I'm currently trying to get CentOS 5.7 PCI compliant but keep getting the following in regards to NTP:
Description: Possible vulnerability in ntpd
Severity: Potential Problem
CVE: CVE-2001-0414
Impact: If this vulnerability is present, a remote attacker could gain root access to an affected system.
Resolution: [url=http://www.ntp.org/downloads.html]NTP Software Downloads[/url] Upgrade to NTP 4.2.4p8 or higher, or upgrade as designated by Linux vendor
I'm currently on 4.2.2p1 and can't find any way to upgrade. Any suggestions would be welcome.
[Moderator edit: Fix URL.]
PCI Compliance NTP
Re: PCI Compliance NTP
Generally the way to check is to run
[code]
rpm -q --changelog ntp | grep CVE-xxxx-xxxx
[/code]
but in this case it does not work because it seems that that CVE is so old that it predates Red Hat adding CVE numbers to their changelog. However, there is an entry in the changelog
[quote]
* Thu Apr 05 2001 Preston Brown
- security patch for ntpd
[/quote]
and since that's the day after CVE-2001-0414 is dated, I think it's a reasonable assumption that it is the fix. I'm also not quite sure of the recommendation to upgrade to 4.2.4 or higher: since 4.2.2 was released in 2006, I would really expect it to contain the fix for a security problem reported in 2001! The CVE itself says to upgrade to later than 4.0.99k to fix the problem, so this also means that 4.2.2 is OK. What [u]is[/u] fixed in 4.2.4p8 is CVE-2009-1252, and that does have an entry in the changelog for RHEL's 4.2.2.
Mods: the link in the OP's post leads nowhere because of a trailing "]"
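The check described in the reply above (grep the package changelog for the CVE id, and when the id predates CVE tagging, look for a "security" entry dated around the CVE) can be scripted so it works for any package and any CVE. The script below is an added example, not something posted in this thread: the changelog excerpt is constructed for the demonstration (only the "Thu Apr 05 2001" entry is the one quoted above; the packager name and version placeholders are made up), and the `check_package` wrapper assumes an `rpm` binary is present.

```shell
#!/bin/sh
# Added example: verify a CVE fix via the RPM changelog rather than the
# upstream version number (RHEL/CentOS backport fixes, so the version
# string alone says nothing about whether a CVE is addressed).

# Constructed changelog excerpt standing in for `rpm -q --changelog ntp`.
# Names and the version tag are placeholders, not real package history.
SAMPLE_CHANGELOG='* Fri May 22 2009 Packager Name <packager@example.invalid> 0.0.0-placeholder
- fix buffer overflow (CVE-2009-1252)
* Thu Apr 05 2001 Preston Brown
- security patch for ntpd
* Mon Mar 26 2001 Packager Name
- rebuild'

# changelog_has_cve CVE-ID CHANGELOG_TEXT
# Exit 0 when the CVE id appears anywhere in the changelog, 1 otherwise.
changelog_has_cve() {
    printf '%s\n' "$2" | grep -q -F -- "$1"
}

# security_entries_since YYYYMMDD CHANGELOG_TEXT
# Print the header line of every changelog entry dated on or after the
# given day whose body mentions "security" or any CVE id. This is the
# fallback for CVEs that predate CVE tagging in vendor changelogs.
security_entries_since() {
    printf '%s\n' "$2" | awk -v since="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        # Entry header: "* Dow Mon DD YYYY Packager ..."
        /^\* / {
            flush()
            hdr = $0
            key = sprintf("%04d%02d%02d", $5, mon[$3], $4)
            body = ""
            next
        }
        { body = body "\n" $0 }
        END { flush() }
        function flush() {
            if (hdr != "" && key >= since &&
                tolower(body) ~ /security|cve-[0-9]+-[0-9]+/)
                print hdr
        }'
}

# check_package PACKAGE CVE-ID YYYYMMDD
# Live-system wrapper (assumes rpm is installed): report whether the
# installed package's changelog references the CVE; if not, list
# security-related entries dated on or after the CVE's publication date.
check_package() {
    _log=$(rpm -q --changelog "$1" 2>/dev/null) || {
        echo "$1: package not installed or rpm unavailable"
        return 2
    }
    if changelog_has_cve "$2" "$_log"; then
        echo "$1: changelog references $2"
        return 0
    fi
    echo "$1: no changelog reference to $2; security entries dated since $3:"
    security_entries_since "$3" "$_log"
}

# Demonstration on the constructed excerpt. CVE-2001-0414 is dated the day
# before the 2001 entry, so 20010404 is the cut-off used above.
if changelog_has_cve CVE-2009-1252 "$SAMPLE_CHANGELOG"; then
    echo "CVE-2009-1252: referenced directly in changelog"
fi
if ! changelog_has_cve CVE-2001-0414 "$SAMPLE_CHANGELOG"; then
    echo "CVE-2001-0414: not tagged; candidate security entries since 2001-04-04:"
    security_entries_since 20010404 "$SAMPLE_CHANGELOG"
fi
```

On a real host the call is `check_package ntp CVE-2001-0414 20010404`; a hit in the second list is evidence for the backported fix, which is what an assessor needs to see alongside the vendor's backporting policy.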
PCI Compliance NTP
Seems like yet another case of the stupidity of PCI compliance checks that are more concerned with version numbers than actual security. Please point your PCI police to [url=http://wiki.centos.org/FAQ/General?highlight=%28TUV%29#head-d29a2b7e61ffc544973098f9dd49fe4663efba50]TUV[/url]'s policy of [url=http://www.redhat.com/security/updates/backporting/]Backporting of Security Fixes[/url].
Re: PCI Compliance NTP
Thanks everyone for the advice. I will see how I get on.