Описание
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| openntpd | fixed | 1:6.0p1-1 | package | |
| openntpd | not-affected | jessie | package | |
| openntpd | not-affected | wheezy | package |
Примечания
https://www.openwall.com/lists/oss-security/2016/05/23/2
Authenticated TLS "contraints" introduced in 2015-03-24 OpenNTPD 5.7p4
Option is not enabled at buildtime.
Связанные уязвимости
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.