[CentOS] NTP Vulnerability?

Sat Dec 20 03:19:23 UTC 2014
Peter Lawler <centos at bleeter.id.au>

C7 - http://lists.centos.org/pipermail/centos-announce/2014-December/020850.html
C6 - http://lists.centos.org/pipermail/centos-announce/2014-December/020852.html
C5 - http://lists.centos.org/pipermail/centos-announce/2014-December/020851.html

On 20/12/14 14:04, Eero Volotinen wrote:
> fixed in:
>
>
> https://rhn.redhat.com/errata/RHSA-2014-2025.html
> https://rhn.redhat.com/errata/RHSA-2014-2024.html
>
> maybe it's soon in centos too..
>
> 2014-12-20 4:42 GMT+02:00 listmail <listmail at entertech.com>:
>
>> I just saw this:
>>
>> https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
>>
>> which includes this:
>> " A remote attacker can send a carefully crafted packet that can overflow a
>> stack buffer and potentially allow malicious code to be executed with the
>> privilege level of the ntpd process. All NTP4 releases before 4.2.8 are
>> vulnerable."
>>
>> "This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014."
>>
>> I guess no one has had time to respond yet. Wonder if I should shut down my
>> external NTP services as a precaution?
>>
>> --Bill
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> http://lists.centos.org/mailman/listinfo/centos