Bug 6427 - [UPDATE REQUEST] ntp 4.2.6p5 -> 4.2.8p8
: [UPDATE REQUEST] ntp 4.2.6p5 -> 4.2.8p8
Status: VERIFIED FIXED
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
: Fresh
: All Linux
: Normal normal
: ---
Assigned To: ROSA Linux Bugs
: ROSA Linux Bugs
https://advisories.mageia.org/MGASA-2...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-09 18:14 MSK by Andrey Bondrov
Modified: 2016-09-19 14:19 MSD (History)
4 users (show)

See Also:
RPM Package: ntp
ISO-related:
Bad POT generating:
Upstream:
vladimir.potapov: qa_verified+
denis.silakov: published+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Andrey Bondrov 2015-12-09 18:14:29 MSK
New version of ntp was released.
Comment 1 Andrey Bondrov 2015-12-09 18:15:04 MSK
Advisory: "Update ntp to new version 4.2.8p4"

https://abf.rosalinux.ru/build_lists/2605154
https://abf.rosalinux.ru/build_lists/2605156
Comment 2 Denis Silakov 2015-12-28 16:26:26 MSK
*** Bug 4837 has been marked as a duplicate of this bug. ***
Comment 3 Denis Silakov 2015-12-28 16:26:37 MSK
*** Bug 5391 has been marked as a duplicate of this bug. ***
Comment 4 Vladimir Potapov 2015-12-29 18:05:21 MSK
дек 29 21:46:04 DNS-R6-X64 systemd[1]: ntpdate.service: main process exited, code=exited, status=2/INVALIDARGUMENT
дек 29 21:46:04 DNS-R6-X64 systemd[1]: Failed to start Set time via NTP.
Comment 5 Vladimir Potapov 2015-12-29 18:06:21 MSK
new ntpdate fail on start
*************************
QA Denied
Comment 6 Denis Silakov 2016-01-26 13:54:29 MSK
*** Bug 5083 has been marked as a duplicate of this bug. ***
Comment 7 Denis Silakov 2016-01-26 14:06:13 MSK
Let's try new build lists. I've returned a patch that was erroenously dropped but which is required by our ntpdate-wrapper.

Advisory: "Update ntp to new version 4.2.8p4"

Build lists:
https://abf.io/build_lists/2620653
https://abf.io/build_lists/2620654
Comment 8 Vladimir Potapov 2016-01-26 19:54:02 MSK
The update is sent to expanded testing
***************************************
Comment 9 Vladimir Potapov 2016-01-27 11:04:39 MSK
update error:

ntp-client            #####################################################################
ERROR: 'script' failed for ntp-client-4.2.8p4-2-rosa2014.1.i586: 
error: %post(ntp-client-4.2.8p4-2.i586) scriptlet failed, exit status 1
Comment 10 Zombie Ryushu 2016-01-29 20:43:13 MSK
An addditional security vulnerability has appeared. This needs to go to back to  expanded testing. 
In ntpd before 4.2.8p6, when used with symmetric key encryption, the
client would accept packets encrypted with keys for any configured server,
allowing a server to impersonate other servers to clients, thus performing
a man-in-the-middle attack. A server can be attacked by a client in a
similar manner (CVE-2015-7974).

A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7977).

A stack-based buffer overflow was found in the way ntpd processed 'ntpdc
reslist' commands that queried restriction lists with a large amount of
entries. A remote attacker could use this flaw to crash the ntpd process
(CVE-2015-7978).

It was found that when NTP is configured in broadcast mode, an off-path
attacker could broadcast packets with bad authentication (wrong key,
mismatched key, incorrect MAC, etc) to all clients. The clients, upon
receiving the malformed packets, would break the association with the
broadcast server. This could cause the time on affected clients to become
out of sync over a longer period of time (CVE-2015-7979).

A faulty protection against spoofing and replay attacks allows an attacker
to disrupt synchronization with kiss-of-death packets, take full control
of the clock, or cause ntpd to crash (CVE-2015-8138).

A flaw was found in the way the ntpq client certain processed incoming
packets in a loop in the getresponse() function. A remote attacker could
potentially use this flaw to crash an ntpq client instance
(CVE-2015-8158).

The ntp package has been patched to fix these issues and a few other bugs.

Note that there are still some unfixed issues.  Two of those issues,
CVE-2015-8139 and CVE-2015-8140, are vulnerabilities to spoofing and
replay attacks that can be mitigated by either adding the noquery option
to all restrict entries in ntp.conf, configuring ntpd to get time from
multiple sources, or using a restriction list to limit who is allowed to
issue ntpq and ntpdc queries.

Additionally, the other unfixed issues can also be mitigated.
CVE-2015-7973, a replay attack issue, can be mitigated by not using
broadcast mode, and CVE-2015-7976, a bug that can cause globbing issues
on the server, can be mitigated by restricting use of the "saveconfig"
command with the "restrict nomodify" directive.

Please update to 4.2.8p6
Comment 11 Алзим 2016-08-24 15:38:05 MSD
Advisory: «Update ntp to new version 4.2.8p8»

Build lists:
https://abf.io/build_lists/2709256
https://abf.io/build_lists/2709257
Comment 12 Vladimir Potapov 2016-09-09 17:14:49 MSD
Please, add in /lib/systemd/system/ntpdate.service
network-online.target
to "After"
After=syslog.target network.target nss-lookup.target
from
After=syslog.target network-online.target nss-lookup.target

to correct start.
Comment 13 Vladimir Potapov 2016-09-09 17:19:10 MSD
(In reply to comment #12)
> Please, add in /lib/systemd/system/ntpdate.service
> network-online.target
> to "After"
> After=syslog.target network.target nss-lookup.target
> from
> After=syslog.target network-online.target nss-lookup.target
> 
> to correct start.

from
After=syslog.target network.target nss-lookup.target
to
After=syslog.target network-online.target nss-lookup.target
Comment 14 Andrey Bondrov 2016-09-09 17:46:46 MSD
(In reply to comment #12)
> Please, add in /lib/systemd/system/ntpdate.service

Advisory: "Update ntp to new version 4.2.8p8. Start ntpdate service after network-online.target, not after network.target"

https://abf.rosalinux.ru/build_lists/2712319
https://abf.rosalinux.ru/build_lists/2712320
Comment 15 Vladimir Potapov 2016-09-13 12:26:21 MSD
The update is sent to expanded testing
****************************************
Comment 16 Vladimir Potapov 2016-09-19 14:02:31 MSD
ntp-4.2.8p8-2
https://abf.rosalinux.ru/build_lists/2712319
https://abf.rosalinux.ru/build_lists/2712320
************************* Advisory *********************
Update ntp to new version 4.2.8p8, fix (CVE-2015-7974), (CVE-2015-7977), (CVE-2015-7978), (CVE-2015-7979), (CVE-2015-8138),  . Start ntpdate service after network-online.target, not after network.target
********************************************************
QA Verified