Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits: 8f2aa9a5 by Salvatore Bonaccorso at 2020-08-24T20:20:15+02:00 Mark CVE-2020-14367/chrony as non-issue While problematic sourcewise up to the fixed version in Debian the issue is mitigated by not using /run/chrony/chronyd.pid for the pidfile as the pidfile location in stretch used the default /var/run/chronyd.pid and later versions override the setting to /run/chronyd.pid. - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -21525,11 +21525,13 @@ CVE-2020-14368 RESERVED CVE-2020-14367 [Insecure writing to PID file] RESERVED - - chrony 3.5.1-1 + - chrony 3.5.1-1 (unimportant) NOTE: https://www.openwall.com/lists/oss-security/2020/08/21/1 NOTE: Fixed by: https://git.tuxfamily.org/chrony/chrony.git/commit/util.c?id=7a4c396bba8f92a3ee8018620983529152050c74 (4.0-pre1) NOTE: Fixed by: https://git.tuxfamily.org/chrony/chrony.git/commit/main.c?id=e18903a6b56341481a2e08469c0602010bf7bfe3 (4.0-pre1) NOTE: Minimal backport: https://git.tuxfamily.org/chrony/chrony.git/commit/?id=f00fed20092b6a42283f29c6ee1f58244d74b545 (3.5.1) + NOTE: Debian packaging relocates chronyd.pid as well to /run since 3.1-3 + NOTE: additionally mitigating the issue. Earlier versions used /var/run/chronyd.pid. CVE-2020-14366 RESERVED CVE-2020-14365 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f2aa9a554520cba7b12432d233745e24d91f616 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f2aa9a554520cba7b12432d233745e24d91f616 You're receiving this email because of your account on salsa.debian.org.
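Review bot: The two added NOTE lines at the end of the CVE-2020-14367 entry say the pidfile is relocated "to /run" and is "additionally mitigating the issue", but they omit the detail the commit message relies on: the problematic location is /run/chrony/chronyd.pid, while stretch used the default /var/run/chronyd.pid and later versions override the setting to /run/chronyd.pid. The (unimportant) tag on the "- chrony 3.5.1-1" line rests on exactly that reasoning, so the NOTE should spell out the full paths, letting the entry justify the tag without the commit log. Consider also dropping "as well" and "additionally", which imply a further mitigation that the entry never names.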