[chrony-users] chrony-3.5.1 released (security)


chrony-3.5.1 is now available. It fixes a security issue in writing of
the pidfile.

The source code can be downloaded here:

SHA256 sum:

Changes since version 3.5:

Security fixes
* Create new file when writing pidfile (CVE-2020-14367)

CVE-2020-14367: Insecure writing of pidfile

When chronyd is configured to save the pidfile in a directory where the
chrony user has write permissions (e.g. /var/run/chrony - the default
since chrony-3.4), an attacker who has compromised the chrony user account
could create a symbolic link at the location of the pidfile so that
chronyd, when starting with root privileges, follows the symlink and
writes its process ID to a file for which the chrony user doesn't have
write permissions, causing a denial of service or data loss.

This issue was reported by Matthias Gerstner of SUSE.

Miroslav Lichvar
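
The following is an added example, not part of the original announcement and not chrony's own code. It contrasts a pidfile write that follows a symlink with one that always creates a new file, using a constructed temporary directory under /tmp; all function names and the sample PID are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int write_pid(int fd, long pid) {
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", pid);
    int ok = write(fd, buf, (size_t)n) == n;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Pre-fix pattern: open() follows a symlink at path and truncates its target. */
int write_pidfile_following(const char *path, long pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_pid(fd, pid);
}

/* Hardened pattern: remove whatever is at path (unlink removes a symlink
 * itself, not its target), then insist on creating a brand-new file. */
int write_pidfile_new(const char *path, long pid) {
    if (unlink(path) < 0 && errno != ENOENT) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    return fd < 0 ? -1 : write_pid(fd, pid);
}

/* Constructed scenario: the pidfile path is a symlink to a "protected" file.
 * Returns 1 if that file is left intact, 0 if overwritten, -1 on error. */
int protected_file_survives(int hardened) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], pidfile[64], buf[16] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(pidfile, sizeof pidfile, "%s/chronyd.pid", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important\n", f); fclose(f);
    if (symlink(target, pidfile) < 0) return -1;
    int rc = hardened ? write_pidfile_new(pidfile, 4242)
                      : write_pidfile_following(pidfile, 4242);
    if ((f = fopen(target, "r"))) { fgets(buf, sizeof buf, f); fclose(f); }
    int regular = lstat(pidfile, &st) == 0 && S_ISREG(st.st_mode);
    unlink(pidfile); unlink(target); rmdir(dir);
    if (rc < 0) return -1;
    return strcmp(buf, "important\n") == 0 && (!hardened || regular);
}
```

With the symlink in place, the first writer replaces the protected file's contents with the PID, while the second leaves it untouched and ends up with a regular pidfile.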
