NTP Security update for CVE-2014-9295 / VU#852879

  • Document ID:7016020
  • Creation Date:23-Dec-2014
  • Modified Date:05-Jan-2015
    • Micro Focus Products:
      eDirectory
      Open Enterprise Server
    • SUSE Products:
      SUSE Linux Enterprise Server

Environment

Novell Open Enterprise Server 11 SP2 (OES11SP2)
Novell Open Enterprise Server 11 SP1 (OES11SP1)
Novell Open Enterprise Server 11 (OES11)
Novell Open Enterprise Server 2 SP3 (OES2SP3)
Domain Services for Windows
DSfW

Situation

A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication) and ctl_putdata() where updated to avoid buffer overflows that could be exploited. (CVE-2014-9295 / VU#852879)

Resolution

Apply the latest ntp patch to address this security issue.

NTP version 4.2.4p8 or greater
Date of the patch should be Friday Dec 19th 2014 or greater

Example to apply the patch and look at the patch information for OES11SP2/SLES11SP3

To apply the patch:
zypper up -t patch slessp3-ntp
Loading repository data...
Reading installed packages...
Resolving package dependencies...

The following NEW patch is going to be installed:
  slessp3-ntp

The following package is going to be upgraded:
  ntp

1 package to upgrade.
Overall download size: 464.0 KiB. No additional space will be used or freed after the operation.
Continue? [y/n/? shows all options] (y): y
Retrieving package ntp-4.2.4p8-1.28.1.x86_64 (1/1), 464.0 KiB (1.6 MiB unpacked)
Retrieving: ntp-4.2.4p8-1.28.1.x86_64.rpm [done]
Installing: ntp-4.2.4p8-1.28.1 [done]
Additional rpm output:
Updating etc/sysconfig/ntp...
Updating etc/sysconfig/syslog...


To view the patch info:
zypper patch-info slessp3-ntp

Information for patch slessp3-ntp:

Name: slessp3-ntp
Version: 10117
Arch: noarch
Vendor: maint-coord@suse.de
Status: Needed
Category: security
Created On: Fri Dec 19 13:49:40 2014
Reboot Required: No
Package Manager Restart Required: No
Interactive: No
Summary: Security update for ntp
Description:

This ntp update fixes the following critical security issue:

    * A potential remote code execution problem was found inside ntpd. The
      functions crypto_recv() (when using autokey authentication) and
      ctl_putdata() where updated to avoid buffer overflows that could have
      been exploited. (CVE-2014-9295 / VU#852879)

Security Issues:

    * CVE-2014-9295
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9295>


Provides:
patch:slessp3-ntp == 10117

Conflicts:
ntp.x86_64 < 4.2.4p8-1.28.1
ntp-doc.x86_64 < 4.2.4p8-1.28.1


For OES2SP3 the package is xntp

Additional Information

Change the version to apply the patch for versions other than SLES 11 SP3.

Example:
To apply the patch on OES11SP1/SLES11SP2
zypper up -t patch slessp2-ntp

To apply the patch on OES11/SLES11SP1
zypper up -t patch slessp1-ntp