Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-742-1 chrony

Debian Security Advisory

DLA-742-1 chrony -- LTS security update

Date Reported:

13 Dec 2016

Affected Packages:

chrony

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 812923, Bug 568492.
In Mitre's CVE dictionary: CVE-2016-1567.

More information:

It was discovered that Chrony, a versatile implementation of the Network Time Protocol, did not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

This update also resolves Debian bug #568492.

For Debian 7 Wheezy, these problems have been fixed in version 1.24-3.1+deb7u4.

We recommend that you upgrade your chrony packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS