Hello community, here is the log from the commit of package ntp for openSUSE:Factory checked in at 2015-11-18 22:32:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/ntp (Old) and /work/SRC/openSUSE:Factory/.ntp.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp"
Changes:
--------
--- /work/SRC/openSUSE:Factory/ntp/ntp.changes 2015-09-16 10:37:14.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.ntp.new/ntp.changes 2015-11-18 22:32:48.000000000 +0100
@@ -1,0 +2,43 @@
+Fri Nov 6 09:40:55 UTC 2015 - [email protected]
+
+- Fix ntp-4.2.6p2-ntpq-speedup-782060.patch to not pick arbitraty
+ port numbers (bsc#782060).
+
+-------------------------------------------------------------------
+Thu Oct 29 12:54:06 UTC 2015 - [email protected]
+
+- Update to 4.2.8p4 to fix several security issues (bsc#951608):
+ * CVE-2015-7871: NAK to the Future: Symmetric association
+ authentication bypass via crypto-NAK
+ * CVE-2015-7855: decodenetnum() will ASSERT botch instead of
+ returning FAIL on some bogus values
+ * CVE-2015-7854: Password Length Memory Corruption Vulnerability
+ * CVE-2015-7853: Invalid length data provided by a custom
+ refclock driver could cause a buffer overflow
+ * CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability
+ * CVE-2015-7851 saveconfig Directory Traversal Vulnerability
+ * CVE-2015-7850 remote config logfile-keyfile
+ * CVE-2015-7849 trusted key use-after-free
+ * CVE-2015-7848 mode 7 loop counter underrun
+ * CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC
+ * CVE-2015-7703 configuration directives "pidfile" and
+ "driftfile" should only be allowed locally
+ * CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should
+ validate the origin timestamp field
+ * CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey
+ data packet length checks
+ * obsoletes ntp-memlock.patch.
+- Add a controlkey line to /etc/ntp.conf if one does not already
+ exist, to allow runtime configuration via ntpq.
+- Use SHA1 instead of MD5 for symmetric keys (bsc#905885).
+- Improve runtime configuration:
+ * Read keytype from ntp.conf
+ * Don't write ntp keys to syslog.
+- Fix legacy action scripts to pass on command line arguments.
+- Remove ntp.1.gz, it wasn't installed anymore.
+- Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz.
+ The rest is partially irrelevant, partially redundant and
+ potentially outdated (bsc#942587).
+- Remove "kod" from the restrict line in ntp.conf (bsc#944300).
+
+-------------------------------------------------------------------
Old:
----
ntp-4.2.7-rh-manpages.tar.gz
ntp-4.2.8p3.tar.gz
ntp.1.gz
New:
----
ntp-4.2.8p4.tar.gz
ntptime.8.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ ntp.spec ++++++
--- /var/tmp/diff_new_pack.1SxiaM/_old 2015-11-18 22:32:50.000000000 +0100
+++ /var/tmp/diff_new_pack.1SxiaM/_new 2015-11-18 22:32:50.000000000 +0100
@@ -21,7 +21,7 @@
 %global _ntpunitsdir %{_libexecdir}/systemd/ntp-units.d
 %endif
 Name: ntp
-Version: 4.2.8p3
+Version: 4.2.8p4
 Release: 0
 Summary: Network Time Protocol daemon (version 4)
 License: (MIT and BSD-3-Clause and BSD-4-Clause) and GPL-2.0
@@ -41,9 +41,8 @@
 Source9: conf.ntp-wait.service
 # documentation
 Source10: NTP-FAQ-%{ntpfaqversion}.tar.bz2
-Source11: ntp.1.gz
 Source12: README.SUSE
-Source13: ntp-4.2.7-rh-manpages.tar.gz
+Source13: ntptime.8.gz
 Source14: ntp.xml
 Source16: ntp.NetworkManager
 Patch1: ntp-segfault_on_invalid_device.patch
@@ -113,7 +112,6 @@
 %patch1
 # copy README.SUSE
 cp %{SOURCE12} .
-tar xzf %{SOURCE13}
 %patch10 -p1
 %patch11
 %patch15
@@ -184,7 +182,7 @@
 F=%{buildroot}/usr/lib/initscripts/legacy-actions/ntpd/$f
 cat >$F <<-EOF
 #!/bin/bash
- exec /usr/sbin/start-ntpd $f
+ exec /usr/sbin/start-ntpd $f "\$@"
 EOF
 chmod 755 $F
 done
@@ -204,9 +202,7 @@
 #
 # man pages
 #
-install -d %{buildroot}/%{_mandir}/{man5,man8}
-install -m 644 man/man5/* %{buildroot}/%{_mandir}/man5
-install -m 644 man/man8/* %{buildroot}/%{_mandir}/man8
+install -m 644 %{S:13} %{buildroot}/%{_mandir}/man8
 #
 # firewall
 #
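Review bot: The new man-page install line in the last hunk drops the `install -d` that used to create the target directory, so `install -m 644 %{S:13} %{buildroot}/%{_mandir}/man8` now relies on `man8` already existing from the earlier make install; if it does not, install(1) creates a regular file named `man8` instead of placing the page inside it. Keeping `install -d %{buildroot}/%{_mandir}/man8` in front of it costs nothing. The line also uses the short `%{S:13}` form while the rest of the spec spells sources out (`cp %{SOURCE12} .` in the %prep hunk); `install -m 644 %{SOURCE13} %{buildroot}/%{_mandir}/man8` keeps one convention.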
@@ -253,12 +249,13 @@
 %post
 # Create ntp.keys file
-if [ ! -f %{_sysconfdir}/ntp.keys ]; then
- tmp=$(dd if=/dev/urandom count=1 2>/dev/null | md5sum)
- tmp=${tmp:0:7} > %{_sysconfdir}/ntp.keys
- echo "1 M $tmp" > %{_sysconfdir}/ntp.keys
- chown root:ntp %{_sysconfdir}/ntp.keys
- chmod 0640 %{_sysconfdir}/ntp.keys
+if [ ! -f /etc/ntp.keys ]; then
+ FILE=$(mktemp -p /etc)
+ chmod 0640 $FILE
+ chown root:ntp $FILE
+ KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20)
+ echo "1 SHA1 $KEY" > $FILE
+ mv $FILE /etc/ntp.keys
 fi
 # Are we in update mode?
 if [ -f %{_sysconfdir}/sysconfig/ntp ]; then
@@ -269,10 +266,16 @@
 keys %{_sysconfdir}/ntp.keys # path for keys file
 trustedkey 1 # define trusted keys
 requestkey 1 # key (7) for accessing server variables
-# controlkey 15 # key (6) for accessing server variables
 " >> %{_sysconfdir}/ntp.conf
 }
 fi
+if [ -f /etc/sysconfig/ntp ]; then
+ grep -q '^controlkey ' /etc/ntp.conf || {
+ echo "#
+controlkey 1 # key (6) for accessing server variables
+ " >> /etc/ntp.conf
+}
+fi
 # update from previous permissions
 if [ -f %{_sysconfdir}/ntp.conf ]; then
 chown root:ntp %{_sysconfdir}/ntp.conf
++++++ conf.ntp.conf ++++++
--- /var/tmp/diff_new_pack.1SxiaM/_old 2015-11-18 22:32:50.000000000 +0100
+++ /var/tmp/diff_new_pack.1SxiaM/_new 2015-11-18 22:32:50.000000000 +0100
@@ -52,8 +52,8 @@
 # up blocking replies from your own upstream servers.
 # By default, exchange time with everybody, but don't allow configuration.
-restrict -4 default kod notrap nomodify nopeer noquery
-restrict -6 default kod notrap nomodify nopeer noquery
+restrict -4 default notrap nomodify nopeer noquery
+restrict -6 default notrap nomodify nopeer noquery
 # Local users may interrogate the ntp server more closely.
 restrict 127.0.0.1
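Review bot: The key-file creation in the first %post hunk checks none of its steps: if `mktemp -p /etc` fails, `FILE` is empty and the chmod, chown, echo and mv that follow all run against an empty path, and if the `tr … | head -c 20` pipeline yields nothing a `1 SHA1 ` line with no secret is installed as /etc/ntp.keys. Generating the key first and touching /etc only when both the key and the temp file are good avoids both failure modes; the variables should be quoted and a leftover temp file removed if the write fails. Letting mktemp create the file 0600 before the secret is written is the right order and should be kept. The hunk also switches from `%{_sysconfdir}` to a literal `/etc` while the context lines around it keep the macro.
```shell
if [ ! -f /etc/ntp.keys ]; then
  KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20)
  if [ ${#KEY} -eq 20 ] && FILE=$(mktemp -p /etc); then
    chmod 0640 "$FILE"
    chown root:ntp "$FILE"
    if echo "1 SHA1 $KEY" > "$FILE"; then
      mv "$FILE" /etc/ntp.keys
    else
      rm -f "$FILE"
    fi
  fi
fi
```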
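Review bot: The `grep -q '^controlkey ' /etc/ntp.conf` test in the second %post hunk only matches a space after the directive, so an existing `controlkey<TAB>1` line (which conf.start-ntpd accepts through `[[:blank:]]`) is missed and another controlkey line is appended on every update; `grep -q '^controlkey[[:blank:]]' %{_sysconfdir}/ntp.conf || {` fixes the match and keeps the macro the neighbouring lines use. Enabling `controlkey 1` turns key 1 into a configuration credential for ntpq mode 6 requests, which is the stated intent, but the scriptlet deserves a comment that anyone able to read /etc/ntp.keys (root and group ntp, given the 0640 mode set above) can then reconfigure ntpd with it, e.g. `# key 1 now also authorises runtime reconfiguration via ntpq; keep /etc/ntp.keys root:ntp 0640`.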
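Review bot: With `kod` removed the default restrict lines carry neither `kod` nor `limited`, so remote clients are not rate limited at all; `kod` on its own was already inert because, per the ntp.conf documentation, it only takes effect together with `limited`, so this hunk changes no behaviour but also adds none. If the aim of bsc#944300 is only to stop sending Kiss-o'-Death replies (the changelog lists the CVE-2015-7704/7705 KoD handling fixes), `restrict -4 default limited notrap nomodify nopeer noquery` and the matching `-6` line would keep abusive clients rate limited while silently dropping instead of answering. The comment block above these lines, of which only the tail is in the hunk, should state which of the two was intended.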
@@ -85,3 +85,4 @@
 trustedkey 1 # define trusted keys
 requestkey 1 # key (7) for accessing server variables
 controlkey 1 # key (6) for accessing server variables
+
++++++ conf.start-ntpd ++++++
--- /var/tmp/diff_new_pack.1SxiaM/_old 2015-11-18 22:32:50.000000000 +0100
+++ /var/tmp/diff_new_pack.1SxiaM/_new 2015-11-18 22:32:50.000000000 +0100
@@ -23,8 +23,11 @@
 NTPQ_BIN="/usr/sbin/ntpq"
 NTP_KEYS=$(awk '/^keys[[:blank:]]/ { print $2 }' $NTP_CONF)
-NTP_KEYID=$(awk '/^requestkey[[:blank:]]/ { print $2 }' $NTP_CONF)
-NTP_PASSWD=$(test -n "$NTP_KEYS" -a -n "$NTP_KEYID" -a -r "$NTP_KEYS" && awk '$0 ~ key { print $3 }' key="^[[:blank:]]*$NTP_KEYID[[:blank:]]" $NTP_KEYS)
+NTP_KEYID=$(awk '/^controlkey[[:blank:]]/ { print $2 }' $NTP_CONF)
+if test -n "$NTP_KEYS" -a -n "$NTP_KEYID" -a -r "$NTP_KEYS"; then
+ NTP_KEYTYPE=$(awk '$1 == "'$NTP_KEYID'"{ print $2 }' $NTP_KEYS)
+ NTP_PASSWD=$(awk '$1 == "'$NTP_KEYID'"{ print $3 }' $NTP_KEYS)
+fi
 if [ -n "$NTP_KEYS" ]; then
 if test -z "$NTP_KEYID"; then
@@ -32,7 +35,7 @@
 exit 5
 fi
 if test -z "$NTP_PASSWD"; then
- echo -n "No password for requestkey set"
+ echo -n "No password for controlkey set"
 exit 1
 fi
 fi
@@ -139,9 +142,9 @@
 function add_runtime_server() {
 [ "$NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP" = "yes" ] && /usr/sbin/sntp -S -c $@
- NTPC_CMD="keyid $NTP_KEYID\npasswd $NTP_PASSWD\n:config server $@\n"
+ NTPC_CMD="keytype $NTP_KEYTYPE\nkeyid $NTP_KEYID\npasswd $NTP_PASSWD\n:config server $@\n"
 NTPQ_LOG=$(echo -e "${NTPC_CMD}quit" | $NTPQ_BIN)
- logger -t $0 "runtime configuration: $NTPQ_LOG"
+ logger -t $0 "runtime configuration: server $@"
 }
 function get_ntpd_ip_proto() {
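Review bot: In the first conf.start-ntpd hunk the two new awk calls splice `$NTP_KEYID` into the awk program text (`'$1 == "'$NTP_KEYID'"{ print $2 }'`), so a value containing a quote or other awk syntax breaks the program; the value comes from the root-owned ntp.conf, so this is robustness rather than privilege, but passing it as an awk variable is safer and easier to read: `NTP_KEYTYPE=$(awk -v id="$NTP_KEYID" '$1 == id { print $2 }' "$NTP_KEYS")` and `NTP_PASSWD=$(awk -v id="$NTP_KEYID" '$1 == id { print $3 }' "$NTP_KEYS")`. Note that the removed lookup tolerated leading blanks on the key line (`^[[:blank:]]*ID`) while `$1 == id` does not, which is probably fine for generated key files but is a behaviour change worth a comment. The `if [ -n "$NTP_KEYS" ]` check that follows continues past the end of the hunk.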
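Review bot: In the add_runtime_server hunk `NTPQ_LOG` is still filled from the ntpq run but no longer used anywhere, so the result of `:config` (success, or an error such as a rejected key) is lost and syslog only records the server name. Either drop the assignment or log the outcome without key material: capture stderr as well with `NTPQ_LOG=$(echo -e "${NTPC_CMD}quit" | $NTPQ_BIN 2>&1)` and, after the existing logger line, add `case "$NTPQ_LOG" in *"Config Succeeded"*) ;; *) logger -t $0 "runtime configuration of server $* failed: ${NTPQ_LOG//$NTP_PASSWD/***}" ;; esac`. As far as I recall that success string is what ntpd returns for `:config`, but confirm it against the installed ntpq before relying on it. The function is complete within the hunk.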
@@ -2,14 +2,19 @@
 do not ask for ntp service in all protocols which is very slow (bnc#782060)
---- libntp/decodenetnum.c.orig 2012-11-12 15:12:02.000000000 +0100
-+++ libntp/decodenetnum.c 2012-11-12 15:13:18.000000000 +0100
-@@ -70,7 +70,7 @@
+Index: libntp/decodenetnum.c
+===================================================================
+--- libntp/decodenetnum.c.orig 2015-10-21 18:13:49.000000000 +0200
++++ libntp/decodenetnum.c 2015-11-06 10:38:49.777763897 +0100
+@@ -71,8 +71,9 @@
+ cp = name;
 }
 ZERO(hints);
- hints.ai_flags = Z_AI_NUMERICHOST;
+- hints.ai_flags = Z_AI_NUMERICHOST;
- err = getaddrinfo(cp, "ntp", &hints, &ai);
-+ err = getaddrinfo(cp, NULL, &hints, &ai);
++ hints.ai_socktype = SOCK_DGRAM;
++ hints.ai_flags = Z_AI_NUMERICHOST | Z_AI_NUMERICSERV;
++ err = getaddrinfo(cp, "123", &hints, &ai);
 if (err != 0)
 return 0;
- NTP_INSIST(ai->ai_addrlen <= sizeof(*netnum));
+ INSIST(ai->ai_addrlen <= sizeof(*netnum));
++++++ ntp-4.2.7-rh-manpages.tar.gz -> ntp-4.2.8p4.tar.gz ++++++
/work/SRC/openSUSE:Factory/ntp/ntp-4.2.7-rh-manpages.tar.gz /work/SRC/openSUSE:Factory/.ntp.new/ntp-4.2.8p4.tar.gz differ: char 5, line 1
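Review bot: The rewritten getaddrinfo() call hard-codes the port as the string `"123"`; ntp.h already defines the port as NTP_PORT (and, as far as I recall, a string form NTP_PORTA), so `err = getaddrinfo(cp, NTP_PORTA, &hints, &ai);` — or a string built from NTP_PORT if NTP_PORTA is not in this tree — keeps the literal in one place and makes the intent obvious to the next reader. Setting `hints.ai_socktype = SOCK_DGRAM` together with `Z_AI_NUMERICSERV` is the right cure for the slow lookup that the earlier NULL service worked around at the price of a zero port: with a numeric service and a fixed socket type the resolver no longer walks every protocol in /etc/services, and `Z_AI_NUMERICHOST` still guarantees this path never issues DNS queries. A one-line comment above the call, such as `/* numeric host+service, UDP only: no resolver or /etc/services lookups */`, would save the next reader from re-deriving that. The decodenetnum() function containing these lines starts and ends outside the hunk, so the `INSIST` on `ai_addrlen` is the only post-condition visible here.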
