Skip to Content.
Sympa Menu

perfsonar-user - [perfsonar-user] CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets

Subject: perfSONAR User Q&A and Other Discussion

List archive

[perfsonar-user] CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets


Chronological Thread 
  • From: Jason Zurawski <>
  • To: perfsonar-announce <>,
  • Cc:
  • Subject: [perfsonar-user] CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
  • Date: Fri, 19 Dec 2014 17:24:19 -0500

Greetings All;

The year wouldn’t be complete without at least one more security concern for
everyone to be aware of. Turn your attention to the following -
“CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets”:

https://access.redhat.com/security/cve/CVE-2014-9295

Information is is still scarce on this thus far, we have not seen any word
come down on the CentOS mailing lists regarding packages. There is some
chatter on the actual issue tracker item that is useful:

https://bugzilla.redhat.com/show_bug.cgi?id=1176037

Their read:

- “Autokey Authentication”, sometimes used in the /etc/ntp.conf file,
is at risk. This is not a default for RHEL, or the perfSONAR Toolkit. If
you added any in, you may want to reconsider.

- untrusted hosts that are allowed to send control messages can cause
a buffer overflow. By default, RHEL and perfSONAR Toolkit permissions allow
only localhost based control communication. If you changed this for whatever
reason, you may want to reconsider.

- DOS possibility through special message creation, but will not
allow any remote code execution. Will require an upstream patch to fully
address.

The perfSONAR project will keep watch on the situation and alert when its
time to download patches. We will take this opportunity to remind everyone
that the 3.4 version of the perfSONAR toolkit has a automatic update feature
available:

http://docs.perfsonar.net/manage_update.html#automatic-updates

Consider enabling this if you haven’t done so, and please upgrade to 3.4 if
you haven’t done so.

Thanks, and Happy Festivus;

-jason


Archive powered by MHonArc 2.6.16.

Top of Page