[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: squeeze update of chrony?

On Fri, Feb 05, 2016 at 04:17:00AM +0100, Paul Gevers wrote:
Hi Vincent,

Hello Paul,

On 05-02-16 01:56, Vincent Blut wrote:
+chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
+  * Fix CVE-2016-1567: retrict authentication of server/peer
+                       to specified key

I suggest you close bug 812923 in the changelog. The bts is smart enough
to track different trees.

Indeed, I forgot about that.

+This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2,
+chrony does not verify peer associations of symmetric keys when
+packets, which might allow remote attackers to conduct impersonation
+via an arbitrary trusted key, aka a "skeleton key." This issue also
+chrony 2.2 and has been fixed in version 2.2.1.

I assume I read this text wrong if it appears that the issue is not in
testing/sid (because than the security tracker needs to be updated). How
I read it (the first times) is that prior to version 1.31.2 and in the
2.2 branch the issue exists, anything between 1.31.2 and 2.2 would than
be fine, but I am pretty sure that is not what you meant.

I’ll make things clearer. In fact, all releases before 1.31.2 are affected, same thing for all releases from the 2.x branch prior to 2.2.1.

So, I assume you intent to fix testing and sid soon as well right?

That’s the plan, yes. By the way, I’ll contact you in the next few days to review 2.2.1-1 which is mostly ready.

And although this vulnerability is tagged as no-dsa, you can still
prepare a point release update and communicate with the RT to get it in.

Yes, I’ll fix this in jessie and wheezy.



PS: did you on purpose not create a squeeze-lts branch in your git repo?

Well, do you have any tips to properly handle this? I guess using
"gbp import-dsc" would do the trick but…

P.S. I’d like to apologize for my “long” silence, but I’m facing a shitstorm IRL. :-/

Attachment: signature.asc
Description: PGP signature

Reply to: