Bug 254098 (CVE-2009-0021)

Summary: net-misc/ntp<4.2.4_p6 incorrect checks for malformed signatures (CVE-2009-0021)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: base-system, gengor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.ocert.org/advisories/ocert-2008-016.html
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Robert Buchholz (RETIRED) gentoo-dev 2009-01-07 13:33:06 UTC
ntpd uses the OpenSSL EVP_VerifyFinal function and incorrectly checks the return code; refer to bug 251346 for details.

ntpd upstream will release a patch shortly.
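Added example, not part of the bug report or of ntp's code: a heuristic source audit for the bug class described above. It relies on the return-value contract documented by OpenSSL (1 = valid signature, 0 = invalid, -1 = other error), which this page does not spell out; the C snippet in `SAMPLE` and the verdict names are constructed for illustration.

```python
import re

# OpenSSL documents EVP_VerifyFinal as tri-state: 1 valid, 0 invalid, -1 error.
# A bare truth test or a comparison with 0 lets -1 take the "valid" branch.
CALL = re.compile(r"\bEVP_VerifyFinal\s*\(")
# Comparisons that separate 1 from both 0 and -1.
SAFE_AFTER = re.compile(r"\s*(==\s*1|!=\s*1|<=\s*0|>\s*0|<\s*1|>=\s*1)\b")
# Result stored in a variable: the later test on that variable needs review.
ASSIGNED = re.compile(r"[^=!<>]=$")

def call_end(src, open_idx):
    """Return the index just past the ')' matching the '(' at open_idx."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    return len(src)

def audit(src):
    """Return [(line, verdict)] for each EVP_VerifyFinal call site in C source.

    Verdicts: 'ok' (tri-state safe comparison), 'review' (result assigned),
    'suspect' (truth test, negation, or comparison with 0).
    Heuristic only: comments, strings and macros are not parsed.
    """
    findings = []
    for m in CALL.finditer(src):
        line = src.count("\n", 0, m.start()) + 1
        before = src[:m.start()].rstrip()
        after = src[call_end(src, m.end() - 1):]
        if SAFE_AFTER.match(after):
            verdict = "ok"
        elif ASSIGNED.search(before):
            verdict = "review"
        else:
            verdict = "suspect"
        findings.append((line, verdict))
    return findings

# Constructed sample input, not taken from ntp.
SAMPLE = """if (!EVP_VerifyFinal(&ctx, sig, siglen, pkey))
    return FAIL;
if (EVP_VerifyFinal(&ctx, sig, (unsigned int)siglen, pkey) <= 0)
    return FAIL;
rc = EVP_VerifyFinal(&ctx, sig, siglen, pkey);
if (EVP_VerifyFinal(&ctx, sig, siglen, pkey) == 0)
    return FAIL;
"""
```
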
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-01-07 18:31:32 UTC
public via URL
Comment 2 SpanKY gentoo-dev 2009-01-10 13:11:31 UTC
ntp-4.2.4_p6 now in the tree
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-10 17:22:59 UTC
Arches, please test and mark stable:
=net-misc/ntp-4.2.4_p6
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 4 Markus Meier gentoo-dev 2009-01-11 13:45:03 UTC
amd64/x86 stable
Comment 5 Guy Martin (RETIRED) gentoo-dev 2009-01-11 14:23:55 UTC
hppa stable
Comment 6 Brent Baude (RETIRED) gentoo-dev 2009-01-12 15:49:41 UTC
ppc64 done
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-01-13 11:08:30 UTC
alpha/ia64/s390/sh/sparc stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2009-01-13 17:31:03 UTC
ppc stable and I guess we want a GLSA on this one.
Comment 9 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-03-31 11:43:24 UTC
GLSA filed.
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2009-04-05 14:02:02 UTC
GLSA 200904-05