GLSA Advocate
Posted: Sun Apr 05, 2009 2:26 pm Post subject: [ GLSA 200904-05 ] ntp: Certificate validation error
Gentoo Linux Security Advisory
Title: ntp: Certificate validation error (GLSA 200904-05)
Severity: normal
Exploitable: remote
Date: April 05, 2009
Bug(s): #254098
ID: 200904-05
Synopsis
An error in the OpenSSL certificate chain validation in ntp might allow for
spoofing attacks.
Background
ntp contains the client and daemon implementations for the Network Time
Protocol.
Affected Packages
Package: net-misc/ntp
Vulnerable: < 4.2.4_p6
Unaffected: >= 4.2.4_p6
Architectures: All supported architectures
Description
It has been reported that ntp incorrectly checks the return value of
the EVP_VerifyFinal() function, a vulnerability related to CVE-2008-5077
(GLSA 200902-02).
Impact
A remote attacker could exploit this vulnerability to spoof arbitrary
names to conduct Man-In-The-Middle attacks and intercept sensitive
information.
Workaround
There is no known workaround at this time.
Resolution
All ntp users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6"
References
CVE-2008-5077
CVE-2009-0021
GLSA 200902-02
Last edited by GLSA on Mon Jun 10, 2013 4:30 am; edited 1 time in total
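The Description above turns on how the return value of EVP_VerifyFinal() is tested: OpenSSL documents 1 for a valid signature, 0 for an invalid one and -1 for other errors. The following is an added example, not part of the advisory and not ntp's own code; it contrasts a check that treats only 0 as failure with one that accepts only 1. `toy_verify_final()` and the sample byte arrays are hypothetical stand-ins constructed here so the example builds without OpenSSL.

```c
#include <stdio.h>
#include <string.h>

#define TOY_SIG_LEN 4

/* Hypothetical stand-in for EVP_VerifyFinal(), NOT real cryptography.
 * It mirrors only the documented return convention:
 *   1 = signature valid, 0 = signature invalid, -1 = other error
 * (modelled here as a signature blob of the wrong length). */
static int toy_verify_final(const unsigned char *sig, size_t siglen,
                            const unsigned char *expected)
{
    if (siglen != TOY_SIG_LEN)
        return -1;
    return memcmp(sig, expected, TOY_SIG_LEN) == 0 ? 1 : 0;
}

/* Flawed pattern: only 0 is treated as failure, so -1 passes as success. */
int accept_loose(const unsigned char *sig, size_t siglen,
                 const unsigned char *expected)
{
    if (!toy_verify_final(sig, siglen, expected))
        return 0;               /* rejected */
    return 1;                   /* accepted, including the error case */
}

/* Hardened pattern: anything other than exactly 1 is a rejection. */
int accept_strict(const unsigned char *sig, size_t siglen,
                  const unsigned char *expected)
{
    if (toy_verify_final(sig, siglen, expected) != 1)
        return 0;               /* invalid signature or error */
    return 1;
}

/* Constructed sample inputs (not taken from any real exchange). */
static const unsigned char EXPECTED[TOY_SIG_LEN] = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char GOOD[TOY_SIG_LEN]     = { 0xde, 0xad, 0xbe, 0xef };
static const unsigned char WRONG[TOY_SIG_LEN]    = { 0x00, 0x00, 0x00, 0x00 };
static const unsigned char MALFORMED[2]          = { 0x30, 0x00 };

int main(void)
{
    printf("malformed: loose=%d strict=%d\n",
           accept_loose(MALFORMED, sizeof MALFORMED, EXPECTED),
           accept_strict(MALFORMED, sizeof MALFORMED, EXPECTED));
    return 0;
}
```

When auditing other callers for the same class of bug, look for `if (!EVP_VerifyFinal(...))` or `if (EVP_VerifyFinal(...) == 0)` as the only failure test.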