Your message dated Sat, 13 Feb 2016 01:33:52 +0000
with message-id <[email protected]>
and subject line Bug#812923: fixed in chrony 1.24-3+squeeze3
has caused the Debian Bug report #812923,
regarding chrony: CVE-2016-1567
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
812923: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812923
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: chrony
Version: 1.30-2
Severity: important
Tags: security upstream fixed-upstream

Hi,

the following vulnerability was published for chrony.

CVE-2016-1567[0]:
| chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer
| associations of symmetric keys when authenticating packets, which
| might allow remote attackers to conduct impersonation attacks via an
| arbitrary trusted key, aka a "skeleton key."

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1567

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: chrony
Source-Version: 1.24-3+squeeze3

We believe that the bug you reported is fixed in the latest version of
chrony, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vincent Blut <[email protected]> (supplier of updated chrony package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Feb 2016 17:34:59 +0100
Source: chrony
Binary: chrony
Architecture: source amd64
Version: 1.24-3+squeeze3
Distribution: squeeze-lts
Urgency: medium
Maintainer: John G. Hasler <[email protected]>
Changed-By: Vincent Blut <[email protected]>
Description: 
 chrony     - Sets your computer's clock from time servers on the Net
Closes: 812923
Changes: 
 chrony (1.24-3+squeeze3) squeeze-lts; urgency=medium
 .
   * Fix CVE-2016-1567: restrict authentication of server/peer
                        to specified key (Closes: #812923)
   * debian/applied/:
     - Add 14_restrict-authentication-of-server-peer-to-specified-key.patch,
     and update the series file accordingly.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
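
The check that the CVE text says was missing and that the changelog entry restores, as an added Python illustration (not chrony's code or its patch). The key table, addresses and function names are constructed, and the MAC is modelled as the classic NTP form MD5(key || header).

```python
import hashlib
import hmac
import struct

# Constructed key file (key id -> secret); every id listed is "trusted".
KEYS = {1: b"secret-for-server-A", 2: b"secret-for-peer-B"}
# Constructed associations: source address -> key id it was configured with.
ASSOC_KEY = {"192.0.2.10": 1, "192.0.2.20": 2}
NTP_HEADER_LEN = 48  # authenticator = 4-byte key id + 16-byte MD5 digest


def sign(key_id, header):
    """Append an NTP symmetric-key authenticator: key id, MD5(key || header)."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def mac_ok(msg):
    """Return the key id if the MAC verifies under a known key, else None."""
    header, auth = msg[:NTP_HEADER_LEN], msg[NTP_HEADER_LEN:]
    if len(header) != NTP_HEADER_LEN or len(auth) != 20:
        return None
    (key_id,) = struct.unpack("!I", auth[:4])
    if key_id not in KEYS:
        return None
    expected = hashlib.md5(KEYS[key_id] + header).digest()
    return key_id if hmac.compare_digest(expected, auth[4:]) else None


def accept_any_trusted_key(source, msg):
    """Flawed check: any key from the key file authenticates any source."""
    return source in ASSOC_KEY and mac_ok(msg) is not None


def accept_bound_key(source, msg):
    """Fixed check: the key id must be the one configured for this source."""
    key_id = mac_ok(msg)
    return key_id is not None and ASSOC_KEY.get(source) == key_id


if __name__ == "__main__":
    header = bytes(NTP_HEADER_LEN)       # constructed all-zero NTP header
    msg = sign(2, header)                # holder of key 2 posing as server A
    print(accept_any_trusted_key("192.0.2.10", msg))
    print(accept_bound_key("192.0.2.10", msg))
    print(accept_bound_key("192.0.2.10", sign(1, header)))
```
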