The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[slackware-security] buffer overflow fix for NTP


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Sun, 8 Apr 2001 16:50:03 -0700
From: Slackware Security Team <[email protected]>
To: [email protected]
Subject: [slackware-security] buffer overflow fix for NTP

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise.  Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3.  The -current tree has been upgraded to ntp4, which also fixes the
problem.  If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:


FOR SLACKWARE 7.1:


xntp3-5.93e AVAILABLE (xntp.tgz)
Patched xntp3-5.93e against recently reported buffer overflow problem. All sites running xntp from Slackware 7.1 should either upgrade to this package or ensure that their /etc/ntp.conf does not allow connections from untrusted hosts. To deny people access to your time daemon (not a bad idea anyway if you're only running ntp to keep your own clock updated) use this in /etc/ntp.conf: # Don't serve time or stats to anyone else restrict default ignore The buffer overflow problem can be fixed by upgrading to this package: --------------------------------------------------------------------- ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz For verification purposes, we provide the following checksums: ------------------------------------------------------------- 16-bit "sum" checksum: 39955 509 xntp.tgz 128-bit MD5 message digest: aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz Installation instructions for the xntp.tgz package: -------------------------------------------------- Make sure you are not running xntpd on your system. This command should stop the daemon: killall xntpd Check to make sure it's not running: ps -ef | grep xntpd Once you have stopped the daemon, upgrade the package using upgradepkg: upgradepkg xntp.tgz Then you can restart the daemon: /usr/sbin/xntpd FOR SLACKWARE -CURRENT:
ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
This package replaces the xntp.tgz package (which contained xntp3-5.93e). The older version (and all versions prior to ntp-4.0.99k23, which was released yesterday) contain a buffer overflow bug which could lead to a root compromise on sites offering ntp service. The buffer overflow can be fixed by upgrading to the new ntp4.tgz package: ------------------------------------------------------------------------- ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz For verification purposes, we provide the following checksums: ------------------------------------------------------------- 16-bit "sum" checksum: 12988 1167 ntp4.tgz 128-bit MD5 message digest: 8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz Installation instructions for the ntp4.tgz package: -------------------------------------------------- Make sure you are not running xntpd on your system. This command should stop the daemon: killall xntpd Check to make sure it's not running: ps -ef | grep xntpd Once you have stopped the daemon, upgrade the package using upgradepkg: upgradepkg xntp%ntp4 Then you can restart the daemon: /usr/sbin/ntpd Remember, it's also a good idea to backup configuration files before upgrading packages. - Slackware Linux Security Team http://www.slackware.com +------------------------------------------------------------------------+ | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | +------------------------------------------------------------------------+ | Send an email to [email protected] with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back. Follow the instructions to | | complete the unsubscription. Do not reply to this message to | | unsubscribe! | +------------------------------------------------------------------------+

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру