Projects / chrony / Comments

Comments for chrony

09 Feb 2010 15:56 jhasler

Chrony 1.24 is now available. It includes the following improvements and
new features:

* Support for reference clocks (SHM, SOCK, PPS drivers)
* IPv6 support
* Linux capabilities support (to drop root privileges)
* Memory locking support on Linux
* Real-time scheduler support on Linux
* Leap second support on Linux
* Support for editline
* Many bug fixes and improvements

This is suitable for production use.

Download the tarball from the "Download" page at
<http://chrony.tuxfamily.org>.

09 Feb 2010 15:56 jhasler

------------------------------------------------------------------------
Chrony Security Advisory jhasler@chrony.tuxfamily.org
http://www.chrony.tuxfamily.org
February 04, 2010
------------------------------------------------------------------------

Package : chrony
Vulnerability : denial of service
Problem type : remote
Version-specific: no
CVE IDs : CVE-2010-0292 CVE-2010-0293 CVE-2010-0294

Several vulnerabilities have been discovered in chronyd, the Chrony NTP
server/client. These bugs can be exploited for a remote denial of service.
The Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2010-0292
chronyd replies to all cmdmon packets from unauthorized hosts with
NOHOSTACCESS message. This can be used to create a loop between two chrony
daemons which don't allow cmdmon access from each other by sending a packet
with spoofed source address and port. This will cause high CPU, network and
syslog usage.

FIX: Don't reply to invalid cmdmon packets

CVE-2010-0293
The client logging facility doesn't limit memory which is used to keep
informations about clients. If chronyd is configured to allow access
from a large IP address range, an attacker can cause chronyd to
allocate large amount of memory by sending NTP or cmdmon packets with
spoofed source addresses. By default only 127.0.0.1 is allowed.

FIX: Limit client log memory size

CVE-2010-0294
There are several ways that an attacker can make chronyd log messages and
possibly fill up disk space. The rate for these messages should be limited.

FIX: Limit rate of syslog messages

These bugs have been fixed in the new Chrony 1.24 release and in Chrony
1.23.1, both available for download at http://www.chrony.tuxfamily.org.
Patches are available from the Git repository on the Web site.

We recommend that you upgrade your Chrony package to version 1.24. If you
cannot upgrade because you need compatibility with the old cmdmon protocol
upgrade to 1.23.1. Upgrade via your distribution's repositories if
possible: they should have patched versions available shortly.

Screenshot

Project Spotlight

ReciJournal

An open, cross-platform journaling program.

Screenshot

Project Spotlight

Veusz

A scientific plotting package.