Debian: DSA-1948-1: New ntp packages fix denial of service

    Date: 08 Dec 2009
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, does not react properly to certain incoming packets.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA-1908-1
    http://www.debian.org/security/                                 Nico Golde
    December 8th, 2009                      http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : ntp
    Vulnerability  : denial of service
    Problem type   : remote
    Debian-specific: no
    Debian bug     : 560074
    CVE ID         : CVE-2009-3563
    
    Robin Park and Dmitri Vinokurov discovered that the daemon component of
    the ntp package, a reference implementation of the NTP protocol, does
    not react properly to certain incoming packets.
    
    An unexpected NTP mode 7 packet (MODE_PRIVATE) with spoofed IP data can lead
    ntpd to reply with a mode 7 response to the spoofed address.  This may result
    in the service playing packet ping-pong with other ntp servers or even itself,
    which causes CPU usage and excessive disk use due to logging.  An attacker
    can use this to conduct denial of service attacks.
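
A detection sketch for the ping-pong described above, added here as an example and not part of the Debian advisory or the ntp code base. It scans packet records for mode 7 traffic that flows from port 123 to port 123 in both directions between two hosts, or from a host to itself. The header layout (response bit in the top bit of the first byte, mode in the low three bits) follows ntpd's mode 7 packet format and is not spelled out in the advisory; the function names, threshold and sample records are assumptions.

```python
from collections import Counter

NTP_PORT = 123
MODE_PRIVATE = 7   # the "mode 7" named in the advisory
RESP_BIT = 0x80    # first header byte is R | M | VN(3) | Mode(3)

def parse_mode7(payload):
    """Return (is_response, implementation, request_code), or None if not mode 7."""
    if len(payload) < 4 or payload[0] & 0x07 != MODE_PRIVATE:
        return None
    return bool(payload[0] & RESP_BIT), payload[2], payload[3]

def find_ping_pong(packets, threshold=3):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).

    Flags host pairs exchanging mode 7 traffic from port 123 to port 123 in
    both directions, or a host addressing itself. Assumption: legitimate
    mode 7 queries come from a client's ephemeral port, not from port 123.
    """
    counts, directions = Counter(), {}
    for src, sport, dst, dport, payload in packets:
        if parse_mode7(payload) is None or (sport, dport) != (NTP_PORT, NTP_PORT):
            continue
        pair = tuple(sorted((src, dst)))
        counts[pair] += 1
        directions.setdefault(pair, set()).add((src, dst))
    return sorted(
        (pair, n) for pair, n in counts.items()
        if n >= threshold and (pair[0] == pair[1] or len(directions[pair]) == 2)
    )

# Constructed sample capture (documentation addresses, header bytes only).
ERR_REPLY = bytes([0x97, 0x00, 0x03, 0x00]) + bytes(4)    # R=1, VN=2, mode 7
ADMIN_QUERY = bytes([0x17, 0x00, 0x03, 0x00]) + bytes(4)  # R=0, VN=2, mode 7
CLIENT_SYNC = bytes([0x23]) + bytes(47)                   # VN=4, mode 3
SAMPLE = [
    ("192.0.2.10", 123, "192.0.2.20", 123, ERR_REPLY),
    ("192.0.2.20", 123, "192.0.2.10", 123, ERR_REPLY),
    ("192.0.2.10", 123, "192.0.2.20", 123, ERR_REPLY),
    ("192.0.2.20", 123, "192.0.2.10", 123, ERR_REPLY),
    ("203.0.113.7", 40000, "192.0.2.10", 123, ADMIN_QUERY),
    ("203.0.113.9", 40001, "192.0.2.10", 123, CLIENT_SYNC),
]

if __name__ == "__main__":
    for (a, b), n in find_ping_pong(SAMPLE):
        print(f"mode 7 loop between {a} and {b}: {n} packets")
```
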
    
    
    For the oldstable distribution (etch), this problem has been fixed in
    version 1:4.2.2.p4+dfsg-2etch4.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 1:4.2.4p4+dfsg-8lenny3.
    
    For the testing (squeeze) and unstable (sid) distributions, this problem
    will be fixed soon.
    
    
    We recommend that you upgrade your ntp packages.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Debian (oldstable)
    - ------------------
    
    Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    
    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------
    
    Debian (stable)
    - ---------------
    
    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
    