CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2009-0021 – ntp incorrectly checks for malformed signatures
https://notcve.org/view.php?id=CVE-2009-0021
NTP 4.2.4 before 4.2.4p5 and 4.2.5 before 4.2.5p150 does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys, a similar vulnerability to CVE-2008-5077. NTP versiones 4.2.4 anteriores a 4.2.4p5 y versiones 4.2.5 anteriores a 4.2.5p150, no comprueba apropiadamente el valor devuelto de la función EVP_VerifyFinal de OpenSSL, que permite a los atacantes remotos omitir la comprobación de la cadena de certificados por medio de una firma de SSL/TLS malformada para las claves DSA y ECDSA, una vulnerabilidad similar a CVE-2008-5077. • http://lists.apple.com/archives/security-announce/2009/May/msg00002.html http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html http://secunia.com/advisories/33406 http://secunia.com/advisories/33558 http://secunia.com/advisories/33648 http://secunia.com/advisories/34642 http://secunia.com/advisories/35074 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177 • CWE-287: Improper Authentication •
CVSS: 5.0EPSS: 0%CPEs: 7EXPL: 0CVE-2004-0657
https://notcve.org/view.php?id=CVE-2004-0657
Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time. • http://marc.info/?l=bugtraq&m=108922292425219&w=2 http://www.kb.cert.org/vuls/id/584606 https://exchange.xforce.ibmcloud.com/vulnerabilities/15406 • CWE-190: Integer Overflow or Wraparound •