Debian: DSA-3222-1: chrony security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3222-1
https://www.debian.org/security/                       Alessandro Ghedini
April 12, 2015                        https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chrony
CVE ID         : CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Debian Bug     : 782160

Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony,
an alternative NTP client and server:

CVE-2015-1821

    Using particular address/subnet pairs when configuring access control
    would cause an invalid memory write. This could allow attackers to
    cause a denial of service (crash) or execute arbitrary code.

CVE-2015-1822

    When allocating memory to save unacknowledged replies to authenticated
    command requests, a pointer would be left uninitialized, which could
    trigger an invalid memory write. This could allow attackers to cause a
    denial of service (crash) or execute arbitrary code.

CVE-2015-1853

    When peering with other NTP hosts using authenticated symmetric
    association, the internal state variables would be updated before the
    MAC of the NTP messages was validated. This could allow a remote
    attacker to cause a denial of service by impeding synchronization
    between NTP peers.

For the stable distribution (wheezy), these problems have been fixed in
version 1.24-3.1+deb7u3.

For the unstable distribution (sid), these problems have been fixed in
version 1.30-2.

We recommend that you upgrade your chrony packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
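The ordering flaw described under CVE-2015-1853, shown as an added example that is not chrony's code or part of the advisory: a simplified receive handler that writes per-peer state before checking the MAC, beside one that checks first. `PeerState`, its fields, the 8-byte packet body and the HMAC-SHA256 tag are assumptions made for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

KEY = b"constructed-shared-key"  # constructed sample key
TAG_LEN = 32                     # HMAC-SHA256 tag length (assumed MAC for this model)

@dataclass
class PeerState:
    # Hypothetical stand-in for the state kept per symmetric association.
    last_remote_tx: int = 0  # transmit timestamp saved from the peer's last packet
    accepted: int = 0        # packets that passed authentication

def make_packet(tx: int, key: bytes) -> bytes:
    body = tx.to_bytes(8, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()

def mac_ok(packet: bytes, key: bytes) -> bool:
    body, tag = packet[:8], packet[8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison

def receive_flawed(state: PeerState, packet: bytes, key: bytes) -> bool:
    # Flawed order: state is written from unauthenticated input, then the MAC is checked.
    state.last_remote_tx = int.from_bytes(packet[:8], "big")
    if not mac_ok(packet, key):
        return False
    state.accepted += 1
    return True

def receive_fixed(state: PeerState, packet: bytes, key: bytes) -> bool:
    # Fixed order: reject first, so only authenticated packets can change state.
    if len(packet) != 8 + TAG_LEN or not mac_ok(packet, key):
        return False
    state.last_remote_tx = int.from_bytes(packet[:8], "big")
    state.accepted += 1
    return True

def demo() -> dict:
    genuine = make_packet(1000, KEY)
    bad_mac = (9999).to_bytes(8, "big") + bytes(TAG_LEN)  # constructed packet, invalid MAC
    results = {}
    for name, handler in (("flawed", receive_flawed), ("fixed", receive_fixed)):
        state = PeerState()
        handler(state, genuine, KEY)
        handler(state, bad_mac, KEY)
        results[name] = (state.last_remote_tx, state.accepted)
    return results

if __name__ == "__main__":
    print(demo())
```

Both handlers reject the packet with the invalid MAC, but only the fixed one leaves the saved timestamp from the genuine packet intact.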