[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: squeeze update of chrony?

Hi Vincent,

On 05-02-16 01:56, Vincent Blut wrote:
> +chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
> +
> +  * Fix CVE-2016-1567: retrict authentication of server/peer
> +                       to specified key

I suggest you close bug 812923 in the changelog. The bts is smart enough
to track different trees.

> +This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2,
> +chrony does not verify peer associations of symmetric keys when
> authenticating
> +packets, which might allow remote attackers to conduct impersonation
> attacks
> +via an arbitrary trusted key, aka a "skeleton key." This issue also
> affects
> +chrony 2.2 and has been fixed in version 2.2.1.

I assume I read this text wrong if it appears that the issue is not in
testing/sid (because than the security tracker needs to be updated). How
I read it (the first times) is that prior to version 1.31.2 and in the
2.2 branch the issue exists, anything between 1.31.2 and 2.2 would than
be fine, but I am pretty sure that is not what you meant.

So, I assume you intent to fix testing and sid soon as well right?

And although this vulnerability is tagged as no-dsa, you can still
prepare a point release update and communicate with the RT to get it in.


PS: did you on purpose not create a squeeze-lts branch in your git repo?

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: