[Secure-testing-team] Bug#782160: chrony: Multiple issues: CVE-2015-1821 CVE-2015-1822 CVE-2015-1853
Salvatore Bonaccorso
carnil at debian.org
Wed Apr 8 18:07:12 UTC 2015
Source: chrony
Version: 1.30-1
Severity: grave
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerabilities were published for chrony. Note that I
chose severity grave, since two CVEs seem to potentially be
exploited to execute arbitrary code and chronyd is running as root.
Please lower the severity if you don't agree (I don't know chrony very
well):
CVE-2015-1821[0]:
Heap out of bound write in address filter
CVE-2015-1822[1]:
uninitialized pointer in cmdmon reply slots
CVE-2015-1853[2]:
authentication doesn't protect symmetric associations against DoS attacks
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-1821
[1] https://security-tracker.debian.org/tracker/CVE-2015-1822
[2] https://security-tracker.debian.org/tracker/CVE-2015-1853
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore