chrony suffers from the same traffic amplification issue that ntp does (Bug 12326). This has just been discovered and given a CVE: http://openwall.com/lists/oss-security/2014/01/17/9 No fix is available yet. Reproducible: Steps to Reproduce:
Interesting note in that thread that this shouldn't be an issue by default, nor would it be much of an issue otherwise: http://openwall.com/lists/oss-security/2014/01/19/1 If it is not vulnerable by default in our package, I think we should close this as WONTFIX.
We are indeed not affected by default (no cmdallow directive in our configuration file), but perhaps we should still issue an update for those who have enabled it? The issue is fixed in chrony 1.29.1, released on January 31: http://chrony.tuxfamily.org/News.html
Updated packages uploaded for Mageia 4 and Cauldron. Note to QA: this should also fix an issue where chrony's PID file, /var/run/chrony.pid was not being removed when the service was stopped. Please verify this. It should be a very minor issue for us, as we don't use SELinux, which is why I haven't listed it in the advisory. Details are here: https://bugzilla.redhat.com/show_bug.cgi?id=974305 Advisory: ======================== Updated chrony package fixes security vulnerability: In the chrony control protocol some replies are significantly larger than their requests, which allows an attacker to use it in an amplification attack (CVE-2014-0021). Note: in the default configuration, cmdallow is restricted to localhost, so significant amplification is only possible if the configuration has been changed to allow cmdallow from other hosts. Even from hosts whose access is denied, minor amplification is still possible. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021 http://chrony.tuxfamily.org/News.html ======================== Updated packages in core/updates_testing: ======================== chrony-1.29.1-1.mga4 from chrony-1.29.1-1.mga4.src.rpm
Version: Cauldron => 4Assignee: bugsquad => qa-bugs
Fedora has issued an advisory for this on February 3: https://lists.fedoraproject.org/pipermail/package-announce/2014-February/127837.html
URL: (none) => http://lwn.net/Vulnerabilities/584548/
How to check if chrony is working well after installing the new package?
CC: (none) => olivier.delaune
It should keep your computer's clock synchronized as it normally does.
fine here
Whiteboard: (none) => mga4-64-ok
Whiteboard: mga4-64-ok => has_procedure mga4-64-ok
Testing on Mageia 4 i586. I can confirm that before the fix, the file /var/run/chronyd.pid is not removed when the service is stopped. The update candidate fixes it. -- Validating update. Advisory in comment 3 (not pushed yet). Could someone push the advisory and a sysadmin push the update from Mageia 4 core/updates_testing to core/updates?
Keywords: (none) => validated_updateWhiteboard: has_procedure mga4-64-ok => has_procedure mga3-32-ok mga4-64-okCC: (none) => remi, sysadmin-bugs
advisory added
CC: (none) => tmbWhiteboard: has_procedure mga3-32-ok mga4-64-ok => has_procedure mga3-32-ok mga4-64-ok advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0052.html
Status: NEW => RESOLVEDResolution: (none) => FIXED