[slackware-security] buffer overflow fix for NTP

From: Slackware Security Team (security@SLACKWARE.COM)
Date: Mon Apr 09 2001 - 01:50:03 CEST


    The version of xntp3 that shipped with Slackware 7.1 as well as the
    version that was in Slackware -current contains a buffer overflow bug that
    could lead to a root compromise. Slackware 7.1 and Slackware -current
    users are urged to upgrade to the new packages available for their
    release.

    The updated package available for Slackware 7.1 is a patched version of
    xntp3. The -current tree has been upgraded to ntp4, which also fixes the
    problem. If you want to continue using xntp3 on -current, you can use the
    updated package from the Slackware 7.1 tree and it will work.

    The updates available are:

    FOR SLACKWARE 7.1:

     ================================
     xntp3-5.93e AVAILABLE (xntp.tgz)
     ================================

      Patched xntp3-5.93e against recently reported buffer overflow problem.
      All sites running xntp from Slackware 7.1 should either upgrade to this
      package or ensure that their /etc/ntp.conf does not allow connections
      from untrusted hosts. To deny people access to your time daemon (not a
      bad idea anyway if you're only running ntp to keep your own clock
      updated) use this in /etc/ntp.conf:

         # Don't serve time or stats to anyone else
         restrict default ignore

      Be aware that "restrict default ignore" drops every packet that no more
      specific restrict line matches, including the replies from the servers
      you sync from, so follow it with a restrict line for 127.0.0.1 and one
      for each upstream server (nomodify notrap noquery is enough for a
      server you only take time from). Restricting access is a workaround,
      not a fix: the overflow is still present in the daemon, so upgrade.

      The buffer overflow problem can be fixed by upgrading to this package:
      ---------------------------------------------------------------------

         ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

      For verification purposes, we provide the following checksums:
      -------------------------------------------------------------

         16-bit "sum" checksum:
         39955 509 xntp.tgz

         128-bit MD5 message digest:
         aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz

      Installation instructions for the xntp.tgz package:
      --------------------------------------------------

         Make sure you are not running xntpd on your system. This command
         should stop the daemon:

            killall xntpd

         Check to make sure it's not running:

            ps -ef | grep xntpd

         Once you have stopped the daemon, upgrade the package using
         upgradepkg:

            upgradepkg xntp.tgz

         Then you can restart the daemon:

            /usr/sbin/xntpd

    FOR SLACKWARE -CURRENT:

     ==================================
     ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
     ==================================

      This package replaces the xntp.tgz package (which contained xntp3-5.93e).
      The older version (and all versions prior to ntp-4.0.99k23, which was
      released yesterday) contain a buffer overflow bug which could lead to a
      root compromise on sites offering ntp service.

      The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
      -------------------------------------------------------------------------

         ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

      For verification purposes, we provide the following checksums:
      -------------------------------------------------------------

         16-bit "sum" checksum:
         12988 1167 ntp4.tgz

         128-bit MD5 message digest:
         8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz

      Installation instructions for the ntp4.tgz package:
      --------------------------------------------------

         Make sure you are not running xntpd on your system. This command
         should stop the daemon:

            killall xntpd

         Check to make sure it's not running:

            ps -ef | grep xntpd

         Once you have stopped the daemon, upgrade the package using
         upgradepkg (the old%new form tells upgradepkg that the installed
         package to be replaced is named xntp, since the new one is named
         ntp4):

            upgradepkg xntp%ntp4

         Then you can restart the daemon:

            /usr/sbin/ntpd
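    The checksum verification, the /etc/ntp.conf restriction, and the
    stop / check / upgradepkg / restart steps described above for both the
    7.1 and -current packages, gathered into one script. This is an added
    example, not code from the advisory or from the Slackware project. It
    assumes a Linux-style ps(1), either md5sum(1) or md5(1), and that the
    package has already been downloaded into the current directory; the
    function names (md5_of, verify_md5, daemon_running, ntp_restrict_block,
    upgrade_ntp) and the /etc/ntp.conf.bak name are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Slackware advisory. Assumes a Linux-style
# ps(1) and either md5sum(1) or md5(1); the package file has already been
# downloaded into the current directory. Run the upgrade step as root.
set -u

# md5_of FILE -> lowercase hex MD5 of the file's contents.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED -> 0 if the digest matches the one published in
# the advisory, 1 otherwise. Never run upgradepkg on a file that fails this.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    actual=$(md5_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# daemon_running NAME -> 0 if a process whose command name is exactly NAME
# exists. Matching on the bare command name avoids the classic
# "ps -ef | grep xntpd" false positive where grep finds itself.
daemon_running() {
    ps -eo comm= | sed 's#.*/##' | grep -qx "$1"
}

# ntp_restrict_block SERVER... -> ntp.conf lines implementing the advisory's
# "restrict default ignore" workaround. The default alone also drops the
# replies from your own upstream servers, so loopback and each server are
# re-allowed while queries and runtime modification stay blocked.
ntp_restrict_block() {
    echo "# Don't serve time or stats to anyone else"
    echo "restrict default ignore"
    echo "restrict 127.0.0.1"
    for server in "$@"; do
        echo "restrict $server nomodify notrap noquery"
    done
}

# upgrade_ntp PKGFILE EXPECTED_MD5 UPGRADEPKG_ARG OLD_DAEMON NEW_DAEMON_PATH
# Verify the package, stop the old daemon, confirm it is really gone, back
# up ntp.conf, upgrade, then start the new daemon. Stops at the first
# failed step and returns 1.
upgrade_ntp() {
    pkgfile=$1 expected=$2 upgarg=$3 old=$4 newbin=$5
    verify_md5 "$pkgfile" "$expected" || return 1
    if daemon_running "$old"; then
        killall "$old"
        sleep 2
        if daemon_running "$old"; then
            echo "$old is still running; not upgrading" >&2
            return 1
        fi
    fi
    [ -f /etc/ntp.conf ] && cp -p /etc/ntp.conf /etc/ntp.conf.bak
    upgradepkg "$upgarg" || return 1
    "$newbin"
}

# Values from the advisory:
#   Slackware 7.1:  upgrade_ntp xntp.tgz aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz xntpd /usr/sbin/xntpd
#   -current:       upgrade_ntp ntp4.tgz 8dc3ec08fc63500ff75f640a1894bdd0 xntp%ntp4 xntpd /usr/sbin/ntpd
if [ "${1:-}" = "--upgrade" ]; then
    shift
    upgrade_ntp "$@"
fi
```

    Run it as "sh script.sh --upgrade <args>" with the values from the
    advisory for your release; "ntp_restrict_block 10.0.0.1" prints the
    restrict lines to paste into /etc/ntp.conf for a host that syncs from
    10.0.0.1 (a made-up address). The MD5 check is what matters for a
    package pulled over plain FTP; the 16-bit sum is far weaker and is only
    kept by the advisory for sites without md5sum.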

    Remember, it's also a good idea to backup configuration files before
    upgrading packages.

    - Slackware Linux Security Team
      http://www.slackware.com

    +------------------------------------------------------------------------+
    | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST:                         |
    +------------------------------------------------------------------------+
    | Send an email to majordomo@slackware.com with this text in the body of |
    | the email message:                                                     |
    |                                                                        |
    | unsubscribe slackware-security                                         |
    |                                                                        |
    | You will get a confirmation message back. Follow the instructions to   |
    | complete the unsubscription. Do not reply to this message to           |
    | unsubscribe!                                                           |
    +------------------------------------------------------------------------+
