Slackware alert: buffer overflow fix for NTP

Posted by dave on Apr 8, 2001 3:50 PM EDT
Mailing list		Mail this story
Print this story

The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release. 

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise.  Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3.  The -current tree has been upgraded to ntp4, which also fixes the
problem.  If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:


FOR SLACKWARE 7.1:

 ================================
 xntp3-5.93e AVAILABLE (xntp.tgz)
 ================================

  Patched xntp3-5.93e against recently reported buffer overflow problem.
  All sites running xntp from Slackware 7.1 should either upgrade to this
  package or ensure that their /etc/ntp.conf does not allow connections
  from untrusted hosts.  To deny people access to your time daemon (not a
  bad idea anyway if you're only running ntp to keep your own clock
  updated) use this in /etc/ntp.conf:

     #  Don't serve time or stats to anyone else
     restrict default ignore

  The buffer overflow problem can be fixed by upgrading to this package:
  ---------------------------------------------------------------------

     ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     39955   509   xntp.tgz

     128-bit MD5 message digest:
     aefbeb1a1c8d2af8e1d1906f823368bd  xntp.tgz

  Installation instructions for the xntp.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp.tgz

     Then you can restart the daemon:

        /usr/sbin/xntpd


FOR SLACKWARE -CURRENT:

 ==================================
 ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
 ==================================

  This package replaces the xntp.tgz package (which contained xntp3-5.93e).
  The older version (and all versions prior to ntp-4.0.99k23, which was
  released yesterday) contain a buffer overflow bug which could lead to a
  root compromise on sites offering ntp service.

  The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
  -------------------------------------------------------------------------

     ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     12988  1167  ntp4.tgz

     128-bit MD5 message digest:
     8dc3ec08fc63500ff75f640a1894bdd0  ntp4.tgz

  Installation instructions for the ntp4.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp%ntp4

     Then you can restart the daemon:

        /usr/sbin/ntpd


Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+

  Nav
» Read more about: Story Type: Security; Groups: Slackware

« Return to the newswire homepage

This topic does not have any threads posted yet!

You cannot post until you login.