Upstream information

CVE-2012-4503 at MITRE

Description

cmdmon.c in Chrony before 1.29 allows remote attackers to obtain potentially sensitive information from stack memory via vectors related to (1) an invalid subnet in a RPY_SUBNETS_ACCESSED command to the handle_subnets_accessed function or (2) a RPY_CLIENT_ACCESSES command to the handle_client_accesses function when client logging is disabled, which causes uninitialized data to be included in a reply.

SUSE information

Overall state of this security issue: Ignore

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 5
Vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None
No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Module for Basesystem 15
  • chrony >= 3.2-7.19
Patchnames:
SUSE Linux Enterprise Module for Basesystem 15 GA chrony
SUSE Linux Enterprise Server 12 SP2
  • chrony >= 2.3-3.110
Patchnames:
SUSE Linux Enterprise Server 12 SP2 GA chrony
SUSE Linux Enterprise Server 12 SP3
  • chrony >= 2.3-3.110
Patchnames:
SUSE Linux Enterprise Server 12 SP3 GA chrony
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2
  • chrony >= 2.3-3.110
Patchnames:
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 GA chrony
openSUSE Leap 15.0
  • chrony >= 3.2-lp150.5.5
Patchnames:
openSUSE Leap 15.0 GA chrony
openSUSE Tumbleweed
  • chrony >= 2.4.1-1.1
Patchnames:
openSUSE Tumbleweed GA chrony