Name | CVE-2016-1567 |
Description | chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DLA-414-1, DLA-742-1 |
Debian Bugs | 812923 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
chrony (PTS) | jessie | 1.30-2+deb8u2 | fixed |
chrony (PTS) | stretch | 3.0-4+deb9u2 | fixed |
chrony (PTS) | buster | 3.4-4+deb10u2 | fixed |
chrony (PTS) | bullseye | 4.0-8+deb11u2 | fixed |
chrony (PTS) | bookworm | 4.3-2+deb12u1 | fixed |
chrony (PTS) | sid, trixie | 4.6.1-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
chrony | source | squeeze | 1.24-3+squeeze3 | | DLA-414-1 | |
chrony | source | wheezy | 1.24-3.1+deb7u4 | | DLA-742-1 | |
chrony | source | jessie | 1.30-2+deb8u2 | | | |
chrony | source | (unstable) | 2.2.1-1 | low | | 812923 |
http://www.talosintel.com/reports/TALOS-2016-0071/
http://chrony.tuxfamily.org/news.html#_20_jan_2016_chrony_2_2_1_and_chrony_1_31_2_released
Fix for 2.x http://git.tuxfamily.org/chrony/chrony.git/commit/?id=a78bf9725a7b481ebff0e0c321294ba767f2c1d8
Fix for 1.x http://git.tuxfamily.org/chrony/chrony.git/commit/?h=1.31-security&id=df46e5ca5d70be1c0ae037f96b4b038362703832