Meinberg Security Advisory 1405 was issued on 22 Decmber 2014 about vulnerabilities detected in versions 4.2.6 and earlier of the NTP package.

Version 4.2.8 was subsequently released and is already made available by many distros, but apparently not yet by Debian.

It ma be noteworthy that the NTP security bug fix was Apple's first ever automated security update pushed on Mac OS users.

The NTP developer himself offers an update for Windows users.

Until now, Debian does not care.

Greetings, Philo.

Your Debian NTP security concern may get more attention & action posted on Klaus K's
debian-knoppix developer's mailing list, rather than here. See for example:
https://lists.debian.org/debian-knoppix/2014/12/maillist.html

Hi, utu.

Debian is well aware:

https://security-tracker.debian.org/tracker/CVE-2014-9295

I am sure KK also knows and is just waiting for the Debian maintainer/packer to move.

I should have said 'packager'.

You don't need to wait for any action of KK. Use aptitude, install the security update of ntp and you'll get



ntp jessie, sid

1:4.2.6.p5+dfsg-3.2
fixed

Hello, Werner.
Could you be more explicit to some of us novices that use Synaptic,
on just what commands to put into aptitude to get the desired result?
Thanks in advance.

Type within a terminal
su
aptitudeto get the ncurses based frontend of aptitude

=> [F10] => Actions => Update package list
You''ll see the line "--- Security updates" => [Enter]
go down with the arrow key to the line "--- net......" => [Enter]
go down to "--- main ......" => [Enter]
go down to "i ntp ......"
use [+] or [F10] =>Package => Install
use [g] [g] to install the security update
use [q] to quit aptitude.

Be carefull! Knoppix is a mix of different versions and sometimes you'll get many problems if you want to install security updates and you need experience to solve the violated dependicies. When in doubt use
[F10] => Actions => Cancel pending actions
within aptitude.

Thanks, Werner.

I belatedly note that for my Knoppix 7.4.2 that if I look at
Synaptic>properties>versions, there are other version choices
including the testing dfsg-3(testing) already available under
package>force version. Seems like that might be a viable
means of upgrade for Knoppixers as well. What do you think?

I have a similar but different situation with another Debian-derived LiveUSB,
with which you are familiar, that uses ntpdate without ntp, and for
which no version alternatives similar to Knoppix's show up in Synaptic.
I presume you would recommend your aptitude approach for that system's
security upgrade as well?

Also, a belated seasons greetings to you.

You can use synaptic, but the big disadvantage: it doesn't differ between updates and security updates and it cannot try to solve violated dependencies. Within Knoppix I would never do a simple update because the different version problem, and sometimes also security updates are difficult or impossible for this reason. For example try to install the security update of pidgin.

Within MX-14 I can also see different versions under package > force version for "ntpdate". Perhaps you have to reload the package list.

Why not mention MX-14? It is a very nice and little Live system and also suitable for HD installation. With the HD installation of MX-14 you have not the problems which you get with a HD installation of Knoppix.

My (current) assessment with regard to Security Advisory CVE-2014-9295:

Knoppix 7.4.2 LiveDVD-size LiveUSB Synaptic shows a current status for
ntp having version 1:4.2.6.p5 +dfsg-2 which has a security problem;

Knoppix 7.4.2 LiveDVD-size LiveUSB Synaptic shows an unforced upgrade option for
ntp to version 1:4.2.6.p5 +dfsg-3.2 which would upgrade it to 'fixed'; and

AntiX/MX-14.3 LiveCD-size LiveUSB Synaptic shows a current status for
ntpdate having version 1:4.2.6.p5 +dfsg-2 +deb7u1 which is (already) 'fixed'.

In other words, current Knoppix 7.4.2 has a problem, but an easy fix; and
current MX-14.3, CD-size, doesn't have this problem.

A number of distros (Arch, Ubuntu, RedHat, et alii) promptly (on 22 Dec 2014) informed their users about the problem and then where to go for a solution. Regrettably, Knoppix did neither.

Again and again:
Knoppix isn't a distribution! (http://knoppix.net/wiki/Category:Hard_drive_Installation#Warning:_Knoppix_ is_a_Live_Linux_DVD)

I Should Have Known Better. Now I Know.