| Summary: | chrony new security issue CVE-2016-1567 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/673463/ | ||
| Whiteboard: | has_procedure MGA5-32-OK advisory | ||
| Source RPM: | chrony-1.31.1-1.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2016-01-25 02:04:03 CET
Fedora has issued an advisory for this on January 23: https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html Advisory: ======================== Updated chrony package fixes security vulnerability: In chrony before 1.31.2, when used with symmetric key encryption, the client would accept packets encrypted with keys for any configured server, allowing a server to impersonate other servers to clients, thus performing a man-in- the-middle attack (CVE-2016-1567). References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1567 http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released http://www.talosintel.com/reports/TALOS-2016-0071/ https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175969.html
David Walser
2016-01-25 20:31:36 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/673463/ Working fine on Mageia 5 i586. You can use "chronyc sources" (as root) to verify that it's synchronized with your configured ntp server(s). Whiteboard:
(none) =>
has_procedure MGA5-32-OK
Dave Hodgins
2016-01-28 19:55:21 CET
Keywords:
(none) =>
validated_update An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0038.html Status:
NEW =>
RESOLVED |