
Re: squeeze update of chrony?



Hi Vincent,

On 05-02-16 01:56, Vincent Blut wrote:
> +chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
> +
> +  * Fix CVE-2016-1567: retrict authentication of server/peer
> +                       to specified key
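Review bot: typo in the changelog entry: "retrict" on the "Fix CVE-2016-1567" line should read "restrict". The bug reference Paul asks for belongs on the same entry, in the usual changelog form, e.g. "(Closes: #812923)", so the BTS can track the fix in this tree.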

I suggest you close bug 812923 in the changelog. The bts is smart enough
to track different trees.

> +This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2,
> +chrony does not verify peer associations of symmetric keys when
> authenticating
> +packets, which might allow remote attackers to conduct impersonation
> attacks
> +via an arbitrary trusted key, aka a "skeleton key." This issue also
> affects
> +chrony 2.2 and has been fixed in version 2.2.1.
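Review bot: the patch header names the upstream versions that carry the fix (1.31.2 and 2.2.1) but not the upstream change this patch is backported from, so the backport cannot be checked against its origin; a DEP-3 "Origin:" line pointing at that change, plus "Bug-Debian:" for #812923, would make it reviewable. The sentence "Prior to version 1.31.2 ... This issue also affects chrony 2.2" also reads as though releases between 1.31.2 and 2.2 were unaffected; stating the affected version ranges explicitly would remove that ambiguity.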

I assume I read this text wrong if it appears that the issue is not in
testing/sid (because then the security tracker needs to be updated). How
I read it (the first times) is that prior to version 1.31.2 and in the
2.2 branch the issue exists, anything between 1.31.2 and 2.2 would then
be fine, but I am pretty sure that is not what you meant.

So, I assume you intend to fix testing and sid soon as well, right?

And although this vulnerability is tagged as no-dsa, you can still
prepare a point release update and communicate with the RT to get it in.

Paul

PS: did you on purpose not create a squeeze-lts branch in your git repo?
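The patch description quoted above says chrony 1.24 authenticated packets with any key from its trusted-key table instead of only the key configured for that server or peer. The following is an added model of that check, written for this thread and not taken from chrony's code or the Debian patch; the key table, source addresses, payloads and the HMAC-SHA-256 authenticator are all constructed stand-ins for the real NTP key file and MAC format, chosen only to show what the missing "key belongs to this source" test changes.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed stand-in for a chrony key file: key id -> shared secret.
TRUSTED_KEYS: Dict[int, bytes] = {
    1: b"constructed-secret-for-key-1",
    2: b"constructed-secret-for-key-2",
}

# Constructed stand-in for per-source configuration: each server/peer line
# pins the key id that source must authenticate with.
SOURCE_KEY: Dict[str, int] = {
    "192.0.2.10": 1,
}


@dataclass(frozen=True)
class Packet:
    source: str      # address the packet arrives from
    key_id: int      # key id carried in the packet's authenticator field
    payload: bytes   # the NTP fields covered by the authenticator
    mac: bytes       # authenticator computed over payload


def compute_mac(secret: bytes, payload: bytes) -> bytes:
    # HMAC-SHA-256 stands in for the real NTP MAC construction; the check
    # being demonstrated does not depend on the MAC algorithm used.
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_packet(source: str, key_id: int, payload: bytes) -> Packet:
    """Build a correctly authenticated packet using a key from the table."""
    return Packet(source, key_id, payload,
                  compute_mac(TRUSTED_KEYS[key_id], payload))


def mac_is_valid(pkt: Packet) -> bool:
    """True if the packet's MAC verifies under the key id it names."""
    secret: Optional[bytes] = TRUSTED_KEYS.get(pkt.key_id)
    if secret is None:
        return False  # unknown key id: never trusted
    return hmac.compare_digest(compute_mac(secret, pkt.payload), pkt.mac)


def accept_before_fix(pkt: Packet) -> bool:
    """Pre-fix behaviour described for CVE-2016-1567: a packet from a
    configured source is accepted if it verifies under ANY trusted key,
    so every key in the table acts as a skeleton key for every source."""
    return pkt.source in SOURCE_KEY and mac_is_valid(pkt)


def accept_after_fix(pkt: Packet) -> bool:
    """Post-fix behaviour: the packet must name exactly the key id that is
    configured for its source, and then verify under that key."""
    expected = SOURCE_KEY.get(pkt.source)
    if expected is None or pkt.key_id != expected:
        return False
    return mac_is_valid(pkt)


def compare(pkt: Packet) -> Dict[str, bool]:
    """Side-by-side result of both checks for one packet."""
    return {"before_fix": accept_before_fix(pkt),
            "after_fix": accept_after_fix(pkt)}


if __name__ == "__main__":
    payload = b"constructed-ntp-fields"
    # Genuine packet: key 1 is the key configured for 192.0.2.10.
    print("configured key:", compare(make_packet("192.0.2.10", 1, payload)))
    # Same source address, but authenticated with key 2, which is trusted
    # for other purposes and not configured for this source.
    print("other trusted key:", compare(make_packet("192.0.2.10", 2, payload)))
```

Run stand-alone, the first line shows both checks accepting the genuine packet; the second shows the pre-fix check accepting a packet authenticated with a different trusted key while the post-fix check rejects it, which is the association that the Debian patch restores.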
