Home / vulnerabilitiesPDF  

Mandriva Linux Security Advisory 2015-202

Posted on 13 April 2015
Source : packetstormsecurity.org Link

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2015:202
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : ntp
Date : April 10, 2015
Affected: Business Server 1.0, Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in ntp:

The symmetric-key feature in the receive function in ntp_proto.c
in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC
field has a nonzero length, which makes it easier for man-in-the-middle
attackers to spoof packets by omitting the MAC (CVE-2015-1798).

The symmetric-key feature in the receive function in ntp_proto.c
in ntpd in NTP before 4.2.8p2 performs state-variable updates
upon receiving certain invalid packets, which makes it easier
for man-in-the-middle attackers to cause a denial of service
(synchronization loss) by spoofing the source IP address of a peer
(CVE-2015-1799).

The updated packages provides a solution for these security issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 1/X86_64:
b0f98e6b8700e3e3413582fe28d1ba06 mbs1/x86_64/ntp-4.2.6p5-8.4.mbs1.x86_64.rpm
d864780718c95368bf9ec81643e35e5d mbs1/x86_64/ntp-client-4.2.6p5-8.4.mbs1.x86_64.rpm
6f457df52d46fb8e6b0fe44aead752eb mbs1/x86_64/ntp-doc-4.2.6p5-8.4.mbs1.x86_64.rpm
b4bff3de733ea6d2839a77a9211ce02b mbs1/SRPMS/ntp-4.2.6p5-8.4.mbs1.src.rpm

Mandriva Business Server 2/X86_64:
e9ac2f3465bcc50199aef8a4d553927f mbs2/x86_64/ntp-4.2.6p5-16.3.mbs2.x86_64.rpm
cf2970c3c56efbfa84f964532ad64544 mbs2/x86_64/ntp-client-4.2.6p5-16.3.mbs2.x86_64.rpm
1ae1b1d3c2e7bdea25c01c33652b6169 mbs2/x86_64/ntp-doc-4.2.6p5-16.3.mbs2.noarch.rpm
d250433009fd187361bda6338dc5eede mbs2/SRPMS/ntp-4.2.6p5-16.3.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVJ6PCmqjQ0CJFipgRAkidAKCQXSLNnIG/bOaH5Cf128VX61GlgwCfcOtE
KGIFB9onVvWrhThuQdgmYJg=
=QHmi
-----END PGP SIGNATURE-----

 

TOP