ntp-4.2.8p9-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10181 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ntp-4.2.8p9-1.1 on GA media These are all security issues fixed in the ntp-4.2.8p9-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10181 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10181 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-0159/ SUSE CVE CVE-2009-0159 page https://www.suse.com/security/cve/CVE-2009-1252/ SUSE CVE CVE-2009-1252 page https://www.suse.com/security/cve/CVE-2013-5211/ SUSE CVE CVE-2013-5211 page https://www.suse.com/security/cve/CVE-2014-9293/ SUSE CVE CVE-2014-9293 page https://www.suse.com/security/cve/CVE-2014-9294/ SUSE CVE CVE-2014-9294 page https://www.suse.com/security/cve/CVE-2014-9295/ SUSE CVE CVE-2014-9295 page https://www.suse.com/security/cve/CVE-2014-9296/ SUSE CVE CVE-2014-9296 page https://www.suse.com/security/cve/CVE-2014-9297/ SUSE CVE CVE-2014-9297 page https://www.suse.com/security/cve/CVE-2014-9298/ SUSE CVE CVE-2014-9298 page https://www.suse.com/security/cve/CVE-2015-1798/ SUSE CVE CVE-2015-1798 page https://www.suse.com/security/cve/CVE-2015-1799/ SUSE CVE CVE-2015-1799 page https://www.suse.com/security/cve/CVE-2015-5300/ SUSE CVE CVE-2015-5300 page https://www.suse.com/security/cve/CVE-2015-7691/ SUSE CVE CVE-2015-7691 page https://www.suse.com/security/cve/CVE-2015-7692/ SUSE CVE CVE-2015-7692 page https://www.suse.com/security/cve/CVE-2015-7701/ SUSE CVE CVE-2015-7701 page https://www.suse.com/security/cve/CVE-2015-7702/ SUSE CVE CVE-2015-7702 page https://www.suse.com/security/cve/CVE-2015-7703/ SUSE CVE CVE-2015-7703 page https://www.suse.com/security/cve/CVE-2015-7704/ SUSE CVE CVE-2015-7704 page https://www.suse.com/security/cve/CVE-2015-7705/ SUSE CVE CVE-2015-7705 page https://www.suse.com/security/cve/CVE-2015-7848/ SUSE CVE CVE-2015-7848 page https://www.suse.com/security/cve/CVE-2015-7849/ SUSE CVE CVE-2015-7849 page https://www.suse.com/security/cve/CVE-2015-7850/ SUSE CVE CVE-2015-7850 page https://www.suse.com/security/cve/CVE-2015-7851/ SUSE CVE CVE-2015-7851 page https://www.suse.com/security/cve/CVE-2015-7852/ SUSE CVE CVE-2015-7852 page https://www.suse.com/security/cve/CVE-2015-7853/ SUSE CVE CVE-2015-7853 page https://www.suse.com/security/cve/CVE-2015-7854/ SUSE CVE CVE-2015-7854 page https://www.suse.com/security/cve/CVE-2015-7855/ SUSE CVE CVE-2015-7855 page https://www.suse.com/security/cve/CVE-2015-7871/ SUSE CVE CVE-2015-7871 page https://www.suse.com/security/cve/CVE-2015-7973/ SUSE CVE CVE-2015-7973 page https://www.suse.com/security/cve/CVE-2015-7974/ SUSE CVE CVE-2015-7974 page https://www.suse.com/security/cve/CVE-2015-7975/ SUSE CVE CVE-2015-7975 page https://www.suse.com/security/cve/CVE-2015-7976/ SUSE CVE CVE-2015-7976 page https://www.suse.com/security/cve/CVE-2015-7977/ SUSE CVE CVE-2015-7977 page https://www.suse.com/security/cve/CVE-2015-7978/ SUSE CVE CVE-2015-7978 page https://www.suse.com/security/cve/CVE-2015-7979/ SUSE CVE CVE-2015-7979 page https://www.suse.com/security/cve/CVE-2015-8138/ SUSE CVE CVE-2015-8138 page https://www.suse.com/security/cve/CVE-2015-8158/ SUSE CVE CVE-2015-8158 page https://www.suse.com/security/cve/CVE-2016-1547/ SUSE CVE CVE-2016-1547 page https://www.suse.com/security/cve/CVE-2016-1548/ SUSE CVE CVE-2016-1548 page https://www.suse.com/security/cve/CVE-2016-1549/ SUSE CVE CVE-2016-1549 page https://www.suse.com/security/cve/CVE-2016-1550/ SUSE CVE CVE-2016-1550 page https://www.suse.com/security/cve/CVE-2016-1551/ SUSE CVE CVE-2016-1551 page https://www.suse.com/security/cve/CVE-2016-2516/ SUSE CVE CVE-2016-2516 page https://www.suse.com/security/cve/CVE-2016-2517/ SUSE CVE CVE-2016-2517 page https://www.suse.com/security/cve/CVE-2016-2518/ SUSE CVE CVE-2016-2518 page https://www.suse.com/security/cve/CVE-2016-2519/ SUSE CVE CVE-2016-2519 page https://www.suse.com/security/cve/CVE-2016-4953/ SUSE CVE CVE-2016-4953 page https://www.suse.com/security/cve/CVE-2016-4954/ SUSE CVE CVE-2016-4954 page https://www.suse.com/security/cve/CVE-2016-4955/ SUSE CVE CVE-2016-4955 page https://www.suse.com/security/cve/CVE-2016-4956/ SUSE CVE CVE-2016-4956 page https://www.suse.com/security/cve/CVE-2016-4957/ SUSE CVE CVE-2016-4957 page https://www.suse.com/security/cve/CVE-2016-7426/ SUSE CVE CVE-2016-7426 page https://www.suse.com/security/cve/CVE-2016-7427/ SUSE CVE CVE-2016-7427 page https://www.suse.com/security/cve/CVE-2016-7428/ SUSE CVE CVE-2016-7428 page https://www.suse.com/security/cve/CVE-2016-7429/ SUSE CVE CVE-2016-7429 page https://www.suse.com/security/cve/CVE-2016-7431/ SUSE CVE CVE-2016-7431 page https://www.suse.com/security/cve/CVE-2016-7433/ SUSE CVE CVE-2016-7433 page https://www.suse.com/security/cve/CVE-2016-7434/ SUSE CVE CVE-2016-7434 page https://www.suse.com/security/cve/CVE-2016-9310/ SUSE CVE CVE-2016-9310 page https://www.suse.com/security/cve/CVE-2016-9311/ SUSE CVE CVE-2016-9311 page openSUSE Tumbleweed ntp-4.2.8p9-1.1 ntp-doc-4.2.8p9-1.1 ntp-4.2.8p9-1.1 as a component of openSUSE Tumbleweed ntp-doc-4.2.8p9-1.1 as a component of openSUSE Tumbleweed Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. CVE-2009-0159 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-0159.html CVE-2009-0159 https://bugzilla.suse.com/484653 SUSE Bug 484653 https://bugzilla.suse.com/501632 SUSE Bug 501632 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. CVE-2009-1252 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1252.html CVE-2009-1252 https://bugzilla.suse.com/501632 SUSE Bug 501632 The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. CVE-2013-5211 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-5211.html CVE-2013-5211 https://bugzilla.suse.com/857195 SUSE Bug 857195 https://bugzilla.suse.com/889447 SUSE Bug 889447 https://bugzilla.suse.com/959243 SUSE Bug 959243 The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. CVE-2014-9293 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9293.html CVE-2014-9293 https://bugzilla.suse.com/910764 SUSE Bug 910764 https://bugzilla.suse.com/911053 SUSE Bug 911053 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/959243 SUSE Bug 959243 util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. CVE-2014-9294 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9294.html CVE-2014-9294 https://bugzilla.suse.com/910764 SUSE Bug 910764 https://bugzilla.suse.com/911053 SUSE Bug 911053 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/959243 SUSE Bug 959243 Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. CVE-2014-9295 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9295.html CVE-2014-9295 https://bugzilla.suse.com/910764 SUSE Bug 910764 https://bugzilla.suse.com/911053 SUSE Bug 911053 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/916239 SUSE Bug 916239 https://bugzilla.suse.com/959243 SUSE Bug 959243 The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. CVE-2014-9296 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9296.html CVE-2014-9296 https://bugzilla.suse.com/910764 SUSE Bug 910764 https://bugzilla.suse.com/911053 SUSE Bug 911053 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2014-9297 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9297.html CVE-2014-9297 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/948963 SUSE Bug 948963 https://bugzilla.suse.com/959243 SUSE Bug 959243 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage. CVE-2014-9298 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-9298.html CVE-2014-9298 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/948963 SUSE Bug 948963 https://bugzilla.suse.com/959243 SUSE Bug 959243 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. CVE-2015-1798 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1798.html CVE-2015-1798 https://bugzilla.suse.com/924202 SUSE Bug 924202 https://bugzilla.suse.com/927497 SUSE Bug 927497 https://bugzilla.suse.com/928321 SUSE Bug 928321 https://bugzilla.suse.com/936327 SUSE Bug 936327 https://bugzilla.suse.com/957163 SUSE Bug 957163 The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. CVE-2015-1799 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-1799.html CVE-2015-1799 https://bugzilla.suse.com/924202 SUSE Bug 924202 https://bugzilla.suse.com/927497 SUSE Bug 927497 https://bugzilla.suse.com/928321 SUSE Bug 928321 https://bugzilla.suse.com/936327 SUSE Bug 936327 https://bugzilla.suse.com/943565 SUSE Bug 943565 https://bugzilla.suse.com/957163 SUSE Bug 957163 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962624 SUSE Bug 962624 The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart). CVE-2015-5300 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5300.html CVE-2015-5300 https://bugzilla.suse.com/951629 SUSE Bug 951629 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962624 SUSE Bug 962624 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. CVE-2015-7691 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7691.html CVE-2015-7691 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. CVE-2015-7692 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7692.html CVE-2015-7692 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption). CVE-2015-7701 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7701.html CVE-2015-7701 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750. CVE-2015-7702 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7702.html CVE-2015-7702 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/911792 SUSE Bug 911792 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command. CVE-2015-7703 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7703.html CVE-2015-7703 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/943216 SUSE Bug 943216 https://bugzilla.suse.com/943218 SUSE Bug 943218 https://bugzilla.suse.com/943219 SUSE Bug 943219 https://bugzilla.suse.com/943221 SUSE Bug 943221 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages. CVE-2015-7704 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7704.html CVE-2015-7704 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/952611 SUSE Bug 952611 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/977446 SUSE Bug 977446 The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to have unspecified impact via a large number of crafted requests. CVE-2015-7705 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7705.html CVE-2015-7705 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/952611 SUSE Bug 952611 https://bugzilla.suse.com/959243 SUSE Bug 959243 An integer overflow can occur in NTP-dev.4.3.70 leading to an out-of-bounds memory copy operation when processing a specially crafted private mode packet. The crafted packet needs to have the correct message authentication code and a valid timestamp. When processed by the NTP daemon, it leads to an immediate crash. CVE-2015-7848 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7848.html CVE-2015-7848 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to possibly execute arbitrary code or cause a denial of service (crash) via crafted packets. CVE-2015-7849 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7849.html CVE-2015-7849 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (infinite loop or crash) by pointing the key file at the log file. CVE-2015-7850 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7850.html CVE-2015-7850 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files. CVE-2015-7851 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7851.html CVE-2015-7851 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. CVE-2015-7852 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7852.html CVE-2015-7852 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative input value. CVE-2015-7853 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7853.html CVE-2015-7853 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 Buffer overflow in the password management functionality in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted key file. CVE-2015-7854 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7854.html CVE-2015-7854 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value. CVE-2015-7855 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7855.html CVE-2015-7855 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/992991 SUSE Bug 992991 Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication. CVE-2015-7871 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7871.html CVE-2015-7871 https://bugzilla.suse.com/1010964 SUSE Bug 1010964 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/952606 SUSE Bug 952606 https://bugzilla.suse.com/959243 SUSE Bug 959243 NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network. CVE-2015-7973 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.3 AV:A/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7973.html CVE-2015-7973 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962995 SUSE Bug 962995 NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." CVE-2015-7974 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.1 AV:N/AC:H/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7974.html CVE-2015-7974 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962960 SUSE Bug 962960 https://bugzilla.suse.com/962995 SUSE Bug 962995 The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not properly validate the length of its input, which allows an attacker to cause a denial of service (application crash). CVE-2015-7975 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4 AV:L/AC:H/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7975.html CVE-2015-7975 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962988 SUSE Bug 962988 https://bugzilla.suse.com/962995 SUSE Bug 962995 The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename. CVE-2015-7976 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4 AV:N/AC:L/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7976.html CVE-2015-7976 https://bugzilla.suse.com/962802 SUSE Bug 962802 https://bugzilla.suse.com/962995 SUSE Bug 962995 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command. CVE-2015-7977 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7977.html CVE-2015-7977 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962970 SUSE Bug 962970 https://bugzilla.suse.com/962995 SUSE Bug 962995 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list. CVE-2015-7978 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7978.html CVE-2015-7978 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962970 SUSE Bug 962970 https://bugzilla.suse.com/962995 SUSE Bug 962995 https://bugzilla.suse.com/963000 SUSE Bug 963000 NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client. CVE-2015-7979 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 5.8 AV:N/AC:M/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-7979.html CVE-2015-7979 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962784 SUSE Bug 962784 https://bugzilla.suse.com/962995 SUSE Bug 962995 https://bugzilla.suse.com/977459 SUSE Bug 977459 https://bugzilla.suse.com/982065 SUSE Bug 982065 NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero. CVE-2015-8138 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8138.html CVE-2015-8138 https://bugzilla.suse.com/951608 SUSE Bug 951608 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/963002 SUSE Bug 963002 https://bugzilla.suse.com/974668 SUSE Bug 974668 https://bugzilla.suse.com/977446 SUSE Bug 977446 The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values. CVE-2015-8158 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-8158.html CVE-2015-8158 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/962966 SUSE Bug 962966 An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. CVE-2016-1547 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1547.html CVE-2016-1547 https://bugzilla.suse.com/962784 SUSE Bug 962784 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977459 SUSE Bug 977459 https://bugzilla.suse.com/982064 SUSE Bug 982064 https://bugzilla.suse.com/982065 SUSE Bug 982065 An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. CVE-2016-1548 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 6.4 AV:N/AC:L/Au:N/C:N/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1548.html CVE-2016-1548 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977461 SUSE Bug 977461 https://bugzilla.suse.com/982068 SUSE Bug 982068 A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock. CVE-2016-1549 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1549.html CVE-2016-1549 https://bugzilla.suse.com/1083424 SUSE Bug 1083424 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977451 SUSE Bug 977451 An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. CVE-2016-1550 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:L/AC:H/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1550.html CVE-2016-1550 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977464 SUSE Bug 977464 ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker. CVE-2016-1551 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1551.html CVE-2016-1551 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977450 SUSE Bug 977450 NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive. CVE-2016-2516 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2516.html CVE-2016-2516 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977452 SUSE Bug 977452 NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression. CVE-2016-2517 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.9 AV:N/AC:H/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2517.html CVE-2016-2517 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977455 SUSE Bug 977455 The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value. CVE-2016-2518 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.1 AV:N/AC:H/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2518.html CVE-2016-2518 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977457 SUSE Bug 977457 ntpd in NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (ntpd abort) by a large request data value, which triggers the ctl_getitem function to return a NULL value. CVE-2016-2519 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 4.9 AV:N/AC:H/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-2519.html CVE-2016-2519 https://bugzilla.suse.com/959243 SUSE Bug 959243 https://bugzilla.suse.com/977446 SUSE Bug 977446 https://bugzilla.suse.com/977458 SUSE Bug 977458 ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. CVE-2016-4953 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4953.html CVE-2016-4953 https://bugzilla.suse.com/962784 SUSE Bug 962784 https://bugzilla.suse.com/977459 SUSE Bug 977459 https://bugzilla.suse.com/982056 SUSE Bug 982056 https://bugzilla.suse.com/982065 SUSE Bug 982065 The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. CVE-2016-4954 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4954.html CVE-2016-4954 https://bugzilla.suse.com/982056 SUSE Bug 982056 https://bugzilla.suse.com/982066 SUSE Bug 982066 ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. CVE-2016-4955 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4955.html CVE-2016-4955 https://bugzilla.suse.com/982056 SUSE Bug 982056 https://bugzilla.suse.com/982067 SUSE Bug 982067 ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. CVE-2016-4956 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.6 AV:N/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4956.html CVE-2016-4956 https://bugzilla.suse.com/977461 SUSE Bug 977461 https://bugzilla.suse.com/982056 SUSE Bug 982056 https://bugzilla.suse.com/982068 SUSE Bug 982068 ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-1547. CVE-2016-4957 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4957.html CVE-2016-4957 https://bugzilla.suse.com/977459 SUSE Bug 977459 https://bugzilla.suse.com/982056 SUSE Bug 982056 https://bugzilla.suse.com/982064 SUSE Bug 982064 NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address. CVE-2016-7426 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 1 AV:L/AC:H/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7426.html CVE-2016-7426 https://bugzilla.suse.com/1011406 SUSE Bug 1011406 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet. CVE-2016-7427 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.9 AV:A/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7427.html CVE-2016-7427 https://bugzilla.suse.com/1011390 SUSE Bug 1011390 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet. CVE-2016-7428 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 2.9 AV:A/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7428.html CVE-2016-7428 https://bugzilla.suse.com/1011417 SUSE Bug 1011417 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 NTP before 4.2.8p9 changes the peer structure to the interface it receives the response from a source, which allows remote attackers to cause a denial of service (prevent communication with a source) by sending a response for a source to an interface the source does not use. CVE-2016-7429 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 1 AV:L/AC:H/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7429.html CVE-2016-7429 https://bugzilla.suse.com/1011404 SUSE Bug 1011404 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression. CVE-2016-7431 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7431.html CVE-2016-7431 https://bugzilla.suse.com/1011395 SUSE Bug 1011395 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion." CVE-2016-7433 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 1.2 AV:L/AC:H/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7433.html CVE-2016-7433 https://bugzilla.suse.com/1011411 SUSE Bug 1011411 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query. CVE-2016-7434 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 3.8 AV:L/AC:H/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-7434.html CVE-2016-7434 https://bugzilla.suse.com/1011398 SUSE Bug 1011398 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to set or unset traps via a crafted control mode packet. CVE-2016-9310 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9310.html CVE-2016-9310 https://bugzilla.suse.com/1011377 SUSE Bug 1011377 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330 ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted packet. CVE-2016-9311 openSUSE Tumbleweed:ntp-4.2.8p9-1.1 openSUSE Tumbleweed:ntp-doc-4.2.8p9-1.1 moderate 7.8 AV:N/AC:M/Au:N/C:P/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-9311.html CVE-2016-9311 https://bugzilla.suse.com/1011377 SUSE Bug 1011377 https://bugzilla.suse.com/1011421 SUSE Bug 1011421 https://bugzilla.suse.com/1012330 SUSE Bug 1012330