ntp-4.2.6p5-12.1.0.1.AXS4

エラータID: AXSA:2017-2400:02

Release date: 
Friday, November 10, 2017 - 15:54
Subject: 
ntp-4.2.6p5-12.1.0.1.AXS4
Affected Channels: 
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity: 
Moderate
Description: 

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

* Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464)

* A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462)

Asianux would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.

CVE-2017-6462
Buffer overflow in the legacy Datum Programmable Time Server (DPTS)
refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows
local users to have unspecified impact via a crafted /dev/datum
device.
CVE-2017-6463
NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote
authenticated users to cause a denial of service (daemon crash) via an
invalid setting in a :config directive, related to the unpeer option.
CVE-2017-6464
NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to
cause a denial of service (ntpd crash) via a malformed mode
configuration directive.

Solution: 

Update packages.

CVEs: 
CVE-2017-6462
Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.
CVE-2017-6463
NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.
CVE-2017-6464
NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.
Additional Info: 

N/A

Download: 

SRPMS
  1. ntp-4.2.6p5-12.1.0.1.AXS4.src.rpm
    MD5: f79274a10ca18ea897cb28fdbf32edce
    SHA-256: a2e2524a7f28fb45a47fb62ee558f69e980f727b6e4f7f4f1058c51eadd71d34
    Size: 4.12 MB

Asianux Server 4 for x86
  1. ntp-4.2.6p5-12.1.0.1.AXS4.i686.rpm
    MD5: 01e0ad54b3c95ecc1d4d6b18843b5b53
    SHA-256: 78fa1bc0e77f621232cb4caaeb40c7003dabb3d87bd3597d0e0ff17a2dac985f
    Size: 593.16 kB
  2. ntpdate-4.2.6p5-12.1.0.1.AXS4.i686.rpm
    MD5: eda961a050c122056d39244c79091154
    SHA-256: f05c3f839108993cafb19d64564a1a812e98a958bf27d7f5d6d3b0c73cb86ce5
    Size: 77.75 kB

Asianux Server 4 for x86_64
  1. ntp-4.2.6p5-12.1.0.1.AXS4.x86_64.rpm
    MD5: e9cfe48b20f7095f2c5aac79c91627a6
    SHA-256: 9508193effc3b96ba508583ec55d1efcdffe5239ae1f3f3a8328c7a25d2745a1
    Size: 598.74 kB
  2. ntpdate-4.2.6p5-12.1.0.1.AXS4.x86_64.rpm
    MD5: 9c8bf9b0ac5ca04fc55e2981b85b4a5a
    SHA-256: 14d4378f5f0b336c845edaf2eb600d86765556014cfb139b887e00642e8b614d
    Size: 77.85 kB