Sfdwhf

"Murder!" The knight said

I encountered my boss during an on-site interview at another company. Should I bring it up when seeing him next time?

Make me a metasequence

If nine coins are tossed, what is the probability that the number of heads is even?

The change directory (cd) command is not working with a USB drive

Whom do I have to contact for a ticket refund in case of denied boarding (in the EU)?

Has the Isbell–Freyd criterion ever been used to check that a category is concretisable?

How can atoms be electrically neutral when there is a difference in the positions of the charges?

A "strange" unit radio astronomy

How can I handle a player who pre-plans arguments about my rulings on RAW?

What is the wife of a henpecked husband called?

Do authors have to be politically correct in article-writing?

When should a commit not be version tagged?

I can't die. Who am I?

GeometricMean definition

Which aircraft had such a luxurious-looking navigator's station?

Logistics of a hovering watercraft in a fantasy setting

What are these green text/line displays shown during the livestream of Crew Dragon's approach to dock with the ISS?

What is the difference between throw e and throw new Exception(e)?

What's the difference between a cart and a wagon?

Is my plan for fixing my water heater leak bad?

How to approximate rolls for potions of healing using only d6's?

How to speed up a process

What type of postprocessing gives the effect of people standing out

How to update ntpd to the latest version to patch the latest vulnerability?

how to update to latest ntp patch 4.2.8p12 on ubuntu 18.04Patch for new 64bit kernel vulnerability?How do I disable ntpd?How to patch the Vulnerability [CVE-2014-0224] in OpenSSL?ntpd not adjusting the timeupdate to latest version of usb_modeswitchupgrade ubuntu to the latest released versionUpdate Manager doesn't show the latest version for upgradeAt what time intervals does ntpd update the time?How do I update kernel to the latest mainline version?VirtualBox 5.1 on Ubuntu Server 17.10

0

3

This week a new attack on the Network Time Protocol Daemon (ntpd) was demonstrated, see this paper. This could potentially wreak havoc with my HTTPS website or other time sensitive services I am running.

According to the article, to remain safe, clients and servers alike should run at least NTP version 4.2.8p4.

Running ntpd --version on my Ubuntu Server 14.04.3 LTS machine gives me ntpd 4.2.6p5 which is still vulnerable. This is even after running apt-get update, apt-get upgrade and apt-get dist-upgrade.

Apparently I can download the latest version from ntp.org myself. But I am unsure if this will conflict with my existing ntpd install done via apt-get. Also they only offer the download via HTTP and their method of ensuring authenticity is by using an MD5 hash checksum... I am looking forward to my NSA backdoored patch. I really wish people would use GPG signatures.

1. Does Ubuntu plan to release a security patch to upgrade ntpd to 4.2.8p4 any time soon? What will be needed to get the fix?




2. If I read the code and assumed the 4.2.8p4 version available for download on the ntp.org website was trustworthy, how can I install that without conflicts?

server upgrade updates security ntp

share|improve this question

asked Oct 25 '15 at 3:43

RexRex

312

add a comment | 

0

3

This week a new attack on the Network Time Protocol Daemon (ntpd) was demonstrated, see this paper. This could potentially wreak havoc with my HTTPS website or other time sensitive services I am running.

According to the article, to remain safe, clients and servers alike should run at least NTP version 4.2.8p4.

Running ntpd --version on my Ubuntu Server 14.04.3 LTS machine gives me ntpd 4.2.6p5 which is still vulnerable. This is even after running apt-get update, apt-get upgrade and apt-get dist-upgrade.

Apparently I can download the latest version from ntp.org myself. But I am unsure if this will conflict with my existing ntpd install done via apt-get. Also they only offer the download via HTTP and their method of ensuring authenticity is by using an MD5 hash checksum... I am looking forward to my NSA backdoored patch. I really wish people would use GPG signatures.

1. Does Ubuntu plan to release a security patch to upgrade ntpd to 4.2.8p4 any time soon? What will be needed to get the fix?




2. If I read the code and assumed the 4.2.8p4 version available for download on the ntp.org website was trustworthy, how can I install that without conflicts?

server upgrade updates security ntp

share|improve this question

asked Oct 25 '15 at 3:43

RexRex

312

add a comment | 

This week a new attack on the Network Time Protocol Daemon (ntpd) was demonstrated, see this paper. This could potentially wreak havoc with my HTTPS website or other time sensitive services I am running.

According to the article, to remain safe, clients and servers alike should run at least NTP version 4.2.8p4.

Running ntpd --version on my Ubuntu Server 14.04.3 LTS machine gives me ntpd 4.2.6p5 which is still vulnerable. This is even after running apt-get update, apt-get upgrade and apt-get dist-upgrade.

Apparently I can download the latest version from ntp.org myself. But I am unsure if this will conflict with my existing ntpd install done via apt-get. Also they only offer the download via HTTP and their method of ensuring authenticity is by using an MD5 hash checksum... I am looking forward to my NSA backdoored patch. I really wish people would use GPG signatures.

1. Does Ubuntu plan to release a security patch to upgrade ntpd to 4.2.8p4 any time soon? What will be needed to get the fix?




2. If I read the code and assumed the 4.2.8p4 version available for download on the ntp.org website was trustworthy, how can I install that without conflicts?

server upgrade updates security ntp

share|improve this question

asked Oct 25 '15 at 3:43

RexRex

312

share|improve this question

asked Oct 25 '15 at 3:43

RexRex

312

share|improve this question

asked Oct 25 '15 at 3:43

RexRex

312

asked Oct 25 '15 at 3:43

RexRex

312

asked Oct 25 '15 at 3:43

RexRex

312

1 Answer
1

active

oldest

votes

0

1. Install checkinstall, read man checkinstall and use checkinstall to keep track of the files installed.




2. Download, build and install the version of ntpd that you need, overwriting Ubuntu's. Check to see that you can make uninstall (by reading Makefile), or keep track of the files installed.




3. When Ubuntu updates ntpd to, or beyond, the desired version, return to the source directory and make uninstall. Then sudo apt-get install --reinstall ntpd should get you re-synchronized with the official version.

Note: I have not tried this, so I may be wrong.

share|improve this answer

edited Nov 9 '15 at 16:26

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Great, thanks. The install procedure worked more or less how you said. wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p4.tar.gz && tar xvfz ntp-4.2.8p4.tar.gz && cd ntp-4.2.8p4/ && ./configure && make && make install. Then ntpd --version which showed the new version ntpd 4.2.8p4.
  
  – Rex
  Oct 31 '15 at 1:04
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f689565%2fhow-to-update-ntpd-to-the-latest-version-to-patch-the-latest-vulnerability%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

0

1. Install checkinstall, read man checkinstall and use checkinstall to keep track of the files installed.




2. Download, build and install the version of ntpd that you need, overwriting Ubuntu's. Check to see that you can make uninstall (by reading Makefile), or keep track of the files installed.




3. When Ubuntu updates ntpd to, or beyond, the desired version, return to the source directory and make uninstall. Then sudo apt-get install --reinstall ntpd should get you re-synchronized with the official version.

Note: I have not tried this, so I may be wrong.

share|improve this answer

edited Nov 9 '15 at 16:26

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Great, thanks. The install procedure worked more or less how you said. wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p4.tar.gz && tar xvfz ntp-4.2.8p4.tar.gz && cd ntp-4.2.8p4/ && ./configure && make && make install. Then ntpd --version which showed the new version ntpd 4.2.8p4.
  
  – Rex
  Oct 31 '15 at 1:04
  

  
  
  
  

add a comment | 

0

1. Install checkinstall, read man checkinstall and use checkinstall to keep track of the files installed.




2. Download, build and install the version of ntpd that you need, overwriting Ubuntu's. Check to see that you can make uninstall (by reading Makefile), or keep track of the files installed.




3. When Ubuntu updates ntpd to, or beyond, the desired version, return to the source directory and make uninstall. Then sudo apt-get install --reinstall ntpd should get you re-synchronized with the official version.

Note: I have not tried this, so I may be wrong.

share|improve this answer

edited Nov 9 '15 at 16:26

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Great, thanks. The install procedure worked more or less how you said. wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p4.tar.gz && tar xvfz ntp-4.2.8p4.tar.gz && cd ntp-4.2.8p4/ && ./configure && make && make install. Then ntpd --version which showed the new version ntpd 4.2.8p4.
  
  – Rex
  Oct 31 '15 at 1:04
  

  
  
  
  

add a comment | 

1. Install checkinstall, read man checkinstall and use checkinstall to keep track of the files installed.




2. Download, build and install the version of ntpd that you need, overwriting Ubuntu's. Check to see that you can make uninstall (by reading Makefile), or keep track of the files installed.




3. When Ubuntu updates ntpd to, or beyond, the desired version, return to the source directory and make uninstall. Then sudo apt-get install --reinstall ntpd should get you re-synchronized with the official version.

Note: I have not tried this, so I may be wrong.

share|improve this answer

edited Nov 9 '15 at 16:26

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

share|improve this answer

edited Nov 9 '15 at 16:26

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169

answered Oct 25 '15 at 4:59

waltinatorwaltinator

22.6k74169