An error in the OpenSSL certificate chain validation in ntp might allow for spoofing attacks.
|Package||net-misc/ntp on all architectures|
|Affected versions||< 4.2.4_p6|
|Unaffected versions||>= 4.2.4_p6|
ntp contains the client and daemon implementations for the Network Time Protocol.
It has been reported that ntp incorrectly checks the return value of the EVP_VerifyFinal(), a vulnerability related to CVE-2008-5077 (GLSA 200902-02).
A remote attacker could exploit this vulnerability to spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.
There is no known workaround at this time.
All ntp users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6"
April 05, 2009
April 05, 2009: 01