buffer overflow fix for NTP

2001-04-08T16:50:03
ID SSA-2001-0408165003
Type slackware
Reporter Slackware Linux Project
Modified 2001-04-08T16:50:03

Description

The version of xntp3 that shipped with Slackware 7.1, as well as the version that was in Slackware -current, contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release.

The updated package available for Slackware 7.1 is a patched version of xntp3. The -current tree has been upgraded to ntp4, which also fixes the problem. If you want to continue using xntp3 on -current, you can use the updated package from the Slackware 7.1 tree and it will work.

The updates available are:

FOR SLACKWARE 7.1:

================================ xntp3-5.93e AVAILABLE (xntp.tgz) ================================

Patched xntp3-5.93e against the recently reported buffer overflow problem. All sites running xntp from Slackware 7.1 should either upgrade to this package or ensure that their /etc/ntp.conf does not allow connections from untrusted hosts. To deny people access to your time daemon (not a bad idea anyway if you're only running ntp to keep your own clock updated) use this in /etc/ntp.conf:

 # Don't serve time or stats to anyone else
 restrict default ignore

Note that "ignore" drops every packet from a host that matches no more specific restrict line, including the replies from the servers you poll, so add a restrict line for each server you sync from (for example "restrict <server-address> nomodify notrap noquery"). Restricting access is a workaround only; the overflow itself is fixed by upgrading.
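The mitigation above, as an added example that is not part of the original advisory: a small POSIX sh audit that reports whether an ntp.conf carries "restrict default ignore" and, because "ignore" also silences the servers you poll, whether every server line has its own restrict exemption. The two sample configs and the 192.0.2.10 address are constructed for the example; nothing here is Slackware's or the NTP project's own code.

```shell
#!/bin/sh
# Added example (not from the Slackware advisory): audit an ntp.conf for the
# mitigation the advisory recommends. "restrict default ignore" drops every
# packet whose source matches no more specific restrict line, including
# replies from the servers you poll, so a hardened config also needs one
# restrict line per server (and one for 127.0.0.1 if local ntpq should work).

# Two constructed sample configs. 192.0.2.10 is a documentation address.
open_conf='server 192.0.2.10
driftfile /etc/ntp.drift'

hardened_conf='# Do not serve time or stats to anyone else
restrict default ignore
# ...but still accept replies from the server(s) we poll
restrict 192.0.2.10 nomodify notrap noquery
# ...and allow local monitoring with ntpq
restrict 127.0.0.1
server 192.0.2.10
driftfile /etc/ntp.drift'

# default_restricted FILE: succeed if a "restrict default" line carries the
# ignore flag. Comments are stripped first so a commented-out line does not count.
default_restricted() {
  sed 's/#.*//' "$1" | awk '
    $1 == "restrict" && $2 == "default" {
      for (i = 3; i <= NF; i++) if ($i == "ignore") ok = 1
    }
    END { exit (ok ? 0 : 1) }'
}

# servers_exempted FILE: succeed if every "server" address also has its own
# restrict line, i.e. the default ignore will not silence our own time sources.
servers_exempted() {
  sed 's/#.*//' "$1" | awk '
    $1 == "server" { want[$2] = 1 }
    $1 == "restrict" && $2 != "default" { have[$2] = 1 }
    END { for (s in want) if (!(s in have)) exit 1; exit 0 }'
}

# audit FILE: print one verdict line; exit status 0 only if both checks pass.
audit() {
  if ! default_restricted "$1"; then
    echo "$1: WEAK - no 'restrict default ignore'; untrusted hosts can reach the daemon"
    return 1
  elif ! servers_exempted "$1"; then
    echo "$1: BROKEN - default ignore with no per-server restrict; ntpd will never sync"
    return 1
  fi
  echo "$1: OK - default ignore plus per-server exemptions"
}

# Usage: sh ntp_conf_audit.sh /etc/ntp.conf [more files...]
for f in "$@"; do audit "$f"; done
```

The audit only tells you whether the workaround is in place; a host that passes it is still running vulnerable code until the package is upgraded.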

The buffer overflow problem can be fixed by upgrading to this package:


 ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

For verification purposes, we provide the following checksums:


 16-bit "sum" checksum:
 39955   509   xntp.tgz

 128-bit MD5 message digest:
 aefbeb1a1c8d2af8e1d1906f823368bd  xntp.tgz

Installation instructions for the xntp.tgz package:


 Make sure you are not running xntpd on your system.  This command
 should stop the daemon:

    killall xntpd

 Check to make sure it's not running (the brackets keep grep from
 matching its own command line in the ps output):

    ps -ef | grep '[x]ntpd'

 Once you have stopped the daemon, upgrade the package using
 upgradepkg:

    upgradepkg xntp.tgz

 Then you can restart the daemon:

    /usr/sbin/xntpd

FOR SLACKWARE -CURRENT:

================================== ntp-4.0.99k23 AVAILABLE (ntp4.tgz) ==================================

This package replaces the xntp.tgz package (which contained xntp3-5.93e). The older version (and all versions prior to ntp-4.0.99k23, which was released yesterday) contain a buffer overflow bug which could lead to a root compromise on sites offering ntp service.

The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:


 ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

For verification purposes, we provide the following checksums:


 16-bit "sum" checksum:
 12988  1167  ntp4.tgz

 128-bit MD5 message digest:
 8dc3ec08fc63500ff75f640a1894bdd0  ntp4.tgz

Installation instructions for the ntp4.tgz package:


 Make sure you are not running xntpd on your system.  This command
 should stop the daemon:

    killall xntpd

 Check to make sure it's not running (the brackets keep grep from
 matching its own command line in the ps output):

    ps -ef | grep '[x]ntpd'

 Once you have stopped the daemon, upgrade the package using
 upgradepkg (the old%new form tells upgradepkg to replace the
 installed xntp package with the new ntp4 package):

    upgradepkg xntp%ntp4

 Then you can restart the daemon:

    /usr/sbin/ntpd

Remember, it's also a good idea to backup configuration files before upgrading packages.
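The checksum verification and the stop / confirm / upgradepkg / restart sequence given for both the Slackware 7.1 and the -current package, as one added example that is not part of the original advisory. The MD5 and 16-bit sum values in the usage comment are the ones published above; everything else (function names, the backup file name, the hypothetical script name ntp_update.sh) is the example's own.

```shell
#!/bin/sh
# Added example (not from the Slackware advisory): check a downloaded package
# against the checksums published above, and only then run the stop / confirm /
# upgradepkg / restart sequence from the installation instructions.
# Values for the two packages, copied from the advisory:
#   sh ntp_update.sh xntp.tgz aefbeb1a1c8d2af8e1d1906f823368bd 39955 509 /usr/sbin/xntpd xntp.tgz
#   sh ntp_update.sh ntp4.tgz 8dc3ec08fc63500ff75f640a1894bdd0 12988 1167 /usr/sbin/ntpd xntp%ntp4
# Run with no arguments it only defines functions and changes nothing.

# md5_of FILE: print the MD5 digest in hex, using whichever tool is installed.
md5_of() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -md5 "$1" | sed 's/.*= //'
  else
    return 2
  fi
}

# verify_md5 FILE EXPECTED_HEX: succeed only on an exact digest match.
verify_md5() {
  [ "$(md5_of "$1")" = "$2" ]
}

# verify_sum FILE EXPECTED_SUM EXPECTED_BLOCKS: the 16-bit BSD "sum" value and
# its 1K block count, compared numerically because sum(1) zero-pads the checksum.
verify_sum() {
  set -- "$1" "$2" "$3" $(sum "$1")
  [ "$4" -eq "$2" ] && [ "$5" -eq "$3" ]
}

# verify_package FILE MD5 SUM BLOCKS: both published checksums must match.
verify_package() {
  verify_md5 "$1" "$2" && verify_sum "$1" "$3" "$4"
}

# daemon_running NAME: true if a process with exactly that command name exists.
# Matching on the command column avoids the classic "ps | grep xntpd" problem
# where grep finds its own command line.
daemon_running() {
  if command -v pgrep >/dev/null 2>&1; then
    pgrep -x "$1" >/dev/null
  else
    ps -eo comm= | grep -qx "$1"
  fi
}

# install_update PKGFILE MD5 SUM BLOCKS DAEMON UPGRADE_ARG
# DAEMON is the binary to start afterwards (/usr/sbin/xntpd or /usr/sbin/ntpd);
# UPGRADE_ARG is what upgradepkg gets (xntp.tgz, or xntp%ntp4 to replace xntp with ntp4).
install_update() {
  pkg=$1 md5=$2 bsd=$3 blocks=$4 daemon=$5 arg=$6
  if ! verify_package "$pkg" "$md5" "$bsd" "$blocks"; then
    echo "$pkg: checksum mismatch, refusing to install" >&2
    return 1
  fi
  # Back up the config first, as the advisory suggests (backup name is the example's choice).
  [ -f /etc/ntp.conf ] && cp -p /etc/ntp.conf /etc/ntp.conf.bak
  killall xntpd 2>/dev/null
  sleep 1
  if daemon_running xntpd; then
    echo "xntpd is still running; not upgrading" >&2
    return 1
  fi
  upgradepkg "$arg" && "$daemon"
}

if [ $# -eq 6 ]; then
  install_update "$@"
fi
```

Two caveats worth keeping in mind: the checksums travel over the same unauthenticated FTP channel as the package, so they catch a corrupted download but not a substituted one, and MD5 is no longer collision-resistant, so today you would want a signature rather than a digest. For a 2001 advisory the published values are what there is, and the script refuses to touch the system unless both of them match.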