chrony: CVE-2014-0021: traffic amplification in cmdmon protocol

Related Vulnerabilities: CVE-2014-0021  

Debian Bug report logs - #737644

Package: chrony; Maintainer for chrony is Vincent Blut <vincent.debian@free.fr>; Source for chrony is src:chrony.

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 4 Feb 2014 16:12:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Fixed in version chrony/1.29.1-1

Done: Joachim Wiedorn <ad_debian@joonet.de>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>:
Bug#737644; Package chrony. (Tue, 04 Feb 2014 16:12:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Joachim Wiedorn <ad_debian@joonet.de>. (Tue, 04 Feb 2014 16:12:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chrony: CVE-2014-0021: traffic amplification in cmdmon protocol
Date: Tue, 04 Feb 2014 17:09:32 +0100
Package: chrony
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for chrony.

This is fixed upstream in 1.19.1 by modifying the chronyc protocol. The new
version will support both (old and new).

CVE-2014-0021[0]:
traffic amplification in cmdmon protocol

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0021
    http://security-tracker.debian.org/tracker/CVE-2014-0021
[1] http://chrony.tuxfamily.org/News.html

Regards,
Salvatore



Reply sent to Joachim Wiedorn <ad_debian@joonet.de>:
You have taken responsibility. (Mon, 10 Feb 2014 17:51:11 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 10 Feb 2014 17:51:11 GMT).


Message #10 received at 737644-close@bugs.debian.org:

From: Joachim Wiedorn <ad_debian@joonet.de>
To: 737644-close@bugs.debian.org
Subject: Bug#737644: fixed in chrony 1.29.1-1
Date: Mon, 10 Feb 2014 17:48:19 +0000
Source: chrony
Source-Version: 1.29.1-1

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 737644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Wiedorn <ad_debian@joonet.de> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 06 Feb 2014 15:51:47 +0100
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.29.1-1
Distribution: unstable
Urgency: high
Maintainer: Joachim Wiedorn <ad_debian@joonet.de>
Changed-By: Joachim Wiedorn <ad_debian@joonet.de>
Description: 
 chrony     - Set the computer clock from time servers on the Net
Closes: 737644
Changes: 
 chrony (1.29.1-1) unstable; urgency=high
 .
   * New upstream release with bugfix:
     - Closes: #737644: Fixing vulnerability:
         CVE-2014-0021 - traffic amplification in cmdmon protocol
         (incompatible with previous protocol version, but chronyc
         supports both).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 13 Mar 2014 07:30:46 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:00:29 2019; Machine Name: buxtehude
