ntp-4.2.2p1-9.el5 is the latest in RHEL5 from what I can tell; those security patches below are already applied, although I agree it's an outdated version.

Cheers,
Stephen

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of E-Mail Sent to this address will be added to the BlackLists
Sent: Wednesday, November 10, 2010 5:02 PM
To: [email protected]
Subject: Re: [ntp:questions] Local clock - sync issue

On 11/10/2010 1:06 PM, Stephen Vaughan wrote:
> I don't think we will upgrade, we're using standardized
> environment with rhel5.

(Shrug)

You may want to consider RHEL4 & RHEL5 recommendations to update to 4.2.4p8:

CVE-2009-3563 RHSA-2009:1648 Severity M Fixed 20091208
 ntp_request.c in ntpd in NTP before 4.2.4p8, and 4.2.5, allows remote attackers to cause a denial of service (CPU and bandwidth consumption) by using MODE_PRIVATE to send a spoofed (1) request or (2) response packet that triggers a continuous exchange of MODE_PRIVATE error responses between two NTP daemons.
 Mentioned in RHSA-2009-1651 for RHEL3 also.

(4.2.4p8) Which would also cover:

CVE-2009-0159 RHSA-2009:1039 Severity L Fixed 20090518
 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code

CVE-2009-1252 RHSA-2009:1039 Severity I Fixed 20090129
 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field.

CVE-2009-0021 RHSA-2009:0046 Severity M Fixed 20090518
 NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077.

... and issues even older than those.

--
E-Mail Sent to this address <[email protected]> will be added to the BlackLists.
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
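
Added example, not part of the original thread: because Red Hat backports fixes without raising the upstream base version, a string such as ntp-4.2.2p1-9.el5 cannot be compared against "before 4.2.4p8", so this sketch checks the package changelog for the CVE ids listed in the message instead. The function name `missing_cves` and the sample changelog are constructed for illustration; `rpm -q --changelog` is the real command to feed it on a live system.

```shell
#!/bin/sh
# CVE ids taken from the message above.
CVES="CVE-2009-3563 CVE-2009-0159 CVE-2009-1252 CVE-2009-0021"

# missing_cves CHANGELOG_TEXT  (hypothetical helper name)
# Prints, space-separated, the ids from $CVES that the changelog text
# does not mention; prints nothing when every id is mentioned.
missing_cves() {
    changelog=$1
    missing=""
    for cve in $CVES; do
        # -F fixed string, -w whole word (so an id is not matched as a
        # prefix of a longer one), -q quiet.
        if ! printf '%s\n' "$changelog" | grep -Fqw -- "$cve"; then
            missing="${missing:+$missing }$cve"
        fi
    done
    printf '%s' "$missing"
}

# Constructed sample changelog text (not real package data).
SAMPLE_CHANGELOG='* Tue Dec 08 2009 Packager <packager@example.com> 4.2.2p1-9
- fix DoS with mode 7 packets (CVE-2009-3563)
* Mon May 18 2009 Packager <packager@example.com> 4.2.2p1-8
- fix buffer overflow in ntpq (CVE-2009-0159)
- fix autokey buffer overflow (CVE-2009-1252)'

# On a live RPM-based host, check the installed package instead:
#   missing_cves "$(rpm -q --changelog ntp)"
result=$(missing_cves "$SAMPLE_CHANGELOG")
echo "not mentioned in changelog: ${result:-none}"
```

An id missing from the changelog means only that the packager did not name it there; confirm against the vendor advisory (the RHSA numbers in the message) before treating the package as unpatched.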
