Executive Summary
| Summary | |
|---|---|
| Title | ntp security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2006:0393 | First vendor Publication | 2006-08-10 |
| Vendor | RedHat | Last vendor Modification | 2006-08-10 |
| Severity (Vendor) | Low | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 4.6 | Attack Range | Local |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 3.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: Updated ntp packages that fix several bugs are now available. This update has been rated as having low security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64 3. Problem description: The Network Time Protocol (NTP) is used to synchronize a computer's time with a reference time source. The NTP daemon (ntpd), when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes ntpd to run with different privileges than intended. (CVE-2005-2496) The following issues have also been addressed in this update: - - The init script had several problems - - The script executed on upgrade could fail - - The man page for ntpd indicated the wrong option for specifying a chroot directory - - The ntp daemon could crash with the message "Exiting: No more memory!" - - There is a new option for syncing the hardware clock after a successful run of ntpdate Users of ntp should upgrade to these updated packages, which resolve these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date This will start an interactive process that will result in the appropriate RPMs being upgraded on your system. 5. Bug IDs fixed (http://bugzilla.redhat.com/): 142926 - multiple problems with ntpd init.d script 149652 - CVE-2005-2496 improper group set when running ntpd 166773 - ntp %post scriptlet fails on upgrade, if ntpd is disabled. 177052 - ntpd dies with the error "Exiting: out of memory!" 187003 - ntpdate not invoked when supplying the -x option |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2006-0393.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:9669 | |||
| Oval ID: | oval:org.mitre.oval:def:9669 | ||
| Title: | The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. | ||
| Description: | The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2005-2496 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 801-1 (ntp) File : nvt/deb_801_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 19055 | NTP ntpd -u Group Permission Weakness |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2006-08-30 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2006-0393.nasl - Type : ACT_GATHER_INFO |
| 2006-08-14 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2006-0393.nasl - Type : ACT_GATHER_INFO |
| 2006-01-15 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-175-1.nasl - Type : ACT_GATHER_INFO |
| 2005-09-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2005-812.nasl - Type : ACT_GATHER_INFO |
| 2005-09-06 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-801.nasl - Type : ACT_GATHER_INFO |
| 2005-08-29 | Name : The remote NTP server is affected by a privilege escalation vulnerability. File : ntp_incorrect_group_privs.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:50:00 |
|
