Bug 199508 - net/chrony: update to 1.31 to fix multiple security vulnerabilities
Summary: net/chrony: update to 1.31 to fix multiple security vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Some People
Assignee: Kurt Jaeger
URL:
Keywords: needs-patch, security
Depends on:
Blocks:
 
Reported: 2015-04-18 01:09 UTC by Sevan Janiyan
Modified: 2015-05-30 17:55 UTC (History)
4 users (show)

See Also:
bugzilla: maintainer-feedback? (masaki)


Attachments
Patch for net/chrony security update from 1.31 to 1.31.1 (2.85 KB, patch)
2015-05-22 20:45 UTC, Jason Unovitch
no flags Details | Diff
Poudriere Build Logs from 10.1-RELEASE amd64 (20.06 KB, text/x-log)
2015-05-22 20:51 UTC, Jason Unovitch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-04-18 01:09:43 UTC
Current version in ports is vulnerable to the following issues
Protect authenticated symmetric NTP associations against DoS attacks (CVE-2015-1853)
Fix access configuration with subnet size indivisible by 4 (CVE-2015-1821)
Fix initialization of reply slots for authenticated commands (CVE-2015-1822)

Update to 1.31.1
Comment 1 commit-hook freebsd_committer 2015-04-18 09:28:27 UTC
A commit references this bug:

Author: jbeich
Date: Sat Apr 18 09:27:52 UTC 2015
New revision: 384214
URL: https://svnweb.freebsd.org/changeset/ports/384214

Log:
  Document chrony multiple vulnerabilites.

  PR:		199508

Changes:
  head/security/vuxml/vuln.xml
Comment 2 Jan Beich freebsd_committer 2015-04-18 09:31:33 UTC
I've marked current version vulnerable, so the users are aware.
It's up to the reporter, maintainer or any other interested party to provide update.
Comment 3 Kevin Thompson 2015-05-15 14:02:32 UTC
I added two characters to the Makefile and ran 'make makesum'.


Index: Makefile
===================================================================
--- Makefile    (revision 386406)
+++ Makefile    (working copy)
@@ -2,7 +2,7 @@
 # $FreeBSD$

 PORTNAME=      chrony
-PORTVERSION=   1.31
+PORTVERSION=   1.31.1
 CATEGORIES=    net
 MASTER_SITES=  http://download.tuxfamily.org/chrony/

Index: distinfo
===================================================================
--- distinfo    (revision 386406)
+++ distinfo    (working copy)
@@ -1,2 +1,2 @@
-SHA256 (chrony-1.31.tar.gz) = a35e1cae46ecbe14af2023bb47a72a03d79591b2ff65f0072b3400153224996d
-SIZE (chrony-1.31.tar.gz) = 395742
+SHA256 (chrony-1.31.1.tar.gz) = 0ba9f4b58e20b2eaae921eb8c798108ef72d8ea6fdcc7eb0167b56690d212348
+SIZE (chrony-1.31.1.tar.gz) = 395797
Comment 4 Jason Unovitch freebsd_committer 2015-05-22 20:45:27 UTC
Created attachment 157057 [details]
Patch for net/chrony security update from 1.31 to 1.31.1

Change log:
- Update to 1.31.1 to resolve CVE-2015-1799, CVE-2015-1821, and CVE-2015-1822
- Regenerate patches with `make makepatch` to quiet portlint
- Strip binaries

Details:
Item 2 -- portlint error on patches resolved by patch:
WARN: /basejail/usr/ports/net/chrony/files/patch-examples-chrony.conf.example: patch was not generated using ``make makepatch''.  It is recommended to use ``make makepatch'' to ensure proper patch format.
WARN: /basejail/usr/ports/net/chrony/files/patch-examples-chrony.conf.example2: patch was not generated using ``make makepatch''.  It is recommended to use ``make makepatch'' to ensure proper patch format.
0 fatal errors and 2 warnings found.

Item 3 -- Poudriere testport error resolved by patch (gmake errors out on install-strip so just use STRIP_CMD for both binaries):
Warning: 'bin/chronyc' is not stripped consider trying INSTALL_TARGET=install-strip or using ${STRIP_CMD}
Warning: 'sbin/chronyd' is not stripped consider trying INSTALL_TARGET=install-strip or using ${STRIP_CMD}
Comment 5 Jason Unovitch freebsd_committer 2015-05-22 20:51:12 UTC
Created attachment 157058 [details]
Poudriere Build Logs from 10.1-RELEASE amd64

Can a committer evaluate applying this on the basis of maintainer timeout? 3 CVEs still affect the port. PR has been open a month with no comment from maintainer. Major/minor release is the same and upstream only resolved the 3 CVEs in this release and bumped the patch level version.

Build time tested on 11-CURRENT amd64/i386, 10.1-RELEASE amd64/i386, 9.3-RELEASE amd64/i386, and 8.4-RELEASE amd64

Run time tested on 10.1-RELEASE

Jason
Comment 6 Kurt Jaeger freebsd_committer 2015-05-23 18:44:02 UTC
testing@work
Comment 7 commit-hook freebsd_committer 2015-05-23 18:59:37 UTC
A commit references this bug:

Author: pi
Date: Sat May 23 18:59:13 UTC 2015
New revision: 387180
URL: https://svnweb.freebsd.org/changeset/ports/387180

Log:
  net/chrony: 1.31 -> 1.31.1

  - Update to 1.31.1 to resolve CVE-2015-1799, CVE-2015-1821, and CVE-2015-1822
  - Regenerate patches with `make makepatch` to quiet portlint
  - Strip binaries

  PR:		199508
  Submitted by:	Jason Unovitch <jason.unovitch@gmail.com>
  Approved by:	masaki@club.kyutech.ac.jp (maintainer timeout)

Changes:
  head/net/chrony/Makefile
  head/net/chrony/distinfo
  head/net/chrony/files/patch-examples-chrony.conf.example
  head/net/chrony/files/patch-examples-chrony.conf.example2
Comment 8 Kurt Jaeger freebsd_committer 2015-05-23 19:00:24 UTC
Testbuild on 10.1a, 9.3a, 8.4i done, looks fine.

Committed, thanks very much!
Comment 9 commit-hook freebsd_committer 2015-05-30 17:55:10 UTC
A commit references this bug:

Author: pi
Date: Sat May 30 17:55:06 UTC 2015
New revision: 387976
URL: https://svnweb.freebsd.org/changeset/ports/387976

Log:
  net/chrony: Security update to 1.31.1

  MFH: r387180

  PR:		199508
  Security:	CVE-2015-1799, CVE-2015-1821, CVE-2015-1822
  Approved by:	ports-secteam

Changes:
  branches/2015Q2/net/chrony/Makefile
  branches/2015Q2/net/chrony/distinfo
  branches/2015Q2/net/chrony/files/patch-examples-chrony.conf.example
  branches/2015Q2/net/chrony/files/patch-examples-chrony.conf.example2