I haven't seen an announcement anywhere, but I noticed it on the FTP
server this morning. It is dated Friday evening.
ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
I tried it out with the exploit posted by "babcia padlina
ltd. <[EMAIL PROTECTED]>" and it seems to be safe. I never had
a machine that the exploit worked against, but my ntp servers would exit
with a segfault when it was run against them. The new server does not
exit.
I am sending a copy of this message to Dr. Mills, in the hopes that he can
confirm for us that k23 is a final, fixed version for this exploit.
Also, someone on the ntp newsgroup this weekend said that the FreeBSD
patch prevented the overflow, but still corrupted data because of an
off-by-one error.
--
William Colburn, "Sysprog" <[EMAIL PROTECTED]>
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn