===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2476
                             ntp security update
                              22 December 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ntp
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9296 CVE-2014-9295 CVE-2014-9294 CVE-2014-9293
Reference:         ESB-2014.2473 ESB-2014.2472

Original Bulletin:
   http://www.debian.org/security/2014/dsa-3108

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3108-1                   security@debian.org
http://www.debian.org/security/                           Florian Weimer
December 20, 2014                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : ntp
CVE ID         : CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Debian Bug     : 773576

Several vulnerabilities were discovered in the ntp package, an
implementation of the Network Time Protocol.

CVE-2014-9293

    ntpd generated a weak key for its internal use, with full
    administrative privileges.  Attackers could use this key to
    reconfigure ntpd (or to exploit other vulnerabilities).

CVE-2014-9294

    The ntp-keygen utility generated weak MD5 keys with insufficient
    entropy.

CVE-2014-9295

    ntpd had several buffer overflows (both on the stack and in the
    data section), allowing remote authenticated attackers to crash
    ntpd or potentially execute arbitrary code.
CVE-2014-9296

    The general packet processing function in ntpd did not handle an
    error case correctly.

The default ntpd configuration in Debian restricts access to localhost
(and possibly the adjacent network in case of IPv6).

Keys explicitly generated by "ntp-keygen -M" should be regenerated.

For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u1.

We recommend that you upgrade your ntp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.  The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.  If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures.  AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
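As an added triage check for the fix named in DSA-3108 (this is example code, not part of the Debian or AusCERT bulletin): a Python port of dpkg's version-ordering rules that decides whether an installed wheezy ntp package is at or above 1:4.2.6.p5+dfsg-2+deb7u1. It assumes the installed version string is what `dpkg-query -W --showformat='${Version}' ntp` prints; the epoch ("1:") matters, since a bare upstream version such as 4.2.8-1 compares as older under dpkg's rules.

```python
# Added example (not from the advisory): check an installed Debian "ntp" version
# against the one DSA-3108 names as fixed, using dpkg's ordering rules (epoch,
# then upstream, then revision; '~' sorts before everything, even end of string).
FIXED_VERSION = "1:4.2.6.p5+dfsg-2+deb7u1"  # wheezy fix named in DSA-3108

def _order(c):
    # weight of one character inside a non-digit run, as dpkg defines it
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    # port of dpkg's verrevcmp(): alternate non-digit runs and digit runs
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            d = _order(a[i] if i < len(a) else "") - _order(b[j] if j < len(b) else "")
            if d:
                return d
            i, j = i + 1, j + 1
        na = nb = ""                      # digit runs compare numerically
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare_versions(a, b):
    # -1, 0 or 1 as a is older than, equal to or newer than b
    def split(v):  # "epoch:upstream-revision"; epoch defaults to 0
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    d = ea - eb or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (d > 0) - (d < 0)

def is_fixed(installed, fixed=FIXED_VERSION):
    # True when the installed package is at or above the fixed version
    return compare_versions(installed, fixed) >= 0

if __name__ == "__main__":
    import subprocess  # assumption: run on the Debian host being checked
    v = subprocess.run(["dpkg-query", "-W", "--showformat=${Version}", "ntp"],
                       capture_output=True, text=True, check=True).stdout.strip()
    print(v, "is fixed" if is_fixed(v) else "is VULNERABLE: upgrade ntp")
```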