[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#719132: marked as done (chrony: New version, fixes security bugs)

Your message dated Sat, 21 Dec 2013 12:18:32 +0000
with message-id <E1VuLVo-0000Lr-4n@franck.debian.org>
and subject line Bug#719132: fixed in chrony 1.29-1
has caused the Debian Bug report #719132,
regarding chrony: New version, fixes security bugs
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
719132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=719132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: chrony
Version: 1.26-4
Severity: important

8 Aug 2013 : chrony-1.29 released

It fixes the following security vulnerabilities:

    Fix crash when processing crafted commands (CVE-2012-4502)
    (possible with IP addresses allowed by cmdallow and localhost)
    Don't send uninitialized data in SUBNETS_ACCESSED and CLIENT_ACCESSES
    replies (CVE-2012-4503) (not used by chronyc)

and includes other changes:

    Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands

CVE-2012-4502: Buffer overflow when processing crafted command packets

When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES command
requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES, 
RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is calculated, 
the number of items stored in the packet is not validated. A crafted command 
request/reply can be used to crash the server/client. Only clients allowed 
by cmdallow (by default only localhost) can crash the server. With chrony 
versions 1.25 and 1.26 this bug has a smaller security impact as the server 
requires the clients to be authenticated in order to process the subnet and 
client accesses commands. In 1.27 and 1.28, however, the invalid calculated 
length is included also in the authentication check which may cause another 
crash. CVE-2012-4503: Uninitialized data in command replies The 
RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can contain 
uninitalized data from stack when the client logging is disabled or a bad 
subnet is requested. These commands were never used by chronyc and they 
require the client to be authenticated since version 1.25.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chrony depends on:
ii  dpkg          1.16.10
ii  install-info  5.1.dfsg.1-3
ii  libc6         2.17-1
ii  libedit2      2.11-20080614-5
ii  net-tools     1.60-24.2
ii  timelimit     1.8-1
ii  ucf           3.0025+nmu3

Versions of packages chrony recommends:
ii  udev  175-7.2

chrony suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: chrony
Source-Version: 1.29-1

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 719132@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Wiedorn <ad_debian@joonet.de> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 20 Dec 2013 23:35:25 +0100
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.29-1
Distribution: unstable
Urgency: medium
Maintainer: Joachim Wiedorn <ad_debian@joonet.de>
Changed-By: Joachim Wiedorn <ad_debian@joonet.de>
Description: 
 chrony     - Set the computer clock from time servers on the Net
Closes: 637514 646732 652207 705768 719132 719203
Changes: 
 chrony (1.29-1) unstable; urgency=medium
 .
   * New upstream release with some bugfixes:
     - Closes: #719132: new upstream version, fixes security bugs.
     - Closes: #719203: Fixing vulnerabilities:
         CVE-2012-4502 - Buffer overflow,
         CVE-2012-4503 - Uninitialized data.
 .
   * debian/control:
     - Set myself as new maintainer. Closes: #705768
     - Bump to Standards-Version 3.9.5.
     - Move to debhelper >= 9 and compat level 9.
     - Update package descriptions.
     - Add Vcs fields to new git repository.
     - Add dependency to lsb-base (for init script).
     - Add build dependency to libtomcrypt-dev.
   * Move to source format 3.0 (quilt).
   * Add the following patch files:  (Closes: #637514)
     - 01_fix-small-typo-in-manpages
     - 03_recreate-always-getdate-c
     - 04_do-not-look-for-ncurses    (Closes: #646732)
     - 05_disable-installation-of-license
   * debian/rules:
     - Move to dh-based rules file.
     - Enable parallel builds.
 .
   * Add debian/watch file.
   * Full update of debian/copyright file.
   * Add debian/doc-base file.
   * Full update of debian/README.Debian file.
   * Update debian/postinst, debian/postrm, debian/prerm.
   * Remove obsolete debian/preinst. Reduce mailing within postinst.
   * Do not use old md5sum file anymore for ucf in postinst script.
   * Add status action in init script (debian/init). Closes: #652207
   * Add debian/install file for installing example of chrony.conf.
   * Reduce debian/dirs file for use with debhelper 9.
Checksums-Sha1: 
 165a0e22dac426a70bff0eb9cf0474644ead46c6 1894 chrony_1.29-1.dsc
 442fb7d62a6f23bf1057864a3dbdfa55e1b6eb35 392880 chrony_1.29.orig.tar.gz
 edd3f283be83e4c0f521a347a837f7653d752f44 19008 chrony_1.29-1.debian.tar.gz
 54e0cbd50c62573a3438d6a536243e95e5fa2226 239766 chrony_1.29-1_amd64.deb
Checksums-Sha256: 
 0bd9873663eb18b52bc044d1d3ad06472b6494a9f0b98319348ea2f9882068de 1894 chrony_1.29-1.dsc
 c685f072ba0663ab026a7f56870ab2c246bd97ca4629dd2e1899617bd16ad39b 392880 chrony_1.29.orig.tar.gz
 64214a323a1e352149498f182e705d68023e0ffba49286328b52fa658737701e 19008 chrony_1.29-1.debian.tar.gz
 2ba47824e635d615d34c429f9f2359d9ae902772082f348dfc0ce77cd142095b 239766 chrony_1.29-1_amd64.deb
Files: 
 60e1729f519114f9b9c9dc4fcc3d5487 1894 admin extra chrony_1.29-1.dsc
 6e1a8ee2ce6632bedc2f8b5cdccfa69f 392880 admin extra chrony_1.29.orig.tar.gz
 344bda4f82dfd43636d46e843da5754d 19008 admin extra chrony_1.29-1.debian.tar.gz
 2153c9950cbd51289d940a867a296950 239766 admin extra chrony_1.29-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJStYMOAAoJEAFx4YKK4JNFL/wQAIwJy1lXVI5j2mdKIgJakkE5
Y5qtW4Xkw920PeYGb5KVr/bA5VWUDdFbcx6r46nATqMghQ38Y7Li0HpcMVINtAxl
mNHfLB8iLfyhfmj1pObgE/L3uVzq65mkzhNufHh+n+NF3ZBYl4dA76bpkyRmw9Dx
+rtQ3bGH7tYXN/fJM8TR8T4lwQGJ9YofXONKOwTPXCnkVehS4HM6EvTM1NPQD8t9
YBg1B7r9Waa+YITDPweD0ifkuRbE8N/VNLIq7iLwROyBcr6uR6nG/Q5P+yteZ2vJ
abb5r6Rp4XOnMqtaBOtbMxC7BkyVCASBWjRjIPN1abbWAGGmLnH8eQBeER+Dzjy3
gyY9MpmFejG8QDYpUJo6YGnlTIp8X0GZYmRNFKVeybbyfuOcVJdp67HUI+d0iUA5
km7LQ2xXXZTxAkUTAA9yduTUAKgKrkAD8pLNGglL/pTEDT6KYngIH1PZm60myssa
1akT0jVT7r3mKNnJDBq3MSCDNZd7hOiKmJYC2XDzLHd4oQeIaghWtlHlNsq81Lii
wLftfE6i2a80zPbJgpb7SiYcwHoRo0TRzRkQR98zDZ4Zn1P/kziWrE1iclKgPFiI
JEy/Tc64zA/SVR/Yjr2fTuQMkeImriPMGGZ+R+v5V3NjP1Tfynfu6c0Eu6t9fRfj
lPXSXypgXweI/DvHRv2x
=2D5E
-----END PGP SIGNATURE-----

--- End Message ---
Reply to: