to `CRYPTO_memcmp'
collect2: error: ld returned 1 exit status
(In reply to Philippe Makowski from comment #3)
> Seems then that we just need to push builds
> and create advisory

Well, we also need to check the status of the CVEs from the NTP advisory that aren't explicitly listed in Fedora's changelog.
(In reply to David Walser from comment #4)
> (In reply to Philippe Makowski from comment #3)
> > Seems then that we just need to push builds
> > and create advisory
>
> Well, we also need to check the status of the CVEs from the NTP advisory
> that aren't explicitly listed in Fedora's changelog.

Fedora:

* Mon May 02 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-40
- don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548)
- don't crash on duplicate address in unconfig command (CVE-2016-2516)
- check mode of new source in config command (CVE-2016-2518)
- make MAC check resilient against timing attack (CVE-2016-1550)

* Thu Jan 21 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-36
- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)
- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)
- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)
- check key ID in packets authenticated with symmetric key (CVE-2015-7974)
- don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547)

ntp:

- Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
- Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
- Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
- Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
- Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
- Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
- Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
- Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
- Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
- Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing

Missing in Fedora: CVE-2016-1551, CVE-2016-2517
Missing in Mageia: CVE-2016-1547, CVE-2016-1551, CVE-2016-2517
(In reply to Philippe Makowski from comment #5)
> Missing in Fedora CVE-2016-1551,CVE-2016-2517

Also missing CVE-2016-2519 and CVE-2015-7704.

> Missing in Mageia

would be exactly the same as Fedora as I synced their fixes. See the note about CVE-2016-1547 in Comment 0.
CVE-2016-2517 and CVE-2016-2519 are mitigated in our default configuration by:

restrict default nomodify notrap nopeer noquery

CVE-2015-7704 was fixed previously, but the fix caused a regression, which is why it's listed again in the latest ntp advisory. CVE-2016-1551 doesn't affect Linux operating systems. So, indeed, we can ship this update if we can get it to build.
(In reply to Philippe Makowski from comment #3)
> Seems then that we just need to push builds
> and create advisory
> but unfortunately, it don't build :
>
> crypto.o: In function `auth_md5':
> /home/philippe/rpmbuild/BUILD/ntp-4.2.6p5/sntp/crypto.c:61: undefined
> reference to `CRYPTO_memcmp'
> collect2: error: ld returned 1 exit status

That's nonsense. CRYPTO_memcmp is in libcrypto from openssl, which should be pulled in by the linker from this in sntp/Makefile.am:

LDADD = $(LIBOPTS_LDADD) $(LIBM) ../libntp/libntp.a @LCRYPTO@
Ahh, LCRYPTO wasn't getting defined on x86_64 because it wasn't looking for libcrypto.so in /usr/lib64. Hopefully it builds this time.
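The undefined CRYPTO_memcmp symbol is the OpenSSL constant-time comparison that the CVE-2016-1550 fix uses in sntp's auth_md5, replacing a byte-by-byte comparison that returns at the first mismatch. The following is an added illustration, not ntp's code or the Fedora patch: an early-exit MAC comparison beside a constant-time one, with the constant-time variant reimplemented locally (same idea as CRYPTO_memcmp) so it builds without libcrypto. The sample MAC, the make_guess helper and the iters counter are constructed for this example; iters counts bytes inspected and stands in for the timing side channel a remote party would have to measure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 16  /* length of an MD5 digest, the MAC size auth_md5 deals with */

/* Constructed sample MAC (MD5 of the empty string); any 16 bytes would do. */
static const uint8_t SAMPLE_MAC[MAC_LEN] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
};

/* Early-exit comparison, the shape of code CVE-2016-1550 is about: it returns
 * at the first mismatching byte, so the work done (and time taken) depends on
 * how long a prefix of the guess is correct. `iters` reports how many bytes
 * were inspected, standing in for the timing side channel. */
static int mac_equal_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    size_t i;
    *iters = 0;
    for (i = 0; i < n; i++) {
        (*iters)++;
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison, the same idea as OpenSSL's CRYPTO_memcmp, written
 * locally so the example builds without libcrypto: every byte is always visited,
 * differences are OR-ed together, and the result is inspected only at the end.
 * `volatile` discourages the compiler from turning it back into an early exit. */
static int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t n, size_t *iters)
{
    volatile uint8_t diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *iters = n;
    return diff == 0;
}

/* Constructed helper: a guess that agrees with SAMPLE_MAC on its first `prefix`
 * bytes and differs at byte `prefix` (prefix == MAC_LEN yields the correct MAC). */
static void make_guess(uint8_t *guess, size_t prefix)
{
    memcpy(guess, SAMPLE_MAC, MAC_LEN);
    if (prefix < MAC_LEN)
        guess[prefix] ^= 0xFF;
}

/* Bytes inspected by the early-exit check for a guess whose first `prefix` bytes are right. */
size_t early_exit_iters_for_prefix(size_t prefix)
{
    uint8_t guess[MAC_LEN];
    size_t iters;
    make_guess(guess, prefix);
    mac_equal_early_exit(SAMPLE_MAC, guess, MAC_LEN, &iters);
    return iters;
}

/* Bytes inspected by the constant-time check for the same guess: always MAC_LEN. */
size_t ct_iters_for_prefix(size_t prefix)
{
    uint8_t guess[MAC_LEN];
    size_t iters;
    make_guess(guess, prefix);
    mac_equal_ct(SAMPLE_MAC, guess, MAC_LEN, &iters);
    return iters;
}

/* Verdict of the constant-time check: 1 only for the fully correct MAC. */
int ct_mac_matches_for_prefix(size_t prefix)
{
    uint8_t guess[MAC_LEN];
    size_t iters;
    make_guess(guess, prefix);
    return mac_equal_ct(SAMPLE_MAC, guess, MAC_LEN, &iters);
}

int main(void)
{
    size_t prefix;
    printf("correct prefix  early-exit work  constant-time work\n");
    for (prefix = 0; prefix <= MAC_LEN; prefix += 4)
        printf("%14zu  %15zu  %18zu\n", prefix,
               early_exit_iters_for_prefix(prefix), ct_iters_for_prefix(prefix));
    return 0;
}
```

Build with `cc -Wall -o mac_cmp mac_cmp.c` and run it: the early-exit column grows with the length of the correct prefix, the constant-time column stays at 16 whatever the guess. ntp's fix gets the second behaviour by calling CRYPTO_memcmp, which is why sntp now has to link against libcrypto via @LCRYPTO@.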
Advisory:
========================

Updated ntp packages fix security vulnerabilities:

It is possible to change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode. An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched (CVE-2016-1548).

An exploitable vulnerability exists in the message authentication functionality of Network Time Protocol libntp. An attacker can send a series of crafted messages to attempt to recover the message digest key (CVE-2016-1550).

If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and if an existing association is unconfigured using the same IP twice on the unconfig directive line, ntpd will abort (CVE-2016-2516).

Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference (CVE-2016-2518).

Note that CVE-2016-2516, as well as other known but unfixed vulnerabilities in ntpd, are also mitigated by not allowing remote configuration, which is the default in Mageia.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518
http://www.talosintel.com/reports/TALOS-2016-0082/
http://www.talosintel.com/reports/TALOS-2016-0084/
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IFPKQDCJCLLEPK5D5RBOGCBNDW5TNIBM/
========================

Updated packages in core/updates_testing:
========================

ntp-4.2.6p5-24.5.mga5
ntp-client-4.2.6p5-24.5.mga5
ntp-doc-4.2.6p5-24.5.mga5

from ntp-4.2.6p5-24.5.mga5.src.rpm
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
Severity: normal => major
x86_64

Installed ntp-4.2.6p5-24.4.mga5 and started the daemon.
Updated to ntp-4.2.6p5-24.5.mga5 and restarted the network time service.

# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Fri 2016-05-13 09:58:12 BST; 12s ago
  Process: 17647 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 17649 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─17649 /usr/sbin/ntpd -u ntp:ntp -g

May 13 09:58:12 belexeuli ntpd[17649]: Listen and drop on 1 v6wildcard :: U...23
May 13 09:58:12 belexeuli ntpd[17649]: Listen normally on 2 lo 127.0.0.1 UDP 123
May 13 09:58:12 belexeuli ntpd[17649]: Listen normally on 3 enp2s0 192.168....23
May 13 09:58:12 belexeuli ntpd[17649]: Listen normally on 4 lo ::1 UDP 123
May 13 09:58:12 belexeuli ntpd[17649]: Listen normally on 5 enp2s0 fe80::1a...23
May 13 09:58:12 belexeuli ntpd[17649]: peers refreshed
May 13 09:58:12 belexeuli ntpd[17649]: Listening on routing socket on fd #2...es
May 13 09:58:12 belexeuli ntpd[17649]: 0.0.0.0 c016 06 restart
May 13 09:58:12 belexeuli ntpd[17649]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
May 13 09:58:12 belexeuli ntpd[17649]: 0.0.0.0 c011 01 freq_not_set
CC: (none) => tarazed25
Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-64-OK
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0174.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED