[ntp:questions] Local clock - sync issue
E-Mail Sent to this address will be added to the BlackLists
Null at BlackList.Anitech-Systems.invalid
Wed Nov 10 22:02:01 UTC 2010
On 11/10/2010 1:06 PM, Stephen Vaughan wrote:
> I don't think we will upgrade, we're using standardized
> environment with rhel5.
(Shrug)
You may want to consider REHL4 & REHL5 recommendations
to update to 4.2.4p8:
CVE-2009-3563 RHSA-2009:1648 Severity M Fixed 20091208
ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5,
allows remote attackers to cause a denial of service
(CPU and bandwidth consumption) by using MODE_PRIVATE
to send a spoofed (1) request or (2) response packet
that triggers a continuous exchange of MODE_PRIVATE
error responses between two NTP daemons.
Mentioned in RHSA-2009-1651 for RHEL3 also.
(4.2.4p8) Which would also cover:
CVE-2009-0159 RHSA-2009:1039 Severity L Fixed 20090518
Stack-based buffer overflow in the cookedprint function
in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2
allows remote NTP servers to execute arbitrary code
CVE-2009-1252 RHSA-2009:1039 Severity I Fixed 20090129
Stack-based buffer overflow in the crypto_recv function
in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5
before 4.2.5p74, when OpenSSL and autokey are enabled,
allows remote attackers to execute arbitrary code via
a crafted packet containing an extension field.
CVE-2009-0021 RHSA-2009:0046 Severity M Fixed 20090518
NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does
not properly check the return value from the OpenSSL
EVP_VerifyFinal function, which allows remote attackers
to bypass validation of the certificate chain via a
malformed SSL/TLS signature for DSA and ECDSA keys,
a similar vulnerability to CVE-2008-5077.
... and issues even older than those.
--
E-Mail Sent to this address <BlackList at Anitech-Systems.com>
will be added to the BlackLists.
More information about the questions
mailing list