+---
+(4.2.4p6) 2009/01/07 Released by Harlan Stenn <stenn@ntp.org>
+
+* [Sec 1111] Fix incorrect check of EVP_VerifyFinal()'s return value.
+* Update the copyright year.
+
---
(4.2.4p5) 2008/08/17 Released by Harlan Stenn <stenn@ntp.org>
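Review bot: The [Sec 1111] line does not carry the CVE identifier, although the NEWS entry for the same release names CVE-2009-0021. Adding it here would let someone searching the ChangeLog by CVE find the fix without going through the bug number.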
+NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
+
+Focus: Security Fix
+
+Severity: Low
+
+This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
+the OpenSSL library relating to the incorrect checking of the return
+value of EVP_VerifyFinal function.
+
+Credit for finding this issue goes to the Google Security Team for
+finding the original issue with OpenSSL, and to ocert.org for finding
+the problem in NTP and telling us about it.
+
+This is a recommended upgrade.
+---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
Focus: Minor Bugfixes
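Review bot: The phrase "a vulnerability affecting the OpenSSL library" in the description paragraph reads as if the defect sits in OpenSSL, while the ChangeLog entry describes the fix as an incorrect check of EVP_VerifyFinal()'s return value in NTP itself. Suggest wording it as NTP's incorrect checking of the return value of OpenSSL's EVP_VerifyFinal() function, so a reader does not conclude that upgrading OpenSSL alone is enough. Two smaller wording points: "of EVP_VerifyFinal function" is missing "the", and the credit paragraph repeats "finding" ("Credit for finding this issue goes to ... for finding the original issue").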
<pre>
***********************************************************************
* *
-* Copyright (c) David L. Mills 1992-2008 *
+* Copyright (c) David L. Mills 1992-2009 *
* *
* Permission to use, copy, modify, and distribute this software and *
* its documentation for any purpose with or without fee is hereby *
*/
EVP_VerifyInit(&ctx, peer->digest);
EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
- if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+ if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
return (XEVNT_SIG);
if (peer->crypto & CRYPTO_FLAG_VRFY) {
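Review bot: Consider testing `!= 1` rather than `<= 0` in the changed `if`, so that anything other than EVP_VerifyFinal's success value ends in `return (XEVNT_SIG);`. The `<= 0` form does close the gap in the old `!EVP_VerifyFinal(...)` test, which only caught a return of 0 and let a negative error return pass as a valid signature, but comparing against the one success value fails closed by construction. The EVP_VerifyInit and EVP_VerifyUpdate calls on the two lines above still have their results ignored, and this is the only call site visible in the patch, so please confirm that every other EVP_VerifyFinal caller in the tree got the same change.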
# [???] To start an RC cycle: RC->yes
# To release from an RC cycle: rcpoint-> GO
# ReleaseCandidate. 'yes' or 'no'.
-releasecandidate=no
+releasecandidate=yes
#releasecandidate=no
# ChangeLog tag
CLTAG=NTP_4_2_0
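Review bot: The switch to `releasecandidate=yes` is not mentioned in the ChangeLog entry, which lists only the Sec 1111 fix and the copyright year and describes 4.2.4p6 as "Released". If this is meant to start an RC cycle, as the comment above it says ("To start an RC cycle: RC->yes"), it belongs in its own change or at least in the ChangeLog; if not, please confirm the security release is not meant to ship with the release-candidate flag set. The commented-out `#releasecandidate=no` directly below duplicates the removed line and can be dropped.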