From owner-freebsd-announce Mon Apr 9 22: 4:11 2001 Delivered-To: freebsd-announce@freebsd.org Received: from peter3.wemm.org (c1315225-a.plstn1.sfba.home.com [65.0.135.147]) by hub.freebsd.org (Postfix) with ESMTP id 0C9F037B422 for ; Mon, 9 Apr 2001 22:04:07 -0700 (PDT) (envelope-from peter@netplex.com.au) Received: from overcee.netplex.com.au (overcee.wemm.org [10.0.0.3]) by peter3.wemm.org (8.11.0/8.11.0) with ESMTP id f3A546M92402 for ; Mon, 9 Apr 2001 22:04:06 -0700 (PDT) (envelope-from peter@netplex.com.au) Received: by overcee.netplex.com.au (Postfix, from userid 433) id BFAB338FE; Mon, 9 Apr 2001 22:04:06 -0700 (PDT) To: announce@freebsd.org Message-Id: <20010410050406.BFAB338FE@overcee.netplex.com.au> Date: Mon, 9 Apr 2001 22:04:06 -0700 (PDT) From: peter@netplex.com.au (Peter Wemm) Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org From grog@lemis.com Mon Apr 9 19:46:20 2001 Return-Path: Date: Tue, 10 Apr 2001 12:16:09 +0930 From: Greg Lehey To: announce@FreeBSD.org Subject: FreeBSD Core Team statement on Wind River acquisition Message-ID: <20010410121609.A11588@wantadilla.lemis.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Organization: LEMIS, PO Box 460, Echunga SA 5153, Australia Phone: +61-8-8388-8286 Fax: +61-8-8388-8725 Mobile: +61-418-838-708 WWW-Home-Page: http://www.lemis.com/~grog X-PGP-Fingerprint: 6B 7B C3 8C 61 CD 54 AF 13 24 52 F8 6D A4 95 EF The FreeBSD Core Team welcomes the attention that the press has given to Wind River Systems' acquisition of the software assets of Berkeley Software Design Inc. The FreeBSD project looks forward to a long and fruitful collaboration with Wind River Systems. Unfortunately, a couple of points in some reports are inaccurate or misleading. The FreeBSD Core Team would like to clarify: Wind River Systems has generously agreed to sponsor the FreeBSD Project, as Berkeley Software Design had previously done, but it has not ``acquired'' the project nor the operating system. FreeBSD is a free software (``open source'') project, which by its nature cannot be ``acquired''. The direction of the FreeBSD project is determined only by its developers. This correction relates only to certain incorrect reports, and is by no means a reflection on Wind River Systems' intentions or the relationship between Wind River Systems and the FreeBSD project. In addition, some reports speak of ``Jason Hubbard''. The correct name is Jordan Hubbard. The FreeBSD Core Team: Satoshi Asami David Greenman Jordan K. Hubbard Greg Lehey Warner Losh Doug Rabson Mike Smith Robert Watson Peter Wemm -- Finger grog@lemis.com for PGP public key See complete headers for address and phone numbers This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Thu Apr 12 13:58:30 2001 Delivered-To: freebsd-announce@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id B232837B446; Thu, 12 Apr 2001 13:58:21 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from jedgar@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3CKwLe45352; Thu, 12 Apr 2001 13:58:21 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 12 Apr 2001 13:58:21 -0700 (PDT) Message-Id: <200104122058.f3CKwLe45352@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: jedgar set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:31.ntpd Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:31 Security Advisory FreeBSD, Inc. Topic: ntpd contains potential remote compromise Category: core/ports Module: ntpd Announced: 2001-04-06 Credits: Przemyslaw Frasunek Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases), FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date. Ports collection prior to the correction date. Corrected: 2001-04-06 (FreeBSD 4.2-STABLE, 3.5-STABLE, and ports) Vendor status: Vendor notified. FreeBSD only: NO I. Background The ntpd daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. Older versions of ntpd, such as those in FreeBSD 3.x, were named xntpd. II. Problem Description An overflowable buffer exists in the ntpd daemon related to the building of a response for a query with a large readvar argument. Due to insufficient bounds checking, a remote attacker may be able to cause arbitrary code to be executed as the user running the ntpd daemon, usually root. All versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1 and 4.2, and versions of the ntpd port prior to ntp-4.0.99k_2 contain this problem. The base system and ports collections that will ship with FreeBSD 4.3 do not contain this problem since it was corrected before the release. III. Impact Malicious remote users may be able to execute arbitrary code on an ntpd server as the user running the ntpd daemon, usually root. The ntpd daemon is not enabled by default. If you have not enabled ntpd, your system is not vulnerable. IV. Workaround Disable the ntpd daemon using the following command: # kill -KILL `cat /var/run/ntpd.pid` Additionally, the ntpd daemon should be disabled in the system's startup configuration file /etc/rc.conf, normally accomplished by changing "xntpd_enable=YES" to "xntpd_enable=NO". Since NTP is a stateless UDP-based protocol, source addresses can be spoofed rendering firewalling ineffective for stopping this vulnerability. V. Solution [Base system] One of the following: 1) Upgrade to FreeBSD 4.2-STABLE or 3.5.1-STABLE after the correction date. 2) Download the patch and detached PGP signature from the following location: The following patch applies to FreeBSD 4.x. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch.asc The folllowing patch applies to FreeBSD 3.x. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch.asc Verify the detached signature using your PGP utility. Issue the following commands as root: [FreeBSD 4.x] # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/usr.sbin/ntp # make all install [FreeBSD 3.x] # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/usr.sbin/xntpd # make all install Finally, if ntpd is already running then kill and restart the ntpd daemon: perform the following command as root: # kill -KILL `cat /var/run/ntpd.pid` && /usr/sbin/ntpd [Ports collection] Use one of the following options to upgrade the ntpd software, then kill and restart the ntpd daemon if it is already running. To kill and restart the ntpd daemon, perform the following command as root: # kill -KILL `cat /var/run/ntpd.pid` && /usr/local/sbin/ntpd 1) Upgrade your entire ports collection and rebuild the ntpd port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntp-4.0.99k_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntp-4.0.99k_2.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntp-4.0.99k_2.tgz NOTE: It may be several days before updated packages are available. [alpha] Packages are not automatically generated for the alpha architecture at this time due to lack of build resources. 3) download a new port skeleton for the ntpd port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: FreeBSD: The Power To Serve iQCVAwUBOs5Oi1UuHi5z0oilAQGb+QP+MqTyEGJBziGnw2gHwAnK3lAaMFyKurBc cgpm61uWpOBsTnJGJ9t5uI3IGPjxsjjmyZR2ONYMIUCRC2b6MA21oEsenD3F8Jeu UphzKdv9IswnSkZFRI5v0PoFtUOKihDU1SLfp2DKjJel8HralhYuDiCOQ/pIpGCj emIKnwcGVu4= =FTKv -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message