The version of xntp3 that shipped with Slackware 7.1 as well as the
version that was in Slackware -current contains a buffer overflow bug that
could lead to a root compromise.  Slackware 7.1 and Slackware -current
users are urged to upgrade to the new packages available for their
release.

The updated package available for Slackware 7.1 is a patched version of
xntp3.  The -current tree has been upgraded to ntp4, which also fixes the
problem.  If you want to continue using xntp3 on -current, you can use the
updated package from the Slackware 7.1 tree and it will work.

The updates available are:


FOR SLACKWARE 7.1:

 ===============================
 xntp3-5.93e AVAILABLE (xntp.tgz)
 ===============================
  Patched xntp3-5.93e against recently reported buffer overflow problem.
  All sites running xntp from Slackware 7.1 should either upgrade to this
  package or ensure that their /etc/ntp.conf does not allow connections
  from untrusted hosts.  To deny people access to your time daemon (not a
  bad idea anyway if you're only running ntp to keep your own clock
  updated) use this in /etc/ntp.conf:

     #  Don't serve time or stats to anyone else
     restrict default ignore
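
     A fuller /etc/ntp.conf built around that line, added here as an
     example and not taken from the advisory or from the ntp distribution:
     "restrict default ignore" also drops the replies of the servers you
     sync from, so each one needs its own restrict entry.  192.0.2.10 is a
     placeholder for your upstream server's address.

```conf
# Added example, not from the Slackware advisory.  192.0.2.10 is a
# placeholder for the upstream time server you actually use.

# Drop every packet not matched by a more specific restrict line below,
# including ntpq/ntpdc queries and time requests from remote hosts.
restrict default ignore

# Local tools (ntpq, ntpdc) on this host keep full access.
restrict 127.0.0.1

# The upstream server we sync from.  With "ignore" as the default its
# replies would be dropped too, so permit time packets from it while
# still refusing queries, runtime reconfiguration and traps from it.
server   192.0.2.10
restrict 192.0.2.10 nomodify notrap noquery
```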

  The buffer overflow problem can be fixed by upgrading to this package:
  ---------------------------------------------------------------------

       

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     39955   509   xntp.tgz

     128-bit MD5 message digest:
     aefbeb1a1c8d2af8e1d1906f823368bd  xntp.tgz

  Installation instructions for the xntp.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp.tgz

     Then you can restart the daemon:

        /usr/sbin/xntpd


FOR SLACKWARE -CURRENT:

 =================================
 ntp-4.0.99k23 AVAILABLE (ntp4.tgz)
 =================================
  This package replaces the xntp.tgz package (which contained xntp3-5.93e).
  The older version (and all versions prior to ntp-4.0.99k23, which was
  released yesterday) contain a buffer overflow bug which could lead to a
  root compromise on sites offering ntp service.

  The buffer overflow can be fixed by upgrading to the new ntp4.tgz package:
  -------------------------------------------------------------------------

       

  For verification purposes, we provide the following checksums:
  -------------------------------------------------------------

     16-bit "sum" checksum:
     12988  1167  ntp4.tgz

     128-bit MD5 message digest:
     8dc3ec08fc63500ff75f640a1894bdd0  ntp4.tgz

  Installation instructions for the ntp4.tgz package:
  --------------------------------------------------

     Make sure you are not running xntpd on your system.  This command
     should stop the daemon:

        killall xntpd

     Check to make sure it's not running:

        ps -ef | grep xntpd

     Once you have stopped the daemon, upgrade the package using
     upgradepkg:

        upgradepkg xntp%ntp4

     Then you can restart the daemon:

        /usr/sbin/ntpd
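
     Added example (not part of the advisory) that checks a downloaded
     xntp.tgz or ntp4.tgz against the MD5 digests printed in both sections
     above before any of the killall/upgradepkg steps are run; it assumes
     md5sum (or openssl) is installed and uses the hypothetical script name
     verify-ntp-update.sh.

```shell
#!/bin/sh
# Added example, not part of the Slackware advisory: refuse to go ahead
# with an upgrade unless the package file matches the advisory's MD5.
# Only the two digests printed in the advisory are built in.

# MD5 digest the advisory publishes for each package file name.
expected_md5() {
    case "$(basename "$1")" in
        xntp.tgz) echo aefbeb1a1c8d2af8e1d1906f823368bd ;;
        ntp4.tgz) echo 8dc3ec08fc63500ff75f640a1894bdd0 ;;
        *)        return 1 ;;
    esac
}

# Print the MD5 digest of a file: md5sum normally, openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Succeed (exit 0) only if FILE exists and its digest equals EXPECTED.
verify_md5() {
    file="$1" expected="$2"
    [ -f "$file" ] || return 1
    actual=$(md5_of "$file")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Verify a package file by name using the advisory's digest table.
verify_package() {
    digest=$(expected_md5 "$1") || { echo "no advisory digest for $1" >&2; return 1; }
    verify_md5 "$1" "$digest"
}

# Usage: sh verify-ntp-update.sh xntp.tgz   (or ntp4.tgz)
# Exits 0 when the file matches; only then proceed with killall/upgradepkg.
if [ $# -eq 1 ]; then
    if verify_package "$1"; then
        echo "$1: MD5 matches the advisory"
    else
        echo "$1: MD5 MISMATCH, do not install" >&2
        exit 1
    fi
fi
```

     Run it in the download directory; only on a zero exit continue with
     the stop, upgradepkg and restart steps above.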


Remember, it's also a good idea to back up configuration files before
upgrading packages.

- Slackware Linux Security Team
   The Slackware Linux Project


Slackware: 'xntp3' buffer overflow

April 9, 2001