Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found 11 articles for you...
89
security advisorysecurity updateFedoraFedora 37: NTPsec 1.2.2a Critical Security Fix for CVE-2023-4012
Security fix for CVE-2023-4012. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2023-9fa8f29bb7 2023-08-12 04:23:09.724870 -------------------------------------------------------------------------------- Name : ntpsec Product : Fedora 37 Version : 1.2.2a Release : 1.fc37 URL : https://www.ntpsec.org/ Summary : NTP daemon and utilities Description : NTPsec is a more secure and improved implementation of the Network Time Protocol derived from the original NTP project. -------------------------------------------------------------------------------- Update Information: Security fix for CVE-2023-4012 -------------------------------------------------------------------------------- ChangeLog: * Thu Aug 3 2023 Miroslav Lichvar 1.2.2a-1 - update to 1.2.2a (CVE-2023-4012) * Thu Jul 20 2023 Fedora Release Engineering - 1.2.2-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild * Wed Jun 14 2023 Python Maint - 1.2.2-3 - Rebuilt for Python 3.12 * Thu Jan 19 2023 Fedora Release Engineering - 1.2.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2023-9fa8f29bb7' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
Aug 12, 2023
•Critical
Fedora
172
security advisorydenial of serviceupdateUbuntu 20.04 & 20.10 USN-4563-2 Moderate NTP Denial Of Service
NTP could be made to crash.. =========================================================================Ubuntu Security Notice USN-4563-2 April 20, 2021 ntp vulnerability ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.10 - Ubuntu 20.04 LTS Summary: NTP could be made to crash. Software Description: - ntp: Network Time Protocol daemon and utility programs Details: USN-4563-1 fixed a vulnerability in NTP. This update provides the corresponding update for Ubuntu 20.04 LTS and Ubuntu 20.10. Original advisory details: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.10: ntp 1:4.2.8p12+dfsg-3ubuntu4.20.10.1 ntpdate 1:4.2.8p12+dfsg-3ubuntu4.20.10.1 sntp 1:4.2.8p12+dfsg-3ubuntu4.20.10.1 Ubuntu 20.04 LTS: ntp 1:4.2.8p12+dfsg-3ubuntu4.20.04.1 ntpdate 1:4.2.8p12+dfsg-3ubuntu4.20.04.1 sntp 1:4.2.8p12+dfsg-3ubuntu4.20.04.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-4563-2 https://ubuntu.com/security/notices/USN-4563-1 CVE-2019-8936 Package Information: https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p12+dfsg-3ubuntu4.20.10.1 https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p12+dfsg-3ubuntu4.20.04.1 . NTP exhibits susceptibility to failures in certain iterations of Ubuntu. Consult the security bulletin for comprehensiveinformation and necessary patches.. NTP Update, Ubuntu 20.04, Ubuntu 20.10, Denial Of Service. . LinuxSecurity.com Team
Apr 20, 2021
Ubuntu
91
security advisorygentoodata lossGentoo: GLSA-202008-23 Advisory: chrony Symlink Vulnerability Warning
A vulnerability in chrony may allow a privileged attacker to cause data loss via a symlink.. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202008-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: chrony: Symlink vulnerability Date: August 30, 2020 Bugs: #738154 ID: 202008-23 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======= A vulnerability in chrony may allow a privileged attacker to cause data loss via a symlink. Background ========= chrony is a versatile implementation of the Network Time Protocol (NTP). Affected packages ================ ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 net-misc/chrony < 3.5.1 > = 3.5.1 Description ========== It was found that chrony did not check whether its PID file was a symlink. Impact ===== A local attacker could perform symlink attack(s) to overwrite arbitrary files with root privileges. Workaround ========= There is no known workaround at this time. Resolution ========= All chrony users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose "> =net-misc/chrony-3.5.1" References ========= [ 1 ] CVE-2020-14367 https://nvd.nist.gov/vuln/detail/CVE-2020-14367 [ 2 ] chrony-3.5.1 release announcement https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html Availability =========== This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202008-23 Concerns? ======== Security isa primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Aug 30, 2020
Gentoo
98
security advisoryupdateDoSRed Hat Enterprise Linux 7: RHSA-2020-2663 Moderate: NTP DoS Risk
An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: ntp security update Advisory ID: RHSA-2020:2663-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2663 Issue date: 2020-06-23 CVE Names: CVE-2020-11868 CVE-2020-13817 ==================================================================== 1. Summary: An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - x86_64 Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64 Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch, ppc64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64 3. Description: The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es): * ntp: ntpd using highly predictable transmittimestamps could result in time change or DoS (CVE-2020-13817) * ntp: DoS on client ntpd using server mode packet (CVE-2020-11868) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing this update, the ntpd daemon will restart automatically. 5. Bugs fixed (https://bugzilla.redhat.com/): 1716665 - CVE-2020-11868 ntp: DoS on client ntpd using server mode packet 1811627 - CVE-2020-13817 ntp: ntpd using highly predictable transmit timestamps could result in time change or DoS 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: ntp-4.2.6p5-29.el7_8.2.src.rpm x86_64: ntp-4.2.6p5-29.el7_8.2.x86_64.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm ntpdate-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: ntp-doc-4.2.6p5-29.el7_8.2.noarch.rpm ntp-perl-4.2.6p5-29.el7_8.2.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm sntp-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: ntp-4.2.6p5-29.el7_8.2.src.rpm x86_64: ntp-4.2.6p5-29.el7_8.2.x86_64.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm ntpdate-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: ntp-doc-4.2.6p5-29.el7_8.2.noarch.rpm ntp-perl-4.2.6p5-29.el7_8.2.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm sntp-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux Server (v.7): Source: ntp-4.2.6p5-29.el7_8.2.src.rpm ppc64: ntp-4.2.6p5-29.el7_8.2.ppc64.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.ppc64.rpm ntpdate-4.2.6p5-29.el7_8.2.ppc64.rpm ppc64le: ntp-4.2.6p5-29.el7_8.2.ppc64le.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.ppc64le.rpm ntpdate-4.2.6p5-29.el7_8.2.ppc64le.rpm s390x: ntp-4.2.6p5-29.el7_8.2.s390x.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.s390x.rpm ntpdate-4.2.6p5-29.el7_8.2.s390x.rpm x86_64: ntp-4.2.6p5-29.el7_8.2.x86_64.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm ntpdate-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: ntp-doc-4.2.6p5-29.el7_8.2.noarch.rpm ntp-perl-4.2.6p5-29.el7_8.2.noarch.rpm ppc64: ntp-debuginfo-4.2.6p5-29.el7_8.2.ppc64.rpm sntp-4.2.6p5-29.el7_8.2.ppc64.rpm ppc64le: ntp-debuginfo-4.2.6p5-29.el7_8.2.ppc64le.rpm sntp-4.2.6p5-29.el7_8.2.ppc64le.rpm s390x: ntp-debuginfo-4.2.6p5-29.el7_8.2.s390x.rpm sntp-4.2.6p5-29.el7_8.2.s390x.rpm x86_64: ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm sntp-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: ntp-4.2.6p5-29.el7_8.2.src.rpm x86_64: ntp-4.2.6p5-29.el7_8.2.x86_64.rpm ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm ntpdate-4.2.6p5-29.el7_8.2.x86_64.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: ntp-doc-4.2.6p5-29.el7_8.2.noarch.rpm ntp-perl-4.2.6p5-29.el7_8.2.noarch.rpm x86_64: ntp-debuginfo-4.2.6p5-29.el7_8.2.x86_64.rpm sntp-4.2.6p5-29.el7_8.2.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-11868 https://access.redhat.com/security/cve/CVE-2020-13817 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPGv1 iQIVAwUBXvH1JtzjgjWX9erEAQjiuQ//ShY9pWuTl3/Djh64/sz4DRQqmQZjOxqz n1HzeCF73cqddVzg4I5R5qUwsj3m94D8jQjFw9o17bYo/VgvR3RY3EhjGpZJ27WG ++LGbh4AzMhLQn2TxaCB7mKjezE+iP+CuiPwY3pSGs3wB4zR/6wE+qF6S9Ws6Sh1 OcIHCPYntY2iq4nTVU3nsAy4JJaUQ93R6VmUPUi11t+atZVRzFU8poVW6p/52r5d FZBIQ+Y87Tm9ZBSMDi/gP30eyK5BdP/7bSWWrxfUXD882ZiyuE9EQVJLfYpM/3U9 0r40tKjAXZyF8G1y7/CgEWoxoIF40L3e2+gz06bTIGriIPPbQ1SnFv2kLQM2ebok wJvZJHqw2WOWTJwq1cBtBPxeR+gExBw5oLwBa3/KKZpubPeUa0tf1SMtRAAuZJm+ j0syeN1D5JVZnrIFHE/NhhmsuCTrPcCv5uB8M2587A9q3gDpe5cbJmG6L9uYml7+ +o4vq+7liJ14f72L+oQwf/shZteuxhXMKPLFHm49ZkFGCdz4nG5igSDrI2zY2E9u pH5ssHPasH7hLBQaX4F+kX6ZVrqySwrbUJADTIm2IxEM70/1zk9FVFyCRUkDgrMu /c3y46sEmaDz2pLOf9AuGUKTqFdjMaYudBeaxg8et3VXzavRevftg1/4F0U0KKX1 KRFf097/SzM=SE5I -----END PGP SIGNATURE----- -- RHSA-announce mailing list
Jun 23, 2020
Red Hat
89
security advisorymoderatefedoraFedora 29: 2019-f781d5c4c6 Moderate NTP DoS Security Update
Security fix for CVE-2019-8936. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-f781d5c4c6 2019-04-07 04:19:26.918259 --------------------------------------------------------------------------------Name : ntp Product : Fedora 29 Version : 4.2.8p13 Release : 1.fc29 URL : http://www.ntp.org Summary : The NTP daemon and utilities Description : The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. --------------------------------------------------------------------------------Update Information: Security fix for CVE-2019-8936 --------------------------------------------------------------------------------ChangeLog: * Thu Mar 7 2019 Miroslav Lichvar 4.2.8p13-1 - update to 4.2.8p13 (CVE-2019-8936) * Fri Feb 1 2019 Fedora Release Engineering - 4.2.8p12-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild --------------------------------------------------------------------------------References: [ 1 ] Bug #1686605 - CVE-2019-8936 ntp: Crafted null dereference attack in authenticated mode 6 packet https://bugzilla.redhat.com/show_bug.cgi?id=1686605 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-f781d5c4c6' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the FedoraProject can be found at --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Apr 07, 2019
•Important
Fedora
89
security advisoryfedoracriticalFedora 28: NTP Update 2019-694e3aa4e8 Critical Null Dereference
Security fix for CVE-2019-8936. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2019-694e3aa4e8 2019-04-07 01:47:03.754853 --------------------------------------------------------------------------------Name : ntp Product : Fedora 28 Version : 4.2.8p13 Release : 1.fc28 URL : http://www.ntp.org Summary : The NTP daemon and utilities Description : The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. --------------------------------------------------------------------------------Update Information: Security fix for CVE-2019-8936 --------------------------------------------------------------------------------ChangeLog: * Thu Mar 7 2019 Miroslav Lichvar 4.2.8p13-1 - update to 4.2.8p13 (CVE-2019-8936) * Fri Feb 1 2019 Fedora Release Engineering - 4.2.8p12-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild * Wed Aug 15 2018 Miroslav Lichvar 4.2.8p12-1 - update to 4.2.8p12 (CVE-2018-12327 CVE-2018-7170) * Fri Jul 13 2018 Fedora Release Engineering - 4.2.8p11-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild --------------------------------------------------------------------------------References: [ 1 ] Bug #1686605 - CVE-2019-8936 ntp: Crafted null dereference attack in authenticated mode 6 packet https://bugzilla.redhat.com/show_bug.cgi?id=1686605 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2019-694e3aa4e8' at the command line. Formore information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ --------------------------------------------------------------------------------_______________________________________________ package-announce mailing list --
Apr 06, 2019
•Critical
Fedora
89
security advisorybuffer overflowFedoraFedora 27: FEDORA-2018-7051d682fa Moderate: NTP Buffer Overflow
Security fix for CVE-2018-12327 and fixed fix for CVE-2018-7170.. --------------------------------------------------------------------------------Fedora Update Notification FEDORA-2018-7051d682fa 2018-09-26 20:15:42.048253 --------------------------------------------------------------------------------Name : ntp Product : Fedora 27 Version : 4.2.8p12 Release : 1.fc27 URL : http://www.ntp.org Summary : The NTP daemon and utilities Description : The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. --------------------------------------------------------------------------------Update Information: Security fix for CVE-2018-12327 and fixed fix for CVE-2018-7170. --------------------------------------------------------------------------------ChangeLog: * Wed Aug 15 2018 Miroslav Lichvar 4.2.8p12-1 - update to 4.2.8p12 (CVE-2018-12327 CVE-2018-7170) * Thu Mar 1 2018 Miroslav Lichvar 4.2.8p11-1 - update to 4.2.8p11 (CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185) - use noepeer restriction in default config --------------------------------------------------------------------------------References: [ 1 ] Bug #1593580 - CVE-2018-12327 ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution https://bugzilla.redhat.com/show_bug.cgi?id=1593580 --------------------------------------------------------------------------------This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-7051d682fa' at the command line. For more information, refer to the dnfdocumentation available at https://dnf.readthedocs.io/en/latest/command_ref.html All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at -------------------------------------------------------------------------------- _______________________________________________ package-announce mailing list --
Sep 26, 2018
•Important
Fedora
172
security advisorysecurity issueDoSUbuntu 16.04 LTS USN-3096-1 DoS Threats Resolved for NTP
Several security issues were fixed in NTP.. =========================================================================Ubuntu Security Notice USN-3096-1 October 05, 2016 ntp vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS - Ubuntu 12.04 LTS Summary: Several security issues were fixed in NTP. Software Description: - ntp: Network Time Protocol daemon and utility programs Details: Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. Anattacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Updateinstructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.3 Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 Ubuntu 12.04 LTS: ntp 1:4.2.6.p3+dfsg-1ubuntu3.11 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-3096-1 CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158, CVE-2016-0727, CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 Package Information: https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.3 https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-1ubuntu3.11 . Multiple security flaws in NTP have been addressed in Ubuntu versions 16.04, 14.04, and 12.04 to mitigate risks and bolster protection.. NTP vulnerabilities, Network Time Protocol, Ubuntu updates. . Severity: Critical. LinuxSecurity.com Team
Oct 05, 2016
•Critical
Ubuntu
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!