[ntp:questions] Local clock - sync issue

Stephen Vaughan Stephen.Vaughan at blackboard.com
Thu Nov 11 15:53:12 UTC 2010


ntp-4.2.2p1-9.el5 is the latest in RHEL5 from what I can tell, those security patches below are already applied. Although I agree it's an outdated version.

Cheers,
Stephen


-----Original Message-----
From: questions-bounces+stephen.vaughan=blackboard.com at lists.ntp.org [mailto:questions-bounces+stephen.vaughan=blackboard.com at lists.ntp.org] On Behalf Of E-Mail Sent to this address will be added to the BlackLists
Sent: Wednesday, November 10, 2010 5:02 PM
To: questions at lists.ntp.org
Subject: Re: [ntp:questions] Local clock - sync issue

On 11/10/2010 1:06 PM, Stephen Vaughan wrote:
> I don't think we will upgrade, we're using standardized
>  environment with rhel5.

(Shrug)

You may want to consider REHL4 & REHL5 recommendations
 to update to 4.2.4p8:

 CVE-2009-3563 RHSA-2009:1648 Severity M Fixed 20091208
  ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5,
   allows remote attackers to cause a denial of service
   (CPU and bandwidth consumption) by using MODE_PRIVATE
   to send a spoofed (1) request or (2) response packet
   that triggers a continuous exchange of MODE_PRIVATE
   error responses between two NTP daemons.

  Mentioned in RHSA-2009-1651 for RHEL3 also.


(4.2.4p8) Which would also cover:
 CVE-2009-0159 RHSA-2009:1039 Severity L Fixed 20090518
  Stack-based buffer overflow in the cookedprint function
   in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2
   allows remote NTP servers to execute arbitrary code

 CVE-2009-1252 RHSA-2009:1039 Severity I Fixed 20090129
  Stack-based buffer overflow in the crypto_recv function
   in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5
   before 4.2.5p74, when OpenSSL and autokey are enabled,
   allows remote attackers to execute arbitrary code via
   a crafted packet containing an extension field.

 CVE-2009-0021 RHSA-2009:0046 Severity M Fixed 20090518
  NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does
   not properly check the return value from the OpenSSL
   EVP_VerifyFinal function, which allows remote attackers
   to bypass validation of the certificate chain via a
   malformed SSL/TLS signature for DSA and ECDSA keys,
   a similar vulnerability to CVE-2008-5077.

 ... and issues even older than those.

--
E-Mail Sent to this address <BlackList at Anitech-Systems.com>
  will be added to the BlackLists.

_______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions

This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.



More information about the questions mailing list