Date: 09 January 2009
References: ESB-2009.0009 ESB-2009.0039 ESB-2009.0102 ESB-2009.0194 ESB-2009.0326 ESB-2009.0459 ASB-2012.0154
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2009.0025 -- [UNIX/Linux][Ubuntu]
NTP vulnerability
9 January 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: NTP
Publisher: Ubuntu
Operating System: Ubuntu
UNIX variants (UNIX, Linux, OSX)
Impact: Provide Misleading Information
Access: Remote/Unauthenticated
CVE Names: CVE-2009-0021
Ref: ESB-2009.0009
Original Bulletin: http://www.ubuntu.com/usn/usn-705-1
Comment: This advisory references vulnerabilities in products which run on
platforms other than Ubuntu. It is recommended that administrators
running NTP check for an updated version of the software for
their operating system.
- --------------------------BEGIN INCLUDED TEXT--------------------
===========================================================
Ubuntu Security Notice USN-705-1 January 08, 2009
ntp vulnerability
CVE-2009-0021
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
ntp-refclock 1:4.2.0a+stable-8.1ubuntu6.1
ntp-simple 1:4.2.0a+stable-8.1ubuntu6.1
Ubuntu 7.10:
ntp 1:4.2.4p0+dfsg-1ubuntu2.1
Ubuntu 8.04 LTS:
ntp 1:4.2.4p4+dfsg-3ubuntu2.1
Ubuntu 8.10:
ntp 1:4.2.4p4+dfsg-6ubuntu2.2
In general, a standard system upgrade is sufficient to effect the
necessary changes.
Details follow:
It was discovered that NTP did not properly perform signature verification.
A remote attacker could exploit this to bypass certificate validation via
a malformed SSL/TLS signature.
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1.diff.gz
Size/MD5: 268991 14166f5e0933968dd3a23db799bc3e45
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1.dsc
Size/MD5: 872 01f2feda3ccc49b651948cccbd3a8dc9
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable.orig.tar.gz
Size/MD5: 2272395 30f8b3d5b970c14dce5c6d8c922afa3e
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-doc_4.2.0a+stable-8.1ubuntu6.1_all.deb
Size/MD5: 890912 9e95577b5de6166f4c140f8c8d94a878
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a+stable-8.1ubuntu6.1_amd64.deb
Size/MD5: 34728 ae79310d84cf954c745741dc3577a111
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a+stable-8.1ubuntu6.1_amd64.deb
Size/MD5: 136030 598ebb288aa3e3bf2cbdde435e939925
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1_amd64.deb
Size/MD5: 270246 8d66671574a8bdec39f40ee97844e7a2
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a+stable-8.1ubuntu6.1_amd64.deb
Size/MD5: 47596 4478446cb6a262180a2a5f055434709f
http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a+stable-8.1ubuntu6.1_amd64.deb
Size/MD5: 223814 1e2d67925cc2fb3509262ff42fbad9f1
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a+stable-8.1ubuntu6.1_i386.deb
Size/MD5: 33610 b55a8c87bbff16a99cac7c03689846b7
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a+stable-8.1ubuntu6.1_i386.deb
Size/MD5: 121362 76052fc1e3e25fccc256f52b5a81fe1a
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1_i386.deb
Size/MD5: 256456 edb3ce6ee23a5b17dbe60065c6141137
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a+stable-8.1ubuntu6.1_i386.deb
Size/MD5: 44314 054706327c06bd7085dd95533a2f8653
http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a+stable-8.1ubuntu6.1_i386.deb
Size/MD5: 198136 c0c4aa0d7862afbfd5c6300b00cbadb1
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a+stable-8.1ubuntu6.1_powerpc.deb
Size/MD5: 36868 5f56589b8e6d931eb40e90d0667123da
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a+stable-8.1ubuntu6.1_powerpc.deb
Size/MD5: 134860 9f0273dfe7b9ecb632f5598800d86148
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1_powerpc.deb
Size/MD5: 271210 1b3fe8f1df3e88bcbfa3e2ad05509021
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a+stable-8.1ubuntu6.1_powerpc.deb
Size/MD5: 48924 d448c4182005d934a815370a16bf639a
http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a+stable-8.1ubuntu6.1_powerpc.deb
Size/MD5: 221924 fbc5b6e77bd48e3c6309630bf75bc12d
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-server_4.2.0a+stable-8.1ubuntu6.1_sparc.deb
Size/MD5: 34126 fa41cd244d976002da1719a05b4e5d34
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-simple_4.2.0a+stable-8.1ubuntu6.1_sparc.deb
Size/MD5: 126440 83e78b6cebce198f494accde5f8109f9
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.0a+stable-8.1ubuntu6.1_sparc.deb
Size/MD5: 261340 f9ac80e3066fc27f8d90e0a9452fdc9f
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.0a+stable-8.1ubuntu6.1_sparc.deb
Size/MD5: 46458 1b0b4e24a4b84536f36e8199c99e899a
http://security.ubuntu.com/ubuntu/pool/universe/n/ntp/ntp-refclock_4.2.0a+stable-8.1ubuntu6.1_sparc.deb
Size/MD5: 207226 1c9f149b54c62c34bd8c0db78397f32e
Updated packages for Ubuntu 7.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1.diff.gz
Size/MD5: 204671 8b3ad7bc7fcf61c96d693520fac38d1b
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1.dsc
Size/MD5: 1022 b0025f920e1b82bd87d7dc4dcefe186f
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg.orig.tar.gz
Size/MD5: 2818698 acec1d168b1eee361663503a147a36a2
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-doc_4.2.4p0+dfsg-1ubuntu2.1_all.deb
Size/MD5: 926916 c831ee4cbd5cf1f339222f0d647d83fd
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1_amd64.deb
Size/MD5: 478830 a66b398d72813d6e69593f554ece3d49
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p0+dfsg-1ubuntu2.1_amd64.deb
Size/MD5: 63738 009e8e25208b3d4e6c85a217f21e51f6
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1_i386.deb
Size/MD5: 434302 59db103784625a64a6d3b85c84e7a3d1
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p0+dfsg-1ubuntu2.1_i386.deb
Size/MD5: 59786 c1f5155f0ed8923e008d9c84a2d5aa1c
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1_lpia.deb
Size/MD5: 436942 644b72bc4a824a357c974ad859c460ab
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p0+dfsg-1ubuntu2.1_lpia.deb
Size/MD5: 59746 b7de5524ef4ccb1f46c082991d8ef6f3
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1_powerpc.deb
Size/MD5: 490806 ec7eb553edb9b13432e3b48b977f55c5
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p0+dfsg-1ubuntu2.1_powerpc.deb
Size/MD5: 65372 6101469e4814fc417b634f4605c5a53a
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p0+dfsg-1ubuntu2.1_sparc.deb
Size/MD5: 445516 4342158ea469470c3690bebe99b75e99
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p0+dfsg-1ubuntu2.1_sparc.deb
Size/MD5: 60856 79e18a358cb433a6cbade44a0a35a525
Updated packages for Ubuntu 8.04 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1.diff.gz
Size/MD5: 284579 9e08da1552a923822e1bbaf5fb3436dd
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1.dsc
Size/MD5: 1046 853f79c9adc8408d3aab196f1272eba6
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg.orig.tar.gz
Size/MD5: 2835029 dc2b3ac9cc04b0f29df35467514c9884
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-doc_4.2.4p4+dfsg-3ubuntu2.1_all.deb
Size/MD5: 927834 cac7fc2329948f73b6ab0adf754f1ad0
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1_amd64.deb
Size/MD5: 477022 17bb3e93c93823dd1547ccbe805f3af8
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-3ubuntu2.1_amd64.deb
Size/MD5: 64902 3b2e7fb24fc4cfa4fce36abb9d0fa050
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1_i386.deb
Size/MD5: 432244 b2decf1f133358a005d8246ab7f729ff
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-3ubuntu2.1_i386.deb
Size/MD5: 60938 859ebf211dc1d8289ac1962c325e3b13
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1_lpia.deb
Size/MD5: 435050 440d6f4a4a7abf4d3b78819fd7330820
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-3ubuntu2.1_lpia.deb
Size/MD5: 60878 31532ef8de50c832504d4b40ed8351f6
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1_powerpc.deb
Size/MD5: 490126 436b8543b2d708778e5f59d1b056ead0
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-3ubuntu2.1_powerpc.deb
Size/MD5: 66486 af994b85876a6593cd9ca858dea952aa
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-3ubuntu2.1_sparc.deb
Size/MD5: 441952 b064fbc298503d77b58c91a24deb5423
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-3ubuntu2.1_sparc.deb
Size/MD5: 61658 c3223d40d9e80c8853b2641e6fce9ca4
Updated packages for Ubuntu 8.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2.diff.gz
Size/MD5: 303328 719ed85f0b4e20da182139a67095e392
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2.dsc
Size/MD5: 1555 23207d443f9e2e9b45e7d4ee1e119fb5
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg.orig.tar.gz
Size/MD5: 2835029 dc2b3ac9cc04b0f29df35467514c9884
Architecture independent packages:
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp-doc_4.2.4p4+dfsg-6ubuntu2.2_all.deb
Size/MD5: 928470 b1c804df6fb0b4ae228ec7abe1e793a1
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2_amd64.deb
Size/MD5: 486910 5870f9ac417b1b1ce228505e92feab05
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-6ubuntu2.2_amd64.deb
Size/MD5: 65818 2244cf99ce575c89462dbf5957867324
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2_i386.deb
Size/MD5: 441962 faeae95f06d7dffaf50c7518cbefafd9
http://security.ubuntu.com/ubuntu/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-6ubuntu2.2_i386.deb
Size/MD5: 62028 970e81fb55f431229c1e16abb0cdffdc
lpia architecture (Low Power Intel Architecture):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2_lpia.deb
Size/MD5: 441376 d9b344dab0f38a2446623ed162c6ddb4
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-6ubuntu2.2_lpia.deb
Size/MD5: 61790 41b3ada3415ba5df30adb8a68d7b82f5
powerpc architecture (Apple Macintosh G3/G4/G5):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2_powerpc.deb
Size/MD5: 490946 b03e8fd6576efee8d8b94c73434fb5cb
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-6ubuntu2.2_powerpc.deb
Size/MD5: 66840 2a71d6fcfbc7af61626fb4ad135dfb1d
sparc architecture (Sun SPARC/UltraSPARC):
http://ports.ubuntu.com/pool/main/n/ntp/ntp_4.2.4p4+dfsg-6ubuntu2.2_sparc.deb
Size/MD5: 449000 3733f4a7bfada8ee07d02eb6cfa1c26c
http://ports.ubuntu.com/pool/main/n/ntp/ntpdate_4.2.4p4+dfsg-6ubuntu2.2_sparc.deb
Size/MD5: 62538 c0a429dc421b7c900795270f3842e41e
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSWaSQCh9+71yA2DNAQJ4WQP9HKnY3qvOpTz2m3fCxMQmwW6zSzznlLvQ
ZlgnSI7b8fwoiDXIBywKIBusx4taae4koJ74KHoD7rO7GHaR+sA2rAH0mybhx159
tNQdLRWiB3HUkiWHvX5pl3XugxzvZsnGBI/haQH1w/rNhcXhMj5Pf0RVhNaJ3XmK
2DhIQBYS+dI=
=asro
-----END PGP SIGNATURE-----
|