FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd
jhell
jhell at DataIX.net
Thu Jan 7 08:58:46 UTC 2010
With the directions in this message you will receive the following error:
make: don't know how to make
/usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop
Should state (minimal)
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart
Please note this for next time. This is the second time I have counted
that this has been overlooked.
On Wed, 6 Jan 2010 17:55, security-advisories@ wrote:
> ---------------------------- PGP Command Output ----------------------------
> gpg: Signature made Wed Jan 6 17:32:00 2010 EST using DSA key ID CA6CDFB2
> gpg: Good signature from "FreeBSD Security Officer <security-officer at FreeBSD.org>"
> ----------- Begin PGP Signed Message Verified 2010-01-07 03:50:19 ----------
>
> =============================================================================
> FreeBSD-SA-10:02.ntpd Security Advisory
> The FreeBSD Project
>
> Topic: ntpd mode 7 denial of service
>
> Category: contrib
> Module: ntpd
> Announced: 2010-01-06
> Affects: All supported versions of FreeBSD.
> Corrected: 2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
> 2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
> 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
> 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
> 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
> 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
> CVE Name: CVE-2009-3563
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:http://security.FreeBSD.org/>.
>
> I. Background
>
> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
> used to synchronize the time of a computer system to a reference time
> source.
>
> II. Problem Description
>
> If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
> from a source address not listed in either a 'restrict ... noquery'
> or a 'restrict ... ignore' section it will log the even and send
> a mode 7 error response.
>
> III. Impact
>
> If an attacker can spoof such a packet from a source IP of an affected
> ntpd to the same or a different affected ntpd, the host(s) will endlessly
> send error responses to each other and log each event, consuming network
> bandwidth, CPU and possibly disk space.
>
> IV. Workaround
>
> Proper filtering of mode 7 NTP packets by a firewall can limit the
> number of systems used to attack your resources.
>
> V. Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, 7.2, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
>
> VI. Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch Revision
> Path
> -------------------------------------------------------------------------
> RELENG_6
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.8.2
> RELENG_6_4
> src/UPDATING 1.416.2.40.2.13
> src/sys/conf/newvers.sh 1.69.2.18.2.15
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.8.1.2.1
> RELENG_6_3
> src/UPDATING 1.416.2.37.2.20
> src/sys/conf/newvers.sh 1.69.2.15.2.19
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.20.1
> RELENG_7
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.2
> RELENG_7_2
> src/UPDATING 1.507.2.23.2.9
> src/sys/conf/newvers.sh 1.72.2.11.2.10
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.1.4.1
> RELENG_7_1
> src/UPDATING 1.507.2.13.2.13
> src/sys/conf/newvers.sh 1.72.2.9.2.14
> src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.1.2.1
> RELENG_8
> src/contrib/ntp/ntpd/ntp_request.c 1.2.2.1
> RELENG_8_0
> src/UPDATING 1.632.2.7.2.5
> src/sys/conf/newvers.sh 1.83.2.6.2.5
> src/contrib/ntp/ntpd/ntp_request.c 1.2.4.1
> -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path Revision
> -------------------------------------------------------------------------
> stable/6/ r201679
> releng/6.4/ r201679
> releng/6.3/ r201679
> stable/7/ r201679
> releng/7.2/ r201679
> releng/7.1/ r201679
> stable/8/ r201679
> releng/8.0/ r201679
> head/ r200576
> -------------------------------------------------------------------------
>
> VII. References
>
> http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
> https://support.ntp.org/bugs/show_bug.cgi?id=1331
> http://www.kb.cert.org/vuls/id/568372
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc
>
> ------------ End PGP Signed Message Verified 2010-01-07 03:50:19 -----------
>
--
Thu Jan 7 03:50:18 2010
jhell
More information about the freebsd-security
mailing list