A new update is available for Univention Corporate Server 3.1 as part of the extended security maintenance. It addresses the following problem:

Program component: ntp
Reference: CVE-2014-9297 CVE-2014-9298 CVE-2015-1798 CVE-2015-1799
Fixed version: 0.8.10.3.71.201505261154

This update fixes the following issues:
- Information leak/denial of service in autokey crypto handling (CVE-2014-9297)
- ACLs restricting the access to control mode queries can be bypassed on IPv6 networks (CVE-2014-9298)
- Man-in-the-middle attackers may spoof packets by omitting the MAC because the symmetric-key feature in the receive function in ntp_proto.c requires a correct MAC only if the MAC field has a nonzero length (CVE-2015-1798)
- Man-in-the-middle attackers may cause a denial of service (synchronization loss) by spoofing the source IP address of a peer because the symmetric-key feature in the receive function in ntp_proto.c performs state-variable updates upon receiving certain invalid packets (CVE-2015-1799)

--
Univention GmbH
be open.
Mary-Somerville-Str.1
28359 Bremen
Tel.: +49 421 22232-0
Fax: +49 421 22232-99
http://www.univention.de/

Managing Director: Peter H. Ganten
Commercial register: HRB 20755, Amtsgericht Bremen
Tax no.: 71-597-02876
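A simplified model of the logic error behind CVE-2015-1798 as the advisory describes it, next to a corrected policy. This is an added example, not code from the advisory or from ntpd; the function names, the `mac_ok` flag (result of a digest check done elsewhere) and the assumption that packets carry no extension fields are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define NTP_HEADER_LEN 48               /* fixed NTP header, no extension fields (assumption) */
#define KEYID_LEN      4
#define MD5_MAC_LEN    (KEYID_LEN + 16) /* key id + MD5 digest  */
#define SHA1_MAC_LEN   (KEYID_LEN + 20) /* key id + SHA-1 digest */

enum verdict { DROP = 0, ACCEPT = 1 };

/* Length of the trailing MAC: 0 when absent, -1 when the packet length is malformed. */
static int mac_len(size_t pkt_len)
{
    size_t extra;
    if (pkt_len < NTP_HEADER_LEN)
        return -1;
    extra = pkt_len - NTP_HEADER_LEN;
    if (extra == 0 || extra == MD5_MAC_LEN || extra == SHA1_MAC_LEN)
        return (int)extra;
    return -1;
}

/* Flawed policy: the MAC is verified only when the MAC field has nonzero length,
 * so a packet with the MAC omitted passes even for a keyed peer. */
enum verdict accept_flawed(size_t pkt_len, int peer_has_key, int mac_ok)
{
    int m = mac_len(pkt_len);
    (void)peer_has_key;                 /* never consulted: this is the defect */
    if (m < 0 || (m > 0 && !mac_ok))
        return DROP;
    return ACCEPT;
}

/* Corrected policy: a peer configured with a symmetric key requires a MAC
 * that is both present and valid. */
enum verdict accept_fixed(size_t pkt_len, int peer_has_key, int mac_ok)
{
    int m = mac_len(pkt_len);
    if (m < 0)
        return DROP;
    if (peer_has_key)
        return (m > 0 && mac_ok) ? ACCEPT : DROP;
    return (m > 0 && !mac_ok) ? DROP : ACCEPT;
}

int main(void)
{
    /* Constructed case: 48-byte packet (no MAC) claiming to come from a keyed peer. */
    printf("flawed=%d fixed=%d\n", accept_flawed(48, 1, 0), accept_fixed(48, 1, 0));
    return 0;
}
```
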