-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1801-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst May 19, 2009 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : ntp Vulnerability : buffer overflows Problem type : remote Debian-specific: no CVE Id(s) : CVE-2009-0159 CVE-2009-1252 CERT advisory : VU#853097 Debian Bug : 525373 Several remote vulnerabilities have been discovered in NTP, the Network Time Protocol reference implementation. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-0159 A buffer overflow in ntpq allow a remote NTP server to create a denial of service attack or to execute arbitrary code via a crafted response. CVE-2009-1252 A buffer overflow in ntpd allows a remote attacker to create a denial of service attack or to execute arbitrary code when the autokey functionality is enabled. For the old stable distribution (etch), these problems have been fixed in version 4.2.2.p4+dfsg-2etch3. For the stable distribution (lenny), these problems have been fixed in version 4.2.4p4+dfsg-8lenny2. The unstable distribution (sid) will be fixed soon. We recommend that you upgrade your ntp package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Source archives: http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3.dsc Size/MD5 checksum: 906 8a1376e7b9883a31aeef2b242cddafb3 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg.orig.tar.gz Size/MD5 checksum: 2199764 ad746cda2d90dbb9ed06fe164273c5d0 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3.diff.gz Size/MD5 checksum: 182790 1bef0f3e23bc046d7c70b60f257abce8 Architecture independent packages: http://security.debian.org/pool/updates/main/n/ntp/ntp-refclock_4.2.2.p4+dfsg-2etch3_all.deb Size/MD5 checksum: 28068 980216d8940c6f35ef734e8b4696bedb http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.2.p4+dfsg-2etch3_all.deb Size/MD5 checksum: 909142 a4f0b0390ef1d8ea3b42e9f79aa6419c http://security.debian.org/pool/updates/main/n/ntp/ntp-simple_4.2.2.p4+dfsg-2etch3_all.deb Size/MD5 checksum: 28070 1a62301f74fc9ef23e73b86b168995d1 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_alpha.deb Size/MD5 checksum: 64896 334da9b0c10e3d061d40313cff2f4aba http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_alpha.deb Size/MD5 checksum: 407926 2ea4e315e61be332e2799152d117828f amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_amd64.deb Size/MD5 checksum: 359278 206749f2d5cddbb47f43cadf031200f6 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_amd64.deb Size/MD5 checksum: 61468 d7c76761a5b81efc6ad09d7339c65f65 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_arm.deb Size/MD5 checksum: 59472 b7e6f73ba7ecc1b950f5ce4b8713bbc8 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_arm.deb Size/MD5 checksum: 343500 918b4ed05ccc9beef8b17ed820076736 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_hppa.deb Size/MD5 checksum: 62008 718ac291a6d5bd5cee16da1ba332277a http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_hppa.deb Size/MD5 checksum: 372266 a8801148122304f201143b3c83212ef1 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_i386.deb Size/MD5 checksum: 58244 1e2645f55d880f0b32b189c788a6fa6e http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_i386.deb Size/MD5 checksum: 330784 2cffe9ce5766d3b3a7dd716451f9940d ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_ia64.deb Size/MD5 checksum: 74564 11dc5d9603aa107736e25e73a999fed9 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_ia64.deb Size/MD5 checksum: 523190 4b92e21247b790d31d87cae43288860e mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_mips.deb Size/MD5 checksum: 382548 7ebe4c29857af28a1d0d47341c03ed9f http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_mips.deb Size/MD5 checksum: 63444 1479ed9849e0da2119fedd3c07ef0c6e mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_mipsel.deb Size/MD5 checksum: 390040 7338922ec7c8a810374913a5440b84c8 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_mipsel.deb Size/MD5 checksum: 63986 63cf40dbea34d855dfa0b4dcab148753 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_powerpc.deb Size/MD5 checksum: 358710 14eebc6b0f1b5566398761c0e9387e06 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_powerpc.deb Size/MD5 checksum: 61548 6f7d62dbce9a7e476c5740556e05adbe s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_s390.deb Size/MD5 checksum: 61102 1cbb204bb34886adaf67f65add882fb6 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_s390.deb Size/MD5 checksum: 350088 2a27fe8eaedfac99221d0e0958750b69 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch3_sparc.deb Size/MD5 checksum: 58438 3c247f0d8b30fd8eb287fbf5429bb25a http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch3_sparc.deb Size/MD5 checksum: 332082 4506ffc7cdbc545decc4ebd726cc0fb3 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg.orig.tar.gz Size/MD5 checksum: 2835029 dc2b3ac9cc04b0f29df35467514c9884 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2.diff.gz Size/MD5 checksum: 300806 7b70febe5a8b2731da1f6bc60e7095e6 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2.dsc Size/MD5 checksum: 1459 b72ceb69656ba2fe3374e7a793c8c2c0 Architecture independent packages: http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.4p4+dfsg-8lenny2_all.deb Size/MD5 checksum: 929700 36d1605577c6243875f4e35d9c40c9e8 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_alpha.deb Size/MD5 checksum: 66636 f732a56b27be857f1a4ae7bde9bac056 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_alpha.deb Size/MD5 checksum: 537528 32e7a25e224daeb2a4c3e3b8bdd88006 amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_amd64.deb Size/MD5 checksum: 63726 39a38d2d30352145617b63b0f1808832 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_amd64.deb Size/MD5 checksum: 480718 88defc4b9564804bac6c0d1b91b4207b arm architecture (ARM) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_arm.deb Size/MD5 checksum: 448040 2512a1f1d5f1af9484d3c02cef012aed http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_arm.deb Size/MD5 checksum: 61078 89dbb40bd4aa2644572e90de539733c7 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_armel.deb Size/MD5 checksum: 62376 6c47db082b725923eaa4b54b0ea3e090 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_armel.deb Size/MD5 checksum: 458818 9339249185118e58f3575e43d0da862f hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_hppa.deb Size/MD5 checksum: 485606 005701aa3a2f141f996d1cc6c69154a8 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_hppa.deb Size/MD5 checksum: 63698 a28856e22f368954f6a61de73815b204 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_i386.deb Size/MD5 checksum: 432098 b237d149bc205c7d644cf0b891cbae4e http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_i386.deb Size/MD5 checksum: 60078 2a661bfaf8dd05ec49c39b27fe44a5d2 ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_ia64.deb Size/MD5 checksum: 76208 aba226d105228a2be266a2eb9aa97aeb http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_ia64.deb Size/MD5 checksum: 707612 1d676bd6a79da49a32f28b756c074c8d mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_mips.deb Size/MD5 checksum: 488812 8c95d2d99443cffd777a9ec175fda92d http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_mips.deb Size/MD5 checksum: 64026 3401aa68f558315d3fa4a397444ae375 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_mipsel.deb Size/MD5 checksum: 500628 c78913c3cb8b36474f7bb884facf2caa http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_mipsel.deb Size/MD5 checksum: 64614 96a808c0dcd3f0189ac5b12bc35b1616 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_powerpc.deb Size/MD5 checksum: 490410 ed37bad3d4586ca982f1884ebecca859 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_powerpc.deb Size/MD5 checksum: 65298 bb30faf8ab938a762e3e6eef61dd5be1 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_s390.deb Size/MD5 checksum: 473862 d4cdb4b995504b0037b41bffee80f6da http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_s390.deb Size/MD5 checksum: 63476 b6f43878943e279469da4e4b5f9841a9 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny2_sparc.deb Size/MD5 checksum: 440966 94363f0f4b0a3681601553e70f3549e5 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny2_sparc.deb Size/MD5 checksum: 60640 dcfd2724e17a9ed85620d0153eb55eac These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iQEcBAEBAgAGBQJKEroGAAoJECIIoQCMVaAchDEH/2Pqj8ygk5rtBnKgNmSe8Nln H270HC1OHsrRBC+Rkbz/ua991+ycEbGHcRzUVRgpp94QbqESMI/nfFN2drLyabwu jAP8G9wvdPtTAorKPjkXBUWfV84tQ8zVO9/R/dxgUN3xHnVNnFX5rg/JElkA1lfS VVjk8p/YG6wvVEd3nUshdH5yG1GKZMzIK1NXupViKFv8Xz/Pfx2oLFWm4cH6Jdmy h+c53C8fSLLtDL1j2ADBWwEfZfun8p3K0jwqNT83B+gIH4jYgzpmB2cU7C4ljlE+ h89SreSes1jOg+OZz4UjPQJ2tFtETEGWCVhwq2hqWOhx5AEB+DBW9qWKtLtqqKw= =jvWf -----END PGP SIGNATURE-----