| Poster | Thread |
|---|
|
PCI Compliance NTP | #1 |
|
|---|---|---|---|
|
Newbie
Joined: 2012/1/15
From
Posts: 2
|
I'm currently trying to get CentOS 5.7 PCI compliant but keep getting the following in regards to NTP:

Description: Possible vulnerability in ntpd
Severity: Potential Problem
CVE: CVE-2001-0414
Impact: If this vulnerability is present, a remote attacker could gain root access to an affected system.
Resolution
NTP Software Downloads
Upgrade to NTP 4.2.4p8 or higher, or upgrade as designated by Linux vendor

I'm currently on 4.2.2p1 and can't find any way to upgrade. Any suggestions would be welcome.

[Moderator edit: Fix URL.] |
||
Posted on: 2012/1/15 23:10
|
|||
|
Re: PCI Compliance NTP | #2 |
|
|---|---|---|---|
|
Moderator
Joined: 2009/9/24
From Brighton, UK
Posts: 6376
|
Generally the way to check is to run
but in this case it does not work because it seems that that CVE is so old that it predates Red Hat adding CVE numbers to their changelog. However, there is an entry in the changelog

Quote:

and since that's the day after CVE-2001-0414 is dated I think it's a reasonable assumption that it is the fix.

I'm also not quite sure of the recommendation to upgrade to 4.2.4 or higher; since 4.2.2 was released in 2006 I would really expect it to contain the fix for a security problem reported in 2001! The CVE itself says to upgrade to later than 4.0.99k to fix the problem so this also means that 4.2.2 is OK. What is fixed in 4.2.4p8 is CVE-2009-1252 and that does have an entry in the changelog for RHEL's 4.2.2.

Mods: the link in the OP's post leads nowhere because of a trailing "]" |
||
|
_________________
Linux/VoIP Systems Administrator |
|||
Posted on: 2012/1/16 0:06
|
|||
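The check reasoned through in reply #2, as an added example that is not part of the original thread: look for the CVE id in the package changelog and, when the changelog predates CVE tagging, fall back to entries dated shortly after the CVE. It assumes the text comes from `rpm -q --changelog <package>`; the sample changelog, the 2001 CVE date and the function names are constructed for illustration.

```python
import re
from datetime import date, datetime, timedelta

# Constructed sample shaped like `rpm -q --changelog <package>` output.
# Packager, dates and wording are invented; this is not the real ntp changelog.
SAMPLE_CHANGELOG = """\
* Mon May 18 2009 Example Packager <packager@example.com>
- fix buffer overflow when parsing an association message
  (CVE-2009-1252)

* Thu Apr 05 2001 Example Packager <packager@example.com>
- security patch for ntpd
"""

ENTRY = re.compile(r"^\* \w{3} (\w{3} +\d{1,2} \d{4}) ?(.*)$")

def parse_changelog(text):
    """Split changelog text into (date, header, body) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # normalise "Apr  5 2001"
            entries.append([datetime.strptime(stamp, "%b %d %Y").date(), m.group(2), []])
        elif entries and line.strip():
            entries[-1][2].append(line.strip())
    return [(d, h, " ".join(b)) for d, h, b in entries]

def check_cve(text, cve_id, cve_date, window_days=14):
    """Return ("named", entries) if the changelog cites cve_id; otherwise
    ("candidates", entries dated 0..window_days after cve_date, ISO string)."""
    entries = parse_changelog(text)
    cited = re.compile(re.escape(cve_id) + r"(?!\d)")
    named = [e for e in entries if cited.search(e[2])]
    if named:
        return "named", named
    start = date.fromisoformat(cve_date)
    near = [e for e in entries
            if timedelta(0) <= e[0] - start <= timedelta(days=window_days)]
    return "candidates", near

if __name__ == "__main__":
    # The 2001 date is a constructed value for the sample; take the real one
    # from the CVE record.
    for cve, dated in [("CVE-2009-1252", "2009-05-18"), ("CVE-2001-0414", "2001-04-04")]:
        status, hits = check_cve(SAMPLE_CHANGELOG, cve, dated)
        print(cve, status, [(str(d), body) for d, _, body in hits])
```

A "candidates" result is a lead to confirm against the vendor's advisory for the package, not proof that the fix is present.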
|
Re: PCI Compliance NTP | #3 |
|
|---|---|---|---|
|
Moderator
Joined: 2006/12/13
From Tidewater, Virginia, North America
Posts: 18773
|
Seems like yet another case of the stupidity of PCI compliance checks that are more concerned with version numbers than actual security. Please point your PCI police to TUV's policy of Backporting of Security Fixes.
|
||
|
_________________
Phil Recommended reading: FAQ & Readme first ; Search hint: google "your topic site:centos.org"; Smart Questions |
|||
Posted on: 2012/1/16 3:37
|
|||
|
Re: PCI Compliance NTP | #4 |
|
|---|---|---|---|
|
Newbie
Joined: 2012/1/15
From
Posts: 2
|
Thanks everyone for the advice. I will see how I get on.
|
||
Posted on: 2012/1/16 9:38
|
|||