[ntp:questions] Local clock - sync issue
Stephen Vaughan
Stephen.Vaughan at blackboard.com
Thu Nov 11 15:53:12 UTC 2010
ntp-4.2.2p1-9.el5 is the latest in RHEL5 from what I can tell, those security patches below are already applied. Although I agree it's an outdated version.
Cheers,
Stephen
-----Original Message-----
From: questions-bounces+stephen.vaughan=blackboard.com at lists.ntp.org [mailto:questions-bounces+stephen.vaughan=blackboard.com at lists.ntp.org] On Behalf Of E-Mail Sent to this address will be added to the BlackLists
Sent: Wednesday, November 10, 2010 5:02 PM
To: questions at lists.ntp.org
Subject: Re: [ntp:questions] Local clock - sync issue
On 11/10/2010 1:06 PM, Stephen Vaughan wrote:
> I don't think we will upgrade, we're using standardized
> environment with rhel5.
(Shrug)
You may want to consider REHL4 & REHL5 recommendations
to update to 4.2.4p8:
CVE-2009-3563 RHSA-2009:1648 Severity M Fixed 20091208
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5,
allows remote attackers to cause a denial of service
(CPU and bandwidth consumption) by using MODE_PRIVATE
to send a spoofed (1) request or (2) response packet
that triggers a continuous exchange of MODE_PRIVATE
error responses between two NTP daemons.
Mentioned in RHSA-2009-1651 for RHEL3 also.
(4.2.4p8) Which would also cover:
CVE-2009-0159 RHSA-2009:1039 Severity L Fixed 20090518
Stack-based buffer overflow in the cookedprint function
in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2
allows remote NTP servers to execute arbitrary code
CVE-2009-1252 RHSA-2009:1039 Severity I Fixed 20090129
Stack-based buffer overflow in the crypto_recv function
in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5
before 4.2.5p74, when OpenSSL and autokey are enabled,
allows remote attackers to execute arbitrary code via
a crafted packet containing an extension field.
CVE-2009-0021 RHSA-2009:0046 Severity M Fixed 20090518
NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does
not properly check the return value from the OpenSSL
EVP_VerifyFinal function, which allows remote attackers
to bypass validation of the certificate chain via a
malformed SSL/TLS signature for DSA and ECDSA keys,
a similar vulnerability to CVE-2008-5077.
... and issues even older than those.
--
E-Mail Sent to this address <BlackList at Anitech-Systems.com>
will be added to the BlackLists.
_______________________________________________
questions mailing list
questions at lists.ntp.org
http://lists.ntp.org/listinfo/questions
This email and any attachments may contain confidential and proprietary information of Blackboard that is for the sole use of the intended recipient. If you are not the intended recipient, disclosure, copying, re-distribution or other use of any of this information is strictly prohibited. Please immediately notify the sender and delete this transmission if you received this email in error.
More information about the questions
mailing list