important: ntp/dhcp security update
An update for ntp/dhcp is now available for NewStart CGSL MAIN 4.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
ntp: The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package and the ntpdate program is in the ntpdate package. The documentation is in the ntp-doc package.
dhcp: DHCP (Dynamic Host Configuration Protocol) is a protocol which allows individual devices on an IP network to get their own network configuration information (IP address, subnetmask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. To use DHCP on your network, install a DHCP service (or relay agent), and on clients run a DHCP client daemon. The dhclient package provides the ISC DHCP client daemon.
ntp: A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash.(CVE-2017-6462)
ntp: A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6463)
ntp: A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6464)
dhcp: An out-of-bound memory access flaw was found in the way dhclient processed a DHCP response packet. A malicious DHCP server could potentially use this flaw to crash dhclient processes running on DHCP client machines via a crafted DHCP response packet.(CVE-2018-5732)
dhcp: A denial of service flaw was found in the way dhcpd handled reference counting when processing client requests. A malicious DHCP client could use this flaw to trigger a reference count overflow on the server side, potentially causing dhcpd to crash, by sending large amounts of traffic.(CVE-2018-5733)
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Remember the build tag is 4.05.F11.