Slackware alert: buffer overflow fix for NTP

Posted by dave on Apr 8, 2001 3:50 PM EDT

The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release.

The updated package available for Slackware 7.1 is a patched version of xntp3. The -current tree has been upgraded to ntp4, which also fixes the problem. If you want to continue using xntp3 on -current, you can use the updated package from the Slackware 7.1 tree and it will work.

The updates available are:

FOR SLACKWARE 7.1:

================================
xntp3-5.93e AVAILABLE (xntp.tgz)
================================

Patched xntp3-5.93e against recently reported buffer overflow problem. All sites running xntp from Slackware 7.1 should either upgrade to this package or ensure that their /etc/ntp.conf does not allow connections from untrusted hosts. To deny people access to your time daemon (not a bad idea anyway if you're only running ntp to keep your own clock updated) use this in /etc/ntp.conf:

# Don't serve time or stats to anyone else
restrict default ignore

The buffer overflow problem can be fixed by upgrading to this package:
---------------------------------------------------------------------

ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum: 39955 509 xntp.tgz

128-bit MD5 message digest: aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz

Installation instructions for the xntp.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command should stop the daemon:

killall xntpd

Check to make sure it's not running:

ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using upgradepkg:

upgradepkg xntp.tgz

Then you can restart the daemon:

/usr/sbin/xntpd

FOR SLACKWARE -CURRENT:

==================================
ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
==================================

This package replaces the xntp.tgz package (which contained xntp3-5.93e). The older version (and all versions prior to ntp-4.0.99k23, which was released yesterday) contain a buffer overflow bug which could lead to a root compromise on sites offering ntp service.

The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
-------------------------------------------------------------------------

ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum: 12988 1167 ntp4.tgz

128-bit MD5 message digest: 8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz

Installation instructions for the ntp4.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command should stop the daemon:

killall xntpd

Check to make sure it's not running:

ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using upgradepkg:

upgradepkg xntp%ntp4

Then you can restart the daemon:

/usr/sbin/ntpd

Remember, it's also a good idea to back up configuration files before upgrading packages.

- Slackware Linux Security Team http://www.slackware.com
