--PNTmBPCT7hxwcZjr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline =========================================================== Ubuntu Security Notice USN-175-1 September 01, 2005 ntp vulnerability CAN-2005-2496 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 4.10 (Warty Warthog) The following packages are affected: ntp-refclock ntp-server ntp-simple The problem can be corrected by upgrading the affected package to version 1:4.2.0a-10ubuntu2.1. In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Thomas Biege discovered a flaw in the privilege dropping of the NTP server. When ntpd was configured to drop root privileges, and the group to run under was specified as a name (as opposed to a numeric group ID), ntpd changed to the wrong group. Depending on the actual group it changed to, this could either cause non-minimal privileges, or a malfunctioning ntp server if the group does not have the privileges that ntpd actually needs. On Ubuntu 4.10, ntpd does not use privilege dropping by default, so you are only affected if you manually activated it. In Ubuntu 5.04, privilege dropping is used by default, but this bug is already fixed. Source archives: http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a-10ubuntu2.1.diff.gz Size/MD5: 234593 97c1bebfcae647a962f162363c7ed022 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a-10ubuntu2.1.dsc Size/MD5: 798 f63546aed9aa010e3dd0b0874d687aa4 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a.orig.tar.gz Size/MD5: 2246283 730f143d7b0d85200caf77cbb4864dc4 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-doc_4.2.0a-10ubuntu2.1_all.deb Size/MD5: 873462 16ce9b812dbe0b38f4d8fb01153d1f92 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a-10ubuntu2.1_amd64.deb Size/MD5: 213814 eeef43514349c68674cae6bfaf6b3cd7 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a-10ubuntu2.1_amd64.deb Size/MD5: 31306 fe323fa75ac6db329d85507aa4cea6c6 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a-10ubuntu2.1_amd64.deb Size/MD5: 128998 b500b8fa871f005a32185bc2bce38cbf http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a-10ubuntu2.1_amd64.deb Size/MD5: 254940 c5e907a96d3ff23e3d722ed95378c696 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a-10ubuntu2.1_amd64.deb Size/MD5: 43472 847b93764a179a79eb2f36d6cb9e9cf5 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a-10ubuntu2.1_i386.deb Size/MD5: 192816 e45ee4c94a3baa30aaaa85e40d813311 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a-10ubuntu2.1_i386.deb Size/MD5: 30438 05ee202944ccf62bf46df35afbc47b09 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a-10ubuntu2.1_i386.deb Size/MD5: 116122 f6ed8189745dfa4261d416b07ca23486 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a-10ubuntu2.1_i386.deb Size/MD5: 243778 c5958083e247ccbf94377c9931b134ea http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a-10ubuntu2.1_i386.deb Size/MD5: 40328 a98918a90262ecbb81b908278c97eabe powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a-10ubuntu2.1_powerpc.deb Size/MD5: 212772 7d81e4de659be6d86ee088db9b738bfa http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a-10ubuntu2.1_powerpc.deb Size/MD5: 31152 0455fc6928040ef536fb0cd589ab8b8b http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a-10ubuntu2.1_powerpc.deb Size/MD5: 128824 5c7ba8451fd85393f97994b9ab0aee0f http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a-10ubuntu2.1_powerpc.deb Size/MD5: 256310 86c56a61d3c882d1d909773ef838bc09 http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a-10ubuntu2.1_powerpc.deb Size/MD5: 43090 de414d466407f150b207ed4788e5fe3e --PNTmBPCT7hxwcZjr Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDF1HkDecnbV4Fd/IRAk3IAKCBlKJ1Gy8m/Wk3eeUOq0jwklvUYACgxSre qZNQT6nFS2PHgxJTpneW7oU= =/ZZH -----END PGP SIGNATURE----- --PNTmBPCT7hxwcZjr--