Upstream has issued an advisory today (August 21):
https://www.openwall.com/lists/oss-security/2020/08/21/1

Updated package uploaded for Cauldron. Patched package uploaded for Mageia 7.

Advisory:
========================

Updated chrony package fixes security vulnerability:

Chrony's method of opening its PID file could allow a compromised chrony user account to overwrite files in certain parts of the filesystem with chrony's PID, using a symlink attack (CVE-2020-14367).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14367
https://www.openwall.com/lists/oss-security/2020/08/21/1
========================

Updated packages in core/updates_testing:
========================
chrony-3.4-2.1.mga7

from chrony-3.4-2.1.mga7.src.rpm
QA Contact: (none) => security
Component: RPM Packages => Security
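The advisory above describes a PID file being opened through a symlink. As an added example (not chrony's code and not the upstream patch), here is a general pattern for creating a PID file that refuses a symlink or any pre-existing entry at the path; the function names `write_pidfile_safe` and `symlink_is_refused`, and the temporary paths, are hypothetical.

```c
/* Added example: PID-file creation that refuses symlinks (general pattern). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Write pid to path. Returns 0 on success, -1 if it cannot be created safely. */
int write_pidfile_safe(const char *path, long pid)
{
    /* O_CREAT|O_EXCL fails if anything, including a symlink, already exists
       at path; O_NOFOLLOW also refuses a symlink as the final component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", pid);
    int ok = write(fd, buf, (size_t)n) == n;
    if (close(fd) != 0)
        ok = 0;
    return ok ? 0 : -1;
}

/* Constructed scenario in a private temp directory: the PID path is a symlink
   to another file. Returns 1 if the write is refused and the target is intact. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], pidpath[64], got[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(pidpath, sizeof pidpath, "%s/demo.pid", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(target, pidpath) != 0) return -1;
    int rc = write_pidfile_safe(pidpath, (long)getpid());
    f = fopen(target, "r");
    if (f) { fgets(got, sizeof got, f); fclose(f); }
    unlink(pidpath); unlink(target); rmdir(dir);
    return rc == -1 && strcmp(got, "keep") == 0;
}

int main(void)
{
    printf("symlink refused: %d\n", symlink_is_refused());
    return 0;
}
```

Because `O_EXCL` rejects any existing entry, a daemon using this pattern has to remove a stale PID file deliberately before starting rather than overwrite it.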
64-bit Plasma system. No installation issues. Disabled NTP, set the clock to the wrong time, enabled NTP again. Time was automatically reset. Looks good. OKing and validating. Advisory in Comment 0.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK

Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0341.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Fedora has issued an advisory for this today (August 23): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/6WKABKNLCSC3MACCWU6OM2YGWVWFWFMU/
Severity: normal => major