[chrony-dev] [GIT] chrony/chrony.git branch, 1.31-security, updated. 1.31.1-4-gaabb564



This is an automated email from git. It was generated because a ref
change was pushed to the repository "chrony/chrony.git".

The branch, 1.31-security has been updated
       via  aabb56432088ce0e14c0fe3016b4751cc9247977 (commit)
       via  df46e5ca5d70be1c0ae037f96b4b038362703832 (commit)
       via  370ba5e8fc7e18e3b19f18c4a35f0e439597426b (commit)
      from  463093803de86931165c2d7f76355ab0733f5f3c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit aabb56432088ce0e14c0fe3016b4751cc9247977
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Mon Jan 11 15:42:36 2016 +0100

    doc: update NEWS

commit df46e5ca5d70be1c0ae037f96b4b038362703832
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Fri Jan 8 15:03:09 2016 +0100

    ntp: restrict authentication of server/peer to specified key
    
    When a server/peer was specified with a key number to enable
    authentication with a symmetric key, packets received from the
    server/peer were accepted if they were authenticated with any of
    the keys contained in the key file and not just the specified key.
    
    This allowed an attacker who knew one key of a client/peer to modify
    packets from its servers/peers that were authenticated with other
    keys in a man-in-the-middle (MITM) attack. For example, in a network
    where each NTP association had a separate key and all hosts had only
    keys they needed, a client of a server could not attack other clients
    of the server, but it could attack the server and also attack its own
    clients (i.e. modify packets from other servers).
    
    To not allow the server/peer to be authenticated with other keys,
    extend the authentication test to check if the key ID in the received
    packet is equal to the configured key number. As a consequence, it's
    no longer possible to authenticate two peers to each other with two
    different keys; both peers have to be configured to use the same key.
    
    This issue was discovered by Matt Street of Cisco ASIG.

commit 370ba5e8fc7e18e3b19f18c4a35f0e439597426b
Author: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
Date:   Fri Apr 10 10:35:21 2015 +0200

    doc: warn that unauthenticated peers are vulnerable to DoS attack

-----------------------------------------------------------------------

Summary of changes:
 NEWS           |    7 +++++++
 chrony.texi.in |   18 ++++++++++++++++++
 ntp_core.c     |    3 ++-
 3 files changed, 27 insertions(+), 1 deletion(-)


hooks/post-receive
--
chrony/chrony.git
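
The check described in commit df46e5ca, as an added example that is not chrony's code and is not taken from ntp_core.c. All names (keyfile, find_key, auth_any_key, auth_configured_key) and the key values are hypothetical, and toy_mac is a short stand-in for the real NTP MAC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed key file: every key this host holds, for all of its associations. */
struct key { uint32_t id; const char *secret; };
static const struct key keyfile[] = {
    { 1, "constructed-secret-1" },   /* key configured for the server */
    { 2, "constructed-secret-2" },   /* key shared with one of this host's clients */
};
struct packet { uint32_t key_id; char payload[16]; uint32_t mac; };

static const struct key *find_key(uint32_t id) {
    for (size_t i = 0; i < sizeof keyfile / sizeof keyfile[0]; i++)
        if (keyfile[i].id == id) return &keyfile[i];
    return NULL;
}

/* Toy keyed checksum (FNV-1a over secret, then payload); NOT a secure MAC. */
static uint32_t toy_mac(const char *secret, const struct packet *p) {
    uint32_t h = 2166136261u;
    for (const char *s = secret; *s; s++) h = (h ^ (uint8_t)*s) * 16777619u;
    for (size_t i = 0; i < sizeof p->payload; i++) h = (h ^ (uint8_t)p->payload[i]) * 16777619u;
    return h;
}

/* Build a packet authenticated with key file entry key_id (mac 0 if unknown). */
static struct packet make_packet(uint32_t key_id, const char *payload) {
    struct packet p = { .key_id = key_id };
    const struct key *k = find_key(key_id);
    strncpy(p.payload, payload, sizeof p.payload - 1);
    p.mac = k ? toy_mac(k->secret, &p) : 0;
    return p;
}

/* Behaviour before the fix: a valid MAC under any key in the key file passes. */
static int auth_any_key(const struct packet *p) {
    const struct key *k = find_key(p->key_id);
    return k != NULL && toy_mac(k->secret, p) == p->mac;
}
/* Behaviour after the fix: the key ID must also equal the configured key number. */
static int auth_configured_key(const struct packet *p, uint32_t configured_id) {
    return p->key_id == configured_id && auth_any_key(p);
}

int main(void) {   /* exits 0 when only the old check accepts a key-2 packet */
    struct packet other = make_packet(2, "constructed");
    return !(auth_any_key(&other) && !auth_configured_key(&other, 1));
}
```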
