Security update for ntp
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2015:0274-1
Final
1
1
2015-02-10T07:37:15Z
current
2015-02-10T07:37:15Z
2015-02-10T07:37:15Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
ntp was updated to fix four security issues.
These security issues were fixed:
- CVE-2014-9294: util/ntp-keygen.c in ntp-keygen used a weak RNG seed, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764 911792).
- CVE-2014-9293: The config_auth function in ntpd, when an auth key was not configured, improperly generated a key, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack (bnc#910764 911792).
- CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses could be bypassed (bnc#911792).
- CVE-2014-9297: Information leak by not properly checking a length in several places in ntp_crypto.c (bnc#911792).
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
SUSE-SLE-DESKTOP-12-2015-70,SUSE-SLE-SERVER-12-2015-70
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2015/suse-su-20150274-1/
Link for SUSE-SU-2015:0274-1
https://lists.suse.com/pipermail/sle-security-updates/2015-February/001220.html
E-Mail link for SUSE-SU-2015:0274-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/910764
SUSE Bug 910764
https://bugzilla.suse.com/911792
SUSE Bug 911792
https://www.suse.com/security/cve/CVE-2014-9293/
SUSE CVE CVE-2014-9293 page
https://www.suse.com/security/cve/CVE-2014-9294/
SUSE CVE CVE-2014-9294 page
https://www.suse.com/security/cve/CVE-2014-9297/
SUSE CVE CVE-2014-9297 page
https://www.suse.com/security/cve/CVE-2014-9298/
SUSE CVE CVE-2014-9298 page
SUSE Linux Enterprise Desktop 12
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server for SAP Applications 12
ntp-4.2.6p5-37.2
ntp-doc-4.2.6p5-37.2
ntp-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Desktop 12
ntp-doc-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Desktop 12
ntp-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Server 12
ntp-doc-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Server 12
ntp-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12
ntp-doc-4.2.6p5-37.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
CVE-2014-9293
SUSE Linux Enterprise Desktop 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Desktop 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-doc-4.2.6p5-37.2
important
To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20150274-1/
https://www.suse.com/security/cve/CVE-2014-9293.html
CVE-2014-9293
https://bugzilla.suse.com/910764
SUSE Bug 910764
https://bugzilla.suse.com/911053
SUSE Bug 911053
https://bugzilla.suse.com/911792
SUSE Bug 911792
https://bugzilla.suse.com/959243
SUSE Bug 959243
util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
CVE-2014-9294
SUSE Linux Enterprise Desktop 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Desktop 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-doc-4.2.6p5-37.2
important
To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20150274-1/
https://www.suse.com/security/cve/CVE-2014-9294.html
CVE-2014-9294
https://bugzilla.suse.com/910764
SUSE Bug 910764
https://bugzilla.suse.com/911053
SUSE Bug 911053
https://bugzilla.suse.com/911792
SUSE Bug 911792
https://bugzilla.suse.com/959243
SUSE Bug 959243
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2014-9297
SUSE Linux Enterprise Desktop 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Desktop 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-doc-4.2.6p5-37.2
important
To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20150274-1/
https://www.suse.com/security/cve/CVE-2014-9297.html
CVE-2014-9297
https://bugzilla.suse.com/911792
SUSE Bug 911792
https://bugzilla.suse.com/948963
SUSE Bug 948963
https://bugzilla.suse.com/959243
SUSE Bug 959243
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-9750, CVE-2014-9751. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2014-9750 and CVE-2014-9751 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2014-9298
SUSE Linux Enterprise Desktop 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Desktop 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server 12:ntp-doc-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-4.2.6p5-37.2
SUSE Linux Enterprise Server for SAP Applications 12:ntp-doc-4.2.6p5-37.2
important
To install this SUSE Security Update, use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2015/suse-su-20150274-1/
https://www.suse.com/security/cve/CVE-2014-9298.html
CVE-2014-9298
https://bugzilla.suse.com/911792
SUSE Bug 911792
https://bugzilla.suse.com/948963
SUSE Bug 948963
https://bugzilla.suse.com/959243
SUSE Bug 959243