New in version 1.29
August 9th, 2013
- Two security vulnerabilities were fixed: a crash when processing crafted commands (CVE-2012-4502) and uninitialized data sent in command replies (CVE-2012-4503).
New in version 1.27 (February 2nd, 2013)
- Support for stronger authentication via NSS or libtomcrypt has been added, reports printed by chronyc have been extended, and other improvements and bugfixes have been made.
New in version 1.26 (July 14th, 2011)
- Compatibility with Linux kernel 3.0 was added, replying on multi-homed IPv6 hosts was fixed, and other minor bugfixes and improvements were made.
New in version 1.24 (February 10th, 2010)
- Several vulnerabilities have been discovered in chronyd. These bugs can be exploited for a remote denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
- chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message. This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.
- FIX: Don't reply to invalid cmdmon packets
- The client logging facility doesn't limit memory which is used to keep informations about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed.
- FIX: Limit client log memory size
- There are several ways that an attacker can make chronyd log messages and possibly fill up disk space. The rate for these messages should be limited.
- FIX: Limit rate of syslog messages
- These bugs have been fixed in the new Chrony 1.24 release and in Chrony 1.23.1, both available for download at the download area. Patches are here, here, and here.
- We recommend that you upgrade your Chrony package to version 1.24. If you cannot upgrade because you need compatibility with the old cmdmon protocol upgrade to 1.23.1. Upgrade via your distribution's repositories if possible: they should have patched versions available shortly.