Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PAWSWGYT4BYAU6JMQXZOD22NFWPCVJQP/

The issues are fixed upstream in 4.2.8p11.

We should also add the nopeer restriction to the default config if we haven't:
https://src.fedoraproject.org/cgit/rpms/ntp.git/commit/?h=f27&id=ddca0198432d804162e603e987237163b628c587

Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO, MGA5TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing two committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => guillomovitch, lists.jjorge, marja11
(In reply to David Walser from comment #0)
> The issues are fixed upstream in 4.2.8p11.
>
> We should also add the nopeer restriction to the default config if we
> haven't:
> https://src.fedoraproject.org/cgit/rpms/ntp.git/commit/?h=f27&id=ddca0198432d804162e603e987237163b628c587
>
> Mageia 5 and Mageia 6 are also affected.

You mean noepeer instead of nopeer? We already use nopeer.
CC: (none) => guichard.adrien
Assignee: pkg-bugs => guichard.adrien
Adrien is working on this bug as apprentice.
Status: NEW => ASSIGNED
I could rebuild mga7 package into mga6 distribution and install it, if I do backport pps-tools package into mga6. Before going further, I need to know if this is ok, or if it is better to patch Mga6 version (which is much more difficult, and should require pps-tools by the way)?
Yes, good catch, I meant noepeer. As for pps-tools, just drop the requires for that, it was only recently added and isn't strictly necessary. It'd be nice to patch, but Fedora doesn't have patches and that's where we always get patches, so I think we need to just update it.
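The nopeer/noepeer mix-up cleared up in the comments above is easy to repeat in a config review, because the two restrict flags differ by one letter. As an added example (not part of this bug thread or of the Mageia or Fedora packaging), this sketch lists catch-all "restrict default" entries that lack noepeer; the sample config and the host name in it are constructed.

```shell
#!/bin/sh
# Added example: flag catch-all "restrict default" lines without noepeer.

# Constructed sample in ntp.conf syntax (not Mageia's or Fedora's shipped file).
sample_conf() {
    cat <<'EOF'
# constructed sample
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noepeer noquery
restrict 127.0.0.1
server 0.pool.example iburst   # restrict default noepeer (comment only)
EOF
}

# Reads ntp.conf text on stdin; prints one line per offending entry.
# Exit status: 0 = every default entry has noepeer, 1 = at least one lacks it,
# 2 = no "restrict default" entry at all.
audit_noepeer() {
    awk '
        { sub(/#.*/, "") }                     # drop comments before matching
        $1 != "restrict" { next }
        {
            i = 2
            if ($i == "-4" || $i == "-6") i++  # optional address-family flag
            if ($i != "default") next          # host/subnet entries are out of scope
            seen++
            ok = 0
            for (j = i + 1; j <= NF; j++)
                if ($j == "noepeer") ok = 1    # exact match: "nopeer" does not count
            if (!ok) { print "line " NR ": restrict default without noepeer"; bad++ }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample; the audit exits 1 because line 3 lacks noepeer.
sample_conf | audit_noepeer || echo "audit status: $?"
```

On a real system the function would be fed the installed configuration, for example "audit_noepeer < /etc/ntp.conf" (path assumed).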
ntp-4.2.8p11-1.mga7 uploaded for Cauldron by Adrien and José.
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
It seems ntpdate is on its way to being deprecated (the following link was written in 2014):
https://support.ntp.org/bin/view/Dev/DeprecatingNtpdate

drakclock is using ntpdate, I will try to patch drakclock to use the equivalent "ntpd -q" command to avoid this.

The good news (for me) is that drakclock seems to be broken on Mageia 6 with the "4.2.6p5" version. So I can hardly cause any regression :-)
Created attachment 10074
patch removing ntpdate in favor of ntpd equivalent command
Comment on attachment 10074
patch removing ntpdate in favor of ntpd equivalent command

drakclock patch for ntp-4.2.8p11.
(In reply to Adrien Guichard from comment #9)
> Comment on attachment 10074
> patch removing ntpdate in favor of ntpd equivalent command
>
> drakclock patch for ntp-4.2.8p11.

Committed:
http://gitweb.mageia.org/software/drakx/commit/?id=2bd349e099e93bf2598a31ae169166b86c7c87fc
CC: (none) => thierry.vignaud
Keywords: (none) => PATCH
Blocks: (none) => 22864
Built for Mageia 6 (now we just need an advisory):
ntp-4.2.8p11-1.mga6
ntp-perl-4.2.8p11-1.mga6
ntpdate-4.2.8p11-1.mga6
sntp-4.2.8p11-1.mga6
ntp-doc-4.2.8p11-1.mga6

from ntp-4.2.8p11-1.mga6.src.rpm

Mageia 5 split to Bug 22864 and can be dealt with later if we get patches.
Whiteboard: MGA5TOO => (none)
Keywords: PATCH => (none)
We have uploaded an updated ntp package for Mageia 6. The released package is now version 4.2.8p11.

Suggested advisory:
========================

This release addresses five security issues in ntpd for Mageia 6:

LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack
While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11.
Reported by Matt Van Gundy of Cisco.

INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
Reported by Yihan Lian of Qihoo 360.

LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
Reported on the questions@ list.

LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state
Reported by Miroslav Lichvar of Red Hat.

LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet can reset authenticated interleaved association
Reported by Miroslav Lichvar of Red Hat.

one security issue in ntpq:

MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909: ntpq:decodearr() can write beyond its buffer limit
Reported by Michael Macnair of Thales-esecurity.com.

and provides over 33 bugfixes and 32 other improvements.

Notification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

References:
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
========================

Updated packages in {core}/updates_testing:
========================
ntp-4.2.8p11-1.mga6
ntpdate-4.2.8p11-1.mga6
sntp-4.2.8p11-1.mga6
ntp-doc-4.2.8p11-1.mga6
ntp-perl-4.2.8p11-1.mga6
Assignee: guichard.adrien => qa-bugs
Trying this out later. It has proved impractical to search for PoCs for these issues because there is a maze of references to be followed up and so far they have not yielded anything useful.
CC: (none) => tarazed25
Updated ntp and ntpdoc for Mageia6, x86_64. Installed the rest manually, noting that the package names are e.g. sntp-4.2.8p11.

Restarted ntpd and checked status. Enabled the NTP via MCC services and selected uk.pool.ntp.org for a server.

The patch removes ntpdate and the man page agrees that it may be deprecated. There are a few other utilities associated with this, including one for SNTP but I could not find any SNTP servers.
ntpq is an interactive tool for setting and querying NTP parameters.
$ ntpq host
Name or service not known
ntpq> host uk.pool.ntp.org
current host set to uk.pool.ntp.org
ntpq> host
current host is uk.pool.ntp.org
ntpq> ?
ntpq commands:
:config          drefid           mreadlist        readvar
addvars          exit             mreadvar         reslist
apeers           help             mrl              rl
associations     host             mrulist          rmvars
authenticate     hostnames        mrv              rv
authinfo         ifstats          ntpversion       saveconfig
cl               iostats          opeers           showvars
clearvars        kerninfo         passociations    sysinfo
clocklist        keyid            passwd           sysstats
clockvar         keytype          peers            timeout
config-from-file lassociations    poll             timerstats
cooked           lopeers          pstats           version
cv               lpassociations   quit             writelist
debug            lpeers           raw              writevar
delay            monstats         readlist
ntpq> kerninfo
uk.pool.ntp.org: timed out, nothing received
***Request timed out
ntpq> version
ntpq 4.2.8p11@1.3728-o Mon Apr 2 08:42:48 UTC 2018 (1)
ntpq> help :config
function: send a remote configuration command to ntpd
usage: :config <configuration command line>
ntpq> timerstats
uk.pool.ntp.org: timed out, nothing received
***Request timed out
ntpq> exit

Several of the enquiries resulted in a timeout. I wonder if that is because the server is in stratum one and delegates requests to a subsidiary but see this:
$ ntpq host uk.pool.ntp.org
Name or service not known

I shall assume that this is more a matter of my ignorance of how this service works rather than anything wrong with ntp, which is running fine.
Whiteboard: (none) => MGA6-64-OK
(In reply to Len Lawrence from comment #14)
> Updated ntp and ntpdoc for Mageia6, x86_64. Installed the rest manually,
> noting that the package names are e.g. sntp-4.2.8p11.
>
> Restarted ntpd and checked status. Enabled the NTP via MCC services and
> selected uk.pool.ntp.org for a server.
>
> The patch removes ntpdate and the man page agrees that it may be deprecated.
> There are a few other utilities associated with this, including one for SNTP
> but I could not find any SNTP servers.
> ntpq is an interactive tool for setting and querying NTP parameters.
> $ ntpq host
> Name or service not known
> ntpq> host uk.pool.ntp.org
> current host set to uk.pool.ntp.org
> ntpq> host
> current host is uk.pool.ntp.org
> ntpq> ?
> ntpq commands:
> :config          drefid           mreadlist        readvar
> addvars          exit             mreadvar         reslist
> apeers           help             mrl              rl
> associations     host             mrulist          rmvars
> authenticate     hostnames        mrv              rv
> authinfo         ifstats          ntpversion       saveconfig
> cl               iostats          opeers           showvars
> clearvars        kerninfo         passociations    sysinfo
> clocklist        keyid            passwd           sysstats
> clockvar         keytype          peers            timeout
> config-from-file lassociations    poll             timerstats
> cooked           lopeers          pstats           version
> cv               lpassociations   quit             writelist
> debug            lpeers           raw              writevar
> delay            monstats         readlist
> ntpq> kerninfo
> uk.pool.ntp.org: timed out, nothing received
> ***Request timed out
> ntpq> version
> ntpq 4.2.8p11@1.3728-o Mon Apr 2 08:42:48 UTC 2018 (1)
> ntpq> help :config
> function: send a remote configuration command to ntpd
> usage: :config <configuration command line>
> ntpq> timerstats
> uk.pool.ntp.org: timed out, nothing received
> ***Request timed out
> ntpq> exit
>
> Several of the enquiries resulted in a timeout. I wonder if that is because
> the server is in stratum one and delegates requests to a subsidiary but see
> this:
> $ ntpq host uk.pool.ntp.org
> Name or service not known

$ ntpq host uk.pool.ntp.org
Name or service not known

but

$ ntpq uk.pool.ntp.org
ntpq> host
current host is uk.pool.ntp.org

and

$ ntpq noexistinguk.pool.ntp.org
Name or service not known

so "host" is not part of the command line :)

>
> I shall assume that this is more a matter of my ignorance of how this
> service works rather than anything wrong with ntp, which is running fine.

At least ntpq -p, ntpq -c timerstats are working. I do not find any useful resource that explains how to avoid these timeouts. The debug command does not print anything, and changing the ntp configuration does not help. If I do find anything, I will let you know.
@Len : great work yet again probing the unknown.

(In reply to Len Lawrence from comment #14)
> noting that the package names are e.g. sntp-4.2.8p11.

Should they be? The RPMs list shows:
ntp-4.2.8p11-1.mga6.x86_64.rpm
ntp-doc-4.2.8p11-1.mga6.noarch.rpm
ntp-perl-4.2.8p11-1.mga6.noarch.rpm
ntpdate-4.2.8p11-1.mga6.x86_64.rpm
sntp-4.2.8p11-1.mga6.x86_64.rpm
and the universal package version format indicates that the pkg name stops at the -4.2 etc.

Is it OK also not to have 32-bit versions of this update?

Asking for feedback on these 2 things; otherwise it is good for validation.
CC: (none) => lewyssmith
Keywords: (none) => advisory, feedback
(In reply to Lewis Smith from comment #16)
> the universal package version format indicates that the pkg name stops at the -4.2

I don't know this UPVF, but the naming is just the same as current mageia 6 ntp...

> Is it OK also not to have 32-bit versions of this update?

Why do you think that? There are 32 bit versions, ex:
http://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/6/i586/media/core/updates_testing/ntp-4.2.8p11-1.mga6.i586.rpm
Keywords: feedback => (none)
(In reply to José Jorge from comment #17)
> (In reply to Lewis Smith from comment #16)
> > Is it OK also not to have 32-bit versions of this update?
>
> Why do you think that? There are 32 bit versions, ex:
>

Because they were not listed correctly in the advisory with arches?
CC: (none) => zen25000
The current PRE-update package names are:
ntp
ntp-client
ntp-doc

I could not find any of the following, first from 'Add/Remove software' GUI, then urpmq (Dim pecyn o'r enw = No package named...):
$ urpmq -i ntp-perl
Dim pecyn o'r enw ntp-perl
$ urpmq -i ntp-perl-4.2.8p11
Dim pecyn o'r enw ntp-perl-4.2.8p11
$ urpmq -i ntpdate
Dim pecyn o'r enw ntpdate
$ urpmq -i ntpdate-4.2.8p11
Dim pecyn o'r enw ntpdate-4.2.8p11
$ urpmq -i sntp
Dim pecyn o'r enw sntp
$ urpmq -i sntp-4.2.8p11
Dim pecyn o'r enw sntp-4.2.8p11
-------------------------------
Invoking Updates_Testing, I see:
ntp-perl (version 4.2.8p11)
ntpupdate (version 4.2.8p11)
sntp (version 4.2.8p11)
which is what one would expect, and looks correct. Are they new for this update?
------------------------------------------------------------
>> Is it OK also not to have 32-bit versions of this update?
>Why do you think that? There are 32 bit versions

Good to know; all is well. As per c18, they should have been listed in both the bug RPMs page, and the pkg list in the bug. Never mind - they are there. Sorry for the noise; but I think it was justified.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Re comment 19
Have to agree Lewis, you were justified.

As to the naming of the packages, when I tried to install them before the update urpmi did not respond to the 'universal package name format'; it came back with "unknown package". The only way the packages could be installed was by using e.g. 'sudo urpmi sntp-4.2.8p11'. After the update of course they were available in the MageiaUpdate list.

I have just tried again on another machine entirely to confirm this.
$ sudo urpmi sntp
No package named sntp
$ sudo urpmi.update -a
$ sudo urpmi ntp-perl
No package named ntp-perl

But it gets worse:
$ sudo urpmi sntp-4.2.8p11
No package named sntp-4.2.8p11

Wondering if it might have something to do with the new rpm and php updates, which were pending, I installed those and tried again. Same results.

Enabled updates testing, ran MageiaUpdate and then installed one package at a time.
# urpmi ntp-perl
Unknown option: X
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Updates Testing (distrib5)")
  ntp                            4.2.8p11     1.mga6        x86_64
  ntp-perl                       4.2.8p11     1.mga6        noarch
2.1MB of additional disk space will be used.
701KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n)
.................

This is very odd.
Had a look at core release at distrib-coffee and note that sntp and ntp-perl are not listed so no wonder they could not be installed - they made their debut in core updates - unknown package would have been returned however they were addressed so it is I who should apologize for the noise.
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0195.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Summary: ntp new security issue CVE-2016-1549, CVE-2018-717[0,2-5] => ntp new security issue CVE-2016-1549, CVE-2018-7170, CVE-2018-718[2-5]