Processed: Re: Bug#782175: Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net

2015-04-09 Thread Debian Bug Tracking System
Processing control commands:

 tags -1 confirmed moreinfo
Bug #782175 [release.debian.org] Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net
Added tag(s) confirmed and moreinfo.

-- 
782175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems


--
To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/handler.s.b782175.142856174213910.transcr...@bugs.debian.org



Bug#782175: Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net

2015-04-09 Thread Niels Thykier
Control: tags -1 confirmed moreinfo

On 2015-04-09 01:36, Joachim Wiedorn wrote:
 Package: release.debian.org
 Severity: important
 User: release.debian@packages.debian.org
 Usertags: unblock
 
 Hello release team,
 
 because of three CVE security messages I have made an updated package
 of chrony which is now on mentors.debian.net.
 
 Please unblock package chrony/1.30-2.
 
 The RFS can be seen here:
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782173
 
 
 [...]
 
 
 Details are in the attached debdiff.
 
 Please unblock package chrony/1.30-2.
 
 Many thanks for your work,
 
 ---
 Have a nice day.
 
 Joachim (Germany)
 

Approved, provided it is uploaded in time to reach Jessie before the
quiet period.  Please let us know once it has reached unstable.

Thanks,
~Niels


-- 
Archive: https://lists.debian.org/55261f36.5060...@thykier.net



Bug#782175: Unblock: chrony/1.30-2 [RC] -- RFS at mentors.debian.net

2015-04-08 Thread Joachim Wiedorn
Package: release.debian.org
Severity: important
User: release.debian@packages.debian.org
Usertags: unblock

Hello release team,

because of three CVE security messages I have made an updated package
of chrony which is now on mentors.debian.net.

Please unblock package chrony/1.30-2.

The RFS can be seen here:
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782173


The updated package fixes three RC bugs:

  * It includes the following security fixes (Closes: #782160):
- Fix CVE-2015-1853: Protect authenticated symmetric NTP
 associations against DoS attacks.
- Fix CVE-2015-1821: Fix access configuration with subnet
 size indivisible by 4.
- Fix CVE-2015-1822: Fix initialization of reply slots for
 authenticated commands.


Details are in the attached debdiff.

Please unblock package chrony/1.30-2.

Many thanks for your work,

---
Have a nice day.

Joachim (Germany)
diff -urN d10/debian/changelog d14/debian/changelog
--- d10/debian/changelog	2014-08-10 19:10:56.0 +0200
+++ d14/debian/changelog	2015-04-09 00:31:10.0 +0200
@@ -1,3 +1,19 @@
+chrony (1.30-2) unstable; urgency=medium
+
+  * New upstream release.
+  * It includes the following security fixes (Closes: #782160):
+- Fix CVE-2015-1853: Protect authenticated symmetric NTP
+ associations against DoS attacks.
+- Fix CVE-2015-1821: Fix access configuration with subnet
+ size indivisible by 4.
+- Fix CVE-2015-1822: Fix initialization of reply slots for
+ authenticated commands.
+  * debian/control:
+   - Update e-mail address of myself.
+   - Add Vincent Blut as co-maintainer.
+
+ -- Joachim Wiedorn joodeb...@joonet.de  Thu, 09 Apr 2015 00:06:34 +0200
+
 chrony (1.30-1) unstable; urgency=medium
 
   * New upstream release with following bugfixes:
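Review bot: the first bullet of the 1.30-2 entry, "* New upstream release.", is inaccurate for this revision: the upstream version stays at 1.30 and the change consists of the added debian/patches entry (11_protect-authenticated-symmetric-ass.patch appears further down in this debdiff) plus the debian/control edits. Reword it to something like "* Add upstream patches for the following security fixes (Closes: #782160):" and fold the three CVE lines under it, so the changelog does not claim an upstream bump that the version number contradicts. The urgency is also left at medium; for a freeze-time upload carrying three CVE fixes, urgency=high is the customary signal.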
diff -urN d10/debian/control d14/debian/control
--- d10/debian/control	2014-08-08 20:40:03.0 +0200
+++ d14/debian/control	2015-04-09 00:05:48.0 +0200
@@ -1,7 +1,8 @@
 Source: chrony
 Section: admin
 Priority: extra
-Maintainer: Joachim Wiedorn ad_deb...@joonet.de
+Maintainer: Joachim Wiedorn joodeb...@joonet.de
+Uploaders: Vincent Blut vincent.deb...@free.fr
 Standards-Version: 3.9.5
 Build-Depends: debhelper (= 9),
  texinfo, bison,
diff -urN d10/debian/patches/11_protect-authenticated-symmetric-ass.patch d14/debian/patches/11_protect-authenticated-symmetric-ass.patch
--- d10/debian/patches/11_protect-authenticated-symmetric-ass.patch	1970-01-01 01:00:00.0 +0100
+++ d14/debian/patches/11_protect-authenticated-symmetric-ass.patch	2015-04-08 23:50:45.0 +0200
@@ -0,0 +1,72 @@
+From d856bd34c4862398411d29200520e3a3b1d4569e Mon Sep 17 00:00:00 2001
+From: Miroslav Lichvar mlich...@redhat.com
+Date: Thu, 5 Mar 2015 12:44:30 +0100
+Subject: ntp: protect authenticated symmetric associations against DoS attacks
+
+An attacker knowing that NTP hosts A and B are peering with each other
+(symmetric association) can send a packet with random timestamps to host
+A with source address of B which will set the NTP state variables on A
+to the values sent by the attacker. Host A will then send on its next
+poll to B a packet with originate timestamp that doesn't match the
+transmit timestamp of B and the packet will be dropped. If the attacker
+does this periodically for both hosts, they won't be able to synchronize
+to each other. It is a denial-of-service attack.
+
+According to [1], NTP authentication is supposed to protect symmetric
+associations against this attack, but in the NTPv3 (RFC 1305) and NTPv4
+(RFC 5905) specifications the state variables are updated before the
+authentication check is performed, which means the association is
+vulnerable to the attack even when authentication is enabled.
+
+To fix this problem, save the originate and local timestamps only when
+the authentication check (test5) passed.
+
+[1] https://www.eecis.udel.edu/~mills/onwire.html
+
+diff --git a/ntp_core.c b/ntp_core.c
+index ebb6a7c..e654c88 100644
+--- a/ntp_core.c
 b/ntp_core.c
+@@ -914,9 +914,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+ 
+   /*  */
+ 
+-  /* Save local receive timestamp */
+-  inst-local_rx = *now;
+-
+   pkt_leap = (message-lvm  6)  0x3;
+   if (pkt_leap == 0x3) {
+ source_is_synchronized = 0;
+@@ -948,14 +945,6 @@ receive_packet(NTP_Packet *message, struct timeval *now, double now_err, NCR_Ins
+ test2 = 1; /* Success */
+   }
+ 
+-  /* Regardless of any validity checks we apply, we are required to
+- save this field from the packet into the ntp source
+- instance record.  See RFC1305 section 3.4.4, peer.org - pkt.xmt
+-  peer.peerpoll - pkt.poll.  Note we can't do this assignment
+- before test1 has been carried out!! */
+-
+-  inst-remote_orig = message-transmit_ts;
+-
+   /* Test 3 requires that pkt.org
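Review bot: the commit message (lines "To fix this problem, save the originate and local timestamps only when the authentication check (test5) passed.") promises that the two saves removed here are re-added after test5, but the visible part of this 72-line hunk only shows the removals (`inst-local_rx = *now;` and `inst-remote_orig = message-transmit_ts;`) and stops at "/* Test 3 requires that pkt.org"; confirm that the rest of the file in the source package contains the post-test5 assignments, otherwise the originate timestamp is never recorded and every subsequent reply from the peer would fail the originate check. As pasted, the patch has also lost characters: `inst-local_rx`, `(message-lvm  6)  0x3` and the file header ` b/ntp_core.c` (missing `++++`) are not valid C or unified-diff text, so verify that the file in debian/patches is byte-identical to upstream commit d856bd34c4862398411d29200520e3a3b1d4569e and that it applies cleanly to the 1.30 tree with `quilt push -a`. Finally, the git-style From/Date/Subject header is accepted as DEP-3, but adding `Origin: upstream, <commit URL>` and `Bug-Debian: https://bugs.debian.org/782160` would make the provenance explicit for the release team.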