News

23 Jun 2015: chrony-2.1.1 released

Bug fixes

  • Fix clock stepping by integer number of seconds on Linux

22 Jun 2015: chrony-2.1 released

Enhancements

  • Add support for Mac OS X

  • Try to replace unreachable and falseticker servers/peers specified by name like pool sources

  • Add leaponly option to smoothtime directive to allow synchronised leap smear between multiple servers

  • Use specific reference ID when smoothing served time

  • Add smoothing command to report time smoothing status

  • Add smoothtime command to activate or reset time smoothing

Bug fixes

  • Fix crash in source selection with preferred sources

  • Fix resetting of time smoothing

  • Include packet precision in peer dispersion

  • Fix crash in chronyc on invalid command syntax

27 Apr 2015: chrony-2.0 released

Enhancements

  • Update to NTP version 4 (RFC 5905)

  • Add pool directive to specify pool of NTP servers

  • Add leapsecmode directive to select how to correct clock for leap second

  • Add smoothtime directive to smooth served time and enable leap smear

  • Add minsources directive to set required number of selectable sources

  • Add minsamples and maxsamples options for all sources

  • Add tempcomp configuration with list of points

  • Allow unlimited number of NTP sources, refclocks and keys

  • Allow unreachable sources to remain selected

  • Improve source selection

  • Handle offline sources as unreachable

  • Open NTP server port only when necessary (client access is allowed by allow directive/command or peer/broadcast is configured)

  • Change default bindcmdaddress to loopback address

  • Change default maxdelay to 3 seconds

  • Change default stratumweight to 0.001

  • Update adjtimex synchronisation status

  • Use system headers for adjtimex

  • Check for memory allocation errors

  • Reduce memory usage

  • Add configure options to compile without NTP, cmdmon, refclock support

  • Extend makestep command to set automatic clock stepping

Bug fixes

  • Add sanity checks for time and frequency offset

  • Don’t report synchronised status during leap second

  • Don’t combine reference clocks with close NTP sources

  • Fix accepting requests from configured sources

  • Fix initial fallback drift setting

7 Apr 2015: chrony-1.31.1 released

Security fixes

  • Protect authenticated symmetric NTP associations against DoS attacks (CVE-2015-1853)

  • Fix access configuration with subnet size indivisible by 4 (CVE-2015-1821)

  • Fix initialization of reply slots for authenticated commands (CVE-2015-1822)

CVE-2015-1853: DoS attack on authenticated symmetric NTP associations

An attacker who knows that NTP hosts A and B are peering with each other (symmetric association) can send a packet with random timestamps to host A with the source address of B, which will set the NTP state variables on A to the values sent by the attacker. On its next poll to B, host A will then send a packet whose originate timestamp doesn’t match the transmit timestamp of B, and the packet will be dropped. If the attacker does this periodically for both hosts, they won’t be able to synchronize to each other.

Authentication using a symmetric key can fully protect against this attack, but in implementations following the NTPv3 (RFC 1305) or NTPv4 (RFC 5905) specification the state variables were updated even when the authentication check failed and the association was not protected.
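The ordering problem described above, as an added illustration that is not chrony's code: a constructed model of one symmetric association in which the receiver either updates its state variables before the MAC check (the behaviour the advisory describes) or checks first and leaves the state untouched on failure. The packet and state structures, the FNV-1a "toy MAC" standing in for the real keyed digest, the shared key and the timestamp values are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of one symmetric NTP association, reduced to the fields
   the advisory talks about. Timestamps are plain 64-bit integers here. */
typedef struct {
    uint64_t org;     /* originate: the receiver's own xmt echoed back */
    uint64_t rec;     /* receive timestamp at the sender */
    uint64_t xmt;     /* transmit timestamp at the sender */
    uint64_t mac;     /* keyed digest over org/rec/xmt (toy, see below) */
} Packet;

typedef struct {
    uint64_t org;     /* last xmt received from the peer, echoed on next poll */
    uint64_t rec;     /* local time the last peer packet was received */
    uint64_t xmt;     /* our last transmit timestamp */
} PeerState;

/* FNV-1a step; a stand-in for the real MD5/SHA MAC, not a real MAC. */
static uint64_t fnv1a(uint64_t h, const void *data, size_t len) {
    const uint8_t *b = (const uint8_t *)data;
    for (size_t i = 0; i < len; i++) {
        h ^= b[i];
        h *= 1099511628211ULL;
    }
    return h;
}

uint64_t toy_mac(const uint8_t *key, size_t keylen, const Packet *p) {
    uint64_t h = fnv1a(14695981039346656037ULL, key, keylen);
    h = fnv1a(h, &p->org, sizeof p->org);
    h = fnv1a(h, &p->rec, sizeof p->rec);
    h = fnv1a(h, &p->xmt, sizeof p->xmt);
    return h;
}

/* Receive-side processing on host A. verify_first selects the behaviour:
   0: state variables are updated from the packet and the MAC result is only
      reported afterwards (the ordering the advisory describes);
   1: the MAC is checked first and a failing packet leaves the state untouched.
   now is the local receive time. Returns 1 if the packet was accepted. */
int process_packet(PeerState *st, const Packet *p, uint64_t now,
                   const uint8_t *key, size_t keylen, int verify_first) {
    int authentic = toy_mac(key, keylen, p) == p->mac;
    if (verify_first && !authentic)
        return 0;
    /* State update: remember what to echo back and when it arrived. */
    st->org = p->xmt;
    st->rec = now;
    return authentic;
}

/* Build the next poll packet from the current state (MAC omitted: the point
   is which originate timestamp goes out). */
Packet next_poll(PeerState *st, uint64_t now) {
    Packet out;
    memset(&out, 0, sizeof out);
    out.org = st->org;
    out.rec = st->rec;
    out.xmt = st->xmt = now;
    return out;
}

/* Peer-side check: B drops a packet whose org does not echo B's last xmt. */
int peer_accepts(uint64_t peer_last_xmt, const Packet *p) {
    return p->org == peer_last_xmt;
}

/* Scenario from the advisory: B sends a genuine packet, then a packet with
   random timestamps and a wrong MAC arrives claiming B's address.
   Returns 1 if A's next poll is still accepted by B. */
int run_scenario(int verify_first) {
    static const uint8_t key[] = "constructed-shared-key";  /* assumed key */
    PeerState a = {0, 0, 0};
    Packet genuine = {0, 500, 1000, 0};                      /* B's xmt is 1000 */
    genuine.mac = toy_mac(key, sizeof key - 1, &genuine);
    process_packet(&a, &genuine, 1005, key, sizeof key - 1, verify_first);

    Packet forged = {42, 4242, 777777, 0xdeadbeefULL};      /* random, wrong MAC */
    process_packet(&a, &forged, 1010, key, sizeof key - 1, verify_first);

    Packet poll = next_poll(&a, 2000);
    return peer_accepts(1000, &poll);
}
```

With verify_first set to 0 the forged packet is rejected, but A's org already holds the attacker's value and B drops the next poll; with verify_first set to 1 the state is only written by packets that pass the MAC check.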

CVE-2015-1821: Heap-based buffer overflow in access configuration

When NTP or cmdmon access was configured (from chrony.conf or via authenticated cmdmon) with a subnet size that is indivisible by 4 and an address that has nonzero bits in the 4-bit subnet remainder (e.g. 192.168.15.0/22 or f000::/3), the new setting was written to an incorrect location, possibly outside the allocated array.

An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.
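To make the index arithmetic concrete, here is an added model (not chrony's code) of an access table organised in 16-entry nodes, one entry per 4-bit chunk of the address. For a prefix length with remainder rem (mod 4), a subnet covers 16 >> rem consecutive entries of the node at depth prefix/4; the safe version clears the free low bits of the address nibble before using it as the first index, the defective variant uses the raw nibble and runs past the node for the two addresses named above. The node layout, function names and the sample addresses are assumptions made for the example; the model handles prefixes shorter than the address length, which is where the remainder matters.

```c
#include <stdint.h>
#include <string.h>

#define NIBBLES_PER_NODE 16

/* One node of a constructed access table: one entry per 4-bit address chunk. */
typedef struct {
    int entries[NIBBLES_PER_NODE];  /* 0 = unset, 1 = allow, 2 = deny */
} AccessNode;

/* Constructed sample addresses from the advisory text. */
const uint8_t SAMPLE_V4[4] = {192, 168, 15, 0};   /* 192.168.15.0 */
const uint8_t SAMPLE_V6[16] = {0xf0};             /* f000:: */

/* Nibble i (0 = most significant) of a big-endian address. */
static int nibble_at(const uint8_t *addr, int i) {
    uint8_t byte = addr[i / 2];
    return (i % 2 == 0) ? (byte >> 4) : (byte & 0x0f);
}

/* Depth of the node a subnet is written into. */
int subnet_depth(int prefix_len) { return prefix_len / 4; }

/* Number of entries a subnet occupies: 4 - rem free bits in the nibble. */
int subnet_entry_count(int prefix_len) {
    return NIBBLES_PER_NODE >> (prefix_len % 4);
}

/* First entry of the range. mask_remainder == 1 clears the free low bits of
   the nibble (safe); 0 uses the raw nibble, the defect class the advisory
   describes, so an address with nonzero remainder bits starts too far right. */
int subnet_first_entry(const uint8_t *addr, int prefix_len, int mask_remainder) {
    int nibble = nibble_at(addr, subnet_depth(prefix_len));
    int count = subnet_entry_count(prefix_len);
    return mask_remainder ? (nibble & ~(count - 1)) : nibble;
}

/* Write a subnet's entries into its node. Returns the number of entries set,
   -1 for a prefix the model does not cover, -2 if the range would leave the
   node (the out-of-bounds write in the unmasked variant). */
int apply_subnet(AccessNode *node, const uint8_t *addr, int addr_bits,
                 int prefix_len, int mask_remainder, int value) {
    if (prefix_len < 0 || prefix_len >= addr_bits)
        return -1;
    int first = subnet_first_entry(addr, prefix_len, mask_remainder);
    int count = subnet_entry_count(prefix_len);
    if (first + count > NIBBLES_PER_NODE)
        return -2;   /* bounds check the defective code lacked */
    for (int i = 0; i < count; i++)
        node->entries[first + i] = value;
    return count;
}

/* Convenience: apply to a zeroed node and return apply_subnet's result. */
int apply_to_fresh_node(const uint8_t *addr, int addr_bits,
                        int prefix_len, int mask_remainder) {
    AccessNode node;
    memset(&node, 0, sizeof node);
    return apply_subnet(&node, addr, addr_bits, prefix_len, mask_remainder, 1);
}
```

For 192.168.15.0/22 the sixth nibble is 0xf and the remainder is 2, so the safe range is entries 12 to 15; the raw nibble would start at 15 and need four entries. For f000::/3 the first nibble is 0xf with remainder 3: safe range 14 to 15, raw start 15 with two entries.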

CVE-2015-1822: Use of uninitialized pointer in command processing

When allocating memory to save unacknowledged replies to authenticated command requests, the last "next" pointer was not initialized to NULL. When all allocated reply slots were used, the next reply could be written to invalid memory instead of a newly allocated slot.

An attacker that has the command key and is allowed to access cmdmon (only localhost is allowed by default) could exploit this to crash chronyd or possibly execute arbitrary code with the privileges of the chronyd process.
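The following is an added model of the reply-slot list, not chrony's code: slots are allocated in blocks and chained, the writer walks the chain for a free slot and appends a block when it reaches the end. The block fills fresh memory with a pattern so that the effect of skipping the tail initialisation is deterministic, and checks the tail by comparing bytes rather than following the pointer. Structure layout, block size and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS_PER_BLOCK 4

/* Constructed model of the list that keeps replies to authenticated commands
   until they are acknowledged: slots are allocated in blocks and chained. */
typedef struct ReplySlot {
    int in_use;
    uint32_t seq;            /* request sequence number the reply answers */
    struct ReplySlot *next;
} ReplySlot;

/* Allocate and chain one block. The memory is first filled with a pattern so
   a missing initialisation shows deterministically in this model (real heap
   memory holds whatever was there before). init_tail == 0 reproduces the
   defect class the advisory describes: the last slot's next pointer is never
   set; init_tail == 1 sets it to NULL. */
ReplySlot *alloc_block(int init_tail) {
    ReplySlot *block = malloc(SLOTS_PER_BLOCK * sizeof *block);
    if (!block) return NULL;
    memset(block, 0xab, SLOTS_PER_BLOCK * sizeof *block);
    for (int i = 0; i < SLOTS_PER_BLOCK; i++) {
        block[i].in_use = 0;
        block[i].seq = 0;
        if (i + 1 < SLOTS_PER_BLOCK)
            block[i].next = &block[i + 1];
        else if (init_tail)
            block[i].next = NULL;   /* the fix: terminate the chain */
    }
    return block;
}

/* 1 if the block's last slot carries a NULL next pointer. Compares bytes
   rather than dereferencing, so it is safe on the uninitialised variant. */
int tail_is_terminated(const ReplySlot *block) {
    ReplySlot *null_ptr = NULL;
    return memcmp(&block[SLOTS_PER_BLOCK - 1].next, &null_ptr, sizeof null_ptr) == 0;
}

/* Allocate one block with the given init_tail, check its tail, free it. */
int check_tail(int init_tail) {
    ReplySlot *block = alloc_block(init_tail);
    if (!block) return -1;
    int ok = tail_is_terminated(block);
    free(block);
    return ok;
}

/* Save a reply: take the first free slot, or append a new block when the
   chain ends. Relies on the chain ending in NULL; with an uninitialised tail
   the walk would follow a garbage pointer instead. */
ReplySlot *save_reply(ReplySlot **head, uint32_t seq) {
    ReplySlot *s = *head, *last = NULL;
    while (s && s->in_use) {
        last = s;
        s = s->next;
    }
    if (!s) {
        s = alloc_block(1);
        if (!s) return NULL;
        if (last) last->next = s; else *head = s;
    }
    s->in_use = 1;
    s->seq = seq;
    return s;
}

/* Number of slots in the chain (terminates only on a NULL tail). */
int chain_length(const ReplySlot *head) {
    int n = 0;
    for (; head; head = head->next) n++;
    return n;
}

/* Scenario: save n_replies replies and return the chain length afterwards,
   then free the blocks (block starts are every SLOTS_PER_BLOCK slots). */
int fill_replies(int n_replies) {
    ReplySlot *head = NULL;
    for (uint32_t i = 1; i <= (uint32_t)n_replies; i++)
        if (!save_reply(&head, i)) return -1;
    int len = chain_length(head);
    ReplySlot *b = head;
    while (b) {
        ReplySlot *nb = b[SLOTS_PER_BLOCK - 1].next;
        free(b);
        b = nb;
    }
    return len;
}
```

Saving five replies with four slots per block appends a second block, so the chain grows to eight slots; that append only happens because the first block's tail reads as NULL.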

10 Sep 2014: chrony-1.31 released

Enhancements

  • Support operation in other NTP eras (next era begins in 2036), NTP time is mapped to [-50, +86] years around build date by default

  • Restore time from driftfile with -s when RTC is missing/unsupported

  • Close connected client sockets when not waiting for reply

  • Use one client socket with random port when acquisitionport is 0

  • Use NTP packets instead of UDP echo for presend

  • Don’t adjust polling interval when sending fails

  • Allow binding to addresses that don’t exist yet

  • Ignore measurements around leap second

  • Improve detection of unexpected time jumps

  • Include example of logrotate configuration, systemd services and NetworkManager dispatcher script

Bug fixes

  • Reconnect client sockets for each request to follow changes in network configuration automatically

  • Restart timer when polling interval is changed on reset

1 Jul 2014: chrony-1.30 released

Enhancements

  • Add asynchronous name resolving with POSIX threads

  • Add PTP hardware clock (PHC) refclock driver

  • Add new generic clock driver to slew by adjusting frequency only (without kernel PLL or adjtime) and use it on Linux

  • Add rtcautotrim directive to trim RTC automatically

  • Add hwclockfile directive to share RTC LOCAL/UTC setting with hwclock

  • Add maxslewrate directive to set maximum allowed slew rate

  • Add maxdispersion option for refclocks

  • Add -q/-Q options to set clock/print offset once and exit

  • Allow directives to be specified on chronyd command line

  • Replace frequency scaling in Linux driver with retaining of tick

  • Try to detect unexpected forward time jumps and reset state

  • Exit with non-zero code when maxchange limit is reached

  • Improve makestep to not start and stop slew unnecessarily

  • Change default corrtimeratio to 3.0 to improve frequency accuracy

  • Announce leap second only on last day of June and December

  • Use separate connected client sockets for each NTP server

  • Remove separate NTP implementation used for initstepslew

  • Limit maximum minpoll set by KoD RATE to default maxpoll

  • Don’t send NTP requests with unknown key

  • Print warning when source is added with unknown key

  • Take leap second in PPS refclock from locked source

  • Make reading of RTC for initial trim more reliable

  • Don’t create cmdmon sockets when cmdport is 0

  • Add configure option to set default user to drop root privileges

  • Add configure option to compile with debug messages

  • Print debug messages when -d is used more than once

  • Change format of messages written to terminal with -d

  • Write fatal messages also to stderr with -n

  • Use IP_RECVERR socket option in chronyc to not wait unnecessarily

  • Shorten default chronyc timeout for localhost

  • Change default hostname in chronyc from localhost to 127.0.0.1

  • Print error message on invalid syntax with all chronyc commands

  • Include simulation test suite using clknetsim

Bug fixes

  • Fix crash when selecting with multiple preferred sources

  • Fix frequency calculation with large frequency offsets

  • Fix code writing drift and RTC files to compile correctly

  • Fix -4/-6 options in chronyc to not reset hostname set by -h

  • Fix refclock sample validation with sub-second polling interval

  • Set stratum correctly with non-PPS SOCK refclock and local stratum

  • Modify dispersion accounting in refclocks to prevent PPS getting stuck with large dispersion and not accepting new samples