Message-Id: <E1LMusP-0002OP-K6@titan.mandriva.com>
Date: Tue, 13 Jan 2009 18:49:01 -0700
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:007 ] ntp


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:007
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : ntp
 Date    : January 13, 2009
 Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
           Multi Network Firewall 2.0
 _______________________________________________________________________

 Problem Description:

 A flaw was found in how NTP checked the return value of signature
 verification.  A remote attacker could use this to bypass certificate
 validation by using a malformed SSL/TLS signature (CVE-2009-0021).
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 91f0330a936cb343029aec711da0ce4f  2008.0/i586/ntp-4.2.4-10.1mdv2008.0.i586.rpm
 e7e6559f0431ff856d0da0b1d5a590a4  2008.0/i586/ntp-client-4.2.4-10.1mdv2008.0.i586.rpm
 05f3b3c5777f6bef48ee85fefeaff8a8  2008.0/i586/ntp-doc-4.2.4-10.1mdv2008.0.i586.rpm 
 a9cd3b03e611b517664ffae074da31da  2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 e68c5263d456ec90d157787e70b17b99  2008.0/x86_64/ntp-4.2.4-10.1mdv2008.0.x86_64.rpm
 85e0c28eae68bcdcca997c5c2bb9bf8c  2008.0/x86_64/ntp-client-4.2.4-10.1mdv2008.0.x86_64.rpm
 ffbd2a9f924478d27f33ad13e1c4e250  2008.0/x86_64/ntp-doc-4.2.4-10.1mdv2008.0.x86_64.rpm 
 a9cd3b03e611b517664ffae074da31da  2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 1a9909288448845fa41b220b50917ee1  2008.1/i586/ntp-4.2.4-15.1mdv2008.1.i586.rpm
 6693319db15308f559912c9fe989bdd6  2008.1/i586/ntp-client-4.2.4-15.1mdv2008.1.i586.rpm
 63758cadb1cf81ebb7bef096dc285f2f  2008.1/i586/ntp-doc-4.2.4-15.1mdv2008.1.i586.rpm 
 ca06251ccab188cdb4f28fba35190eb6  2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 9c7b290e643cae08556bd3b1f6380926  2008.1/x86_64/ntp-4.2.4-15.1mdv2008.1.x86_64.rpm
 7fd00c9b82a0ca577962d59975433071  2008.1/x86_64/ntp-client-4.2.4-15.1mdv2008.1.x86_64.rpm
 f99d1d7980dd6788a0f0c4924241a6d3  2008.1/x86_64/ntp-doc-4.2.4-15.1mdv2008.1.x86_64.rpm 
 ca06251ccab188cdb4f28fba35190eb6  2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 82ed4b25f0a0c1c607e5819ec1d70603  2009.0/i586/ntp-4.2.4-18.1mdv2009.0.i586.rpm
 71855df81d8dd138d54fb24f5c221a5b  2009.0/i586/ntp-client-4.2.4-18.1mdv2009.0.i586.rpm
 30874a706c15d4086df8493af51f5082  2009.0/i586/ntp-doc-4.2.4-18.1mdv2009.0.i586.rpm 
 248052356a2606f377debf55257b6855  2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 c6462453877b538618e8bf8d0132b1a3  2009.0/x86_64/ntp-4.2.4-18.1mdv2009.0.x86_64.rpm
 abe80d9922eb665d6e5be56197895a68  2009.0/x86_64/ntp-client-4.2.4-18.1mdv2009.0.x86_64.rpm
 eb780b2e38ebb1b4ee1999c4f0429231  2009.0/x86_64/ntp-doc-4.2.4-18.1mdv2009.0.x86_64.rpm 
 248052356a2606f377debf55257b6855  2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm

 Corporate 3.0:
 d1593543a5d37e6b8ea2c8468ce1d0d3  corporate/3.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm 
 fc6c1a4605258d876c8a09d7d0d116ef  corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 1214dd1fed42c4acd3ad36da9bd8b0ea  corporate/3.0/x86_64/ntp-4.2.0-2.1.C30mdk.x86_64.rpm 
 fc6c1a4605258d876c8a09d7d0d116ef  corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm

 Corporate 4.0:
 dcc6abed648d3baac3233264bc107517  corporate/4.0/i586/ntp-4.2.0-21.3.20060mlcs4.i586.rpm
 d1c9cf4d821856af81ce574fa08c1f52  corporate/4.0/i586/ntp-client-4.2.0-21.3.20060mlcs4.i586.rpm 
 50c665296cd7d09f4e98ae04e998e350  corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 6c41fd0f995d8cf8cf216bf82e062de0  corporate/4.0/x86_64/ntp-4.2.0-21.3.20060mlcs4.x86_64.rpm
 da7f3cd1385ae2250cd191182079c037  corporate/4.0/x86_64/ntp-client-4.2.0-21.3.20060mlcs4.x86_64.rpm 
 50c665296cd7d09f4e98ae04e998e350  corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 d7ff99538a0da678adcc5606913bc1b6  mnf/2.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm 
 c8af767376df674dd434307c628e30cd  mnf/2.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFJbRVSmqjQ0CJFipgRAt23AJ43dVc9u32PRtOsFf8+xdJzSIx+wACdFIK3
LT/YaZTGtZnOdbhIr2LV9dg=
=23nb
-----END PGP SIGNATURE-----
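
The Problem Description above concerns a caller that mishandles the return value of signature verification. The following C sketch is an added example, not code from ntp or from Mandriva: it assumes a verify call that returns 1 for valid, 0 for invalid and -1 on a processing error, and toy_verify, accept_flawed, accept_strict and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Assumed three-valued result of a verification call. */
enum { SIG_ERROR = -1, SIG_INVALID = 0, SIG_VALID = 1 };

/* Constructed sample data: a toy "signature" is one length byte followed by
 * that many bytes, and it is valid when those bytes equal the message. */
static const unsigned char MSG[]           = { 'n', 't', 'p' };
static const unsigned char SIG_GOOD[]      = { 3, 'n', 't', 'p' };
static const unsigned char SIG_WRONG[]     = { 3, 'x', 't', 'p' };
static const unsigned char SIG_MALFORMED[] = { 9, 'n' }; /* length byte lies */

/* Hypothetical stand-in for the library verification call. */
static int toy_verify(const unsigned char *sig, size_t sig_len,
                      const unsigned char *msg, size_t msg_len)
{
    if (sig_len < 1 || (size_t)sig[0] != sig_len - 1)
        return SIG_ERROR;    /* encoding cannot be parsed at all */
    if ((size_t)sig[0] != msg_len || memcmp(sig + 1, msg, msg_len) != 0)
        return SIG_INVALID;  /* parsed, but does not match the message */
    return SIG_VALID;
}

/* Flawed caller: only 0 counts as failure, so -1 falls through as success. */
int accept_flawed(const unsigned char *sig, size_t sig_len)
{
    if (!toy_verify(sig, sig_len, MSG, sizeof MSG))
        return 0;
    return 1;
}

/* Corrected caller: anything other than explicit success is rejected. */
int accept_strict(const unsigned char *sig, size_t sig_len)
{
    return toy_verify(sig, sig_len, MSG, sizeof MSG) == SIG_VALID;
}

int main(void)
{
    printf("good:      flawed=%d strict=%d\n",
           accept_flawed(SIG_GOOD, sizeof SIG_GOOD), accept_strict(SIG_GOOD, sizeof SIG_GOOD));
    printf("wrong:     flawed=%d strict=%d\n",
           accept_flawed(SIG_WRONG, sizeof SIG_WRONG), accept_strict(SIG_WRONG, sizeof SIG_WRONG));
    printf("malformed: flawed=%d strict=%d\n",
           accept_flawed(SIG_MALFORMED, sizeof SIG_MALFORMED), accept_strict(SIG_MALFORMED, sizeof SIG_MALFORMED));
    return 0;
}
```

When auditing other callers for the same pattern, look for verification results tested with `!` or `== 0` instead of being compared against the explicit success value.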
