Updated chrony packages fix security vulnerabilities
Publication date: 23 Apr 2015
Modification date: 23 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-1821, CVE-2015-1822, CVE-2015-1853
Description
Updated chrony package fixes security vulnerabilities:

Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1821).

When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code (CVE-2015-1822).

When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers (CVE-2015-1853).
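The ordering flaw described for CVE-2015-1853, as an added example that is not chrony's code and not part of this advisory: a simplified Python model comparing a receive path that updates state before the MAC check with one that verifies first. The `Association` class, its `remote_tx` field, the packet layout and the use of HMAC-SHA256 as a stand-in for the NTP MAC are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-shared-key"  # constructed sample key, not a real secret
TAG_LEN = hashlib.sha256().digest_size

def mac(key, payload):
    # Stand-in MAC (assumption): HMAC-SHA256 over the payload.
    return hmac.new(key, payload, hashlib.sha256).digest()

def make_packet(key, tx_timestamp):
    # Assumed layout: 8-byte transmit timestamp followed by the MAC.
    payload = struct.pack("!Q", tx_timestamp)
    return payload + mac(key, payload)

class Association:
    """Hypothetical per-peer state, reduced to one variable."""
    def __init__(self, key):
        self.key = key
        self.remote_tx = 0  # last transmit timestamp taken from the peer

    def _split(self, packet):
        if len(packet) != 8 + TAG_LEN:
            raise ValueError("malformed packet")
        return packet[:8], packet[8:]

    def receive_update_first(self, packet):
        # Flawed ordering: state is overwritten before the MAC is checked,
        # so an unauthenticated packet still changes remote_tx.
        payload, tag = self._split(packet)
        self.remote_tx = struct.unpack("!Q", payload)[0]
        return hmac.compare_digest(tag, mac(self.key, payload))

    def receive_verify_first(self, packet):
        # Corrected ordering: drop the packet before touching any state.
        payload, tag = self._split(packet)
        if not hmac.compare_digest(tag, mac(self.key, payload)):
            return False
        self.remote_tx = struct.unpack("!Q", payload)[0]
        return True

def compare_orderings():
    genuine = make_packet(KEY, 1000)
    bad_mac = make_packet(b"wrong-key", 999999)  # constructed packet, invalid MAC
    results = {}
    for name in ("receive_update_first", "receive_verify_first"):
        assoc = Association(KEY)
        getattr(assoc, name)(genuine)
        accepted = getattr(assoc, name)(bad_mac)
        results[name] = (accepted, assoc.remote_tx)
    return results
```

Both handlers reject the packet with the invalid MAC, but only the verify-first handler leaves `remote_tx` at the value set by the genuine packet.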
References
- https://bugs.mageia.org/show_bug.cgi?id=15647
- http://chrony.tuxfamily.org/News.html
- https://www.debian.org/security/2015/dsa-3222
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1821
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1822
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1853
SRPMS
4/core
- chrony-1.29.1-1.1.mga4