-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - -------------------------------------------------------------------------- Debian Security Advisory DSA-1908-1 security@debian.org http://www.debian.org/security/ Nico Golde December 8th, 2009 http://www.debian.org/security/faq - -------------------------------------------------------------------------- Package : ntp Vulnerability : denial of service Problem type : remote Debian-specific: no Debian bug : 560074 CVE ID : CVE-2009-3563 Robin Park and Dmitri Vinokurov discovered that the daemon component of the ntp package, a reference implementation of the NTP protocol, is not properly reacting to certain incoming packets. An unexpected NTP mode 7 packets (MODE_PRIVATE) with spoofed IP data can lead ntpd to reply with a mode 7 response to the spoofed address. This may result in the service playing packet ping-pong with other ntp servers or even itself which causes CPU usage and excessive disk use due to logging. An attacker can use this to conduct denial of service attacks. For the oldstable distribution (etch), this problem has been fixed in version 1:4.2.2.p4+dfsg-2etch4. For the stable distribution (lenny), this problem has been fixed in version 1:4.2.4p4+dfsg-8lenny3. For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon. We recommend that you upgrade your ntp packages. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 4.0 alias etch - ------------------------------- Debian (oldstable) - ------------------ Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4.dsc Size/MD5 checksum: 906 115e93f010e32aa1c90231461487503a http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg.orig.tar.gz Size/MD5 checksum: 2199764 ad746cda2d90dbb9ed06fe164273c5d0 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4.diff.gz Size/MD5 checksum: 182632 80aa236bd0a39096c5e5d462c0b9b279 Architecture independent packages: http://security.debian.org/pool/updates/main/n/ntp/ntp-refclock_4.2.2.p4+dfsg-2etch4_all.deb Size/MD5 checksum: 28596 df605f89c08a01116c2ff799777f6a2c http://security.debian.org/pool/updates/main/n/ntp/ntp-simple_4.2.2.p4+dfsg-2etch4_all.deb Size/MD5 checksum: 28594 0c683ac7e7f5b131515f956aed87de3d http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.2.p4+dfsg-2etch4_all.deb Size/MD5 checksum: 912886 1af5a623cbf5f145f34dab7beefcd183 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_alpha.deb Size/MD5 checksum: 408070 ca33235c58a26ad1a839084b4f2d385c http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_alpha.deb Size/MD5 checksum: 65056 e527eb4c93d427c025374805fb5288cb amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_amd64.deb Size/MD5 checksum: 62258 13a4f4faaf699913e421c093e598f2a9 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_amd64.deb Size/MD5 checksum: 359384 1a289aa1f8439e2ef736cbf29bbe140f arm architecture (ARM) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_arm.deb Size/MD5 checksum: 59784 8a84cae4e8f643cbd3ed684e5a7eb0ff http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_arm.deb Size/MD5 checksum: 344316 57066e8abfdf51c36d63600c993f3c20 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_hppa.deb Size/MD5 checksum: 372448 0b8f9b90bb03a2f572066fe8b47c7202 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_hppa.deb Size/MD5 checksum: 62160 88dc964fa357187ddc97d37513a863ba i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_i386.deb Size/MD5 checksum: 58316 90fc92e7a8f6582ee21076849ae0dfba http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_i386.deb Size/MD5 checksum: 333772 e5fbae24686d444fff118f3ce9cc45db ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_ia64.deb Size/MD5 checksum: 523358 0032e3c9bcb4a27a312a47fb95d1f9a1 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_ia64.deb Size/MD5 checksum: 74712 72c1b601f4beb41c6c04a54534ba9c51 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_mips.deb Size/MD5 checksum: 382868 2980d63a9ca6344e6a76698d0e808f8c http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_mips.deb Size/MD5 checksum: 63610 d523930b9b98d6353bf4e6fb7d7e57f5 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_mipsel.deb Size/MD5 checksum: 64134 e4042de5af081701911a7cece69c6cce http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_mipsel.deb Size/MD5 checksum: 390142 b50dc2bd5970f224b6994c460f8f560a powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_powerpc.deb Size/MD5 checksum: 358860 432b58ad621ac266455f7e5124d2eb1c http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_powerpc.deb Size/MD5 checksum: 61760 2c9dd1b3a8d61bece4f420e533b7a6eb s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_s390.deb Size/MD5 checksum: 350300 40a28748d5016101c179bd4a22c08390 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_s390.deb Size/MD5 checksum: 61242 14c08344bfd0561ced0d54aa2cd23a2e sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.2.p4+dfsg-2etch4_sparc.deb Size/MD5 checksum: 58584 0e573ef22b1514b12e01fa6ac2bb1ddb http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.2.p4+dfsg-2etch4_sparc.deb Size/MD5 checksum: 332284 4589ff44bc97ad73513d8ba5419c7845 Debian GNU/Linux 5.0 alias lenny - -------------------------------- Debian (stable) - --------------- Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3.dsc Size/MD5 checksum: 1459 81e70fe84f27e3bfabdbfb9f3122492b http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg.orig.tar.gz Size/MD5 checksum: 2835029 dc2b3ac9cc04b0f29df35467514c9884 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3.diff.gz Size/MD5 checksum: 300928 b568f39eda3e46f27239ad44021f968c Architecture independent packages: http://security.debian.org/pool/updates/main/n/ntp/ntp-doc_4.2.4p4+dfsg-8lenny3_all.deb Size/MD5 checksum: 927658 8db03976b7b105057ead2da4bae09219 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_alpha.deb Size/MD5 checksum: 66706 9213dcba9a99fa363f0ce48c514a008b http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_alpha.deb Size/MD5 checksum: 538492 de37b288ef933f34446ab78a8d8ed76b amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_amd64.deb Size/MD5 checksum: 63836 a0b5b030abe6a6c32591366febcec1d1 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_amd64.deb Size/MD5 checksum: 479472 277efe45a76a24da6ca14ae581d0a3a2 arm architecture (ARM) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_arm.deb Size/MD5 checksum: 61220 d4905eea52795330e517acca903059f4 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_arm.deb Size/MD5 checksum: 448164 cc28e545eb359eba225abfcb02cc4377 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_armel.deb Size/MD5 checksum: 62794 e5a43b8076a77643cc742348f0e63de1 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_armel.deb Size/MD5 checksum: 458908 3721b8d7b7a67b31db6249521dd9f015 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_hppa.deb Size/MD5 checksum: 63872 53a7009f1888c06b162c258a9bb5d6fb http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_hppa.deb Size/MD5 checksum: 485744 b8e950ba02a13ecacfe332db56c0c887 i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_i386.deb Size/MD5 checksum: 434672 6ccfb060f39cc56f39ef8806865b767d http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_i386.deb Size/MD5 checksum: 60114 2f0914ae2191ddf3f74529bc896299da ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_ia64.deb Size/MD5 checksum: 707812 eb960c732894d56589ba62d76c5ba568 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_ia64.deb Size/MD5 checksum: 76366 6b5b986e454276661e8b483f095bd16e mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_mips.deb Size/MD5 checksum: 64116 ab287c70d2c2daf7b1a8808db8dcedc9 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_mips.deb Size/MD5 checksum: 490394 0009cb5333123767dc3afcde682d9e10 mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_mipsel.deb Size/MD5 checksum: 500786 3b842b738e616f301c31cd025c595235 http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_mipsel.deb Size/MD5 checksum: 64776 fd31cdaa7a78d7e3fa072b746dd98e01 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_powerpc.deb Size/MD5 checksum: 490620 21d03b435c327c2884fe587a56fe10fb http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_powerpc.deb Size/MD5 checksum: 65470 6966f71002ae63c104e608af1a7daa3a s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/n/ntp/ntpdate_4.2.4p4+dfsg-8lenny3_s390.deb Size/MD5 checksum: 63678 4b143ad2444681bdb1ee44d395996a29 http://security.debian.org/pool/updates/main/n/ntp/ntp_4.2.4p4+dfsg-8lenny3_s390.deb Size/MD5 checksum: 474000 6fb44a33381b0d582599eb33896d8f0f These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkseo+MACgkQHYflSXNkfP9VQwCfXo8CkJ8RFDS54yWkzdwQpsCr OygAnjd6VvpA+xxzXbWUiCF/eckTpwRE =MmI9 -----END PGP SIGNATURE-----