安全公告详情

NS-SA-2021-0186

2021-09-24 11:25:36

简介

important: ntp/ImageMagick security update

严重级别

important

主题

An update for ntp/ImageMagick is now available for NewStart CGSL MAIN 5.05/CGSL CORE 5.05.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

ntp: ntpdate is a program for retrieving the date and time from NTP servers.
ImageMagick: ImageMagick-devel contains the static libraries and header files you'll need to develop ImageMagick applications using the Magick++ C++ bindings. ImageMagick is an image manipulation program. If you want to create applications that will use Magick++ code or APIs, you'll need to install ImageMagick-c++-devel, ImageMagick-devel and ImageMagick. You don't need to install it if you just want to use ImageMagick, or if you want to develop/compile applications using the ImageMagick C interface, however.


Security Fix(es):
ntp: A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. An attacker who can send a large number of packets with the spoofed IPv4 address of the upstream server can use this flaw to modify the victim's clock by a limited amount or cause ntpd to exit.(CVE-2020-13817)
ntp: bugfix
ImageMagick: A flaw was found in ImageMagick. The -authenticate option is mishandled allowing user-controlled password set for a PDF file to possibly inject additional shell commands via coders/pdf.c. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-29599)
ImageMagick: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 5.05.F12B2.

影响组件

  • ntp
  • ImageMagick

影响产品

  • CGSL MAIN 5.05
  • CGSL CORE 5.05

更新包

{"fix":[{"product":"CGSL MAIN 5.05","pkgs":[{"binary":["ntpdate-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","sntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","ntp-doc-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.noarch.rpm","ntp-debuginfo-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","ntp-perl-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.noarch.rpm","ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm"],"source":"ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.src.rpm"},{"binary":["ImageMagick-c++-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-devel-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-debuginfo-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-doc-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-c++-devel-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-perl-6.9.10.68-5.el7_9.x86_64.rpm"],"source":"ImageMagick-6.9.10.68-5.el7_9.src.rpm"}]},{"product":"CGSL CORE 5.05","pkgs":[{"binary":["ntpdate-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","sntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","ntp-doc-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.noarch.rpm","ntp-debuginfo-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm","ntp-perl-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.noarch.rpm","ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.x86_64.rpm"],"source":"ntp-4.2.6p5-29.el7_8.2.cgslv5_5.0.1.g2486a10.src.rpm"},{"binary":["ImageMagick-c++-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-devel-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-debuginfo-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-doc-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-c++-devel-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-6.9.10.68-5.el7_9.x86_64.rpm","ImageMagick-perl-6.9.10.68-5.el7_9.x86_64.rpm"],"source":"ImageMagick-6.9.10.68-5.el7_9.src.rpm"}]}]}

CVE

参考