Chrony News

• Home
• News
• Download
• FAQ
• Git
• Introduction
• Mailing Lists
• Manual

1 Feb 2013 : New Version Released

Chrony 1.27 is now available. It includes the following improvements:

• Added support for stronger authentication keys via NSS or libtomcrypt library
• Extended tracking, sources and activity reports printed by chronyc
• The daemon now waits in foreground until it is fully initialized
• Other bug fixes and improvements

This is a production release.

Download the tarball here.

13 July 2011 : New Version Released

Chrony 1.26 is now available. It includes the following improvements:

• Added compatibility with Linux 3.0 and later
• Fixed replying on multihomed IPv6 hosts
• Other minor bug fixes and improvements

This is a production release.

Download the tarball here.

4 May 2011 : New Version Released

Chrony 1.25 is now available. It includes the following improvements and new features:

• Improved accuracy with NTP sources and reference clocks
• Improved source selection and polling interval adjustment
• Delayed server name resolving
• Many bug fixes and improvements

This is a production release.

Download the tarball here.

4 February 2010: Security Advisory

Several vulnerabilities have been discovered in chronyd. These bugs can be exploited for a remote denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0292
chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message. This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.

FIX: Don't reply to invalid cmdmon packets

CVE-2010-0293
The client logging facility doesn't limit memory which is used to keep informations about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed.

FIX: Limit client log memory size

CVE-2010-0294
There are several ways that an attacker can make chronyd log messages and possibly fill up disk space. The rate for these messages should be limited.

FIX: Limit rate of syslog messages

These bugs have been fixed in the new Chrony 1.24 release and in Chrony 1.23.1, both available for download at the download area. Patches are here, here, and here.

We recommend that you upgrade your Chrony package to version 1.24. If you cannot upgrade because you need compatibility with the old cmdmon protocol upgrade to 1.23.1. Upgrade via your distribution's repositories if possible: they should have patched versions available shortly.

4 February 2010 : New Version Released

Chrony 1.24 is now available. It includes the following improvements and new features:

• Support for reference clocks (SHM, SOCK, PPS drivers)
• IPv6 support
• Linux capabilities support (to drop root privileges)
• Memory locking support on Linux
• Real-time scheduler support on Linux
• Leap second support on Linux
• Support for editline
• Many bug fixes and improvements

This is a production release.

Download the tarball here.