| Summary: | chrony new security issue CVE-2014-0021 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | olivier.delaune, rverschelde, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/584548/ | ||
| Whiteboard: | has_procedure mga3-32-ok mga4-64-ok advisory | ||
| Source RPM: | chrony-1.29-1.mga4.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2014-01-18 00:34:47 CET
Interesting note in that thread that this shouldn't be an issue by default, nor would it be much of an issue otherwise: http://openwall.com/lists/oss-security/2014/01/19/1 If it is not vulnerable by default in our package, I think we should close this as WONTFIX. We are indeed not affected by default (no cmdallow directive in our configuration file), but perhaps we should still issue an update for those who have enabled it? The issue is fixed in chrony 1.29.1, released on January 31: http://chrony.tuxfamily.org/News.html Updated packages uploaded for Mageia 4 and Cauldron. Note to QA: this should also fix an issue where chrony's PID file, /var/run/chrony.pid was not being removed when the service was stopped. Please verify this. It should be a very minor issue for us, as we don't use SELinux, which is why I haven't listed it in the advisory. Details are here: https://bugzilla.redhat.com/show_bug.cgi?id=974305 Advisory: ======================== Updated chrony package fixes security vulnerability: In the chrony control protocol some replies are significantly larger than their requests, which allows an attacker to use it in an amplification attack (CVE-2014-0021). Note: in the default configuration, cmdallow is restricted to localhost, so significant amplification is only possible if the configuration has been changed to allow cmdallow from other hosts. Even from hosts whose access is denied, minor amplification is still possible. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021 http://chrony.tuxfamily.org/News.html ======================== Updated packages in core/updates_testing: ======================== chrony-1.29.1-1.mga4 from chrony-1.29.1-1.mga4.src.rpm Version:
Cauldron =>
4 Fedora has issued an advisory for this on February 3: https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127837.html URL:
(none) =>
http://lwn.net/Vulnerabilities/584548/ How to check if chrony is working well after installing the new package? CC:
(none) =>
olivier.delaune It should keep your computer's clock synchronized as it normally does.
claire robinson
2014-02-10 19:44:45 CET
Whiteboard:
mga4-64-ok =>
has_procedure mga4-64-ok Testing on Mageia 4 i586. I can confirm that before the fix, the file /var/run/chronyd.pid is not removed when the service is stopped. The update candidate fixes it. -- Validating update. Advisory in comment 3 (not pushed yet). Could someone push the advisory and a sysadmin push the update from Mageia 4 core/updates_testing to core/updates? Keywords:
(none) =>
validated_update advisory added CC:
(none) =>
tmb Update pushed: http://advisories.mageia.org/MGASA-2014-0052.html Status:
NEW =>
RESOLVED |