Subject: perfSONAR Announcements
CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
- From: Jason Zurawski <>
- To: perfsonar-announce <>,
- Subject: CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
- Date: Fri, 19 Dec 2014 17:24:19 -0500
The year wouldn’t be complete without at least one more security concern for
everyone to be aware of. Turn your attention to the following -
“CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets”:
Information is still scarce on this thus far; we have not seen any word
come down on the CentOS mailing lists regarding packages. There is some
chatter on the actual issue tracker item that is useful:
- “Autokey Authentication”, sometimes used in the /etc/ntp.conf file,
is at risk. This is not a default for RHEL, or the perfSONAR Toolkit. If
you added any in, you may want to reconsider.
- untrusted hosts that are allowed to send control messages can cause
a buffer overflow. By default, RHEL and perfSONAR Toolkit permissions allow
only localhost based control communication. If you changed this for whatever
reason, you may want to reconsider.
- DoS possibility through special message creation, but will not
allow any remote code execution. Will require an upstream patch to fully
The perfSONAR project will keep watch on the situation and alert when it's
time to download patches. We will take this opportunity to remind everyone
that the 3.4 version of the perfSONAR toolkit has an automatic update feature.
Consider enabling this if you haven't done so, and please upgrade to 3.4 if
you haven't done so.
Thanks, and Happy Festivus;
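The two exposure conditions the announcement above names (Autokey in use, and restrict lines that let hosts other than localhost send control messages) can both be read straight out of /etc/ntp.conf. The script below is an added example, not code from the perfSONAR project or from ntp: it audits a config file for those two conditions. It assumes that Autokey is switched on by a `crypto` directive, that `noquery` is the restrict flag that denies ntpq/ntpdc control queries (`nomodify` alone still permits informational queries), and that 127.0.0.1 and ::1 are the only targets counted as local. The two sample configs it writes are constructed for the demonstration; the first mirrors the RHEL-style defaults the note describes, the second has been loosened in both ways.

```shell
#!/bin/sh
# Added example for the CVE-2014-9295 note: audit an ntp.conf for the two
# conditions it calls out. Not perfSONAR or ntp project code.

# audit_ntp_conf FILE
# Prints one "RISK:" line per finding. Exit status 0 = clean, 1 = findings.
audit_ntp_conf() {
    rc=0

    # 1. Autokey is enabled by any active "crypto" directive (e.g. "crypto pw ...").
    #    Assumption: no other directive turns Autokey on.
    if grep -Eq '^[[:space:]]*crypto([[:space:]]|$)' "$1"; then
        echo "RISK: Autokey ('crypto' directive) is configured in $1"
        rc=1
    fi

    # 2. Control messages. Every restrict line whose target is not loopback
    #    must carry "noquery"; with no "restrict default" line at all, ntpd
    #    answers queries from everyone.
    findings=$(awk '
        { sub(/#.*/, ""); if ($0 ~ /^[[:space:]]*$/) next }   # drop comments/blanks
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++                 # address-family flag
            target = $i
            if (target == "default") seen_default = 1
            if (target == "127.0.0.1" || target == "::1") next # localhost is fine
            noquery = 0
            for (j = i + 1; j <= NF; j++) if ($j == "noquery") noquery = 1
            if (!noquery)
                print "RISK: restrict " target " permits control queries (no noquery)"
        }
        END {
            if (!seen_default)
                print "RISK: no \"restrict default\" line; all hosts may send queries"
        }
    ' "$1")
    if [ -n "$findings" ]; then
        echo "$findings"
        rc=1
    fi
    return $rc
}

# write_samples DIR: constructed sample configs (not copied from any host).
write_samples() {
    cat > "$1/default.conf" <<'EOF'
# RHEL / perfSONAR Toolkit style defaults: remote queries denied, localhost open
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.centos.pool.ntp.org iburst
EOF
    cat > "$1/loosened.conf" <<'EOF'
# Same base, but a subnet was opened for monitoring and Autokey was added
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # no noquery
crypto pw example-autokey-password
keysdir /etc/ntp/keys
server 0.centos.pool.ntp.org iburst
EOF
}

# Demo: the default-style config passes, the loosened one reports two risks.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in "$demo_dir/default.conf" "$demo_dir/loosened.conf"; do
    echo "== $f"
    audit_ntp_conf "$f" && echo "OK: no exposure found"
done
rm -rf "$demo_dir"
```

Run it against a real host with `audit_ntp_conf /etc/ntp.conf`; a clean result only means the two conditions from the note are absent, it says nothing about whether the installed ntp package carries the upstream fix.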