Revisions of ntp
Dominique Leuenberger (dimstar_suse)
accepted
request 700033
from
Martin Pluskal (pluskalm)
(revision 119)
Dominique Leuenberger (dimstar_suse)
accepted
request 684184
from
Reinhard Max (rmax)
(revision 118)
- Update ro 4.2.8p13
* CVE-2019-8936, bsc#1128525: Crafted null dereference attack in
authenticated mode 6 packet.
* Fix several bugs in the BANCOMM reclock driver.
* Fix ntp_loopfilter.c snprintf compilation warnings.
* Fix spurious initgroups() error message.
* Fix STA_NANO struct timex units.
* Fix GPS week rollover in libparse.
* Fix incorrect poll interval in packet.
* Add a missing check for ENABLE_CMAC.
- Drop use of $FIRST_ARG in ntp.spec
The use of $FIRST_ARG was probably required because of the
%service_* rpm macros were playing tricks on the shell positional
parameters. This is bad practice and error prones so let's assume
that no macros should do that anymore and hence it's safe to assume
that positional parameters remains unchanged after any rpm macro
call.
Dominique Leuenberger (dimstar_suse)
accepted
request 657615
from
Reinhard Max (rmax)
(revision 117)
Dominique Leuenberger (dimstar_suse)
accepted
request 640670
from
Reinhard Max (rmax)
(revision 116)
- Update to 4.2.8p12
* CVE-2018-12327, bsc#1098531: fixed stack buffer overflow in
the openhost() command-line call of NTPQ/NTPDC.
* Add further tweaks to improve the fix for CVE-2018-7170,
bsc#1083424.
* ntp-usrgrp-resolver.patch was integrated upstream.
- Don't run autoreconf anymore and remove all related hacks and
BuildRequires.
Dominique Leuenberger (dimstar_suse)
accepted
request 601632
from
Reinhard Max (rmax)
(revision 115)
- Refactor the key handling in %post so that it does not overwrite user settings (bsc#1036505) and is more robust against ignored SIGPIPE (bsc#1090564).
Dominique Leuenberger (dimstar_suse)
accepted
request 592537
from
Martin Pluskal (pluskalm)
(revision 114)
Dominique Leuenberger (dimstar_suse)
accepted
request 586702
from
Reinhard Max (rmax)
(revision 113)
- Update to 4.2.8p11 (bsc#1082210):
* CVE-2016-1549: Sybil vulnerability: ephemeral association
attack. While fixed in ntp-4.2.8p7, there are significant
additional protections for this issue in 4.2.8p11.
* CVE-2018-7182, bsc#1083426: ctl_getitem(): buffer read overrun
leads to undefined behavior and information leak.
* CVE-2018-7170, bsc#1083424: Multiple authenticated ephemeral
associations.
* CVE-2018-7184, bsc#1083422: Interleaved symmetric mode cannot
recover from bad state.
* CVE-2018-7185, bsc#1083420: Unauthenticated packet can reset
authenticated interleaved association.
* CVE-2018-7183, bsc#1083417: ntpq:decodearr() can write beyond
its buffer limit.
* Obsoletes these patches: ntp-sntp-a.patch, ntp-warnings.patch
- Remove dead code from conf.start-ntpd (bsc#1082063).
- Don't use libevent's cached time stamps in sntp.
(bsc#1077445, ntp-sntp-libevent.patch)
Dominique Leuenberger (dimstar_suse)
accepted
request 561845
from
Factory Maintainer (factory-maintainer)
(revision 112)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 545184
from
Reinhard Max (rmax)
(revision 111)
Yuchen Lin (maxlin_factory)
accepted
request 486156
from
Reinhard Max (rmax)
(revision 110)
- Enable experimental leap smearing (fate#321003).
See /usr/share/doc/packages/ntp/README.leapsmear for details.
- Fix spelling and default values in conf.sysconfig.ntp
- Update to 4.2.8p10 (bsc#1030050):
* Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP:
Denial of Service via Malformed Config
* Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP:
Buffer Overflow in DPTS Clock
* Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP:
Authenticated DoS via Malicious Config Option
* Sec 3386: NTP-01-011 NTP:
ntpq_stripquotes() returns incorrect Value
* Sec 3385: NTP-01-010 NTP:
ereallocarray()/eallocarray() underused
* Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code
* Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver
* Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP:
Potential Overflows in ctl_put() functions
* Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003
Improper use of snprintf() in mx4200_send()
* Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002
Buffer Overflow in ntpq when fetching reslist
* Sec 3376: NTP-01-001 Makefile does not enforce Security Flags
* Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin (zero origin) DoS.
* [Bug 3393] clang scan-build findings
* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
* [Bug 3356] Bugfix 3072 breaks multicastclient
* [Bug 3173] forking async worker: interrupted pipe I/O
Dominique Leuenberger (dimstar_suse)
accepted
request 480781
from
Factory Maintainer (factory-maintainer)
(revision 109)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 461929
from
Reinhard Max (rmax)
(revision 108)
- Move ntp-kod to /var/lib/ntp/db, because /var/db is not a standard directory and causes problems for transactional updates (ntp-move-kod-file.patch) - Remove 50-ntp.list (bsc#1011919). - Use system-wide libevent instead of local copy. - Simplify ntpd's search for its own executable to prevent AppArmor warnings (bsc#956365, ntp-pathfind.patch).
Dominique Leuenberger (dimstar_suse)
accepted
request 441452
from
Reinhard Max (rmax)
(revision 107)
- Update to 4.2.8p9:
* CVE-2016-9311: Trap crash.
* CVE-2016-9310: Mode 6 unauthenticated trap information
disclosure and DDoS vector.
* CVE-2016-7427: Broadcast Mode Replay Prevention DoS.
* CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS.
* CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp
Bypass.
* CVE-2016-7434: Null pointer dereference in
_IO_str_init_static_internal().
* CVE-2016-7429: Interface selection attack.
* CVE-2016-7426: Client rate limiting and server responses.
* CVE-2016-7433: Reboot sync calculation problem.
* Fix a spurious error message (obsoletes ntp-sigchld.patch).
* Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog.
- Fix a regression in "trap" (bsc#981252, ntp-trap.patch).
- Reduce the number of netlink groups to listen on for changes to
the local network setup (bsc#992606, ntp-netlink.patch).
- Fix segfault in "sntp -a" (bnc#1009434, ntp-sntp-a.patch).
- Silence an OpenSSL version warning (bsc#992038,
ntp-openssl-version.patch).
Dominique Leuenberger (dimstar_suse)
accepted
request 434567
from
Factory Maintainer (factory-maintainer)
(revision 106)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 430705
from
Factory Maintainer (factory-maintainer)
(revision 105)
Automatic submission by obs-autosubmit
Dominique Leuenberger (dimstar_suse)
accepted
request 425845
from
Dominique Leuenberger (dimstar_suse)
(revision 104)
Revert the last patch - this seems totally broken when running ntp in a chroot
Dominique Leuenberger (dimstar_suse)
accepted
request 423960
from
Martin Pluskal (pluskalm)
(revision 103)
1
Dominique Leuenberger (dimstar_suse)
accepted
request 400540
from
Reinhard Max (rmax)
(revision 102)
- Keep the parent process alive until the daemon has finished
initialisation, to make sure that the PID file exists when the
parent returns (ntp-daemonize.patch).
- Update to 4.2.8p8 (bsc#982056):
* CVE-2016-4953, bsc#982065: Bad authentication demobilizes
ephemeral associations.
* CVE-2016-4954, bsc#982066: Processing spoofed server packets.
* CVE-2016-4955, bsc#982067: Autokey association reset.
* CVE-2016-4956, bsc#982068: Broadcast interleave.
* CVE-2016-4957, bsc#982064: CRYPTO_NAK crash.
- Change the process name of the forking DNS worker process to
avoid the impression that ntpd is started twice.
(bsc#979302, ntp-processname.patch).
- Don't ignore SIGCHILD because it breaks wait()
(boo#981422, ntp-sigchld.patch).
- ntp-wait does not accept fractional seconds, so use 1 instead of
0.2 in ntp-wait.service (boo#979981).
- Separate the creation of ntp.keys and key #1 in it to avoid
problems when upgrading installations that have the file, but
no key #1, which is needed e.g. by "rcntp addserver".
- Fix the TZ offset output of sntp during DST.
(bsc#951559, ntp-sntp-dst.patch)
- Add /var/db/ntp-kod (bsc#916617).
- Add ntp-ENOBUFS.patch to limit a warning that might happen
quite a lot on loaded systems (bsc#956773).
- Don't wait for 11 minutes to restart ntpd when it has died
(boo#894031).
- Update to 4.2.8p7 (bsc#977446):
* CVE-2016-1547, bsc#977459:
Dominique Leuenberger (dimstar_suse)
accepted
request 370038
from
Reinhard Max (rmax)
(revision 101)
- CVE-2015-8158, bsc#962966: potential infinite loop in ntpq
- CVE-2015-8138, bsc#963002: Zero Origin Timestamp Bypass
- CVE-2015-7978, bsc#963000: Stack exhaustion in recursive
traversal of restriction list.
- CVE-2015-7979, bsc#962784: off-path denial of service on
authenticated broadcast mode
- CVE-2015-7977, bsc#962970: restriction list NULL pointer
dereference
- CVE-2015-7976, bsc#962802: 'ntpq saveconfig' command allows
dangerous characters in filenames
- CVE-2015-7975, bsc#962988: nextvar() missing length check in ntpq
- CVE-2015-7974, bsc#962960: Missing key check allows impersonation
between authenticated peers
- CVE-2015-7973, bsc#962995: replay attack on authenticated
broadcast mode
- CVE-2015-5300, bsc#951629: MITM attacker can force ntpd to make
a step larger than the panic threshold
- update to 4.2.8p6
* fixes low- and medium-severity vulnerabilities
4.2.8p6: CVE-2015-8158 CVE-2015-8138 CVE-2015-7978
CVE-2015-7979 CVE-2015-7977 CVE-2015-7976 CVE-2015-7975
CVE-2015-7974 CVE-2015-7973
4.2.8p5: CVE-2015-5300
* bug fixes
----------------------- --------------------------------------------
Dominique Leuenberger (dimstar_suse)
accepted
request 354703
from
Reinhard Max (rmax)
(revision 100)
1
Displaying revisions 21 - 40 of 139
