" 20 Jan 2016: chrony-2.2.1 and chrony-1.31.2 released Security fixes Restrict authentication of NTP server/peer to specified key (CVE-2016-1567) CVE-2016-1567: Impersonation between authenticated peers When a server/peer was specified with a key number to enable authentication with a symmetric key, packets received from the server/peer were accepted if they were authenticated with any of the keys contained in the key file and not just the specified key. This allowed an attacker who knew one key of a client/peer to modify packets from its servers/peers that were authenticated with other keys in a man-in-the-middle (MITM) attack. For example, in a network where each NTP association had a separate key and all hosts had only keys they needed, a client of a server could not attack other clients of the server, but it could attack the server and also attack its own clients (i.e. modify packets from other servers). To not allow the server/peer to be authenticated with other keys, the authentication test was extended to check if the key ID in the received packet is equal to the configured key number. As a consequence, it’s no longer possible to authenticate two peers to each other with two different keys, both peers have to be configured to use the same key. This issue was discovered by Matt Street of Cisco ASIG. "
Arch teams, please test and mark stable: =net-misc/chrony-2.2.1 Targeted stable KEYWORDS : amd64 hppa ppc ppc64 sparc x86
Stable for HPPA PPC64.
amd64 stable
x86 stable
ppc stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2016-1567 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1567): chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
GLSA Vote: No
