Security: Buffer overflow in ntpd
Name: Buffer overflow in ntpd
ID:
Distribution: Slackware
Platforms: Slackware 7.1
Date: Mon, 9 April 2001, 13:00
References: Not specified
Applications: NTP

Original message

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise. Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3. The -current tree has been upgraded to ntp4, which also fixes the
problem. If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:


FOR SLACKWARE 7.1:

================================
xntp3-5.93e AVAILABLE (xntp.tgz)
================================

Patched xntp3-5.93e against recently reported buffer overflow problem.
All sites running xntp from Slackware 7.1 should either upgrade to this
package or ensure that their /etc/ntp.conf does not allow connections
from untrusted hosts. To deny people access to your time daemon (not a
bad idea anyway if you're only running ntp to keep your own clock
updated) use this in /etc/ntp.conf:

# Don't serve time or stats to anyone else
restrict default ignore

The buffer overflow problem can be fixed by upgrading to this package:
---------------------------------------------------------------------

xntp.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum:
39955 509 xntp.tgz

128-bit MD5 message digest:
aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz

Installation instructions for the xntp.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command
should stop the daemon:

killall xntpd

Check to make sure it's not running:

ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using
upgradepkg:

upgradepkg xntp.tgz

Then you can restart the daemon:

/usr/sbin/xntpd


FOR SLACKWARE -CURRENT:

==================================
ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
==================================

This package replaces the xntp.tgz package (which contained xntp3-5.93e).
The older version (and all versions prior to ntp-4.0.99k23, which was
released yesterday) contain a buffer overflow bug which could lead to a
root compromise on sites offering ntp service.

The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
-------------------------------------------------------------------------

ntp4.tgz

For verification purposes, we provide the following checksums:
-------------------------------------------------------------

16-bit "sum" checksum:
12988 1167 ntp4.tgz

128-bit MD5 message digest:
8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz

Installation instructions for the ntp4.tgz package:
--------------------------------------------------

Make sure you are not running xntpd on your system. This command
should stop the daemon:

killall xntpd

Check to make sure it's not running:

ps -ef | grep xntpd

Once you have stopped the daemon, upgrade the package using
upgradepkg:

upgradepkg xntp%ntp4

Then you can restart the daemon:

/usr/sbin/ntpd


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
http://www.slackware.com
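
The advisory's two defensive steps (checksum verification before upgradepkg, and the "restrict default ignore" mitigation) can be scripted as below. This is an added example, not part of the Slackware advisory; the function names verify_md5, default_ignored and safe_upgrade are hypothetical, and it assumes md5sum and awk are installed.

```shell
#!/bin/sh
# Added example (not from the advisory): gate the upgrade on the published
# MD5 and audit ntp.conf for the suggested mitigation.

# verify_md5 FILE EXPECTED_HEX -> 0 if the file's MD5 matches, 1 otherwise.
verify_md5() {
    [ -r "$1" ] || return 1
    actual=$(md5sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$actual" = "$expected" ]
}

# default_ignored CONF -> 0 if an uncommented "restrict default ... ignore"
# line exists in the given ntp.conf, 1 otherwise (commented-out lines
# such as "# restrict default ignore" do not count).
default_ignored() {
    [ -r "$1" ] || return 1
    awk '
        { sub(/#.*/, "") }                      # strip comments first
        $1 == "restrict" && $2 == "default" {
            for (i = 3; i <= NF; i++) if ($i == "ignore") found = 1
        }
        END { exit !found }
    ' "$1"
}

# safe_upgrade PKG EXPECTED_MD5 -> runs upgradepkg only when the checksum
# matches and no xntpd process is left. Returns 1 on checksum mismatch,
# 2 if the daemon is still running.
safe_upgrade() {
    verify_md5 "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    if ps -ef | grep -q '[x]ntpd'; then         # [x] avoids matching grep
        echo "xntpd still running; stop it first" >&2
        return 2
    fi
    upgradepkg "$1"
}

# Usage with the Slackware 7.1 values from the advisory:
#   safe_upgrade xntp.tgz aefbeb1a1c8d2af8e1d1906f823368bd
#   default_ignored /etc/ntp.conf || echo "daemon answers untrusted hosts"
```

MD5 is the digest the advisory publishes; it catches a corrupted or truncated download but is no longer collision-resistant.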

