ntp-4.2.6p5-22.2.0.1.el7.AXS7
Errata ID: AXSA:2016-476:01
The Network Time Protocol (NTP) is used to synchronize a computer's
time with another reference time source. This package includes ntpd
(a daemon which continuously adjusts system time) and utilities used
to query and configure the ntpd daemon.
Perl scripts ntp-wait and ntptrace are in the ntp-perl package,
ntpdate is in the ntpdate package and sntp is in the sntp package.
The documentation is in the ntp-doc package.
Security issues fixed with this release:
CVE-2015-7979
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1547
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1548
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-1550
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-2518
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Update packages.
NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.
An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.
An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.
An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key.
The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.
N/A
SRPMS
- ntp-4.2.6p5-22.2.0.1.el7.AXS7.src.rpm
MD5: 35ba9c2592b3a5700c23e2fc9e65c798
SHA-256: 3c18247e35792549f3943c199e3c79cd21cb4576587956cac093297dea4a51d5
Size: 4.11 MB
Asianux Server 7 for x86_64
- ntp-4.2.6p5-22.2.0.1.el7.AXS7.x86_64.rpm
MD5: 6d9b306bc5d941a63bf514413295f295
SHA-256: 750c999f4a11d4b3a653169b2ea09a08a2c1c1c23bbff7cba532161f22ca0d68
Size: 542.84 kB
- ntpdate-4.2.6p5-22.2.0.1.el7.AXS7.x86_64.rpm
MD5: bfff9d4a305701fdc9faf0862a21dc84
SHA-256: 5cd7dad9ed72a97de564a5c2968518d13cacf5187a9998f2860c97e56ace78d6
Size: 83.36 kB