- ------------------------------------------------------------------------
Debian Security Advisory DSA-1801-1                  security@debian.org
http://www.debian.org/security/                          Thijs Kinkhorst
May 19, 2009                          http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : ntp
Vulnerability  : buffer overflows
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2009-0159 CVE-2009-1252
CERT advisory  : VU#853097
Debian Bug     : 525373

Several remote vulnerabilities have been discovered in NTP, the Network
Time Protocol reference implementation. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2009-0159

    A buffer overflow in ntpq allow a remote NTP server to create a
    denial of service attack or to execute arbitrary code via a crafted
    response.

CVE-2009-1252

    A buffer overflow in ntpd allows a remote attacker to create a
    denial of service attack or to execute arbitrary code when the
    autokey functionality is enabled.

For the old stable distribution (etch), these problems have been fixed in
version 4.2.2.p4+dfsg-2etch3.

For the stable distribution (lenny), these problems have been fixed in
version 4.2.4p4+dfsg-8lenny2.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your ntp package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Source archives:

      Size/MD5 checksum:      906 8a1376e7b9883a31aeef2b242cddafb3
      Size/MD5 checksum:  2199764 ad746cda2d90dbb9ed06fe164273c5d0
      Size/MD5 checksum:   182790 1bef0f3e23bc046d7c70b60f257abce8

Architecture independent packages:

      Size/MD5 checksum:    28068 980216d8940c6f35ef734e8b4696bedb
      Size/MD5 checksum:   909142 a4f0b0390ef1d8ea3b42e9f79aa6419c
      Size/MD5 checksum:    28070 1a62301f74fc9ef23e73b86b168995d1

alpha architecture (DEC Alpha)

      Size/MD5 checksum:    64896 334da9b0c10e3d061d40313cff2f4aba
      Size/MD5 checksum:   407926 2ea4e315e61be332e2799152d117828f

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:   359278 206749f2d5cddbb47f43cadf031200f6
      Size/MD5 checksum:    61468 d7c76761a5b81efc6ad09d7339c65f65

arm architecture (ARM)

      Size/MD5 checksum:    59472 b7e6f73ba7ecc1b950f5ce4b8713bbc8
      Size/MD5 checksum:   343500 918b4ed05ccc9beef8b17ed820076736

hppa architecture (HP PA RISC)

      Size/MD5 checksum:    62008 718ac291a6d5bd5cee16da1ba332277a
      Size/MD5 checksum:   372266 a8801148122304f201143b3c83212ef1

i386 architecture (Intel ia32)

      Size/MD5 checksum:    58244 1e2645f55d880f0b32b189c788a6fa6e
      Size/MD5 checksum:   330784 2cffe9ce5766d3b3a7dd716451f9940d

ia64 architecture (Intel ia64)

      Size/MD5 checksum:    74564 11dc5d9603aa107736e25e73a999fed9
      Size/MD5 checksum:   523190 4b92e21247b790d31d87cae43288860e

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   382548 7ebe4c29857af28a1d0d47341c03ed9f
      Size/MD5 checksum:    63444 1479ed9849e0da2119fedd3c07ef0c6e

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   390040 7338922ec7c8a810374913a5440b84c8
      Size/MD5 checksum:    63986 63cf40dbea34d855dfa0b4dcab148753

powerpc architecture (PowerPC)

      Size/MD5 checksum:   358710 14eebc6b0f1b5566398761c0e9387e06
      Size/MD5 checksum:    61548 6f7d62dbce9a7e476c5740556e05adbe

s390 architecture (IBM S/390)

      Size/MD5 checksum:    61102 1cbb204bb34886adaf67f65add882fb6
      Size/MD5 checksum:   350088 2a27fe8eaedfac99221d0e0958750b69

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:    58438 3c247f0d8b30fd8eb287fbf5429bb25a
      Size/MD5 checksum:   332082 4506ffc7cdbc545decc4ebd726cc0fb3

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

      Size/MD5 checksum:  2835029 dc2b3ac9cc04b0f29df35467514c9884
      Size/MD5 checksum:   300806 7b70febe5a8b2731da1f6bc60e7095e6
      Size/MD5 checksum:     1459 b72ceb69656ba2fe3374e7a793c8c2c0

Architecture independent packages:

      Size/MD5 checksum:   929700 36d1605577c6243875f4e35d9c40c9e8

alpha architecture (DEC Alpha)

      Size/MD5 checksum:    66636 f732a56b27be857f1a4ae7bde9bac056
      Size/MD5 checksum:   537528 32e7a25e224daeb2a4c3e3b8bdd88006

amd64 architecture (AMD x86_64 (AMD64))

      Size/MD5 checksum:    63726 39a38d2d30352145617b63b0f1808832
      Size/MD5 checksum:   480718 88defc4b9564804bac6c0d1b91b4207b

arm architecture (ARM)

      Size/MD5 checksum:   448040 2512a1f1d5f1af9484d3c02cef012aed
      Size/MD5 checksum:    61078 89dbb40bd4aa2644572e90de539733c7

armel architecture (ARM EABI)

      Size/MD5 checksum:    62376 6c47db082b725923eaa4b54b0ea3e090
      Size/MD5 checksum:   458818 9339249185118e58f3575e43d0da862f

hppa architecture (HP PA RISC)

      Size/MD5 checksum:   485606 005701aa3a2f141f996d1cc6c69154a8
      Size/MD5 checksum:    63698 a28856e22f368954f6a61de73815b204

i386 architecture (Intel ia32)

      Size/MD5 checksum:   432098 b237d149bc205c7d644cf0b891cbae4e
      Size/MD5 checksum:    60078 2a661bfaf8dd05ec49c39b27fe44a5d2

ia64 architecture (Intel ia64)

      Size/MD5 checksum:    76208 aba226d105228a2be266a2eb9aa97aeb
      Size/MD5 checksum:   707612 1d676bd6a79da49a32f28b756c074c8d

mips architecture (MIPS (Big Endian))

      Size/MD5 checksum:   488812 8c95d2d99443cffd777a9ec175fda92d
      Size/MD5 checksum:    64026 3401aa68f558315d3fa4a397444ae375

mipsel architecture (MIPS (Little Endian))

      Size/MD5 checksum:   500628 c78913c3cb8b36474f7bb884facf2caa
      Size/MD5 checksum:    64614 96a808c0dcd3f0189ac5b12bc35b1616

powerpc architecture (PowerPC)

      Size/MD5 checksum:   490410 ed37bad3d4586ca982f1884ebecca859
      Size/MD5 checksum:    65298 bb30faf8ab938a762e3e6eef61dd5be1

s390 architecture (IBM S/390)

      Size/MD5 checksum:   473862 d4cdb4b995504b0037b41bffee80f6da
      Size/MD5 checksum:    63476 b6f43878943e279469da4e4b5f9841a9

sparc architecture (Sun SPARC/UltraSPARC)

      Size/MD5 checksum:   440966 94363f0f4b0a3681601553e70f3549e5
      Size/MD5 checksum:    60640 dcfd2724e17a9ed85620d0153eb55eac


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp:  dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Debian: DSA-1801-1: New ntp packages fix several vulnerabilities

May 19, 2009
Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation

Summary

CVE-2009-0159

A buffer overflow in ntpq allow a remote NTP server to create a
denial of service attack or to execute arbitrary code via a crafted
response.

CVE-2009-1252

A buffer overflow in ntpd allows a remote attacker to create a
denial of service attack or to execute arbitrary code when the
autokey functionality is enabled.

For the old stable distribution (etch), these problems have been fixed in
version 4.2.2.p4+dfsg-2etch3.

For the stable distribution (lenny), these problems have been fixed in
version 4.2.4p4+dfsg-8lenny2.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your ntp package.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch

Source archives:

Size/MD5 checksum: 906 8a1376e7b9883a31aeef2b242cddafb3
Size/MD5 checksum: 2199764 ad746cda2d90dbb9ed06fe164273c5d0
Size/MD5 checksum: 182790 1bef0f3e23bc046d7c70b60f257abce8

Architecture independent packages:

Size/MD5 checksum: 28068 980216d8940c6f35ef734e8b4696bedb
Size/MD5 checksum: 909142 a4f0b0390ef1d8ea3b42e9f79aa6419c
Size/MD5 checksum: 28070 1a62301f74fc9ef23e73b86b168995d1

alpha architecture (DEC Alpha)

Size/MD5 checksum: 64896 334da9b0c10e3d061d40313cff2f4aba
Size/MD5 checksum: 407926 2ea4e315e61be332e2799152d117828f

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 359278 206749f2d5cddbb47f43cadf031200f6
Size/MD5 checksum: 61468 d7c76761a5b81efc6ad09d7339c65f65

arm architecture (ARM)

Size/MD5 checksum: 59472 b7e6f73ba7ecc1b950f5ce4b8713bbc8
Size/MD5 checksum: 343500 918b4ed05ccc9beef8b17ed820076736

hppa architecture (HP PA RISC)

Size/MD5 checksum: 62008 718ac291a6d5bd5cee16da1ba332277a
Size/MD5 checksum: 372266 a8801148122304f201143b3c83212ef1

i386 architecture (Intel ia32)

Size/MD5 checksum: 58244 1e2645f55d880f0b32b189c788a6fa6e
Size/MD5 checksum: 330784 2cffe9ce5766d3b3a7dd716451f9940d

ia64 architecture (Intel ia64)

Size/MD5 checksum: 74564 11dc5d9603aa107736e25e73a999fed9
Size/MD5 checksum: 523190 4b92e21247b790d31d87cae43288860e

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 382548 7ebe4c29857af28a1d0d47341c03ed9f
Size/MD5 checksum: 63444 1479ed9849e0da2119fedd3c07ef0c6e

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 390040 7338922ec7c8a810374913a5440b84c8
Size/MD5 checksum: 63986 63cf40dbea34d855dfa0b4dcab148753

powerpc architecture (PowerPC)

Size/MD5 checksum: 358710 14eebc6b0f1b5566398761c0e9387e06
Size/MD5 checksum: 61548 6f7d62dbce9a7e476c5740556e05adbe

s390 architecture (IBM S/390)

Size/MD5 checksum: 61102 1cbb204bb34886adaf67f65add882fb6
Size/MD5 checksum: 350088 2a27fe8eaedfac99221d0e0958750b69

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 58438 3c247f0d8b30fd8eb287fbf5429bb25a
Size/MD5 checksum: 332082 4506ffc7cdbc545decc4ebd726cc0fb3

Debian GNU/Linux 5.0 alias lenny

Source archives:

Size/MD5 checksum: 2835029 dc2b3ac9cc04b0f29df35467514c9884
Size/MD5 checksum: 300806 7b70febe5a8b2731da1f6bc60e7095e6
Size/MD5 checksum: 1459 b72ceb69656ba2fe3374e7a793c8c2c0

Architecture independent packages:

Size/MD5 checksum: 929700 36d1605577c6243875f4e35d9c40c9e8

alpha architecture (DEC Alpha)

Size/MD5 checksum: 66636 f732a56b27be857f1a4ae7bde9bac056
Size/MD5 checksum: 537528 32e7a25e224daeb2a4c3e3b8bdd88006

amd64 architecture (AMD x86_64 (AMD64))

Size/MD5 checksum: 63726 39a38d2d30352145617b63b0f1808832
Size/MD5 checksum: 480718 88defc4b9564804bac6c0d1b91b4207b

arm architecture (ARM)

Size/MD5 checksum: 448040 2512a1f1d5f1af9484d3c02cef012aed
Size/MD5 checksum: 61078 89dbb40bd4aa2644572e90de539733c7

armel architecture (ARM EABI)

Size/MD5 checksum: 62376 6c47db082b725923eaa4b54b0ea3e090
Size/MD5 checksum: 458818 9339249185118e58f3575e43d0da862f

hppa architecture (HP PA RISC)

Size/MD5 checksum: 485606 005701aa3a2f141f996d1cc6c69154a8
Size/MD5 checksum: 63698 a28856e22f368954f6a61de73815b204

i386 architecture (Intel ia32)

Size/MD5 checksum: 432098 b237d149bc205c7d644cf0b891cbae4e
Size/MD5 checksum: 60078 2a661bfaf8dd05ec49c39b27fe44a5d2

ia64 architecture (Intel ia64)

Size/MD5 checksum: 76208 aba226d105228a2be266a2eb9aa97aeb
Size/MD5 checksum: 707612 1d676bd6a79da49a32f28b756c074c8d

mips architecture (MIPS (Big Endian))

Size/MD5 checksum: 488812 8c95d2d99443cffd777a9ec175fda92d
Size/MD5 checksum: 64026 3401aa68f558315d3fa4a397444ae375

mipsel architecture (MIPS (Little Endian))

Size/MD5 checksum: 500628 c78913c3cb8b36474f7bb884facf2caa
Size/MD5 checksum: 64614 96a808c0dcd3f0189ac5b12bc35b1616

powerpc architecture (PowerPC)

Size/MD5 checksum: 490410 ed37bad3d4586ca982f1884ebecca859
Size/MD5 checksum: 65298 bb30faf8ab938a762e3e6eef61dd5be1

s390 architecture (IBM S/390)

Size/MD5 checksum: 473862 d4cdb4b995504b0037b41bffee80f6da
Size/MD5 checksum: 63476 b6f43878943e279469da4e4b5f9841a9

sparc architecture (Sun SPARC/UltraSPARC)

Size/MD5 checksum: 440966 94363f0f4b0a3681601553e70f3549e5
Size/MD5 checksum: 60640 dcfd2724e17a9ed85620d0153eb55eac


These files will probably be moved into the stable distribution on
its next update.

For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/

Severity
Several remote vulnerabilities have been discovered in NTP, the Network
Time Protocol reference implementation. The Common Vulnerabilities and
Exposures project identifies the following problems:

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up