
Re: squeeze update of chrony?



On Fri, Feb 05, 2016 at 04:17:00AM +0100, Paul Gevers wrote:
Hi Vincent,

Hello Paul,

On 05-02-16 01:56, Vincent Blut wrote:
+chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
+
+  * Fix CVE-2016-1567: retrict authentication of server/peer
+                       to specified key
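Review bot: "retrict" in the CVE-2016-1567 changelog line should read "restrict", and since this upload fixes the reported bug the entry should reference it, e.g. "Fix CVE-2016-1567: restrict authentication of server/peer to specified key (Closes: #812923)", so the BTS closes the bug for this tree.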

I suggest you close bug 812923 in the changelog. The bts is smart enough
to track different trees.

Indeed, I forgot about that.

+This patch fixes CVE-2016-1567 in chrony 1.24. Prior to version 1.31.2,
+chrony does not verify peer associations of symmetric keys when
authenticating
+packets, which might allow remote attackers to conduct impersonation
attacks
+via an arbitrary trusted key, aka a "skeleton key." This issue also
affects
+chrony 2.2 and has been fixed in version 2.2.1.
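Review bot: the affected-version sentence in this patch header is ambiguous: "Prior to version 1.31.2 ... This issue also affects chrony 2.2" can be read as saying releases between 1.31.2 and 2.2 are clean. State the range explicitly, e.g. "All releases before 1.31.2, and all 2.x releases before 2.2.1, are affected; fixed in 1.31.2 and 2.2.1", so the security tracker and readers of the patch get the same picture as the maintainer's clarification below.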

I assume I read this text wrong if it appears that the issue is not in
testing/sid (because then the security tracker needs to be updated). How
I read it (the first times) is that prior to version 1.31.2 and in the
2.2 branch the issue exists, anything between 1.31.2 and 2.2 would then
be fine, but I am pretty sure that is not what you meant.

I’ll make things clearer. In fact, all releases before 1.31.2 are affected, same thing for all releases from the 2.x branch prior to 2.2.1.

So, I assume you intend to fix testing and sid soon as well, right?

That’s the plan, yes. By the way, I’ll contact you in the next few days to review 2.2.1-1 which is mostly ready.

And although this vulnerability is tagged as no-dsa, you can still
prepare a point release update and communicate with the RT to get it in.

Yes, I’ll fix this in jessie and wheezy.

Cheers,
Vincent

Paul

PS: did you on purpose not create a squeeze-lts branch in your git repo?

Well, do you have any tips to properly handle this? I guess using
"gbp import-dsc" would do the trick but…

P.S. I’d like to apologize for my “long” silence, but I’m facing a shitstorm IRL. :-/

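The "skeleton key" problem the patch header describes, as an added example that is not part of this thread, of chrony's code, or of the patch under discussion: a symmetric-key check that accepts any trusted key ID, beside one that binds the key ID to the peer association. The key table, peer map, addresses and packet layout are constructed for the example, and HMAC-SHA256 stands in for the NTP MAC; only the key-binding logic is the point.

```python
import hashlib
import hmac

# Constructed sample configuration for this example (not chrony's key file or
# config syntax): the symmetric keys this host trusts, indexed by key ID, and
# the key ID each peer association is configured to authenticate with.
TRUSTED_KEYS = {
    1: b"key-one-secret",
    2: b"key-two-secret",
    3: b"key-three-secret",
}
PEER_KEY_ID = {
    "10.0.0.1": 1,
    "10.0.0.2": 2,
}

MAC_LEN = 32  # HMAC-SHA256 stands in for the NTP MAC in this example


def compute_mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_packet(payload: bytes, key_id: int) -> bytes:
    """Build payload || key_id (4 bytes, big-endian) || MAC under the named trusted key."""
    return payload + key_id.to_bytes(4, "big") + compute_mac(TRUSTED_KEYS[key_id], payload)


def split_packet(packet: bytes):
    """Return (payload, key_id, mac); reject packets too short to carry both."""
    if len(packet) < 4 + MAC_LEN:
        raise ValueError("packet too short to carry a key ID and MAC")
    payload = packet[: -(4 + MAC_LEN)]
    key_id = int.from_bytes(packet[-(4 + MAC_LEN):-MAC_LEN], "big")
    mac = packet[-MAC_LEN:]
    return payload, key_id, mac


def verify_any_trusted_key(src: str, packet: bytes) -> bool:
    """Pre-fix behaviour as the patch header describes it: the packet is accepted
    if its key ID names any key this host trusts and the MAC verifies. The
    source is never consulted, so a key issued for one association also
    authenticates packets claiming to come from every other peer."""
    payload, key_id, mac = split_packet(packet)
    key = TRUSTED_KEYS.get(key_id)
    if key is None:
        return False
    return hmac.compare_digest(mac, compute_mac(key, payload))


def verify_peer_bound_key(src: str, packet: bytes) -> bool:
    """Fixed behaviour: the key ID must be the one configured for the peer the
    packet claims to come from, and the MAC must verify under that key."""
    payload, key_id, mac = split_packet(packet)
    expected_id = PEER_KEY_ID.get(src)
    if expected_id is None or key_id != expected_id:
        return False
    return hmac.compare_digest(mac, compute_mac(TRUSTED_KEYS[expected_id], payload))


def demo() -> dict:
    """Constructed scenario: a legitimate packet from 10.0.0.1 under its key 1,
    and a forged packet for the same peer signed with key 2, a key this host
    trusts only for a different association (the 'skeleton key')."""
    legit = make_packet(b"ntp-payload", 1)
    forged = make_packet(b"ntp-payload", 2)
    return {
        "legit_any": verify_any_trusted_key("10.0.0.1", legit),
        "legit_bound": verify_peer_bound_key("10.0.0.1", legit),
        "forged_any": verify_any_trusted_key("10.0.0.1", forged),
        "forged_bound": verify_peer_bound_key("10.0.0.1", forged),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The forged packet passes the any-trusted-key check because key 2 is a valid key on this host, which is exactly the impersonation the CVE describes; the peer-bound check rejects it because the association with 10.0.0.1 is configured for key 1 only.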