Description
Security update for ntp
This update for NTP to version 4.2.8p12 fixes the following vulnerabilities (bsc#1111853):
- CVE-2018-12327: Fixed stack buffer overflow in the openhost() command-line call of NTPQ/NTPDC. (bsc#1098531)
- CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral association time spoofing additional protection (bsc#1083424)
Please also see https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for more information.
This update was imported from the SUSE:SLE-12-SP1:Update update project.
Package list
openSUSE Leap 42.3
References
- E-Mail link for openSUSE-SU-2018:3438-1
- SUSE Security Ratings
Description
Stack-based buffer overflow in ntpq and ntpdc of NTP version 4.2.8p11 allows an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source.
Affected products
References
- CVE-2018-12327
- SUSE Bug 1098531
- SUSE Bug 1107887
- SUSE Bug 1111552
- SUSE Bug 1111853
- SUSE Bug 1155513
Description
ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
Affected products
References
- CVE-2018-7170
- SUSE Bug 1082210
- SUSE Bug 1083424
- SUSE Bug 1098531
- SUSE Bug 1155513