Stay Secure with the Latest Linux Advisories

security advisorycode executionslackware

Slackware: 2018-229-01 Moderate: Ntp Command-Line Processing Risk

New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] ntp (SSA:2018-229-01) New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/ntp-4.2.8p12-i586-1_slack14.2.txz: Upgraded. This release improves on one security fix in ntpd: LOW/MEDIUM: Sec 3012: Sybil vulnerability: ephemeral association attack While fixed in ntp-4.2.8p7 and with significant additional protections for this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in the new noepeer support. Originally reported by Matt Van Gundy of Cisco. Edge-case hole reported by Martin Burnicki of Meinberg. And fixes another security issue in ntpq and ntpdc: LOW: Sec 3505: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit, which could allow an attacker to achieve code execution or escalate to higher privileges via a long string as the argument for an IPv4 or IPv6 command-line parameter. NOTE: It is unclear whether there are any common situations in which ntpq or ntpdc is used with a command line from an untrusted source. Reported by Fakhri Zulkifli. For more information, see: http://www.ntp.org/support/securitynotice/ https://www.cve.org/CVERecord?id=CVE-2016-1549 https://www.cve.org/CVERecord?id=CVE-2018-12327 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you. Updated package for Slackware 14.0: Updated package for Slackware x86_6414.0: Updated package for Slackware 14.1: Updated package for Slackware x86_64 14.1: Updated package for Slackware 14.2: Updated package for Slackware x86_64 14.2: Updated package for Slackware -current: Updated package for Slackware x86_64 -current: MD5 signatures: +-------------+ Slackware 14.0 package: 4a4cc8e4dc6964dc4521058ce776ce4e ntp-4.2.8p12-i486-1_slack14.0.txz Slackware x86_64 14.0 package: d3a0c36c39e1c0cf5e3b8707f948a180 ntp-4.2.8p12-x86_64-1_slack14.0.txz Slackware 14.1 package: 7c42e1d9fa476c162be9375a7b662654 ntp-4.2.8p12-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 75472911bb9a76a949c94aa21471f6f0 ntp-4.2.8p12-x86_64-1_slack14.1.txz Slackware 14.2 package: 2ecd58c0cb1f6d035b36de9098e0d075 ntp-4.2.8p12-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 96844a4152a8dba26ed73d91662122ce ntp-4.2.8p12-x86_64-1_slack14.2.txz Slackware -current package: dc3f52b871f3edc1a64e2d9ef1649591 n/ntp-4.2.8p12-i586-1.txz Slackware x86_64 -current package: ecd43289b917c81e682b9b00077c1409 n/ntp-4.2.8p12-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg ntp-4.2.8p12-i586-1_slack14.2.txz Then, restart the NTP daemon: # sh /etc/rc.d/rc.ntpd restart +-----+ . The latest NTP updates for Slackware bolster system defenses by addressing significant security flaws and elevating overall safeguarding measures.. NTP Update, Slackware Security, System Protection, Network Time Protocol. . LinuxSecurity.com Team

Aug 17, 2018 Slackware