
Fedora 20: Update 2015-5874 Critical NTP Security Fix for DoS Attacks

fedora
April 22, 2015
Important patch resolves several Denial of Service risks in ntp for Fedora 20. Implement this security upgrade for improved safeguarding.
Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

Summary

The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon.

Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation is in the ntp-doc package.

Update Information:

Security fix for CVE-2015-1799, CVE-2015-1798, #1210324

Change Log

* Tue Apr 14 2015 Miroslav Lichvar 4.2.6p5-22
- fix generation of MD5 keys with ntp-keygen on big-endian systems (#1210324)

* Wed Apr 8 2015 Miroslav Lichvar 4.2.6p5-21
- reject packets without MAC when authentication is enabled (CVE-2015-1798)
- protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799)

* Thu Feb 5 2015 Miroslav Lichvar 4.2.6p5-20
- validate lengths of values in extension fields (CVE-2014-9297)
- drop packets with spoofed source address ::1 (CVE-2014-9298)

* Fri Dec 19 2014 Miroslav Lichvar 4.2.6p5-19
- don't generate weak control key for resolver (CVE-2014-9293)
- don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
- fix buffer overflows via specially-crafted packets (CVE-2014-9295)
- don't mobilize passive association when authentication fails (CVE-2014-9296)

* Mon Dec 9 2013 Miroslav Lichvar 4.2.6p5-18
- fix calculation of root dispersion (#1037981)
- refresh peers on routing updates (#1028176)
- drop patch allowing -p and -u options to be used twice (#639101)
- remove unnecessary IPv6 restrict line from default ntp.conf
- replace hardening build flags with _hardened_build

References


[ 1 ] Bug #1199435 - CVE-2015-1799 ntp: authentication doesn't protect symmetric associations against DoS attacks
      https://bugzilla.redhat.com/show_bug.cgi?id=1199435
[ 2 ] Bug #1199430 - CVE-2015-1798 ntp: ntpd accepts unauthenticated packets with symmetric key crypto
      https://bugzilla.redhat.com/show_bug.cgi?id=1199430
[ 3 ] Bug #1210324 - ntp: ntp-keygen may generate non-random symmetric keys on big-endian systems
      https://bugzilla.redhat.com/show_bug.cgi?id=1210324

Update Instructions

This update can be installed with the "yum" update program. Use su -c 'yum update ntp' at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
critical

Name: ntp
Product: Fedora 20
Version: 4.2.6p5
Release: 22.fc20
Summary: The NTP daemon and utilities
