Upstream has issued an advisory on June 2:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Fedora has updates for this currently on QA:
https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533

Fedora has noted that CVE-2016-4953 was fixed with the patch for CVE-2016-1547. Furthermore, we're not affected by CVE-2016-4957, as this was caused by upstream's fix for the same issue, but RedHat/Fedora's fix was better.

Patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

ntpq and ntpdc disclose the origin timestamp to unauthenticated clients, which may allow an attacker to impersonate a legitimate peer (CVE-2015-8139).

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set (CVE-2016-4954).

An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working (CVE-2016-4955).

The fix for CVE-2016-1548 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode (CVE-2016-4956).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2016_ntp_4_2_8p8_NTP_Securi
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.6.mga5
ntp-client-4.2.6p5-24.6.mga5
ntp-doc-4.2.6p5-24.6.mga5

from ntp-4.2.6p5-24.6.mga5.src.rpm
x86_64

Installed this yesterday. Running with the default /etc/ntp.conf file and default settings.

$ systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Fri 2016-06-03 22:59:58 BST; 9h ago
 Main PID: 27056 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─27056 /usr/sbin/ntpd -u ntp:ntp -g

The -g option prevents a first time exit if the time difference between the system clock and the NTP server is greater than the panic threshold.

The date command returns a time agreeing with a local radio-controlled clock.

Good for 64-bits.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
Whiteboard: MGA5-64-OK => (none)
Paying more attention to the advisory...

Ran the ntpq and ntpdc commands in listing mode to ensure that they worked.

$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+hotel.zq1.de    122.227.206.195  3 u  873 1024  377   35.857   -0.269   0.727
*ntp1.ivlan.net  46.46.152.214    2 u  633 1024  377   70.572   -0.627   1.771
+admin2.debrecen 185.219.2.214    2 u  802 1024  377   52.409    0.619   3.115

$ sudo ntpdc -l
client    admin2.debrecen.hpc.niif.hu
client    hotel.zq1.de
client    ntp1.ivlan.net

$ sudo ntpdc -s
     remote           local      st poll reach  delay   offset    disp
=======================================================================
.admin2.debrecen 192.168.1.103    2 1024  377 0.05118  0.000156 0.12442
.hotel.zq1.de    192.168.1.103    3 1024  377 0.03584 -0.000269 0.13914
*ntp1.ivlan.net  192.168.1.103    2 1024  377 0.07056 -0.000627 0.13885

$ sudo ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=admin2.debrecen 192.168.1.103    2 1024  377 0.05118  0.000156 0.12442
=hotel.zq1.de    192.168.1.103    3 1024  377 0.03584 -0.000269 0.13914
*ntp1.ivlan.net  192.168.1.103    2 1024  377 0.07047 -0.000063 0.12364
Updating on i586 virtualbox

# systemctl restart ntpd.service
# systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sun 2016-06-05 20:16:52 BST; 17s ago
  Process: 5278 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 5280 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─5280 /usr/sbin/ntpd -u ntp:ntp -g

Jun 05 20:16:52 alkaid ntpd[5280]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 3 enp0s3 192.168.1.10...23
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 4 lo ::1 UDP 123
Jun 05 20:16:52 alkaid ntpd[5280]: Listen normally on 5 enp0s3 fe80::a00:27...23
Jun 05 20:16:52 alkaid ntpd[5280]: peers refreshed
Jun 05 20:16:52 alkaid ntpd[5280]: Listening on routing socket on fd #22 fo...es
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c016 06 restart
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 05 20:16:52 alkaid ntpd[5280]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.

Displayed time is correct.

$ sudo ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 146.185.139.19  210.240.96.206   2 u   25   64    7   25.238    0.102   0.912
 mirror.muntinte 193.190.230.65   2 u   25   64    7   31.695    0.818   0.732
 ns1.rx-name.net 232.213.183.238  3 u   23   64    7   77.356    1.007   4.172

[lcl@alkaid ~]$ sudo ntpdc -l
client    ns1.rx-name.net
client    146.185.139.19
client    mirror.muntinternet.net

[lcl@alkaid ~]$ sudo ntpdc -s
     remote           local      st poll reach  delay   offset    disp
=======================================================================
 ns1.rx-name.net 192.168.1.109    3   64   17 0.07735  0.001007 0.96913
 146.185.139.19  192.168.1.109    2   64   17 0.02524  0.000102 0.96933
*mirror.muntinte 192.168.1.109    2   64   17 0.03140  0.000139 0.96870

[lcl@alkaid ~]$ sudo ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=ns1.rx-name.net 192.168.1.109    3   64   17 0.07735  0.001007 0.96913
=146.185.139.19  192.168.1.109    2   64   17 0.02524  0.000102 0.96933
*mirror.muntinte 192.168.1.109    2   64   17 0.03140  0.000139 0.96870
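The peer listings posted in this thread can be checked mechanically rather than by eye. The following is an added example, not part of the original bug report: it parses `ntpq -p` output, decodes the octal reach register and reports whether a system peer is selected. The function names and the 128 ms offset limit are assumptions made for the example.

```python
import re

# Constructed sample input: `ntpq -p` rows as posted in this thread
# (a long-running daemon, then one restarted seconds before the query).
SETTLED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+hotel.zq1.de    122.227.206.195  3 u  873 1024  377   35.857   -0.269   0.727
*ntp1.ivlan.net  46.46.152.214    2 u  633 1024  377   70.572   -0.627   1.771
+admin2.debrecen 185.219.2.214    2 u  802 1024  377   52.409    0.619   3.115
"""
FRESH = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 146.185.139.19  210.240.96.206   2 u   25   64    7   25.238    0.102   0.912
 mirror.muntinte 193.190.230.65   2 u   25   64    7   31.695    0.818   0.732
 ns1.rx-name.net 232.213.183.238  3 u   23   64    7   77.356    1.007   4.172
"""
# Tally character in column 0 of each peer row.
TALLY = {"*": "sys.peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         ".": "excess", "#": "backup", "o": "pps.peer", " ": "reject"}

def parse_peers(text):
    """Return one dict per peer row; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        tally, f = line[:1], line[1:].split()
        if len(f) != 10 or not re.fullmatch(r"[0-7]{1,3}", f[6]):
            continue
        reach = int(f[6], 8)  # octal view of an 8-bit shift register of polls
        peers.append({"remote": f[0], "role": TALLY.get(tally, "unknown"),
                      "reach": reach, "answered": bin(reach).count("1"),
                      "offset_ms": float(f[8])})
    return peers

def assess(text, max_offset_ms=128.0):
    """Return (system peer name or None, list of findings)."""
    peers = parse_peers(text)
    sys_peer = next((p for p in peers if p["role"] == "sys.peer"), None)
    findings = []
    if sys_peer is None:
        findings.append("no system peer selected")
    elif abs(sys_peer["offset_ms"]) > max_offset_ms:
        findings.append(f"system peer offset {sys_peer['offset_ms']} ms")
    for p in peers:
        if p["answered"] < 8:
            findings.append(f"{p['remote']}: {p['answered']}/8 recent polls answered")
    return (sys_peer["remote"] if sys_peer else None), findings
```

Low counts right after a restart are expected, as in the second sample; on a daemon that has been up for hours they mean recent polls went unanswered.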
It occurred to me that I might not have restarted the NTP daemon after updating.

# systemctl start ntpd.service
# systemctl status ntpd.service
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sun 2016-06-05 20:23:58 BST; 10s ago
  Process: 9365 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 9367 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─9367 /usr/sbin/ntpd -u ntp:ntp -g

Jun 05 20:23:58 difda ntpd[9367]: Listen and drop on 1 v6wildcard :: UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 3 enp3s0 192.168.1.50 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 4 lo ::1 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: Listen normally on 5 enp3s0 fe80::dacb:8aff:fe52:52b4 UDP 123
Jun 05 20:23:58 difda ntpd[9367]: peers refreshed
Jun 05 20:23:58 difda ntpd[9367]: Listening on routing socket on fd #22 for interface updates
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c016 06 restart
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jun 05 20:23:58 difda ntpd[9367]: 0.0.0.0 c011 01 freq_not_set
Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK
Validating this. Could someone from sysadmin please push to 5 updates. Thanks.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/690012/
CC: (none) => davidwhodgins
Whiteboard: MGA5-64-OK MGA5-32-OK => MGA5-64-OK MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0219.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED