Debian Bug report logs - #812923
chrony: CVE-2016-1567
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 27 Jan 2016 21:51:01 UTC
Severity: important
Tags: fixed-upstream, security, upstream
Found in versions chrony/1.24-3.1+deb7u3, chrony/1.24-3, chrony/1.24-3+squeeze2, chrony/1.30-2, chrony/2.1.1-1, chrony/1.30-2+deb8u1
Fixed in versions chrony/1.24-3.1+deb7u4, chrony/1.30-2+deb8u2, chrony/1.24-3+squeeze3, chrony/2.2.1-1
Done: Vincent Blut <vincent.debian@free.fr>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Vincent Blut <vincent.debian@free.fr>: Bug#812923; Package src:chrony. (Wed, 27 Jan 2016 21:51:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Vincent Blut <vincent.debian@free.fr>. (Wed, 27 Jan 2016 21:51:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: chrony
Version: 1.30-2
Severity: important
Tags: security upstream fixed-upstream
Hi,
the following vulnerability was published for chrony.
CVE-2016-1567[0]:
| chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer
| associations of symmetric keys when authenticating packets, which
| might allow remote attackers to conduct impersonation attacks via an
| arbitrary trusted key, aka a "skeleton key."
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-1567
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
Marked as found in versions chrony/1.24-3+squeeze2. Request was from Vincent Blut <vincent.debian@free.fr> to control@bugs.debian.org. (Fri, 05 Feb 2016 20:57:08 GMT)
Marked as found in versions chrony/1.24-3.1+deb7u3. Request was from Vincent Blut <vincent.debian@free.fr> to control@bugs.debian.org. (Fri, 05 Feb 2016 20:57:09 GMT)
Marked as found in versions chrony/1.30-2+deb8u1. Request was from Vincent Blut <vincent.debian@free.fr> to control@bugs.debian.org. (Fri, 05 Feb 2016 20:57:11 GMT)
Marked as found in versions chrony/2.1.1-1. Request was from Vincent Blut <vincent.debian@free.fr> to control@bugs.debian.org. (Fri, 05 Feb 2016 20:57:12 GMT)
Reply sent to Vincent Blut <vincent.debian@free.fr>: You have taken responsibility. (Sat, 13 Feb 2016 01:36:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Sat, 13 Feb 2016 01:36:04 GMT)
Message #18 received at 812923-close@bugs.debian.org:
Source: chrony
Source-Version: 1.24-3+squeeze3
We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 812923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Blut <vincent.debian@free.fr> (supplier of updated chrony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 03 Feb 2016 17:34:59 +0100
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.24-3+squeeze3
Distribution: squeeze-lts
Urgency: medium
Maintainer: John G. Hasler <jhasler@debian.org>
Changed-By: Vincent Blut <vincent.debian@free.fr>
Description:
chrony - Sets your computer's clock from time servers on the Net
Closes: 812923
Changes:
chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
.
* Fix CVE-2016-1567: restrict authentication of server/peer
to specified key (Closes: #812923)
* debian/applied/:
- Add 14_restrict-authentication-of-server-peer-to-specified-key.patch,
and update the series file accordingly.
Checksums-Sha1:
7a7efc7eb92694cc29de9a7caa830a3de215ed28 1646 chrony_1.24-3+squeeze3.dsc
fe477cfbab78b58ff204f611b1da4395e44ce154 267349 chrony_1.24-3+squeeze3.diff.gz
7e6cf2eac59e7a6c4a836a3e31ed51495d54a6ea 364788 chrony_1.24-3+squeeze3_amd64.deb
Checksums-Sha256:
ea299e70275640a3d6391276a94a451943a892d25276fb6239285bb917dbc3c2 1646 chrony_1.24-3+squeeze3.dsc
cde31890934c2219c1d3d5494563ddea94ad86c72620eb17dfbf1991e9d74c3d 267349 chrony_1.24-3+squeeze3.diff.gz
0af41a903128c7e4674d63ea3dba5c7714bfa3d98746e5838c4f83e453f885f0 364788 chrony_1.24-3+squeeze3_amd64.deb
Files:
73f448156b54d94351e4f1eda3363945 1646 admin extra chrony_1.24-3+squeeze3.dsc
0e21e0f4a4e8ca01093be2dd8c5c4f8c 267349 admin extra chrony_1.24-3+squeeze3.diff.gz
871ad58f0861c161e0b5ed28e1106d33 364788 admin extra chrony_1.24-3+squeeze3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJWvoX2AAoJEHkhUlJ7dZIeuCkP/RK5v97ATyX3oOThMXZNJ5u+
hhvGuPW/t/btE+AnslFtTQfHxo4Bn+vu4y9F3c7iGxGv3DDgT+sbJJbl2D5F4Ejz
l8rMubMSLOvAISeiifoR2QHt9HQqSurQs75oaY+wZxlfJgURp7ST3Tu7V12hmNfO
n/afch46UQVNstS3FECeD5vYDiKAdEvAjvCoZqq55TEi7CcpVgXBofeOLqDTbW3X
M8W1N/5o69EdNAFGn5PiETENonecorS+Gh5A63aWadOPTyAt/ylOmY4XJn7hzmbK
qI6XOm993CvEOu/6gtmUSoHR8cbOs1uwtZT25lt3VR/25jbLnFq0CYg58v5fJuCV
Ii2mWkZCt4lT5elvXSFF16EHoOFXvtpPcivC/VhEUtbeR3mYYEqmlXbfjg0Hdkv4
J9/I/FbQWDK6ULDX3lvUTt3Ujg62DlzpTMEXQjnPvVeDQeQ6kcmzwglfDELTTtyE
tdXlymdXiRi77tt1xDM0+Y9qUbHygQpd1vgJALUyax3EBJH7gFqGU9BMOohbSGwl
ONMNlvBKP45rNJBRhgt7wFmePfCbsER4lG7Um1yXl6MmVny8/u3E1IdxIHzyvFcJ
evQ9OHDz8Nvt5QVAfSFbWd/gQA0iZUNRoc8CuUWPDwoFSMQffINQ+7AvH3l+IkZY
8fW+KFxdOFsv+FJX/ALG
=+nSh
-----END PGP SIGNATURE-----
Marked as found in versions chrony/1.24-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2016 05:21:04 GMT)
Reply sent to Vincent Blut <vincent.debian@free.fr>: You have taken responsibility. (Fri, 01 Apr 2016 18:51:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 01 Apr 2016 18:51:09 GMT)
Message #25 received at 812923-close@bugs.debian.org:
Source: chrony
Source-Version: 2.2.1-1
We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 812923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Blut <vincent.debian@free.fr> (supplier of updated chrony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 19 Mar 2016 14:42:23 +0100
Source: chrony
Binary: chrony
Architecture: source
Version: 2.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Vincent Blut <vincent.debian@free.fr>
Changed-By: Vincent Blut <vincent.debian@free.fr>
Description:
chrony - Versatile implementation of the Network Time Protocol
Closes: 568492 812923 818234
Changes:
chrony (2.2.1-1) unstable; urgency=medium
.
* Import upstream versions 2.2 and 2.2.1:
- Please see /usr/share/doc/chrony/changelog.gz for the release notes.
- The 2.2.1 release version fixes CVE-2016-1567. (Closes: #812923)
.
* debian/chrony.conf:
- Drop the commandkey directive. It is obsolete since the introduction of a
Unix domain command socket in chrony 2.2.
- Fix keyfile directive commentary.
.
* debian/chrony.keys:
- New file template.
.
* debian/chrony.lintian-overrides:
- New file used to force lintian to stop complaining about the “chrony.keys”
file modes (0640).
.
* debian/chrony.ppp.ip-down:
- Drop obsolete authentication method to the chronyd daemon. This is now
handled by the usage of a Unix domain command socket.
.
* debian/chrony.ppp.ip-up:
- Drop obsolete authentication method to the chronyd daemon. This is now
handled by the usage of a Unix domain command socket.
- Reinstate the “burst” chronyc command.
.
* debian/control:
- Build depend on libseccomp-dev ≥ 2.2.3-3~. We need it to provide syscall
filtering.
- Fix a typo relative to the name of an architecture.
- Build depend on pkg-config.
- Restrict libcap-dev build dependency on Linux only.
- Depend on iproute2 instead of net-tools.
- Drop timelimit dependency.
- Update Vcs-Git to use HTTPS.
- Bump standard-version to 3.9.7 (no changes required).
.
* debian/copyright:
- Update copyright year for debian/*.
.
* debian/init:
- Make use of “ip r” instead of “netstat -rn”. (Closes: #818234)
- Delete unused “FLAGS” variable.
- Do not execute ip and chronyc through timelimit.
- Don’t call chronyc using its absolute path.
- Check if the value of the DAEMON variable is executable.
- Drop the two seconds delay as it should be unnecessary.
- Drop obsolete authentication method from the putonline() function.
- Fix indentation issue in the putonline() function.
.
* debian/logrotate:
- Do not pass the “-a” option to chronyc, it’s no longer necessary.
.
* debian/NEWS:
- Add a comment about the command key suppression from the “chrony.keys”
file.
.
* debian/patches/:
- Drop 01_do-not-install-copying-file.patch, not needed anymore.
↳ Remove reference to that patch from the series file.
.
* debian/postinst:
- Do not create an ID/key pair for command authentication. Configuration
and monitoring via chronyc is now done using Unix domain socket accessible
by root or by the system user to which chronyd will drop root privileges,
i.e. _chrony.
.
* debian/postrm:
- Remove /var/lib/chrony content only on purge. (Closes: #568492)
.
* debian/README.Debian:
- Drop obsolete statement.
.
* debian/rules:
- Build with --enable-scfilter.
- Install the “chrony.keys” file in /etc/chrony/ with 0640 modes.
- Override dh_fixperms to prevent it from modifying modes of the
“chrony.keys” file. By default, dh_fixperms tries to set the default modes
(0644).
- Move the “chronyd.sock” file from /var/run/chrony to /run/chrony.
Checksums-Sha1:
aca9a0a3059e5a40180ad4a4e12ff4385a659273 1774 chrony_2.2.1-1.dsc
290b761478dc90d4921c98b7030ead07c49f2afd 340514 chrony_2.2.1.orig.tar.gz
89500f9eda892149c8333c6075c2971df204c258 23776 chrony_2.2.1-1.debian.tar.xz
Checksums-Sha256:
a4bc863c5da7f3ec0c0abfc15c189e6ac97ba020120d04fbf48fcc70fcc197aa 1774 chrony_2.2.1-1.dsc
4776fa8e80d698723e9a88eb882170951f6c45860545d84ae9f9d8b9bbd73796 340514 chrony_2.2.1.orig.tar.gz
c4e5619407ea43508e8d4e3fb9bc402d0898bf97fe2a0ea9732d8e4b86ac4e8a 23776 chrony_2.2.1-1.debian.tar.xz
Files:
c699c3afaaf73de7bce247e0740b294b 1774 net optional chrony_2.2.1-1.dsc
ce46990540aab3670d093311ee43fe17 340514 net optional chrony_2.2.1.orig.tar.gz
1e2eb9ad6c0087c56b0c32a6755f0b20 23776 net optional chrony_2.2.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJW/r5kAAoJEJxcmesFvXUKbk0H/1otGBmMkD8EFp6TnX5kMo5a
9k3vM43GwoDp1aC6XoIAIwrnS47Vali3dYmt5RrLJ1OPCRLhU9ShTyaIXaFwbYrj
0loc/HITkYjWo9v30+ai4+MUFqJ5xgRAaxaLcFJLqFWgOCyilhGhu1WCGb9lbpN/
wvuKJnGUBiLvDMB0BnMwKtWT9Ss9xY9J6sSjGlKVo1YYE2CjedT6BoKUbb3CHebz
+Pci6fT/g9ixsTbh7hf2/d/jB9dCm637ANi1XHpORSjyUg0ygTHZ6bj09aKjpVhe
kUsqxF/CKFG3Ed2+uLymElrZfBcGJXQqsByy1MKkEwCTl0Li9ezMF+KlMkG+1l8=
=yLDB
-----END PGP SIGNATURE-----
Reply sent to Vincent Blut <vincent.debian@free.fr>: You have taken responsibility. (Wed, 25 May 2016 21:48:52 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 25 May 2016 21:48:53 GMT)
Message #30 received at 812923-close@bugs.debian.org:
Source: chrony
Source-Version: 1.30-2+deb8u2
We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 812923@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Vincent Blut <vincent.debian@free.fr> (supplier of updated chrony package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 21 May 2016 02:27:34 +0200
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.30-2+deb8u2
Distribution: jessie
Urgency: medium
Maintainer: Joachim Wiedorn <joodebian@joonet.de>
Changed-By: Vincent Blut <vincent.debian@free.fr>
Description:
chrony - Set the computer clock from time servers on the Net
Closes: 568492 763542 812923
Changes:
chrony (1.30-2+deb8u2) jessie; urgency=medium
.
* Fix CVE-2016-1567: Restrict authentication of server/peer to specified
key. (Closes: #812923)
.
* debian/postrm:
- Remove /var/lib/chrony on purge only. (Closes: #568492)
.
* debian/logrotate:
- Rework postrotate script. (Closes: #763542)
Checksums-Sha1:
98cc6d600faba89028345e4cc98c9c10862ae597 1610 chrony_1.30-2+deb8u2.dsc
20b2e09e0cb81fe2f9885a41fe17e86c573f4a67 25136 chrony_1.30-2+deb8u2.debian.tar.xz
620b238285eb49a916f53c7bdded383669270855 252924 chrony_1.30-2+deb8u2_amd64.deb
Checksums-Sha256:
481a2765c5545776fa2a719f2bf9676aa4ee7e90290a9e3328d076ec92f630e4 1610 chrony_1.30-2+deb8u2.dsc
4eda715c2b455b227c7b9c256abcc66e5e029bd1a29297099abf3a321e256500 25136 chrony_1.30-2+deb8u2.debian.tar.xz
1cea85b2e5e796afce2f9b8529b4d3955266eca9619a8b5bcd4f88103c005307 252924 chrony_1.30-2+deb8u2_amd64.deb
Files:
7f2fff73027bf1ba71654342feb99d16 1610 admin extra chrony_1.30-2+deb8u2.dsc
30df4e238e9bd2644e806b15c1e18b0d 25136 admin extra chrony_1.30-2+deb8u2.debian.tar.xz
a28dd93c1dbdc3816bdfea4f64dd7e36 252924 admin extra chrony_1.30-2+deb8u2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJXRezFAAoJEJxcmesFvXUKK7kIAIKOXlYSH1l9dCRjjRcTIHwM
JHMNjlwPwOQ69k/iKwnUwlc0pplYkOYcxdq9YU2DN3hbpngCcqdM/Nm/hcAd+lnM
0ZQWrNMMTcD8E4mVZGAcUg4Nl9uRZ6/lPI8Rrkhe7NTKE7gIaJ9B4nIzsKe7AM1R
OE3y/SwdEVzw0Kb0dwskm+SA00WPsTbVSoCzAuJY8Hw7+nPeENhrLPXq451lOtG9
IrphauPqZ/5T9JzQ4qEQB+cQ0zco4K1NIR7oftGJiycLQ/3PNMPw2gY2DuC/WEts
hi4FYZ/iTZOabQ4nzTkvqFmSXwuZ3arqceHqAXyOs/wzRod8Z9eRPmXLGZKoMCA=
=1dMJ
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Jul 2016 07:26:57 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Dec 2016 16:45:06 GMT)
Marked as fixed in versions chrony/1.24-3.1+deb7u4. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Dec 2016 16:45:07 GMT)
Bug archived. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 14 Dec 2016 16:45:07 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:34:40 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.