libntpc1-1.2.1-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11103-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libntpc1-1.2.1-1.2 on GA media These are all security issues fixed in the libntpc1-1.2.1-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11103 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-7182/ SUSE CVE CVE-2018-7182 page https://www.suse.com/security/cve/CVE-2019-6442/ SUSE CVE CVE-2019-6442 page https://www.suse.com/security/cve/CVE-2019-6443/ SUSE CVE CVE-2019-6443 page https://www.suse.com/security/cve/CVE-2019-6445/ SUSE CVE CVE-2019-6445 page https://www.suse.com/security/cve/CVE-2021-22212/ SUSE CVE CVE-2021-22212 page openSUSE Tumbleweed libntpc1-1.2.1-1.2 ntpsec-1.2.1-1.2 ntpsec-devel-1.2.1-1.2 ntpsec-doc-1.2.1-1.2 ntpsec-utils-1.2.1-1.2 python3-ntp-1.2.1-1.2 libntpc1-1.2.1-1.2 as a component of openSUSE Tumbleweed ntpsec-1.2.1-1.2 as a component of openSUSE Tumbleweed ntpsec-devel-1.2.1-1.2 as a component of openSUSE Tumbleweed ntpsec-doc-1.2.1-1.2 as a component of openSUSE Tumbleweed ntpsec-utils-1.2.1-1.2 as a component of openSUSE Tumbleweed python3-ntp-1.2.1-1.2 as a component of openSUSE Tumbleweed The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. CVE-2018-7182 openSUSE Tumbleweed:libntpc1-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-devel-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-doc-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-utils-1.2.1-1.2 openSUSE Tumbleweed:python3-ntp-1.2.1-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7182.html CVE-2018-7182 https://bugzilla.suse.com/1082210 SUSE Bug 1082210 https://bugzilla.suse.com/1083426 SUSE Bug 1083426 https://bugzilla.suse.com/1087324 SUSE Bug 1087324 An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can write one byte out of bounds in ntpd via a malformed config request, related to config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and yyerror in ntp_parser.y. CVE-2019-6442 openSUSE Tumbleweed:libntpc1-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-devel-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-doc-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-utils-1.2.1-1.2 openSUSE Tumbleweed:python3-ntp-1.2.1-1.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6442.html CVE-2019-6442 https://bugzilla.suse.com/1122132 SUSE Bug 1122132 An issue was discovered in NTPsec before 1.1.3. Because of a bug in ctl_getitem, there is a stack-based buffer over-read in read_sysvars in ntp_control.c in ntpd. CVE-2019-6443 openSUSE Tumbleweed:libntpc1-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-devel-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-doc-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-utils-1.2.1-1.2 openSUSE Tumbleweed:python3-ntp-1.2.1-1.2 moderate 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6443.html CVE-2019-6443 https://bugzilla.suse.com/1122144 SUSE Bug 1122144 An issue was discovered in NTPsec before 1.1.3. An authenticated attacker can cause a NULL pointer dereference and ntpd crash in ntp_control.c, related to ctl_getitem. CVE-2019-6445 openSUSE Tumbleweed:libntpc1-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-devel-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-doc-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-utils-1.2.1-1.2 openSUSE Tumbleweed:python3-ntp-1.2.1-1.2 moderate 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-6445.html CVE-2019-6445 https://bugzilla.suse.com/1122131 SUSE Bug 1122131 ntpkeygen can generate keys that ntpd fails to parse. NTPsec 1.2.0 allows ntpkeygen to generate keys with '#' characters. ntpd then either pads, shortens the key, or fails to load these keys entirely, depending on the key type and the placement of the '#'. This results in the administrator not being able to use the keys as expected or the keys are shorter than expected and easier to brute-force, possibly resulting in MITM attacks between ntp clients and ntp servers. For short AES128 keys, ntpd generates a warning that it is padding them. CVE-2021-22212 openSUSE Tumbleweed:libntpc1-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-devel-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-doc-1.2.1-1.2 openSUSE Tumbleweed:ntpsec-utils-1.2.1-1.2 openSUSE Tumbleweed:python3-ntp-1.2.1-1.2 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22212.html CVE-2021-22212 https://bugzilla.suse.com/1187088 SUSE Bug 1187088