Environment
Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW
Situation
A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication) and ctl_putdata() were updated to avoid buffer overflows that could be exploited. (CVE-2014-9295 / VU#852879)
Resolution
Apply the latest ntp patch to address this security issue.
NTP version 4.2.4p8 or later
The date of the patch should be Friday Dec 19th 2014 or later
Example: applying the patch and viewing the patch information on OES11SP2/SLES11SP3
To apply the patch:
zypper up -t patch slessp3-ntp
Loading repository data...
Reading installed packages...
Resolving package dependencies...
The following NEW patch is going to be installed:
slessp3-ntp
The following package is going to be upgraded:
ntp
1 package to upgrade.
Overall download size: 464.0 KiB. No additional space will be used or freed after the operation.
Continue? [y/n/? shows all options] (y): y
Retrieving package ntp-4.2.4p8-1.28.1.x86_64 (1/1), 464.0 KiB (1.6 MiB unpacked)
Retrieving: ntp-4.2.4p8-1.28.1.x86_64.rpm [done]
Installing: ntp-4.2.4p8-1.28.1 [done]
Additional rpm output:
Updating etc/sysconfig/ntp...
Updating etc/sysconfig/syslog...
To view the patch info:
zypper patch-info slessp3-ntp
Information for patch slessp3-ntp:
Name: slessp3-ntp
Version: 10117
Arch: noarch
Vendor: maint-coord@suse.de
Status: Needed
Category: security
Created On: Fri Dec 19 13:49:40 2014
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for ntp
Description:
This ntp update fixes the following critical security issue:
* A potential remote code execution problem was found inside ntpd. The
functions crypto_recv() (when using autokey authentication) and
ctl_putdata() where updated to avoid buffer overflows that could have
been exploited. (CVE-2014-9295 / VU#852879)
Security Issues:
* CVE-2014-9295
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295>
Provides:
patch:slessp3-ntp == 10117
Conflicts:
ntp.x86_64 < 4.2.4p8-1.28.1
ntp-doc.x86_64 < 4.2.4p8-1.28.1
For OES2SP3 the package is xntp.
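A post-patch check for the SLES11SP3 case above, as an added example that is not part of the original TID or of the ntp package. It compares an installed ntp build against 4.2.4p8-1.28.1 from the "Conflicts:" lines and reports whether ntp.conf enables autokey; that flag is informational only, since ctl_putdata() is listed without the autokey condition. The function names, the sample ntp.conf and the older build string are constructed, and sort -V is assumed as a stand-in for rpm's version comparison.

```shell
#!/bin/sh
# Added example (not from the original TID): post-patch check for CVE-2014-9295.
# FIXED is the ntp build from the "Conflicts:" line of the slessp3-ntp patch
# info, so this applies to OES11SP2/SLES11SP3 only.
FIXED="4.2.4p8-1.28.1"

# ntp_is_fixed VERSION-RELEASE: exit 0 when the build is FIXED or newer.
# Assumption: sort -V ordering stands in for rpm's own version comparison,
# which is adequate for ntp strings of the form 4.2.4p8-1.28.1.
ntp_is_fixed() {
    [ -n "$1" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# uses_autokey: reads ntp.conf text on stdin; exit 0 when an uncommented
# "crypto" directive or an "autokey" association option is present
# (autokey is the condition the advisory gives for crypto_recv()).
uses_autokey() {
    grep -Eq '^[[:space:]]*(crypto([[:space:]]|$)|(server|peer|broadcast|manycastclient)[[:space:]].*[[:space:]]autokey([[:space:]]|$))'
}

# report VERSION-RELEASE < ntp.conf: prints one status line.
report() {
    if ntp_is_fixed "$1"; then state="PATCHED"; else state="NEEDS-PATCH"; fi
    if uses_autokey; then ak="on"; else ak="off"; fi
    echo "$state ntp-$1 autokey=$ak"
}

# Constructed sample ntp.conf (hypothetical host names and password).
sample_conf() {
    cat <<'EOF'
server 0.pool.example iburst
#crypto pw disabled
crypto pw examplepw
server ntp1.example autokey
EOF
}

# Constructed version strings: 1.22.1 is a made-up older build.
sample_conf | report "4.2.4p8-1.22.1"
sample_conf | report "4.2.4p8-1.28.1"

# On a live host:
#   report "$(rpm -q --qf '%{VERSION}-%{RELEASE}' ntp)" < /etc/ntp.conf
```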
Additional Information
To apply the patch on versions other than SLES 11 SP3, change the version in the patch name.
Example:
To apply the patch on OES11SP1/SLES11SP2:
zypper up -t patch slessp2-ntp
To apply the patch on OES11/SLES11SP1:
zypper up -t patch slessp1-ntp