[SECURITY] [DLA 742-1] chrony security update

2016-12-1317:41:49

lists.debian.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.015

Percentile

86.8%

JSON

Package : chrony
Version : 1.24-3.1+deb7u4
CVE ID : CVE-2016-1567
Debian Bug : 812923 568492

It was discovered that Chrony, a versatile implementation of the
Network Time Protocol, did not verify peer associations of symmetric
keys when authenticating packets, which might allow remote attackers
to conduct impersonation attacks via an arbitrary trusted key, aka a
"skeleton key."

This update also resolves Debian bug #568492.

For Debian 7 "Wheezy", these problems have been fixed in version
1.24-3.1+deb7u4.

We recommend that you upgrade your chrony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8armhfchrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_armhf.deb
Debian8s390xchrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_s390x.deb
Debian7armhfchrony< 1.24-3.1+deb7u4chrony_1.24-3.1+deb7u4_armhf.deb
Debian8mipselchrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_mipsel.deb
Debian7allchrony< 1.24-3.1+deb7u4chrony_1.24-3.1+deb7u4_all.deb
Debian8allchrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_all.deb
Debian7armelchrony< 1.24-3.1+deb7u4chrony_1.24-3.1+deb7u4_armel.deb
Debian8ppc64elchrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_ppc64el.deb
Debian8mipschrony< 1.30-2+deb8u2chrony_1.30-2+deb8u2_mips.deb
Debian6amd64chrony< 1.24-3+squeeze3chrony_1.24-3+squeeze3_amd64.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	armhf	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_armhf.deb
Debian	8	s390x	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_s390x.deb
Debian	7	armhf	chrony	< 1.24-3.1+deb7u4	chrony_1.24-3.1+deb7u4_armhf.deb
Debian	8	mipsel	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_mipsel.deb
Debian	7	all	chrony	< 1.24-3.1+deb7u4	chrony_1.24-3.1+deb7u4_all.deb
Debian	8	all	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_all.deb
Debian	7	armel	chrony	< 1.24-3.1+deb7u4	chrony_1.24-3.1+deb7u4_armel.deb
Debian	8	ppc64el	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_ppc64el.deb
Debian	8	mips	chrony	< 1.30-2+deb8u2	chrony_1.30-2+deb8u2_mips.deb
Debian	6	amd64	chrony	< 1.24-3+squeeze3	chrony_1.24-3+squeeze3_amd64.deb