DSA-3222-1 chrony -- chronyID: oval:org.secpod.oval:def:602039 | Date: (C)2015-04-14 (M)2023-02-20 |
Class: PATCH | Family: unix |
Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony, an alternative NTP client and server: CVE-2015-1821 Using particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service or execute arbitrary code. CVE-2015-1822 When allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service or execute arbitrary code. CVE-2015-1853 When peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.