[chrony-dev] [GIT] chrony/chrony.git branch, 1.31-security, created. 1.31-4-gc4bedce


This is an automated email from git. It was generated because a ref
change was pushed to the repository "chrony/chrony.git".

The branch, 1.31-security has been created
        at  c4bedce1f45f71f8ba3b837ecc72de890d98d06e (commit)

- Log -----------------------------------------------------------------
commit c4bedce1f45f71f8ba3b837ecc72de890d98d06e
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Mon Mar 30 15:19:12 2015 +0200

    doc: update NEWS

commit 79eacdb7e694c7e6681b68006425df3faca51aec
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Mon Mar 30 15:13:27 2015 +0200

    cmdmon: fix initialization of allocated reply slots
    
    When allocating memory to save unacknowledged replies to authenticated
    command requests, the last "next" pointer was not initialized to NULL.
    When all allocated reply slots were used, the next reply could be
    written to an invalid memory instead of allocating a new slot for it.
    
    An attacker that has the command key and is allowed to access cmdmon
    (only localhost is allowed by default) could exploit this to crash
    chronyd or possibly execute arbitrary code with the privileges of the
    chronyd process.

commit cf19042ecb656b8afec0cc4906e7dd3ea9266ac8
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Mon Mar 30 14:41:37 2015 +0200

    addrfilt: fix access configuration with subnet size indivisible by 4
    
    When NTP or cmdmon access was configured (from chrony.conf or via
    authenticated cmdmon) with a subnet size that is indivisible by 4 and
    an address that has nonzero bits in the 4-bit subnet remainder (e.g.
    192.168.15.0/22 or f000::/3), the new setting was written to an
    incorrect location, possibly outside the allocated array.
    
    An attacker that has the command key and is allowed to access cmdmon
    (only localhost is allowed by default) could exploit this to crash
    chronyd or possibly execute arbitrary code with the privileges of the
    chronyd process.

commit d856bd34c4862398411d29200520e3a3b1d4569e
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Thu Mar 5 12:44:30 2015 +0100

    ntp: protect authenticated symmetric associations against DoS attacks
    
    An attacker knowing that NTP hosts A and B are peering with each other
    (symmetric association) can send a packet with random timestamps to host
    A with source address of B which will set the NTP state variables on A
    to the values sent by the attacker. Host A will then send on its next
    poll to B a packet with originate timestamp that doesn't match the
    transmit timestamp of B and the packet will be dropped. If the attacker
    does this periodically for both hosts, they won't be able to synchronize
    to each other. It is a denial-of-service attack.
    
    According to [1], NTP authentication is supposed to protect symmetric
    associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4
    (RFC 5905) specifications the state variables are updated before the
    authentication check is performed, which means the association is
    vulnerable to the attack even when authentication is enabled.
    
    To fix this problem, save the originate and local timestamps only when
    the authentication check (test5) passed.
    
    [1] https://www.eecis.udel.edu/~mills/onwire.html

-----------------------------------------------------------------------


hooks/post-receive
--
chrony/chrony.git
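
The ordering problem described in commit d856bd34 can be reproduced with a small model. This is an added example, not code from chrony or from the commit; the struct and function names, the timestamps and the forged packet are all constructed for illustration, and test5 is reduced to a precomputed flag.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; not chrony's source code. */
struct assoc {
    uint64_t peer_tx;   /* peer's last transmit timestamp, echoed as our originate */
    uint64_t local_rx;  /* local time at which that packet arrived */
    uint64_t local_tx;  /* transmit timestamp of our own last packet */
};
struct pkt { uint64_t originate, transmit; bool auth_ok; /* test5 result */ };

/* Process one packet; returns true if it is accepted. */
static bool receive(struct assoc *a, const struct pkt *p, uint64_t now, bool fixed)
{
    bool orig_ok = (p->originate == a->local_tx);
    /* Spec order: state saved unconditionally. Fixed: only if test5 passed. */
    if (!fixed || p->auth_ok) {
        a->peer_tx = p->transmit;
        a->local_rx = now;
    }
    return p->auth_ok && orig_ok;  /* originate must match our last transmit */
}

/* Build the next poll sent by association a at time now. */
static struct pkt make_poll(struct assoc *a, uint64_t now)
{
    a->local_tx = now;
    return (struct pkt){ a->peer_tx, now, true };
}

/* True if B still accepts A's poll after A received a forged packet. */
static bool sync_survives_spoof(bool fixed)
{
    struct assoc a = {0}, b = {0};
    struct pkt from_b = make_poll(&b, 1000);
    receive(&a, &from_b, 1001, fixed);
    struct pkt forged = { 42, 0xdeadbeef, false };  /* constructed, fails test5 */
    receive(&a, &forged, 1500, fixed);
    struct pkt from_a = make_poll(&a, 2000);
    return receive(&b, &from_a, 2001, fixed);
}

int main(void)
{
    printf("spec order: %d, fixed order: %d\n", sync_survives_spoof(false), sync_survives_spoof(true));
    return 0;
}
```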
