Joined: 12 May 2004
|Posted: Sun Apr 05, 2009 2:26 pm Post subject: [ GLSA 200904-05 ] ntp: Certificate validation error
|Gentoo Linux Security Advisory
Title: ntp: Certificate validation error (GLSA 200904-05)
Date: April 05, 2009
An error in the OpenSSL certificate chain validation in ntp might allow for spoofing attacks.
ntp contains the client and daemon implementations for the Network Time Protocol.
Vulnerable: < 4.2.4_p6
Unaffected: >= 4.2.4_p6
Architectures: All supported architectures
It has been reported that ntp incorrectly checks the return value of the EVP_VerifyFinal(), a vulnerability related to CVE-2008-5077 (GLSA 200902-02).
A remote attacker could exploit this vulnerability to spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.
There is no known workaround at this time.
All ntp users should upgrade to the latest version:
|# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6"