Stay Secure with the Latest Linux Advisories
Refine advisories
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security advisories
We found -5 articles for you...
100
security advisorysecurity updateinformation leakSUSE: 2015:0322-1 Important: xntp Access Control and Info Leak
An update that fixes four vulnerabilities is now available. An update that fixes four vulnerabilities is now available. An update that fixes four vulnerabilities is now available.. SUSE Security Update: Security update for xntp ______________________________________________________________________________ Announcement ID: SUSE-SU-2015:0322-1 Rating: important References: #911792 Cross-References: CVE-2014-9293 CVE-2014-9294 CVE-2014-9297 CVE-2014-9298 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes four vulnerabilities is now available. Description: xntp has been updated to fix two security issues: * CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed (bnc#911792). * CVE-2014-9297: vallen is not validated in several places in ntp_crypto.c, leading to potential info leak (bnc#911792). Security Issues: * CVE-2014-9294 * CVE-2014-9293 * CVE-2014-9298 * CVE-2014-9297 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): xntp-4.2.4p3-48.27.1 xntp-doc-4.2.4p3-48.27.1 References: https://www.suse.com/security/cve/CVE-2014-9293.html https://www.suse.com/security/cve/CVE-2014-9294.html https://www.suse.com/security/cve/CVE-2014-9297.html https://www.suse.com/security/cve/CVE-2014-9298.html https://bugzilla.suse.com/show_bug.cgi?id=911792 https://scc.suse.com:443/patches/ . A security update for xntp is now available for SUSE Linux Enterprise Server 10 SP4 LTSS, addressing four critical vulnerabilities and improving system integrity. SUSE, xntp security, Enterprise Server, access control. . Severity: Important. LinuxSecurity.com Team
Feb 19, 2015
•Important
SuSE
100
security advisorycriticalremote executionSUSE Linux Enterprise: 2014:1686-2 Critical: xntp Remote Code Execution
An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available. An update that fixes one vulnerability is now available.. SUSE Security Update: Security update for xntp ______________________________________________________________________________ Announcement ID: SUSE-SU-2014:1686-2 Rating: critical References: #910764 Cross-References: CVE-2014-9295 Affected Products: SUSE Linux Enterprise Server 10 SP4 LTSS ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This ntp update fixes the following critical security issue: * A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication) and ctl_putdata() where updated to avoid buffer overflows that could have been exploited. (CVE-2014-9295 / VU#852879) Security Issues: * CVE-2014-9295 Package List: - SUSE Linux Enterprise Server 10 SP4 LTSS (i586 s390x x86_64): xntp-4.2.4p3-48.25.1 xntp-doc-4.2.4p3-48.25.1 References: https://www.suse.com/security/cve/CVE-2014-9295.html https://bugzilla.suse.com/show_bug.cgi?id=910764 https://scc.suse.com:443/patches/ . Stay updated on xntp's vulnerability affecting remote execution on SUSE Linux. Secure your systems by applying patches and following mitigation strategies. SUSE Security, xntp Update, Remote Execution Flaw, Critical Issue. . Severity: Critical. LinuxSecurity.com Team
Dec 24, 2014
•Critical
SuSE
100
security advisorybuffer overflowcriticalSuSE: 2001:10 Urgent: xntp Vulnerability for Remote Root Access
An exploit published by Przemyslaw Frasunek demonstrates a buffer overflow in the control request parsing code of the ntpd.. ______________________________________________________________________________ SuSE Security Announcement Package: xntp Announcement-ID: SuSE-SA:2001:10 Date: Monday, April 9th 22:30 MEST Affected SuSE versions: (6.0, 6.1, 6.2), 6.3, 6.4, 7.0, 7.1 Vulnerability Type: remote root compromise Severity (1-10): 8 SuSE default package: no Other affected systems: systems using xntp in newer versions Content of this advisory: 1) security vulnerability resolved: xntp problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information) ______________________________________________________________________________ 1) problem description, brief discussion, solution, upgrade information xntp is the network time protocol package widely used with many unix and linux systems for system time synchronization over a network. An exploit published by Przemyslaw Frasunek demonstrates a buffer overflow in the control request parsing code. The exploit allows a remote attacker to execute arbitrary commands as root. All versions as shipped with SuSE Linux are affected by the buffer overflow problem. A temporary workaround is to kill the daemon and to set the variable START_XNTPD in the file /etc/rc.config to "no" so that the daemon will not be started again upon reboot of the system. Correct the system time manually if necessary or adjust the time by running ntpdate from a cron job on a regular basis. We believe that this problem is generally underestimated since the xntpd daemon tends to get forgotten over the years of a system's life- time once installed and configured. Thexntpd daemon is not started by default in SuSE Linux distributions. We strongly recommend to immediately update the xntp package on each system where the daemon is installed, configured and running. Note: The xntp update packages for most distributions have been available for download since Friday last week. The packages for all 6.4 and 7.0 version distributions had to be rebuilt due to a specfile bug that did not show up earlier and that caused a delay in building packages. This bug causes the rpm subsystem to complain about the release number of the package. Now that this bug is corrected, you might find yourself having installed a package where there is a newer version of the package on the ftp server. However, regardless of the package release number, all published packages fix the currently known security problems in the xntpd network time daemon. Note: The source rpm of xntp in newer distributions generates two packages: xntp.rpm and xntpdoc.rpm. It is not necessary to update the xntpdoc package which is why we do not provide the update packages on our ftp server. The xntpdoc package only contains the documentation for the xntp package and did not change in this updated package. Download the update package from locations desribed below and install the package with the command `rpm -Uhv file.rpm'. The md5sum for each file is in the line below. You can verify the integrity of the rpm files using the command `rpm --checksig --nogpg file.rpm', independently from the md5 signatures below. SPECIAL INSTALL INSTRUCTIONS: ============================= The xntpd daemon must be restarted for the new package to become active after the installation of the update rpm. You can do this by running the command kill -15 `pidof xntpd` as root. After performing the upgrade using the rpm command above, you can restart the xntpd: rcxntpd start You should now see the newdaemon synchronizing in your syslogs, depending on where you configured the daemon to write its logs to. i386 Intel Platform: SuSE-7.1 9e39ca8f7b01fef22766463b8295e25d source rpm: dfa51b46c92b917353f52e5d83863478 SuSE-7.0 4293ad8a3e084ec5d773bbcab8380c08 source rpm: 745b894dcb6a97caa36f97858a51e279 SuSE-6.4 8001ac19d0ee812be82b6b066b4313d5 source rpm: 7d56618cba3d768aa53246f39158987d SuSE-6.3 2f5d7b43b167c6acf13f68b13b1b7989 source rpm: 11182e5e8c3769e6f9498ade9fcbe1fc SuSE-6.2 (unsupported platform) 5b55d179e3d4a0c57513bed03013c1a9 source rpm: dbb7c833ddc25b0bde406b4319d4106f SuSE-6.1 (unsupported platform) baa93b55a4eaa486968fa6285f04c865 source rpm: 06f0174e8934e3ce6f419284564a7c91 Sparc Platform: SuSE-7.1 The xntp packages for the SuSE-7.1 sparc distribution are currently pending for being built. They will be available on the ftp server as soon as they are built. The packages are gpg-signed using the key that should have been installed on your system upon system installation/upgrade. Use the command `rpm --checksig xntp.rpm´ to verify this signature once the packages are available for download. In the meanwhile, please use the temporary workaround as described above. SuSE-7.0 bea9ea6a88ae68f27962d1b9ad866eac source rpm: 83243db2982126e1a6ba371ef6dcf59b AXP Alpha Platform: SuSE-7.0 e410a96c44f12ba3d51a4f1f3e056fcd source rpm: 61ed8e66753868735cd14e94cb295718 SuSE-6.4 9460bd3eaf5500c0184d9394b8b86627 source rpm: 5c62ef99f064b687047087562cfe54ca SuSE-6.3 ad8c8494f0aaa06a1690e4edcaa43904 source rpm: 743fe2aba27f1801ac5b14cff2f2edb6 SuSE-6.1 (unsupported platform) d400eeecb9bd0b4347f3fe58f7f90fee source rpm: e2d01c31542ebbf8c740b820a6372ad1 PPC Power PC Platform: SuSE-7.1 The xntp packages for the SuSE-7.1 ppc distribution are currently pending for being built. They will be available on the ftp server as soon as they are built. The packages are gpg-signed using the key that should have been installed on your system upon system installation/upgrade. Use the command `rpm --checksig xntp.rpm´ to verify this signature once the packages are available for download. In the meanwhile, please use the temporary workaround as described above. SuSE-7.0 2d82e8f63df84cb409df7659437c1177 source rpm: a0bce6c36cf30da1aa587e03103a01f6 SuSE-6.4 fe9082268bdf53dddcaad075284f899b source rpm: 1940b97593e3e134487d294a721e350d ______________________________________________________________________________ 2) Pending vulnerabilities in SuSE Distributions and Workarounds: - kernel Please expect security updates of the Linux kernel soon. To resolve all currently known security problems in the Linux kernel, update the kernel manually to version 2.2.19 or wait until the SuSE update rpm packages for the supported distributions 6.3, 6.4, 7.0 and 7.1 are ready to be used and available for download. - more updates In addition to the kernel update, please expect more packages to see security updates. Currently, this involves vim, mc and sudo. - bind8 The update packages for the 7.0 sparc distribution is available. c7e2a95bd4b90d03207ffc3a9880c36c source rpm: 5d4d4b608f2a8a3e61f7dc6917254f4f The SuSE-7.1 sparc distribution was published after the bugs in bind8 were corrected. ______________________________________________________________________________ 3) standard appendix: SuSE runs two security mailing lists to which any interested party may subscribe:
Apr 09, 2001
•Important
SuSE
99
security advisorybuffer overflowcritical updateSlackware 7.1: Urgent Patch for xntp3 Buffer Overflow Vulnerability
The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise.. The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -current contains a buffer overflow bug that could lead to a root compromise. Slackware 7.1 and Slackware -current users are urged to upgrade to the new packages available for their release. The updated package available for Slackware 7.1 is a patched version of xntp3. The -current tree has been upgraded to ntp4, which also fixes the problem. If you want to continue using xntp3 on -current, you can use the updated package from the Slackware 7.1 tree and it will work. The updates available are: FOR SLACKWARE 7.1: =============================== xntp3-5.93e AVAILABLE (xntp.tgz) =============================== Patched xntp3-5.93e against recently reported buffer overflow problem. All sites running xntp from Slackware 7.1 should either upgrade to this package or ensure that their /etc/ntp.conf does not allow connections from untrusted hosts. To deny people access to your time daemon (not a bad idea anyway if you're only running ntp to keep your own clock updated) use this in /etc/ntp.conf: # Don't serve time or stats to anyone else restrict default ignore The buffer overflow problem can be fixed by upgrading to this package: --------------------------------------------------------------------- For verification purposes, we provide the following checksums: ------------------------------------------------------------- 16-bit "sum" checksum: 39955 509 xntp.tgz 128-bit MD5 message digest: aefbeb1a1c8d2af8e1d1906f823368bd xntp.tgz Installation instructions for the xntp.tgz package: -------------------------------------------------- Make sure you are not running xntpd on your system. This command should stop the daemon: killall xntpd Check to make sure it's not running: ps -ef | grep xntpd Once you have stopped the daemon, upgrade the package using upgradepkg: upgradepkg xntp.tgz Then you can restart the daemon: /usr/sbin/xntpd FOR SLACKWARE -CURRENT: ================================= ntp-4.0.99k23 AVAILABLE (ntp4.tgz) ================================= This package replaces the xntp.tgz package (which contained xntp3-5.93e). The older version (and all versions prior to ntp-4.0.99k23, which was released yesterday) contain a buffer overflow bug which could lead to a root compromise on sites offering ntp service. The buffer overflow can be fixed by upgrading to the new ntp4.tgz package: ------------------------------------------------------------------------- For verification purposes, we provide the following checksums: ------------------------------------------------------------- 16-bit "sum" checksum: 12988 1167 ntp4.tgz 128-bit MD5 message digest: 8dc3ec08fc63500ff75f640a1894bdd0 ntp4.tgz Installation instructions for the ntp4.tgz package: -------------------------------------------------- Make sure you are not running xntpd on your system. This command should stop the daemon: killall xntpd Check to make sure it's not running: ps -ef | grep xntpd Once you have stopped the daemon, upgrade the package using upgradepkg: upgradepkg xntp%ntp4 Then you can restart the daemon: /usr/sbin/ntpd Remember, it's also a good idea to backup configuration files before upgrading packages. - Slackware Linux Security Team The Slackware Linux Project . The version of xntp3 that shipped with Slackware 7.1 as well as the version that was in Slackware -c. version, slackware, xntp3, shipped. . Severity: Critical. LinuxSecurity.com Team
Apr 09, 2001
•Critical
Slackware
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!