Topic: ntpd stack-based buffer-overflow vulnerability
CVE Name: CVE-2009-1252
Announced: 2009-06-10
Affected: All supported versions of FreeBSD. (7.0-STABLE, 7.2-STABLE, etc.)

Background:

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

Problem Description:

The ntpd(8) daemon is prone to a stack-based buffer-overflow when it is configured to use the 'autokey' security model.

Impact:

This issue could be exploited to execute arbitrary code in the context of the service daemon, or crash the service daemon, causing denial-of-service conditions.

Workaround:

Use IP based restrictions in ntpd(8) itself or in IP firewalls to restrict which systems can send NTP packets to ntpd(8).

Solution:

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1, and 7.2 systems.

Correction details:

The following list contains the revision numbers of each file that was corrected in FreeBSD.
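
Added example (not part of the advisory or of FreeBSD's own tooling): a Python check for the two conditions named under Problem Description and Workaround, namely whether an ntp.conf enables autokey (a `crypto` line or an `autokey` option on a `server`/`peer` line) and whether its `restrict` lines keep a given source address from reaching ntpd(8). The sample configurations and addresses are constructed, and the matching is simplified to literal addresses with the most specific `restrict` entry winning.

```python
import ipaddress

# Constructed ntp.conf samples (not from the advisory); addresses are documentation ranges.
EXPOSED = """\
crypto pw examplepassword
server 192.0.2.10 autokey
"""
RESTRICTED = EXPOSED + """\
restrict default ignore                                 # drop everything by default
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # trusted subnet only
"""

def parse(text):
    """Return (autokey_enabled, [(network, flags), ...]) from ntp.conf text."""
    autokey, rules = False, []
    for raw in text.splitlines():
        # Strip comments and the optional -4/-6 address-family switches.
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if not tok:
            continue
        kw = tok[0].lower()
        if kw == "crypto" or (kw in ("server", "peer") and "autokey" in tok[2:]):
            autokey = True
        elif kw == "restrict" and len(tok) >= 2:
            addr, rest = tok[1], tok[2:]
            if addr == "default":
                addr = "0.0.0.0/0"          # assumption: only the IPv4 default is modelled
            elif rest[:1] == ["mask"] and len(rest) >= 2:
                addr, rest = f"{addr}/{rest[1]}", rest[2:]
            try:
                rules.append((ipaddress.ip_network(addr, strict=False), rest))
            except ValueError:
                pass  # hostnames and unparsable masks are skipped here
    return autokey, rules

def may_send(text, src):
    """True if ntpd would process packets from src (most specific restrict entry wins)."""
    ip = ipaddress.ip_address(src)
    matches = [(net.prefixlen, flags) for net, flags in parse(text)[1] if ip in net]
    if not matches:
        return True  # no matching restrict line: no restrictions apply
    # 'ignore' is the restrict flag that makes ntpd drop all packets from the match.
    return "ignore" not in max(matches, key=lambda m: m[0])[1]

def autokey_reachable_from(text, src):
    """True when the configuration uses autokey and src is not blocked by restrict lines."""
    return parse(text)[0] and may_send(text, src)
```

Flags such as `nomodify` or `noquery` do not stop ntpd from processing time packets, so the check treats only `ignore` as blocking a source.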