Slackware: 'xntp3' buffer overflow
Posted by LinuxSecurity.com Team   

The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise.  Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3.  The -current tree has been upgraded to ntp4, which also fixes the
problem.  If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:


FOR SLACKWARE 7.1:

 ================================
 xntp3-5.93e AVAILABLE (xntp.tgz)
 ================================

  Patched xntp3-5.93e against recently reported buffer overflow problem.
  All sites running xntp from Slackware 7.1 should either upgrade to this
  package or ensure that their /etc/ntp.conf does not allow connections
  from untrusted hosts.  To deny people access to your time daemon (not a
  bad idea anyway if you're only running ntp to keep your own clock
  updated) use this in /etc/ntp.conf:

     #  Don't serve time or stats to anyone else
     restrict default ignore
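
To confirm that a host actually carries the mitigation above, the following added example (not part of the Slackware advisory) audits an ntp.conf for a `restrict default ignore` policy and lists every other `restrict` entry as an exception. The function name `audit_ntp_conf` and the sample file are constructed for illustration, and only the plain `restrict default` form is handled.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the advisory's "restrict default ignore".
# audit_ntp_conf FILE -> prints findings; returns 0 only if the default is "ignore".
audit_ntp_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk '
        { sub(/#.*/, "") }              # drop comments, fields are re-split
        $1 != "restrict" { next }       # only restrict lines matter here
        $2 == "default" {               # a later default line replaces an earlier one
            seen = 1; ignore = 0
            for (i = 3; i <= NF; i++) if ($i == "ignore") ignore = 1
            next
        }
        {
            # every other restrict entry is a host or net exempted from the default
            flags = ""
            for (i = 3; i <= NF; i++) flags = flags " " $i
            print "EXCEPTION " $2 (flags == "" ? " (no flags: full access)" : flags)
        }
        END {
            if (!seen)   { print "FAIL no \"restrict default\" line"; exit 1 }
            if (!ignore) { print "FAIL \"restrict default\" lacks the ignore flag"; exit 1 }
            print "OK default policy is ignore"
        }
    ' "$conf"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#  Don't serve time or stats to anyone else
restrict default ignore
restrict 127.0.0.1
EOF
audit_ntp_conf "$sample"
rm -f "$sample"
```

Each EXCEPTION line names an address that can still reach the daemon, so review those entries before relying on the configuration instead of the patched package.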

  The buffer overflow problem can be fixed by upgrading to this package:
  ---------------------------------------------------------------------

      ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     39955   509   xntp.tgz

     128-bit MD5 message digest:
     aefbeb1a1c8d2af8e1d1906f823368bd  xntp.tgz

  Installation instructions for the xntp.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp.tgz

     Then you can restart the daemon:

        /usr/sbin/xntpd


FOR SLACKWARE -CURRENT:

 ==================================
 ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
 ==================================

  This package replaces the xntp.tgz package (which contained xntp3-5.93e).
  The older version (and all versions prior to ntp-4.0.99k23, which was
  released yesterday) contain a buffer overflow bug which could lead to a
  root compromise on sites offering ntp service.

  The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
  -------------------------------------------------------------------------

      ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     12988  1167  ntp4.tgz

     128-bit MD5 message digest:
     8dc3ec08fc63500ff75f640a1894bdd0  ntp4.tgz

  Installation instructions for the ntp4.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp%ntp4

     Then you can restart the daemon:

        /usr/sbin/ntpd
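
Both installation procedures above list checksums but not the command to check them. This added example (not part of the Slackware advisory) compares a downloaded file against the MD5 digests published here before `upgradepkg` is run; the function names `advisory_md5` and `verify_pkg` are constructed for illustration, and `md5sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: check a downloaded package against the MD5 digests
# published in this advisory before handing it to upgradepkg.

# Digests copied from the advisory text, keyed by package file name.
advisory_md5() {
    case $(basename "$1") in
        xntp.tgz) echo aefbeb1a1c8d2af8e1d1906f823368bd ;;
        ntp4.tgz) echo 8dc3ec08fc63500ff75f640a1894bdd0 ;;
        *)        return 1 ;;
    esac
}

# verify_pkg FILE [EXPECTED_MD5]
# Returns 0 on match, 1 on mismatch, 2 when the file or a digest is missing.
verify_pkg() {
    pkg=$1
    want=$2
    [ -f "$pkg" ] || { echo "ERROR no such file: $pkg" >&2; return 2; }
    [ -n "$want" ] || want=$(advisory_md5 "$pkg") ||
        { echo "ERROR no published digest for $pkg" >&2; return 2; }
    got=$(md5sum < "$pkg" | awk '{ print $1 }')
    if [ "$got" = "$want" ]; then
        echo "OK $pkg"
    else
        echo "MISMATCH $pkg: computed $got, advisory lists $want" >&2
        return 1
    fi
}

# Constructed stand-in file: it is NOT the real package, so the check fails
# and the upgrade step is never reached.
demo=$(mktemp -d)
echo "constructed placeholder bytes" > "$demo/xntp.tgz"
verify_pkg "$demo/xntp.tgz" || echo "digest check failed, not running upgradepkg"
rm -rf "$demo"
```

On a real system the gate reads `verify_pkg xntp.tgz && upgradepkg xntp.tgz`, run after the daemon has been stopped.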


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
   http://www.slackware.com


 