6336251 2001-04-08 16:50 -0700  /138 lines/ Slackware Security Team <security@SLACKWARE.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-04-09  08:26  by Brevbäraren
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: security@slackware.com
Recipient: Bugtraq (import) <16394>
Subject: [slackware-security] buffer overflow fix for NTP
------------------------------------------------------------
From: Slackware Security Team <security@SLACKWARE.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.LNX.4.21.0104081648100.32326-100000@bob.slackware.com>

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug
that could lead to a root compromise.  Slackware 7.1 and Slackware
-current users are urged to upgrade to the new packages available for
their release.

The updated package available for Slackware 7.1 is a patched version
of xntp3.  The -current tree has been upgraded to ntp4, which also
fixes the problem.  If you want to continue using xntp3 on -current,
you can use the updated package from the Slackware 7.1 tree and it
will work.

The updates available are:


FOR SLACKWARE 7.1:

 ================================
 xntp3-5.93e AVAILABLE (xntp.tgz)
 ================================

  Patched xntp3-5.93e against recently reported buffer overflow
  problem.  All sites running xntp from Slackware 7.1 should either
  upgrade to this package or ensure that their /etc/ntp.conf does not
  allow connections from untrusted hosts.  To deny people access to
  your time daemon (not a bad idea anyway if you're only running ntp
  to keep your own clock updated) use this in /etc/ntp.conf:

     #  Don't serve time or stats to anyone else
     restrict default ignore

  The buffer overflow problem can be fixed by upgrading to this
  package:
  ---------------------------------------------------------------------

     ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     39955   509   xntp.tgz

     128-bit MD5 message digest:
     aefbeb1a1c8d2af8e1d1906f823368bd  xntp.tgz

  Installation instructions for the xntp.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp.tgz

     Then you can restart the daemon:

        /usr/sbin/xntpd
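As an added example (not part of the Slackware advisory), the following POSIX shell script turns the advisory's two recommendations into checks: it tests whether /etc/ntp.conf carries the `restrict default ignore` mitigation, and it refuses to run `upgradepkg` unless the downloaded package's MD5 digest matches the one published above. It assumes `md5sum`, `awk`, `killall` and `upgradepkg` are available, and that it runs as root; the same functions apply to the ntp4.tgz package for -current.

```shell
#!/bin/sh
# Added example, not the advisory's own code.  Pre-upgrade checks for the
# xntp.tgz / ntp4.tgz packages described in the advisory.

# ntp_restricted CONFFILE
# Returns 0 when CONFFILE has an uncommented "restrict default ignore"
# line (the mitigation given in the advisory), 1 otherwise.
ntp_restricted() {
    grep -Eq '^[[:space:]]*restrict[[:space:]]+default[[:space:]]+ignore([[:space:]]|$)' "$1"
}

# verify_md5 FILE EXPECTED_DIGEST
# Returns 0 when the MD5 digest of FILE equals EXPECTED_DIGEST (lower-case hex).
verify_md5() {
    actual=$(md5sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# safe_upgrade PKG EXPECTED_MD5 DAEMON
# Verifies the digest, stops DAEMON, confirms it is gone, then upgrades.
# Aborts without touching the system if the digest does not match.
safe_upgrade() {
    pkg=$1; digest=$2; daemon=$3
    if ! verify_md5 "$pkg" "$digest"; then
        echo "checksum mismatch for $pkg; not installing" >&2
        return 1
    fi
    killall "$daemon" 2>/dev/null
    sleep 1
    if ps -ef | grep -v grep | grep -q "$daemon"; then
        echo "$daemon is still running; aborting upgrade" >&2
        return 1
    fi
    upgradepkg "$pkg"
}

# Example invocation on a Slackware 7.1 host (digest taken from the advisory):
#   ntp_restricted /etc/ntp.conf || echo "ntp.conf still serves untrusted hosts"
#   safe_upgrade xntp.tgz aefbeb1a1c8d2af8e1d1906f823368bd xntpd
```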


FOR SLACKWARE -CURRENT:

 ==================================
 ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
 ==================================

  This package replaces the xntp.tgz package (which contained
  xntp3-5.93e).  The older version (and all versions prior to
  ntp-4.0.99k23, which was released yesterday) contain a buffer
  overflow bug which could lead to a root compromise on sites
  offering ntp service.

  The buffer overflow can be fixed by upgrading to the new ntp4.tgz
  package:
  -------------------------------------------------------------------------

     ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     12988  1167  ntp4.tgz

     128-bit MD5 message digest:
     8dc3ec08fc63500ff75f640a1894bdd0  ntp4.tgz

  Installation instructions for the ntp4.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp%ntp4

     Then you can restart the daemon:

        /usr/sbin/ntpd


Remember, it's also a good idea to backup configuration files before
upgrading packages.

- Slackware Linux Security Team
  http://www.slackware.com


+------------------------------------------------------------------------+
| HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
+------------------------------------------------------------------------+
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back.  Follow the instructions to  |
| complete the unsubscription.  Do not reply to this message to          |
| unsubscribe!                                                           |
+------------------------------------------------------------------------+