Date: Sun, 8 Apr 2001 16:50:03 -0700
From: Slackware Security Team <security@slackware.com>
Subject: [slackware-security] buffer overflow fix for NTP
The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise. Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.
The updated package available for Slackware 7.1 is a patched version of
xntp3. The -current tree has been upgraded to ntp4, which also fixes the
problem. If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.
The updates available are:
FOR SLACKWARE 7.1:
================================
xntp3-5.93e AVAILABLE (xntp.tgz)
================================
Patched xntp3-5.93e against recently reported buffer overflow problem.
All sites running xntp from Slackware 7.1 should either upgrade to this
package or ensure that their /etc/ntp.conf does not allow connections
from untrusted hosts. To deny people access to your time daemon (not a
bad idea anyway if you're only running ntp to keep your own clock
updated) use this in /etc/ntp.conf:
# Don't serve time or stats to anyone else
restrict default ignore
The buffer overflow problem can be fixed by upgrading to this package:
---------------------------------------------------------------------
ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz
For verification purposes, we provide the following checksums:
-------------------------------------------------------------
16-bit "sum" checksum:
39955 509 xntp.tgz
128-bit MD5 message digest:
aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz
Installation instructions for the xntp.tgz package:
--------------------------------------------------
Make sure you are not running xntpd on your system. This command
should stop the daemon:
killall xntpd
Check to make sure it's not running:
ps -ef | grep xntpd
Once you have stopped the daemon, upgrade the package using
upgradepkg:
upgradepkg xntp.tgz
Then you can restart the daemon:
/usr/sbin/xntpd
FOR SLACKWARE -CURRENT:
==================================
ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
==================================
This package replaces the xntp.tgz package (which contained xntp3-5.93e).
The older version (and all versions prior to ntp-4.0.99k23, which was
released yesterday) contain a buffer overflow bug which could lead to a
root compromise on sites offering ntp service.
The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
-------------------------------------------------------------------------
ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz
For verification purposes, we provide the following checksums:
-------------------------------------------------------------
16-bit "sum" checksum:
12988 1167 ntp4.tgz
128-bit MD5 message digest:
8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz
Installation instructions for the ntp4.tgz package:
--------------------------------------------------
Make sure you are not running xntpd on your system. This command
should stop the daemon:
killall xntpd
Check to make sure it's not running:
ps -ef | grep xntpd
Once you have stopped the daemon, upgrade the package using
upgradepkg:
upgradepkg xntp%ntp4
Then you can restart the daemon:
/usr/sbin/ntpd
Remember, it's also a good idea to backup configuration files before
upgrading packages.
- Slackware Linux Security Team
http://www.slackware.com
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts
Articles
View All Hover to load posts