On 11/10/2010 1:06 PM, Stephen Vaughan wrote: > I don't think we will upgrade, we're using standardized > environment with rhel5.
(Shrug) You may want to consider REHL4 & REHL5 recommendations to update to 4.2.4p8: CVE-2009-3563 RHSA-2009:1648 Severity M Fixed 20091208 ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons. Mentioned in RHSA-2009-1651 for RHEL3 also. (4.2.4p8) Which would also cover: CVE-2009-0159 RHSA-2009:1039 Severity L Fixed 20090518 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code CVE-2009-1252 RHSA-2009:1039 Severity I Fixed 20090129 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. CVE-2009-0021 RHSA-2009:0046 Severity M Fixed 20090518 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. ... and issues even older than those. -- E-Mail Sent to this address <[email protected]> will be added to the BlackLists. _______________________________________________ questions mailing list [email protected] http://lists.ntp.org/listinfo/questions
