Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

ntp: Certificate validation error — GLSA 200904-05

An error in the OpenSSL certificate chain validation in ntp might allow for spoofing attacks.

Affected packages

Package net-misc/ntp on all architectures
Affected versions < 4.2.4_p6
Unaffected versions >= 4.2.4_p6

Background

ntp contains the client and daemon implementations for the Network Time Protocol.

Description

It has been reported that ntp incorrectly checks the return value of the EVP_VerifyFinal(), a vulnerability related to CVE-2008-5077 (GLSA 200902-02).

Impact

A remote attacker could exploit this vulnerability to spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.

Workaround

There is no known workaround at this time.

Resolution

All ntp users should upgrade to the latest version: 

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6"

References

Release date
April 05, 2009

Latest revision
April 05, 2009: 01

Severity
normal

Exploitable
remote

Bugzilla entries