Current version in ports is vulnerable to the following issues Protect authenticated symmetric NTP associations against DoS attacks (CVE-2015-1853) Fix access configuration with subnet size indivisible by 4 (CVE-2015-1821) Fix initialization of reply slots for authenticated commands (CVE-2015-1822) Update to 1.31.1
A commit references this bug: Author: jbeich Date: Sat Apr 18 09:27:52 UTC 2015 New revision: 384214 URL: https://svnweb.freebsd.org/changeset/ports/384214 Log: Document chrony multiple vulnerabilites. PR: 199508 Changes: head/security/vuxml/vuln.xml
I've marked current version vulnerable, so the users are aware. It's up to the reporter, maintainer or any other interested party to provide update.
I added two characters to the Makefile and ran 'make makesum'. Index: Makefile =================================================================== --- Makefile (revision 386406) +++ Makefile (working copy) @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= chrony -PORTVERSION= 1.31 +PORTVERSION= 1.31.1 CATEGORIES= net MASTER_SITES= http://download.tuxfamily.org/chrony/ Index: distinfo =================================================================== --- distinfo (revision 386406) +++ distinfo (working copy) @@ -1,2 +1,2 @@ -SHA256 (chrony-1.31.tar.gz) = a35e1cae46ecbe14af2023bb47a72a03d79591b2ff65f0072b3400153224996d -SIZE (chrony-1.31.tar.gz) = 395742 +SHA256 (chrony-1.31.1.tar.gz) = 0ba9f4b58e20b2eaae921eb8c798108ef72d8ea6fdcc7eb0167b56690d212348 +SIZE (chrony-1.31.1.tar.gz) = 395797
Created attachment 157057 [details] Patch for net/chrony security update from 1.31 to 1.31.1 Change log: - Update to 1.31.1 to resolve CVE-2015-1799, CVE-2015-1821, and CVE-2015-1822 - Regenerate patches with `make makepatch` to quiet portlint - Strip binaries Details: Item 2 -- portlint error on patches resolved by patch: WARN: /basejail/usr/ports/net/chrony/files/patch-examples-chrony.conf.example: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' to ensure proper patch format. WARN: /basejail/usr/ports/net/chrony/files/patch-examples-chrony.conf.example2: patch was not generated using ``make makepatch''. It is recommended to use ``make makepatch'' to ensure proper patch format. 0 fatal errors and 2 warnings found. Item 3 -- Poudriere testport error resolved by patch (gmake errors out on install-strip so just use STRIP_CMD for both binaries): Warning: 'bin/chronyc' is not stripped consider trying INSTALL_TARGET=install-strip or using ${STRIP_CMD} Warning: 'sbin/chronyd' is not stripped consider trying INSTALL_TARGET=install-strip or using ${STRIP_CMD}
Created attachment 157058 [details] Poudriere Build Logs from 10.1-RELEASE amd64 Can a committer evaluate applying this on the basis of maintainer timeout? 3 CVEs still affect the port. PR has been open a month with no comment from maintainer. Major/minor release is the same and upstream only resolved the 3 CVEs in this release and bumped the patch level version. Build time tested on 11-CURRENT amd64/i386, 10.1-RELEASE amd64/i386, 9.3-RELEASE amd64/i386, and 8.4-RELEASE amd64 Run time tested on 10.1-RELEASE Jason
testing@work
A commit references this bug: Author: pi Date: Sat May 23 18:59:13 UTC 2015 New revision: 387180 URL: https://svnweb.freebsd.org/changeset/ports/387180 Log: net/chrony: 1.31 -> 1.31.1 - Update to 1.31.1 to resolve CVE-2015-1799, CVE-2015-1821, and CVE-2015-1822 - Regenerate patches with `make makepatch` to quiet portlint - Strip binaries PR: 199508 Submitted by: Jason Unovitch <jason.unovitch@gmail.com> Approved by: masaki@club.kyutech.ac.jp (maintainer timeout) Changes: head/net/chrony/Makefile head/net/chrony/distinfo head/net/chrony/files/patch-examples-chrony.conf.example head/net/chrony/files/patch-examples-chrony.conf.example2
Testbuild on 10.1a, 9.3a, 8.4i done, looks fine. Committed, thanks very much!
A commit references this bug: Author: pi Date: Sat May 30 17:55:06 UTC 2015 New revision: 387976 URL: https://svnweb.freebsd.org/changeset/ports/387976 Log: net/chrony: Security update to 1.31.1 MFH: r387180 PR: 199508 Security: CVE-2015-1799, CVE-2015-1821, CVE-2015-1822 Approved by: ports-secteam Changes: branches/2015Q2/net/chrony/Makefile branches/2015Q2/net/chrony/distinfo branches/2015Q2/net/chrony/files/patch-examples-chrony.conf.example branches/2015Q2/net/chrony/files/patch-examples-chrony.conf.example2