1. Gentoo Linux Security Advisory
| Advisory Reference | GLSA 200904-05 / ntp |
| Release Date | April 05, 2009 |
| Latest Revision | April 05, 2009: 01 |
| Impact | normal |
| Exploitable | remote |
| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-misc/ntp | < 4.2.4_p6 | >= 4.2.4_p6 | All supported architectures |
Related bugreports: #254098
An error in the OpenSSL certificate chain validation in ntp might allow for spoofing attacks.
ntp contains the client and daemon implementations for the Network Time Protocol.
It has been reported that ntp incorrectly checks the return value of the EVP_VerifyFinal(), a vulnerability related to CVE-2008-5077 (GLSA 200902-02).
A remote attacker could exploit this vulnerability to spoof arbitrary names to conduct Man-In-The-Middle attacks and intercept sensitive information.
There is no known workaround at this time.
All ntp users should upgrade to the latest version:
Code Listing 3.1: Resolution |
# emerge --sync # emerge --ask --oneshot --verbose ">=net-misc/ntp-4.2.4_p6" |