ntp-4.2.6p5-10.0.1.AXS4

エラータID: AXSA:2016-470:02

Release date: 
Wednesday, June 8, 2016 - 09:38
Subject: 
ntp-4.2.6p5-10.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

The Network Time Protocol (NTP) is used to synchronize a computer's
time with another reference time source. This package includes ntpd
(a daemon which continuously adjusts system time) and utilities used
to query and configure the ntpd daemon.

Perl scripts ntp-wait and ntptrace are in the ntp-perl package and
the ntpdate program is in the ntpdate package. The documentation is
in the ntp-doc package.

Security issues fixed with this release:

CVE-2015-5194
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-5195
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-5219
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7691
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7692
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7701
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7702
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7703
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7852
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7977
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2015-7978
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

CVEs: 
CVE-2015-5194
The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands.
CVE-2015-5195
ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
CVE-2015-5219
The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet.
CVE-2015-7691
The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey operations. NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.
CVE-2015-7692
The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.
CVE-2015-7701
Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption).
CVE-2015-7702
The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomplete fix for CVE-2014-9750.
CVE-2015-7703
The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command.
CVE-2015-7852
ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets.
CVE-2015-7977
ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.
CVE-2015-7978
NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.
Additional Info: 

N/A

Download: 

SRPMS
  1. ntp-4.2.6p5-10.0.1.AXS4.src.rpm
    MD5: 0acdfb2c39144284e0fcf95a72d7ff9e
    SHA-256: e3cabf18ead0ab9e886253b3d2e77c48b42c934b204a7b3dd87d67ba9364d9cb
    Size: 4.11 MB

Asianux Server 4 for x86
  1. ntp-4.2.6p5-10.0.1.AXS4.i686.rpm
    MD5: 65644671c5392db8fb8062e1b0a6cfc3
    SHA-256: e0015bf3fdaf0c368b271ce7cf309fcb2cf9b5fa616736a411855d010c9c96c2
    Size: 592.05 kB
  2. ntpdate-4.2.6p5-10.0.1.AXS4.i686.rpm
    MD5: 94b166aa2f9cd8dfa766688efc1285f6
    SHA-256: a2175176a8fc1e18fdddb07cbb5a5217a561d286249a3b40292cd3c285105053
    Size: 76.78 kB

Asianux Server 4 for x86_64
  1. ntp-4.2.6p5-10.0.1.AXS4.x86_64.rpm
    MD5: b41b7909afc471e39768aeff9ef326ae
    SHA-256: 1e958dfe72a48c4856dccb4ea92e89e350836269431d453114856975a49350ec
    Size: 597.06 kB
  2. ntpdate-4.2.6p5-10.0.1.AXS4.x86_64.rpm
    MD5: 310c0c1ea5d7ea75c6debfe7ce5de633
    SHA-256: 60140d1756584418e209d0416ea56a8a4fce1fb9326aea32f5d8690aff400c29
    Size: 76.88 kB