Security Advisory Details

NS-SA-2019-0127

2019-07-17 15:02:58

Summary

important: ntp/dhcp security update

Severity

important

Topic

An update for ntp/dhcp is now available for NewStart CGSL MAIN 4.05.
NewStart Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

ntp: The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package and the ntpdate program is in the ntpdate package. The documentation is in the ntp-doc package.
dhcp: DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnet mask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. To use DHCP on your network, install a DHCP service (or relay agent), and on clients run a DHCP client daemon. The dhclient package provides the ISC DHCP client daemon.


Security Fix(es):
ntp: A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462)
ntp: A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463)
ntp: A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6464)
ntp: bugfix
dhcp: An out-of-bounds memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet. (CVE-2018-5732)
dhcp: A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic. (CVE-2018-5733)
dhcp: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 4.05.F11.

Affected Components

  • ntp
  • dhcp

Affected Products

  • CGSL MAIN 4.05

Update Packages

CGSL MAIN 4.05

Source: ntp-4.2.6p5-12.el6.centos.2.src.rpm

  • ntp-4.2.6p5-12.el6.centos.2.x86_64.rpm
  • ntpdate-4.2.6p5-12.el6.centos.2.x86_64.rpm
  • ntp-debuginfo-4.2.6p5-12.el6.centos.2.x86_64.rpm
  • ntp-doc-4.2.6p5-12.el6.centos.2.noarch.rpm
  • ntp-perl-4.2.6p5-12.el6.centos.2.x86_64.rpm

Source: dhcp-4.1.1-53.P1.el6.centos.3.src.rpm

  • dhclient-4.1.1-53.P1.el6.centos.3.x86_64.rpm
  • dhcp-4.1.1-53.P1.el6.centos.3.x86_64.rpm
  • dhcp-common-4.1.1-53.P1.el6.centos.3.x86_64.rpm
  • dhcp-debuginfo-4.1.1-53.P1.el6.centos.3.x86_64.rpm
  • dhcp-devel-4.1.1-53.P1.el6.centos.3.x86_64.rpm
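
A post-update check, added here as an example (not NewStart's code): it compares installed package builds against the fixed builds listed in this advisory, using a simplified RPM version comparison. The function names, status labels and the sample `rpm -qa` lines are assumptions; epochs and the `~`/`^` version markers are not handled, and the debuginfo packages are left out.

```python
import re

# Fixed builds, copied from this advisory's update package list.
FIXED_RPMS = [
    "ntp-4.2.6p5-12.el6.centos.2.x86_64.rpm",
    "ntpdate-4.2.6p5-12.el6.centos.2.x86_64.rpm",
    "ntp-doc-4.2.6p5-12.el6.centos.2.noarch.rpm",
    "ntp-perl-4.2.6p5-12.el6.centos.2.x86_64.rpm",
    "dhclient-4.1.1-53.P1.el6.centos.3.x86_64.rpm",
    "dhcp-4.1.1-53.P1.el6.centos.3.x86_64.rpm",
    "dhcp-common-4.1.1-53.P1.el6.centos.3.x86_64.rpm",
    "dhcp-devel-4.1.1-53.P1.el6.centos.3.x86_64.rpm",
]

def split_nvr(pkg):
    """'name-version-release.arch[.rpm]' -> (name, version, release)."""
    pkg = re.sub(r"\.(x86_64|i686|noarch|src)(\.rpm)?$", "", pkg.strip())
    name, version, release = pkg.rsplit("-", 2)
    return name, version, release

def rpmvercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1. Ignores epoch, '~' and '^'."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment beats alphabetic
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segment is newer

FIXED = {n: (v, r) for n, v, r in map(split_nvr, FIXED_RPMS)}

def audit(installed):
    """Map each advisory package found in `installed` to a status label."""
    result = {}
    for line in installed:
        name, version, release = split_nvr(line)
        if name in FIXED:
            fv, fr = FIXED[name]
            older = (rpmvercmp(version, fv) or rpmvercmp(release, fr)) < 0
            result[name] = "update needed" if older else "at or above fixed build"
    return result

# Constructed sample of `rpm -qa` output (not taken from a real host).
SAMPLE = ["ntp-4.2.6p5-10.el6.centos.2.x86_64", "bash-4.1.2-48.el6.x86_64",
          "dhclient-4.1.1-53.P1.el6.centos.3.x86_64",
          "dhcp-common-4.1.1-51.P1.el6.centos.x86_64"]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

On a real host, pass the lines of `rpm -qa` output to `audit()` in place of `SAMPLE`.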

CVE

References