Cisco Security Advisory: Cisco IOS Software Network Time Protocol
Packet Vulnerability
Advisory ID: cisco-sa-20090923-ntp
Revision 1.0
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
Autokey is a security model for authenticating Network Time Protocol
(NTP) servers to clients, using public key cryptography.
The currently installed version of Tomcat depends on
your patch deployment history.
c. Third party library update for ntp.
The Network Time Protocol (NTP) is used to synchronize a computer's
time with a referenced time source.
ESXi 3.5 and ESXi 4.0 have an ntp client that is affected by the
following security issue. Note that the same security issue is
present in the ESX Service Console as described in section d. of
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.
II. Problem Description
CVE Id(s) : CVE-2009-0159 CVE-2009-1252
CERT advisory : VU#853097
Debian Bug : 525373
Several remote vulnerabilities have been discovered in NTP, the Network
Time Protocol reference implementation. The Common Vulnerabilities and
Exposures project identifies the following problems:
CVE-2009-0159
A buffer overflow in ntpq allows a remote NTP server to create a
bandwidth consumption.
Background
==========
NTP is a set of Network Time Protocol programs.
Affected packages
=================
-------------------------------------------------------------------
* hosted products are VMware Workstation, Player, ACE, Server, Fusion.
b. ESXi userworld update for ntp
The Network Time Protocol (NTP) is used to synchronize the time of
a computer client or server to another server or reference time
source.
A vulnerability in ntpd could allow a remote attacker to cause a
denial of service (CPU and bandwidth consumption) by using
Background
==========
NTP contains the client and daemon implementations for the Network Time
Protocol.
Affected packages
=================
-------------------------------------------------------------------
Background
==========
ntp contains the client and daemon implementations for the Network Time
Protocol.
Affected packages
=================
-------------------------------------------------------------------
Debian-specific: no
CVE Id(s) : CVE-2009-0021
Debian Bug : 511227
It has been discovered that NTP, an implementation of the Network Time
Protocol, does not properly check the result of an OpenSSL function
for verifying cryptographic signatures, which may ultimately lead to
the acceptance of unauthenticated time information. (Note that
cryptographic authentication of time servers is often not enabled in
the first place.)