Mandriva Linux Security Advisory 2009-007 - A flaw was found in how NTP checked the return value of signature verification. A remote attacker could use this to bypass certificate validation by using a malformed SSL/TLS signature. The updated packages have been patched to prevent this issue.
c9e99a6102c7efbed61e4bae8c6ba69c917268c68c4c956a0db78af8c0f45be8
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:007
http://www.mandriva.com/security/
_______________________________________________________________________
Package : ntp
Date : January 13, 2009
Affected: 2008.0, 2008.1, 2009.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A flaw was found in how NTP checked the return value of signature
verification. A remote attacker could use this to bypass certificate
validation by using a malformed SSL/TLS signature (CVE-2009-0021).
The updated packages have been patched to prevent this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2008.0:
91f0330a936cb343029aec711da0ce4f 2008.0/i586/ntp-4.2.4-10.1mdv2008.0.i586.rpm
e7e6559f0431ff856d0da0b1d5a590a4 2008.0/i586/ntp-client-4.2.4-10.1mdv2008.0.i586.rpm
05f3b3c5777f6bef48ee85fefeaff8a8 2008.0/i586/ntp-doc-4.2.4-10.1mdv2008.0.i586.rpm
a9cd3b03e611b517664ffae074da31da 2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm
Mandriva Linux 2008.0/X86_64:
e68c5263d456ec90d157787e70b17b99 2008.0/x86_64/ntp-4.2.4-10.1mdv2008.0.x86_64.rpm
85e0c28eae68bcdcca997c5c2bb9bf8c 2008.0/x86_64/ntp-client-4.2.4-10.1mdv2008.0.x86_64.rpm
ffbd2a9f924478d27f33ad13e1c4e250 2008.0/x86_64/ntp-doc-4.2.4-10.1mdv2008.0.x86_64.rpm
a9cd3b03e611b517664ffae074da31da 2008.0/SRPMS/ntp-4.2.4-10.1mdv2008.0.src.rpm
Mandriva Linux 2008.1:
1a9909288448845fa41b220b50917ee1 2008.1/i586/ntp-4.2.4-15.1mdv2008.1.i586.rpm
6693319db15308f559912c9fe989bdd6 2008.1/i586/ntp-client-4.2.4-15.1mdv2008.1.i586.rpm
63758cadb1cf81ebb7bef096dc285f2f 2008.1/i586/ntp-doc-4.2.4-15.1mdv2008.1.i586.rpm
ca06251ccab188cdb4f28fba35190eb6 2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64:
9c7b290e643cae08556bd3b1f6380926 2008.1/x86_64/ntp-4.2.4-15.1mdv2008.1.x86_64.rpm
7fd00c9b82a0ca577962d59975433071 2008.1/x86_64/ntp-client-4.2.4-15.1mdv2008.1.x86_64.rpm
f99d1d7980dd6788a0f0c4924241a6d3 2008.1/x86_64/ntp-doc-4.2.4-15.1mdv2008.1.x86_64.rpm
ca06251ccab188cdb4f28fba35190eb6 2008.1/SRPMS/ntp-4.2.4-15.1mdv2008.1.src.rpm
Mandriva Linux 2009.0:
82ed4b25f0a0c1c607e5819ec1d70603 2009.0/i586/ntp-4.2.4-18.1mdv2009.0.i586.rpm
71855df81d8dd138d54fb24f5c221a5b 2009.0/i586/ntp-client-4.2.4-18.1mdv2009.0.i586.rpm
30874a706c15d4086df8493af51f5082 2009.0/i586/ntp-doc-4.2.4-18.1mdv2009.0.i586.rpm
248052356a2606f377debf55257b6855 2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm
Mandriva Linux 2009.0/X86_64:
c6462453877b538618e8bf8d0132b1a3 2009.0/x86_64/ntp-4.2.4-18.1mdv2009.0.x86_64.rpm
abe80d9922eb665d6e5be56197895a68 2009.0/x86_64/ntp-client-4.2.4-18.1mdv2009.0.x86_64.rpm
eb780b2e38ebb1b4ee1999c4f0429231 2009.0/x86_64/ntp-doc-4.2.4-18.1mdv2009.0.x86_64.rpm
248052356a2606f377debf55257b6855 2009.0/SRPMS/ntp-4.2.4-18.1mdv2009.0.src.rpm
Corporate 3.0:
d1593543a5d37e6b8ea2c8468ce1d0d3 corporate/3.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm
fc6c1a4605258d876c8a09d7d0d116ef corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm
Corporate 3.0/X86_64:
1214dd1fed42c4acd3ad36da9bd8b0ea corporate/3.0/x86_64/ntp-4.2.0-2.1.C30mdk.x86_64.rpm
fc6c1a4605258d876c8a09d7d0d116ef corporate/3.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm
Corporate 4.0:
dcc6abed648d3baac3233264bc107517 corporate/4.0/i586/ntp-4.2.0-21.3.20060mlcs4.i586.rpm
d1c9cf4d821856af81ce574fa08c1f52 corporate/4.0/i586/ntp-client-4.2.0-21.3.20060mlcs4.i586.rpm
50c665296cd7d09f4e98ae04e998e350 corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm
Corporate 4.0/X86_64:
6c41fd0f995d8cf8cf216bf82e062de0 corporate/4.0/x86_64/ntp-4.2.0-21.3.20060mlcs4.x86_64.rpm
da7f3cd1385ae2250cd191182079c037 corporate/4.0/x86_64/ntp-client-4.2.0-21.3.20060mlcs4.x86_64.rpm
50c665296cd7d09f4e98ae04e998e350 corporate/4.0/SRPMS/ntp-4.2.0-21.3.20060mlcs4.src.rpm
Multi Network Firewall 2.0:
d7ff99538a0da678adcc5606913bc1b6 mnf/2.0/i586/ntp-4.2.0-2.1.C30mdk.i586.rpm
c8af767376df674dd434307c628e30cd mnf/2.0/SRPMS/ntp-4.2.0-2.1.C30mdk.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFJbRVSmqjQ0CJFipgRAt23AJ43dVc9u32PRtOsFf8+xdJzSIx+wACdFIK3
LT/YaZTGtZnOdbhIr2LV9dg=
=23nb
-----END PGP SIGNATURE-----