[Full-disclosure] [ MDVSA-2009:007 ] ntp

From: <security_at_nospam>
Date: Wed Jan 14 2009 - 01:49:01 GMT
To: full-disclosure@lists.grok.org.uk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mandriva Linux Security Advisory MDVSA-2009:007 http://www.mandriva.com/security/

Package : ntp Date : January 13, 2009 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0, Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

A flaw was found in how NTP checked the return value of signature verification. A remote attacker could use this to bypass certificate validation by using a malformed SSL/TLS signature (CVE-2009-0021).

The updated packages have been patched to prevent this issue.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021

Updated Packages:

Mandriva Linux 2008.0: 91f0330a936cb343029aec711da0ce4f 2008.0/i586/ntp-4.2.4-10.1mdv2008.0.i586.rpm e7e6559f0431ff856d0da0b1d5a590a4 2008.0/i586/ntp-client-4.2.4-10.1mdv2008.0.i586.rpm 05f3b3c5777f6bef48ee85fefeaff8a8 2008.0/i586/ntp-doc-4.2.4-10.1mdv2008.0.i586.rpm a9cd3b03e611b517664ffae074da31da 2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64: e68c5263d456ec90d157787e70b17b99 2008.0/x86_64/ntp-4.2.4-10.1mdv2008.0.x86_64.rpm 85e0c28eae68bcdcca997c5c2bb9bf8c 2008.0/x86_64/ntp-client-4.2.4-10.1mdv2008.0.x86_64.rpm ffbd2a9f924478d27f33ad13e1c4e250 2008.0/x86_64/ntp-doc-4.2.4-10.1mdv2008.0.x86_64.rpm a9cd3b03e611b517664ffae074da31da 2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

Mandriva Linux 2008.1: 1a9909288448845fa41b220b50917ee1 2008.1/i586/ntp-4.2.4-15.1mdv2008.1.i586.rpm 6693319db15308f559912c9fe989bdd6 2008.1/i586/ntp-client-4.2.4-15.1mdv2008.1.i586.rpm 63758cadb1cf81ebb7bef096dc285f2f 2008.1/i586/ntp-doc-4.2.4-15.1mdv2008.1.i586.rpm ca06251ccab188cdb4f28fba35190eb6 2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

Mandriva Linux 2008.1/X86_64: 9c7b290e643cae08556bd3b1f6380926 2008.1/x86_64/ntp-4.2.4-15.1mdv2008.1.x86_64.rpm 7fd00c9b82a0ca577962d59975433071 2008.1/x86_64/ntp-client-4.2.4-15.1mdv2008.1.x86_64.rpm f99d1d7980dd6788a0f0c4924241a6d3 2008.1/x86_64/ntp-doc-4.2.4-15.1mdv2008.1.x86_64.rpm ca06251ccab188cdb4f28fba35190eb6 2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

Mandriva Linux 2009.0: 82ed4b25f0a0c1c607e5819ec1d70603 2009.0/i586/ntp-4.2.4-18.1mdv2009.0.i586.rpm 71855df81d8dd138d54fb24f5c221a5b 2009.0/i586/ntp-client-4.2.4-18.1mdv2009.0.i586.rpm 30874a706c15d4086df8493af51f5082 2009.0/i586/ntp-doc-4.2.4-18.1mdv2009.0.i586.rpm 248052356a2606f377debf55257b6855 2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

Mandriva Linux 2009.0/X86_64: c6462453877b538618e8bf8d0132b1a3 2009.0/x86_64/ntp-4.2.4-18.1mdv2009.0.x86_64.rpm abe80d9922eb665d6e5be56197895a68 2009.0/x86_64/ntp-client-4.2.4-18.1mdv2009.0.x86_64.rpm eb780b2e38ebb1b4ee1999c4f0429231 2009.0/x86_64/ntp-doc-4.2.4-18.1mdv2009.0.x86_64.rpm 248052356a2606f377debf55257b6855 2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

Corporate 3.0:
d1593543a5d37e6b8ea2c8468ce1d0d3 corporate/3.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm fc6c1a4605258d876c8a09d7d0d116ef corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
1214dd1fed42c4acd3ad36da9bd8b0ea corporate/3.0/x86_64/ntp-4.2.0-2.1.C30mdk.x86_64.rpm fc6c1a4605258d876c8a09d7d0d116ef corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

Corporate 4.0: dcc6abed648d3baac3233264bc107517 corporate/4.0/i586/ntp-4.2.0-21.3.20060mlcs4.i586.rpm d1c9cf4d821856af81ce574fa08c1f52 corporate/4.0/i586/ntp-client-4.2.0-21.3.20060mlcs4.i586.rpm 50c665296cd7d09f4e98ae04e998e350 corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

Corporate 4.0/X86_64: 6c41fd0f995d8cf8cf216bf82e062de0 corporate/4.0/x86_64/ntp-4.2.0-21.3.20060mlcs4.x86_64.rpm da7f3cd1385ae2250cd191182079c037 corporate/4.0/x86_64/ntp-client-4.2.0-21.3.20060mlcs4.x86_64.rpm 50c665296cd7d09f4e98ae04e998e350 corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
d7ff99538a0da678adcc5606913bc1b6 mnf/2.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm c8af767376df674dd434307c628e30cd mnf/2.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbRVSmqjQ0CJFipgRAt23AJ43dVc9u32PRtOsFf8+xdJzSIx+wACdFIK3 LT/YaZTGtZnOdbhIr2LV9dg=
=23nb
-----END PGP SIGNATURE-----

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

This message: [ Message body ]
Next message: security_at_nospam: "[Full-disclosure] [ MDVSA-2009:008 ] qemu"
Previous message: Pete Licoln: "Re: [Full-disclosure] Trigger Abuse of MDSYS.SDO_TOPO_DROP_FTBL in Oracle 10g R1 and R2"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]