chrony-2.4.1-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10345 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z chrony-2.4.1-1.1 on GA media These are all security issues fixed in the chrony-2.4.1-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10345 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10345 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2012-4502/ SUSE CVE CVE-2012-4502 page https://www.suse.com/security/cve/CVE-2012-4503/ SUSE CVE CVE-2012-4503 page https://www.suse.com/security/cve/CVE-2014-0021/ SUSE CVE CVE-2014-0021 page https://www.suse.com/security/cve/CVE-2016-1567/ SUSE CVE CVE-2016-1567 page openSUSE Tumbleweed chrony-2.4.1-1.1 chrony-2.4.1-1.1 as a component of openSUSE Tumbleweed Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) RPY_CLIENT_ACCESSES, (5) RPY_CLIENT_ACCESSES_BY_INDEX, or (6) RPY_MANUAL_LIST command reply to the PKL_ReplyLength function, which triggers an out-of-bounds read or buffer overflow. NOTE: versions 1.27 and 1.28 do not require authentication to exploit. CVE-2012-4502 openSUSE Tumbleweed:chrony-2.4.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4502.html CVE-2012-4502 cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply. CVE-2012-4503 openSUSE Tumbleweed:chrony-2.4.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-4503.html CVE-2012-4503 Chrony before 1.29.1 has traffic amplification in cmdmon protocol CVE-2014-0021 openSUSE Tumbleweed:chrony-2.4.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0021.html CVE-2014-0021 chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." CVE-2016-1567 openSUSE Tumbleweed:chrony-2.4.1-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-1567.html CVE-2016-1567