CentOS Local Security Checks : CentOS Update for ntp CESA-2009:0046 centos5 i386

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.880814

Categoría: CentOS Local Security Checks

Título: CentOS Update for ntp CESA-2009:0046 centos5 i386

Resumen: The remote host is missing an update for the 'ntp'; package(s) announced via the referenced advisory.

Descripción: Summary:
The remote host is missing an update for the 'ntp'
package(s) announced via the referenced advisory.

Vulnerability Insight:
The Network Time Protocol (NTP) is used to synchronize a computer's time
with a referenced time source.

A flaw was discovered in the way the ntpd daemon checked the return value
of the OpenSSL EVP_VerifyFinal function. On systems using NTPv4
authentication, this could lead to an incorrect verification of
cryptographic signatures, allowing time-spoofing attacks. (CVE-2009-0021)

Note: This issue only affects systems that have enabled NTP authentication.
By default, NTP authentication is not enabled.

All ntp users are advised to upgrade to the updated packages, which contain
a backported patch to resolve this issue. After installing the update, the
ntpd daemon will restart automatically.

Affected Software/OS:
ntp on CentOS 5

Solution:
Please install the updated packages.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2009-0021
1021533
http://www.securitytracker.com/id?1021533
20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses
http://www.securityfocus.com/archive/1/499827/100/0/threaded
33406
http://secunia.com/advisories/33406
33558
http://secunia.com/advisories/33558
33648
http://secunia.com/advisories/33648
34642
http://secunia.com/advisories/34642
35074
http://secunia.com/advisories/35074
ADV-2009-0042
http://www.vupen.com/english/advisories/2009/0042
ADV-2009-1297
http://www.vupen.com/english/advisories/2009/1297
APPLE-SA-2009-05-12
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
RHSA-2009:0046
http://www.redhat.com/support/errata/RHSA-2009-0046.html
SSA:2009-014-03
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177
SUSE-SR:2009:005
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html
SUSE-SR:2009:008
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
TA09-133A
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
[announce] 20090108 NTP 4.2.4p6 Released
https://lists.ntp.org/pipermail/announce/2009-January/000055.html
http://support.apple.com/kb/HT3549
http://www.ocert.org/advisories/ocert-2008-016.html
oval:org.mitre.oval:def:10035
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10035

Copyright Copyright (C) 2011 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.880814
Categoría:	CentOS Local Security Checks
Título:	CentOS Update for ntp CESA-2009:0046 centos5 i386
Resumen:	The remote host is missing an update for the 'ntp'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'ntp' package(s) announced via the referenced advisory. Vulnerability Insight: The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. A flaw was discovered in the way the ntpd daemon checked the return value of the OpenSSL EVP_VerifyFinal function. On systems using NTPv4 authentication, this could lead to an incorrect verification of cryptographic signatures, allowing time-spoofing attacks. (CVE-2009-0021) Note: This issue only affects systems that have enabled NTP authentication. By default, NTP authentication is not enabled. All ntp users are advised to upgrade to the updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically. Affected Software/OS: ntp on CentOS 5 Solution: Please install the updated packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2009-0021 1021533 http://www.securitytracker.com/id?1021533 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.securityfocus.com/archive/1/499827/100/0/threaded 33406 http://secunia.com/advisories/33406 33558 http://secunia.com/advisories/33558 33648 http://secunia.com/advisories/33648 34642 http://secunia.com/advisories/34642 35074 http://secunia.com/advisories/35074 ADV-2009-0042 http://www.vupen.com/english/advisories/2009/0042 ADV-2009-1297 http://www.vupen.com/english/advisories/2009/1297 APPLE-SA-2009-05-12 http://lists.apple.com/archives/security-announce/2009/May/msg00002.html RHSA-2009:0046 http://www.redhat.com/support/errata/RHSA-2009-0046.html SSA:2009-014-03 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177 SUSE-SR:2009:005 http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html SUSE-SR:2009:008 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html TA09-133A http://www.us-cert.gov/cas/techalerts/TA09-133A.html [announce] 20090108 NTP 4.2.4p6 Released https://lists.ntp.org/pipermail/announce/2009-January/000055.html http://support.apple.com/kb/HT3549 http://www.ocert.org/advisories/ocert-2008-016.html oval:org.mitre.oval:def:10035 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10035
Copyright	Copyright (C) 2011 Greenbone AG