Upstream has announced three security issues today (April 7): http://chrony.tuxfamily.org/News.html The issues are fixed in 1.31.1. It got mentioned on oss-security as well: http://openwall.com/lists/oss-security/2015/04/07/5 Mageia 4 and Mageia 5 are affected. For Mageia 5, we can just update to 1.31.1. For Mageia 4, we'll probably want to see if we can get backported patches for 1.29.1. Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA5TOO, MGA4TOO
A more direct mention of this on oss-security: http://openwall.com/lists/oss-security/2015/04/07/10
RHEL7 has chrony 1.29.1, so some backported patches may show up there. Unfortunately, Fedora 19 is no longer supported, so Fedora won't be backporting patches to 1.29.1. Ubuntu 14.10 also has 1.29.1.
Severity: normal => major
chrony-1.31.1-1.mga5 uploaded for Cauldron.
Version: Cauldron => 4Whiteboard: MGA5TOO, MGA4TOO => (none)
Keeping my eyes peeled here: https://git.centos.org/log/rpms!chrony.git/refs!heads!c7 http://packages.ubuntu.com/utopic/admin/chrony
CC: (none) => mageiaAssignee: bugsquad => luigiwalser
Debian has issued an advisory for this on April 12: https://lists.debian.org/debian-security-announce/2015/msg00110.html
URL: (none) => http://lwn.net/Vulnerabilities/640166/
Patched package uploaded for Mageia 4. Advisory: ======================== Updated chrony package fixes security vulnerabilities: Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1821). When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1822). When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers (CVE-2015-1853). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853 http://chrony.tuxfamily.org/News.html https://www.debian.org/security/2015/dsa-3222 ======================== Updated packages in core/updates_testing: ======================== chrony-1.29.1-1.1.mga4 from chrony-1.29.1-1.1.mga4.src.rpm
Assignee: luigiwalser => qa-bugs
Works fine on Mageia 4 i586.
Whiteboard: (none) => MGA4-32-OK
Validating. Advisory uploaded. Please push to 4 updates Thanks
Keywords: (none) => validated_updateWhiteboard: MGA4-32-OK => MGA4-32-OK advisoryCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0163.html
Status: NEW => RESOLVEDResolution: (none) => FIXED