Bug 476807 (CVE-2009-0021)
Summary: | CVE-2009-0021 ntp incorrectly checks for malformed signatures
---|---
Product: | [Other] Security Response
Component: | vulnerability
Status: | CLOSED ERRATA
Severity: | medium
Priority: | medium
Version: | unspecified
Hardware: | All
OS: | Linux
Reporter: | Mark J. Cox <mjc>
Assignee: | Red Hat Product Security <security-response-team>
CC: | kreilly, maurizio, mlichvar, security-response-team, syeghiay
Keywords: | Security
Doc Type: | Bug Fix
Last Closed: | 2009-01-29 09:50:58 UTC
Bug Depends On: | 479696, 479697, 479698, 479699
Description
Mark J. Cox
2008-12-17 09:25:38 UTC
Public now via oCERT advisory:
http://www.ocert.org/advisories/ocert-2008-016.html

Fixed upstream in ntp 4.2.4p6, quoting Changelog:

* [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.

and NEWS file:

NTP 4.2.4p6 (Harlan Stenn <stenn>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting the OpenSSL library relating to the incorrect checking of the return value of EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for finding the original issue with OpenSSL, and to ocert.org for finding the problem in NTP and telling us about it.

Upstream bug:
https://support.ntp.org/bugs/show_bug.cgi?id=1111

Upstream patch:
http://ntp.bkbits.net:8080/ntp-stable/?PAGE=patch&REV=4965b200omtG93jknLgTe7Im_jeN-Q

ntp-4.2.4p6-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.

ntp-4.2.4p6-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2009-0046.html

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2009-0544
https://admin.fedoraproject.org/updates/F9/FEDORA-2009-0547