FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
719f06af-e45e-11ea-95a1-c3b8167b8026	chrony <= 3.5.1 data corruption through symlink vulnerability writing the pidfile Miroslav Lichvar reports: chrony-3.5.1 [...] fixes a security issue in writing of the pidfile. When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss. This issue was reported by Matthias Gerstner of SUSE. Discovery 2020-08-06 Entry 2020-08-22 chrony lt 3.5.1 https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html CVE-2020-14367
c4571ca8-053d-44c9-ab3c-89b1372ad0a5	chrony -- multiple vulnerabilities Chrony News reports: CVE-2015-1853: DoS attack on authenticated symmetric NTP associations CVE-2015-1821: Heap-based buffer overflow in access configuration CVE-2015-1822: Use of uninitialized pointer in command processing Discovery 2015-02-17 Entry 2015-04-18 chrony lt 1.31.1 http://chrony.tuxfamily.org/News.html CVE-2015-1821 CVE-2015-1822 CVE-2015-1853

VuXML ID

Description

719f06af-e45e-11ea-95a1-c3b8167b8026

chrony <= 3.5.1 data corruption through symlink vulnerability writing the pidfile

Miroslav Lichvar reports:

chrony-3.5.1 [...] fixes a security issue in writing of the pidfile.

When chronyd is configured to save the pidfile in a directory where the chrony user has write permissions (e.g. /var/run/chrony - the default since chrony-3.4), an attacker that compromised the chrony user account could create a symbolic link at the location of the pidfile to make chronyd starting with root privileges follow the symlink and write its process ID to a file for which the chrony user doesn't have write permissions, causing a denial of service, or data loss.

This issue was reported by Matthias Gerstner of SUSE.

Discovery 2020-08-06
Entry 2020-08-22
chrony

lt 3.5.1

https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-announce/2020/08/msg00000.html
CVE-2020-14367

c4571ca8-053d-44c9-ab3c-89b1372ad0a5

chrony -- multiple vulnerabilities

Chrony News reports:

CVE-2015-1853: DoS attack on authenticated symmetric NTP associations

CVE-2015-1821: Heap-based buffer overflow in access configuration

CVE-2015-1822: Use of uninitialized pointer in command processing

Discovery 2015-02-17
Entry 2015-04-18
chrony

lt 1.31.1

http://chrony.tuxfamily.org/News.html
CVE-2015-1821
CVE-2015-1822
CVE-2015-1853