Debian Bug report logs -
#782160
chrony: Multiple issues: CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 8 Apr 2015 18:09:02 UTC
Severity: grave
Tags: fixed-upstream, patch, security, upstream
Found in version chrony/1.30-1
Fixed in version chrony/1.30-2
Done: Joachim Wiedorn <joodebian@joonet.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>
:
Bug#782160
; Package src:chrony
.
(Wed, 08 Apr 2015 18:09:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>
.
(Wed, 08 Apr 2015 18:09:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: chrony
Version: 1.30-1
Severity: grave
Tags: security upstream patch fixed-upstream
*** /tmp/chrony.reportbug
Package: chrony
Severity: FILLINSEVERITY
Tags: security
Hi,
the following vulnerabilities were published for chrony. Note, that I
choosed severity grave, since two CVEs seem to potentially be
exploited to execute arbitrary code and chronyd is running as root.
Please lower the severity if you don't agree (I don't know chrony very
well):
CVE-2015-1821[0]:
Heap out of bound write in address filter
CVE-2015-1822[1]:
uninitialized pointer in cmdmon reply slots
CVE-2015-1853[2]:
authentication doesn't protect symmetric associations against DoS attacks
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1821
[1] https://security-tracker.debian.org/tracker/CVE-2015-1822
[2] https://security-tracker.debian.org/tracker/CVE-2015-1853
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Reply sent
to Joachim Wiedorn <joodebian@joonet.de>
:
You have taken responsibility.
(Fri, 10 Apr 2015 15:51:06 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>
:
Bug acknowledged by developer.
(Fri, 10 Apr 2015 15:51:06 GMT) (full text, mbox, link).
Message #10 received at 782160-close@bugs.debian.org (full text, mbox, reply):
Source: chrony
Source-Version: 1.30-2
We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 782160@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Joachim Wiedorn <joodebian@joonet.de> (supplier of updated chrony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 10 Apr 2015 11:41:31 +0200
Source: chrony
Binary: chrony
Architecture: source
Version: 1.30-2
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <joodebian@joonet.de>
Changed-By: Joachim Wiedorn <joodebian@joonet.de>
Description:
chrony - Set the computer clock from time servers on the Net
Closes: 782160
Changes:
chrony (1.30-2) unstable; urgency=medium
.
* With the following security bugfixes (Closes: #782160):
- Fix CVE-2015-1853: Protect authenticated symmetric NTP
associations against DoS attacks.
- Fix CVE-2015-1821: Fix access configuration with subnet
size indivisible by 4.
- Fix CVE-2015-1822: Fix initialization of reply slots for
authenticated commands.
* debian/control:
- Update e-mail address of myself.
- Add Vincent Blut as co-maintainer.
Checksums-Sha1:
90a844e0f263b90c0f47adc4b47e405b124b67ab 2046 chrony_1.30-2.dsc
5b3e26ce27cf8791c4af7639b541d569c0701c08 24392 chrony_1.30-2.debian.tar.xz
Checksums-Sha256:
f54104a121ebecc55b50e55eb30713543cd95f5e8aea66d532ea20615f6bd181 2046 chrony_1.30-2.dsc
826c1b4111c991bffa10b26e5ff42d16718c3454550654e0a3bb7aaf315e547b 24392 chrony_1.30-2.debian.tar.xz
Files:
d5e4baaffa5a6005e8764a0e4389df16 2046 admin extra chrony_1.30-2.dsc
7507786201f508505276bf441e137e39 24392 admin extra chrony_1.30-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQJ8BAEBCgBmBQJVJ9R9XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXREMUUxMzE2RTkzQTc2MEE4MTA0RDg1RkFC
QjNBNjgwMTg2NDlBQTA2AAoJELs6aAGGSaoGEU4QAK9wAy+1sGk2zwWAvsc1WfQ5
Uh/D0ZNfbeK8b+DsaW219yBnCis0Wcepj36cQ1xKkBEJMmyDBqdsQ1wB0pL35LzH
2ICfgoNVgzHgLsld+ExBDMJSS5F2ZRk/JgO5kT6sqhNmoMH1Xi2Uqusg159SAN5s
uNeJV5Mpte0dUp/FbLz6dteGBdhROA8ARSc0SezITirGEJmn84k7G12a8mh5yBys
XfVV+fRlLJy+If0NAbBjhHGKKkWmzSJTb+IBKX0iS023Lv7umoZ/ZM2A4ffiVsmU
IDfmLDCIJei/x/xGPhqcyKmc8e3u31jnkYDtbLPYQpRhTAqecE75Pdeuf9QHYLoR
nx1l42hBykjEfVVUJfx1qNNSm+S4sOsTaLYTTJR1nZD/guEcalmiyUEW08pfnjb3
Dwf9aVnF0XTCpKHaJXf4fxI4nPGDgZqOwrRcFeb+0LQywreRVkM4wH/ptpD8GGpb
hsPdZAhLn/oqAp7wjs5FZTF4paMBbQlw2GxmmVz94MuR9GJ2rU9u2qm2LmHryrnf
h0CQoH1Wi8RA6MT4/x58KsuCL1EFcsXdGA+uWx92KBZhubsENqCgUz0g8g/nSVlQ
Cp/u85mnrRlMco+AifXILRibNbEpCQtRtO5BrxAgqzpx+S7EBDnqe3898Uj/sjBj
E3bjSMcRKS0gIzwZ/ZB0
=k/gR
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>
:
Bug#782160
; Package src:chrony
.
(Fri, 10 Apr 2015 19:36:08 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>
:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>
.
(Fri, 10 Apr 2015 19:36:08 GMT) (full text, mbox, link).
Message #15 received at 782160@bugs.debian.org (full text, mbox, reply):
Hello Joachim,
the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of chrony:
https://security-tracker.debian.org/tracker/CVE-2015-1821
https://security-tracker.debian.org/tracker/CVE-2015-1822
https://security-tracker.debian.org/tracker/CVE-2015-1853
Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated. If you planned to prepare a fixed
wheezy version, it should not be too hard to handle squeeze at the same
time since squeeze has the same upstream version than wheezy.
If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development
If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.
If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.
Thank you very much.
Raphaël Hertzog,
on behalf of the Debian LTS team.
PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <ad_debian@joonet.de>
:
Bug#782160
; Package src:chrony
.
(Fri, 10 Apr 2015 21:03:21 GMT) (full text, mbox, link).
Acknowledgement sent
to Joachim Wiedorn <joodebian@joonet.de>
:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <ad_debian@joonet.de>
.
(Fri, 10 Apr 2015 21:03:21 GMT) (full text, mbox, link).
Message #20 received at 782160@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Raphael,
Raphael Hertzog wrote on 2015-04-10 21:33:
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated. If you planned to prepare a fixed
> wheezy version, it should not be too hard to handle squeeze at the same
> time since squeeze has the same upstream version than wheezy.
At first I have looked for patching the Wheezy package. It was doable.
Now I will test it on my (main) PC, which still have Wheezy installed.
Then I think it should be easy for Squeeze, too.
You will hear from me.
---
Have a nice day.
Joachim (Germany)
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org
:
Bug#782160
; Package src:chrony
.
(Fri, 10 Apr 2015 22:18:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Joachim Wiedorn <joodebian@joonet.de>
:
Extra info received and forwarded to list.
(Fri, 10 Apr 2015 22:18:04 GMT) (full text, mbox, link).
Message #25 received at 782160@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hello Raphael,
Raphael Hertzog wrote on 2015-04-10 21:33:
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
I would be very pleased, if someone of the LTS team could sponsor
my both packages:
for squeeze-security: chrony 1.24-3+squeeze2
see here: http://www.joonet.de/sources/chrony/squeeze-security/
Both architectures were produced with pbuilder in a clean environment.
The deb files were not tested!
for wheezy-security: chrony 1.24-3.1+deb7u3
see here: http://www.joonet.de/sources/chrony/wheezy-security/
Both architectures were produced with pbuilder in a clean environment.
The deb file for amd64 were tested, but not for i386.
For your information:
In the "debian" directory I have added a directory "applied" with
all applied patches to the sources, because both packages still
have source format 1.0. Only the three patches 11, 12, 13 are
new.
Changes since the last uploads:
* With the following security bugfixes (See: #782160):
- Fix CVE-2015-1853: Protect authenticated symmetric NTP
associations against DoS attacks.
- Fix CVE-2015-1821: Fix access configuration with subnet
size indivisible by 4.
- Fix CVE-2015-1822: Fix initialization of reply slots for
authenticated commands.
---
Have a nice day.
Joachim (Germany)
[signature.asc (application/pgp-signature, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <joodebian@joonet.de>
:
Bug#782160
; Package src:chrony
.
(Sun, 12 Apr 2015 12:03:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Alessandro Ghedini <ghedo@debian.org>
:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <joodebian@joonet.de>
.
(Sun, 12 Apr 2015 12:03:05 GMT) (full text, mbox, link).
Message #30 received at 782160@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Joachim,
> Raphael Hertzog wrote on 2015-04-10 21:33:
>
> > If that workflow is a burden to you, feel free to just prepare an
> > updated source package and send it to debian-lts@lists.debian.org
> > (via a debdiff, or with an URL pointing to the the source package,
> > or even with a pointer to your packaging repository), and the members
> > of the LTS team will take care of the rest. Indicate clearly whether you
> > have tested the updated package or not.
>
> I would be very pleased, if someone of the LTS team could sponsor
> my both packages:
>
> for squeeze-security: chrony 1.24-3+squeeze2
> see here: http://www.joonet.de/sources/chrony/squeeze-security/
> Both architectures were produced with pbuilder in a clean environment.
> The deb files were not tested!
>
> for wheezy-security: chrony 1.24-3.1+deb7u3
> see here: http://www.joonet.de/sources/chrony/wheezy-security/
> Both architectures were produced with pbuilder in a clean environment.
> The deb file for amd64 were tested, but not for i386.
>
> For your information:
> In the "debian" directory I have added a directory "applied" with
> all applied patches to the sources, because both packages still
> have source format 1.0. Only the three patches 11, 12, 13 are
> new.
>
> Changes since the last uploads:
>
> * With the following security bugfixes (See: #782160):
> - Fix CVE-2015-1853: Protect authenticated symmetric NTP
> associations against DoS attacks.
> - Fix CVE-2015-1821: Fix access configuration with subnet
> size indivisible by 4.
> - Fix CVE-2015-1822: Fix initialization of reply slots for
> authenticated commands.
The wheezy update looks good, though in the future I'd avoid adding unnecessary
changes to the package (the debian/applied/ directory in this case) since it
makes reviewing the update harder.
Anyway, thanks for preparing the updated packages, I'll take care of the wheezy
DSA in a bit.
Cheers
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Joachim Wiedorn <joodebian@joonet.de>
:
Bug#782160
; Package src:chrony
.
(Sun, 12 Apr 2015 15:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Thorsten Alteholz <debian@alteholz.de>
:
Extra info received and forwarded to list. Copy sent to Joachim Wiedorn <joodebian@joonet.de>
.
(Sun, 12 Apr 2015 15:15:04 GMT) (full text, mbox, link).
Message #35 received at 782160@bugs.debian.org (full text, mbox, reply):
Hi Joachim,
thanks alot for preparing the package, I just uploaded it.
On Sat, 11 Apr 2015, Joachim Wiedorn wrote:
> I would be very pleased, if someone of the LTS team could sponsor
> my both packages:
I have only one remark. The packages for Squeeze need to go to
"squeeze-lts" instead of "oldstable-security" now.
Thorsten
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Sun, 24 May 2015 07:55:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 19:24:59 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.