Thursday, June 4, 2009

Security Update: ntp

One security update has been released today: ntp. Two buffer overflows affected ntp prior to 4.2.4p7 and have now been patched, even though one of them doesn't affect Slackware at all, because the Slackware ntp package is not linked with OpenSSL.

There are two other updates: pkgtools and liboil.

Here's the -Current changelog:
Wed Jun 3 18:17:19 CDT 2009
a/pkgtools-12.34567890-noarch-6.tgz: Patched makepkg to warn about possible problems with /usr/share/info usage. Thanks to Robby Workman.

l/liboil-0.3.16-i486-1.txz: Upgraded to liboil-0.3.16.

n/ntp-4.2.4p7-i486-1.txz: Upgraded to ntp-4.2.4p7.
Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows arbitrary code execution by a malicious remote NTP server.
Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 allows remote attackers to execute arbitrary code.
This does not affect the Slackware ntpd as it does not link with openssl.
For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252
(* Security fix *)

The x86_64 changelog includes two more packages:
a/kernel-modules-2.6.29.4-x86_64-2.txz: Fixed missing rc.modules symlink.
Thanks to Ricardo Felipe Klein.

extra/tightvnc/tightvnc-1.3.10-x86_64-1.txz: Upgraded to tightvnc-1.3.10.
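
To check a host against the two ntp fixes listed in the changelog above, the following added example (not part of the original post or of Slackware's tooling) classifies a 4.2.4-series version string against the 4.2.4p7-RC2 and 4.2.4p7 thresholds. The function names, the output wording and the yes/no OpenSSL argument are assumptions made for this illustration, and versions outside the 4.2.4 series are reported as unknown.

```shell
#!/bin/sh
# Added example. Handles the 4.2.4 series only: 4.2.4, 4.2.4pN, 4.2.4pN-RCM.

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print a sortable key: patchlevel*1000 + RC number. A final release (no -RC
# suffix) gets 999 so it ranks above all of its own release candidates.
ntp_key() {
    rest=${1#4.2.4}
    [ "$rest" != "$1" ] || return 1
    case $rest in
        '')     p=0; rc=999 ;;
        p*-RC*) p=${rest#p}; p=${p%%-RC*}; rc=${rest##*-RC} ;;
        p*)     p=${rest#p}; rc=999 ;;
        *)      return 1 ;;
    esac
    is_num "$p" && is_num "$rc" || return 1
    echo $((p * 1000 + rc))
}

# ntp_check VERSION LINKED
#   LINKED is "yes" when ntpd is linked against OpenSSL, otherwise "no".
ntp_check() {
    key=$(ntp_key "$1") || { echo "unknown version"; return 2; }
    r0159=fixed; r1252=fixed
    # cookedprint in ntpq: fixed from 4.2.4p7-RC2 (key 7002) onward.
    [ "$key" -ge 7002 ] || r0159=affected
    # crypto_recv in ntpd: fixed in 4.2.4p7 final (key 7999); only reachable
    # in builds linked with OpenSSL, per the changelog note.
    if [ "$key" -lt 7999 ]; then
        if [ "$2" = yes ]; then r1252=affected
        else r1252="not exposed (no OpenSSL)"; fi
    fi
    echo "CVE-2009-0159=$r0159 CVE-2009-1252=$r1252"
}

# Constructed sample inputs: "version linked-with-openssl".
for s in "4.2.4p5 no" "4.2.4p7-RC2 yes" "4.2.4p7 no"; do
    set -- $s
    printf '%-12s %s\n' "$1" "$(ntp_check "$1" "$2")"
done
```

On Slackware the version can be taken from the ntp package name under /var/log/packages, and the OpenSSL argument from whether `ldd` on the ntpd binary lists libcrypto.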