RHBA-2013:1593 - Bug Fix Advisory

Topic

Updated ntp packages that fix several bugs and add various enhancements are now
available for Red Hat Enterprise Linux 6.

Description

The Network Time Protocol (NTP) is used to synchronize a computer's time with
another reference time source. The ntp packages include the ntpd daemon and
utilities used to query and configure ntpd.

The ntp packages have been upgraded to upstream version 4.2.6p5, which provides
a number of bug fixes and enhancements over the previous version. (BZ#654004)

This update also fixes the following bugs:

• The ntpdate service did not wait for the NetworkManager service to configure

the network before attempting to obtain the date and time update from the
Internet. Consequently, ntpdate failed to set the system clock if the network
was not configured. With this update, ntpdate attempts to obtain updates from
the Internet in several increasing intervals if the initial attempt fails. The
system clock is now set even when NetworkManager takes longer period of time to
configure the network. (BZ#673198)

• The ntp-keygen utility always used the DES-CBC (Data Encryption

Standard-Cipher Block Chaining) encryption algorithm to encrypt private NTP
keys. However, DES-CBC is not supported in FIPS mode. Therefore, ntp-keygen
generated empty private keys when it was used on systems with FIPS mode enabled.
To solve this problem, a new "-C" option has been added to ntp-keygen that
allows for selection of an encryption algorithm for private key files. Private
NTP keys are now generated as expected on systems with FIPS mode enabled.
(BZ#749530)

• The ntpstat utility did not include the root delay in the "time correct to

within" value so the real maximum errors could have been larger than values
reported by ntpstat. The ntpstat utility has been fixed to include the root
delay as expected and the "time correct to within" values displayed by the
utility are now correct. (BZ#830821)

• When adding NTP servers that were provided by DHCP (using dhclient-script) to

the ntp.conf file, the ntp script did not verify whether ntp.conf already
contained these servers. This could result in duplicate NTP server entries in
the configuration file. This update modifies the ntp script so that duplicate
NTP server entries can no longer occur in the ntp.conf file. (BZ#862983)

• When ntpd was configured as a broadcast client, it did not update the

broadcast socket upon change of the network configuration. Consequently, the
broadcast client stopped working after the network service had been restarted.
This update modifies ntpd to update the broadcast client socket after network
interface update so the client continues working after the network service
restart as expected. (BZ#973807)

In addition, this update adds the following enhancements:

• NTP now specifies four off-site NTP servers with the iburst configuration

option in the default ntp.conf file, which results in faster initial time
synchronization and improved reliability of the NTP service. (BZ#623616,
BZ#667524)

• Support for authentication using SHA1 symetric keys has been added to NTP.

SHA1 keys can be generated by the ntp-keygen utility and configured in the
/etc/ntp/keys file on the client and server machines. (BZ#641800)

• Support for signed responses has been added to NTP. This is required when

using Samba 4 as an Active Directory (AD) Domain Controller (DC). (BZ#835155)

• A new miscellaneous ntpd option, "interface", has been added. This option

allows control of which network addresses ntpd opens and whether to drop
incoming packets without processing or not. For more information on use of the
"interface" option, refer to the ntp_misc(5) man page. (BZ#918275)

Users of ntp are advised to upgrade to these updated packages, which fix these
bugs and add these enhancements.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 641800 - RHEL ntp daemon does not support SHA1 authentication of (s)ntp packets
• BZ - 667524 - update ntp.conf to include 4 servers by default to match fedora and best practices
• BZ - 673198 - ntpdate fails to get update with NetworkManager
• BZ - 716968 - ntp-keygen -i doesn't work
• BZ - 819781 - service ntpd start fails for systems with over 1024 IPs
• BZ - 835155 - RHEL6 version of NTP does not support signed responses
• BZ - 969052 - ntpd incorrectly compares IPv6 addresses (does not compare scope_id)

CVEs

(none)

References

(none)