Upstream has issued an advisory on November 21:
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se

Patches added from Fedora, except CVE-2016-7433 which seems to not affect us but does them for some reason. The other missing CVEs from upstream appear to only affect newer versions of ntp.

Advisory:
========================

Updated ntp packages fix security vulnerabilities:

When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources (CVE-2016-7426).

When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source (CVE-2016-7429).

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability (CVE-2016-9310).

If trap service, disabled by default, has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service (CVE-2016-9311).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311
https://bugzilla.redhat.com/show_bug.cgi?id=1397345
https://bugzilla.redhat.com/show_bug.cgi?id=1397341
https://bugzilla.redhat.com/show_bug.cgi?id=1397319
https://bugzilla.redhat.com/show_bug.cgi?id=1398350
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
========================

Updated packages in core/updates_testing:
========================
ntp-4.2.6p5-24.7.mga5
ntp-client-4.2.6p5-24.7.mga5
ntp-doc-4.2.6p5-24.7.mga5

from ntp-4.2.6p5-24.7.mga5.src.rpm
Version: Cauldron => 5
Source RPM: ntp-4.2.6p5-31.mga6.src.rpm => ntp-4.2.6p5-24.6.mga5.src.rpm
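The configuration preconditions named in the advisory above can be checked on a host independently of the package version. The following is an added example, not part of the original bug report or of the ntp project; the function name, the sample ntp.conf and the rp_filter values are constructed for illustration.

```python
# Constructed sample ntp.conf (not taken from the bug report).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer limited
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server ntp.example.net iburst
trap 192.0.2.10   # trap service explicitly enabled
"""

def audit_ntp_conf(conf_text, rp_filter=None):
    """Return the sorted CVE ids whose configuration precondition is present.

    rp_filter: optional {name: value} as read from
    /proc/sys/net/ipv4/conf/<name>/rp_filter, including the "all" entry.
    """
    findings = set()
    default_rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens[0] == "trap":
            findings.add("CVE-2016-9311")  # trap service is off unless configured
        elif tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_rules.append(set(args[1:]))
    for flags in default_rules:
        if "limited" in flags:
            findings.add("CVE-2016-7426")  # rate limit also applies to own sources
        if "noquery" not in flags:
            findings.add("CVE-2016-9310")  # mode 6 control packets accepted
    if not default_rules:
        findings.add("CVE-2016-9310")      # no "restrict default noquery" at all
    if rp_filter:
        # Linux uses max(conf/all, conf/<iface>) for source validation.
        base = rp_filter.get("all", 0)
        ifaces = {k: max(base, v) for k, v in rp_filter.items()
                  if k not in ("all", "default", "lo")}
        if len(ifaces) > 1 and 0 in ifaces.values():
            findings.add("CVE-2016-7429")  # spoofed source can move the peer's interface
    return sorted(findings)

if __name__ == "__main__":
    print(audit_ntp_conf(SAMPLE_CONF, {"all": 0, "lo": 0, "eth0": 0, "eth1": 1}))
```

An empty result means none of the four preconditions is configured; it says nothing about whether the installed ntp package carries the patches.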
Testing on x86_64 real hardware.

The backlinks lead to descriptions of the problems or deal with bug reporting infrastructure; nothing useful for QA as far as I can see.

Installed the updates and restarted ntpd then kept an eye on the Mate panel clock.

# systemctl restart ntpd
# systemctl status ntpd
● ntpd.service - Network Time Service
   Loaded: loaded (/usr/lib/systemd/system/ntpd.service; enabled)
   Active: active (running) since Sat 2016-11-26 20:15:30 GMT; 8s ago
  Process: 20495 ExecStart=/usr/sbin/ntpd -u ntp:ntp $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 20497 (ntpd)
   CGroup: /system.slice/ntpd.service
           └─20497 /usr/sbin/ntpd -u ntp:ntp -g

Nov 26 20:15:30 belexeuli ntpd[20497]: Listen and drop on 1 v6wildcard :: U...23
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 2 lo 127.0.0.1 UDP 123
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 3 enp2s0 192.168....23
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 4 lo ::1 UDP 123
Nov 26 20:15:30 belexeuli ntpd[20497]: Listen normally on 5 enp2s0 fe80::1a...23
Nov 26 20:15:30 belexeuli ntpd[20497]: peers refreshed
Nov 26 20:15:30 belexeuli ntpd[20497]: Listening on routing socket on fd #2...es
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c016 06 restart
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Nov 26 20:15:30 belexeuli ntpd[20497]: 0.0.0.0 c011 01 freq_not_set
Hint: Some lines were ellipsized, use -l to show in full.

Clock ticking nicely. Checked timestamp on new file - OK.

Saying OK but leaving it open for comments.
CC: (none) => tarazed25
Whiteboard: (none) => MGA5-64-OK
The advisory from Comment 0 uploaded.
CC: (none) => lewyssmith
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
Working fine on Mageia 5 i586. This can be validated.
Whiteboard: MGA5-64-OK advisory => MGA5-32-OK MGA5-64-OK advisory
Keywords: (none) => validated_update
CC: (none) => youpburden, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0414.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED