[chrony-announce] chrony-3.5.1 released (security)



chrony-3.5.1 is now available. It fixes a security issue in writing of
the pidfile.

The source code can be downloaded here:
https://download.tuxfamily.org/chrony/chrony-3.5.1.tar.gz

SHA256 sum:
1ba82f70db85d414cd7420c39858e3ceca4b9eb8b028cbe869512c3a14a2dca7

Changes since version 3.5:

Security fixes
--------------
* Create new file when writing pidfile (CVE-2020-14367)


CVE-2020-14367: Insecure writing of pidfile
-------------------------------------------

When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker that compromised the chrony user account
could create a symbolic link at the location of the pidfile to make
chronyd starting with root privileges follow the symlink and write its
process ID to a file for which the chrony user doesn't have write
permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

-- 
Miroslav Lichvar
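
Added example (not part of the original announcement and not chrony's own code): the symlink problem described under CVE-2020-14367, shown as an assumed "before" pattern next to a writer that always creates a new file. The function names, the /tmp scratch directory and the "keep" marker are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed "before" pattern: fopen("w") follows a symlink at path and truncates its target. */
int write_pidfile_unsafe(const char *path, pid_t pid) {
  FILE *f = fopen(path, "w");
  if (!f) return -1;
  fprintf(f, "%d\n", (int)pid);
  return fclose(f) ? -1 : 0;
}

/* Hardened: unlink() removes the link itself, never its target; O_EXCL makes open()
   fail with EEXIST if anything (symlink included) reappears at path before creation. */
int write_pidfile_safe(const char *path, pid_t pid) {
  char buf[32];
  int len = snprintf(buf, sizeof buf, "%d\n", (int)pid);
  if (unlink(path) < 0 && errno != ENOENT) return -1;
  int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
  if (fd < 0) return -1;
  if (write(fd, buf, (size_t)len) != len) { close(fd); return -1; }
  return close(fd);
}

/* Constructed scenario: a symlink at the pidfile path points to a file holding
   "keep". Returns 1 if that file is intact after the writer ran, 0 if overwritten. */
int target_survives(int (*writer)(const char *, pid_t)) {
  char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], pidfile[64], buf[8] = "";
  FILE *f;
  if (!mkdtemp(dir)) return -1;
  snprintf(target, sizeof target, "%s/target", dir);
  snprintf(pidfile, sizeof pidfile, "%s/chronyd.pid", dir);
  if (!(f = fopen(target, "w"))) return -1;
  fputs("keep", f); fclose(f);
  if (symlink(target, pidfile) < 0) return -1;
  writer(pidfile, getpid());
  if ((f = fopen(target, "r"))) { if (!fgets(buf, sizeof buf, f)) buf[0] = '\0'; fclose(f); }
  unlink(pidfile); unlink(target); rmdir(dir);
  return strcmp(buf, "keep") == 0;
}

int main(void) {
  printf("unsafe: target intact = %d\n", target_survives(write_pidfile_unsafe));
  printf("safe:   target intact = %d\n", target_survives(write_pidfile_safe));
}
```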
