Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: NTP Security Advisory

  1. #1
    Senior Member
    Join Date
    Dec 2012
    Posts
    151

    NTP Security Advisory

    Meinberg Security Advisory 1405 was issued on 22 Decmber 2014 about vulnerabilities detected in versions 4.2.6 and earlier of the NTP package.

    Version 4.2.8 was subsequently released and is already made available by many distros, but apparently not yet by Debian.

  2. #2
    Senior Member
    Join Date
    Dec 2012
    Posts
    151
    It ma be noteworthy that the NTP security bug fix was Apple's first ever automated security update pushed on Mac OS users.

    The NTP developer himself offers an update for Windows users.

    Until now, Debian does not care.

  3. #3
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631

    just a suggestion

    Greetings, Philo.

    Your Debian NTP security concern may get more attention & action posted on Klaus K's
    debian-knoppix developer's mailing list, rather than here. See for example:
    https://lists.debian.org/debian-knop.../maillist.html

  4. #4
    Senior Member
    Join Date
    Dec 2012
    Posts
    151
    Hi, utu.

    Debian is well aware:

    https://security-tracker.debian.org/.../CVE-2014-9295

    I am sure KK also knows and is just waiting for the Debian maintainer/packer to move.

  5. #5
    Senior Member
    Join Date
    Dec 2012
    Posts
    151
    I should have said 'packager'.

  6. #6
    Moderator Moderator
    Join Date
    Nov 2010
    Location
    Germany/ Dietzenbach
    Posts
    1,124
    You don't need to wait for any action of KK. Use aptitude, install the security update of ntp and you'll get
    ntp jessie, sid 1:4.2.6.p5+dfsg-3.2 fixed

  7. #7
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Hello, Werner.
    Could you be more explicit to some of us novices that use Synaptic,
    on just what commands to put into aptitude to get the desired result?
    Thanks in advance.
    Last edited by utu; 12-28-2014 at 01:31 AM.

  8. #8
    Moderator Moderator
    Join Date
    Nov 2010
    Location
    Germany/ Dietzenbach
    Posts
    1,124
    Type within a terminal
    Code:
    su
    aptitude
    to get the ncurses based frontend of aptitude
    • => [F10] => Actions => Update package list
    • You''ll see the line "--- Security updates" => [Enter]
    • go down with the arrow key to the line "--- net......" => [Enter]
    • go down to "--- main ......" => [Enter]
    • go down to "i ntp ......"
    • use [+] or [F10] =>Package => Install
    • use [g] [g] to install the security update
    • use [q] to quit aptitude.

    Be carefull! Knoppix is a mix of different versions and sometimes you'll get many problems if you want to install security updates and you need experience to solve the violated dependicies. When in doubt use
    [F10] => Actions => Cancel pending actions
    within aptitude.
    Last edited by Werner P. Schulz; 12-28-2014 at 06:33 PM. Reason: not only [+] from the num-block works

  9. #9
    Senior Member registered user
    Join Date
    May 2006
    Location
    Columbia, Maryland USA
    Posts
    1,631
    Thanks, Werner.

    I belatedly note that for my Knoppix 7.4.2 that if I look at
    Synaptic>properties>versions, there are other version choices
    including the testing dfsg-3(testing) already available under
    package>force version. Seems like that might be a viable
    means of upgrade for Knoppixers as well. What do you think?

    I have a similar but different situation with another Debian-derived LiveUSB,
    with which you are familiar, that uses ntpdate without ntp, and for
    which no version alternatives similar to Knoppix's show up in Synaptic.
    I presume you would recommend your aptitude approach for that system's
    security upgrade as well?

    Also, a belated seasons greetings to you.

  10. #10
    Moderator Moderator
    Join Date
    Nov 2010
    Location
    Germany/ Dietzenbach
    Posts
    1,124
    You can use synaptic, but the big disadvantage: it doesn't differ between updates and security updates and it cannot try to solve violated dependencies. Within Knoppix I would never do a simple update because the different version problem, and sometimes also security updates are difficult or impossible for this reason. For example try to install the security update of pidgin.

    Within MX-14 I can also see different versions under package > force version for "ntpdate". Perhaps you have to reload the package list.

    Why not mention MX-14? It is a very nice and little Live system and also suitable for HD installation. With the HD installation of MX-14 you have not the problems which you get with a HD installation of Knoppix.

Page 1 of 2 12 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •