rpm package
opensuse/chrony&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/chrony&distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-14367 | Med | 6.0 | < 4.1-5.2 | 4.1-5.2 | Aug 24, 2020 | A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link wi | |
| CVE-2014-0021 | Hig | 7.5 | < 2.4.1-1.1 | 2.4.1-1.1 | Nov 15, 2019 | Chrony before 1.29.1 has traffic amplification in cmdmon protocol | |
| CVE-2016-1567 | Hig | 8.1 | < 2.4.1-1.1 | 2.4.1-1.1 | Jan 26, 2016 | chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | |
| CVE-2012-4503 | — | < 2.4.1-1.1 | 2.4.1-1.1 | Nov 5, 2013 | cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the | ||
| CVE-2012-4502 | — | < 2.4.1-1.1 | 2.4.1-1.1 | Nov 5, 2013 | Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4) |
- affected < 4.1-5.2fixed 4.1-5.2
A flaw was found in chrony versions before 3.5.1 when creating the PID file under the /var/run/chrony folder. The file is created during chronyd startup while still running as the root user, and when it's opened for writing, chronyd does not check for an existing symbolic link wi
- affected < 2.4.1-1.1fixed 2.4.1-1.1
Chrony before 1.29.1 has traffic amplification in cmdmon protocol
- affected < 2.4.1-1.1fixed 2.4.1-1.1
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
- CVE-2012-4503Nov 5, 2013affected < 2.4.1-1.1fixed 2.4.1-1.1
cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the
- CVE-2012-4502Nov 5, 2013affected < 2.4.1-1.1fixed 2.4.1-1.1
Multiple integer overflows in pktlength.c in Chrony before 1.29 allow remote attackers to cause a denial of service (crash) via a crafted (1) REQ_SUBNETS_ACCESSED or (2) REQ_CLIENT_ACCESSES command request to the PKL_CommandLength function or crafted (3) RPY_SUBNETS_ACCESSED, (4)