31 Jan 2014 : chrony-1.29.1 released

It fixes the following security vulnerability:

Upgrade to 1.29.1 is mainly recommended for users running chronyd with public control access (given by the cmdallow directive). If upgrade is not possible, another option is to configure firewall to rate limit incoming packets to the command port (UDP port 323 by default).

CVE-2014-0021: Amplification in chrony control protocol

In the chrony control protocol some replies are significantly larger than their requests, which allows an attacker to use it in an amplification attack. With hosts allowed by cmdallow (only localhost by default) the maximum amplification factor is 9.2. Hosts that are not allowed receive a small reply with error status, which allows amplification of up to 1.5.

To fix the problem, the protocol has been modified to require padding in the request packet, so replies are never larger than their requests. Also, chronyd no longer sends replies with error status to hosts that are not allowed by cmdallow.

Download the tarball here.

8 Aug 2013 : chrony-1.29 released

It fixes the following security vulnerabilities:

and includes other changes:

CVE-2012-4502: Buffer overflow when processing crafted command packets

When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES, RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is calculated, the number of items stored in the packet is not validated.

A crafted command request/reply can be used to crash the server/client. Only clients allowed by cmdallow (by default only localhost) can crash the server.

With chrony versions 1.25 and 1.26 this bug has a smaller security impact as the server requires the clients to be authenticated in order to process the subnet and client accesses commands. In 1.27 and 1.28, however, the invalid calculated length is included also in the authentication check which may cause another crash.

CVE-2012-4503: Uninitialized data in command replies

The RPY_SUBNETS_ACCESSED and RPY_CLIENT_ACCESSES command replies can contain uninitalized data from stack when the client logging is disabled or a bad subnet is requested. These commands were never used by chronyc and they require the client to be authenticated since version 1.25.

Download the tarball here.

17 Jul 2013 : chrony-1.28 released

It includes the following changes:

Download the tarball here.

1 Feb 2013 : New Version Released

Chrony 1.27 is now available. It includes the following improvements:

This is a production release.

Download the tarball here.

13 July 2011 : New Version Released

Chrony 1.26 is now available. It includes the following improvements:

This is a production release.

Download the tarball here.

4 May 2011 : New Version Released

Chrony 1.25 is now available. It includes the following improvements and new features:

This is a production release.

Download the tarball here.

4 February 2010: Security Advisory

Several vulnerabilities have been discovered in chronyd. These bugs can be exploited for a remote denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2010-0292
chronyd replies to all cmdmon packets from unauthorized hosts with NOHOSTACCESS message. This can be used to create a loop between two chrony daemons which don't allow cmdmon access from each other by sending a packet with spoofed source address and port. This will cause high CPU, network and syslog usage.

FIX: Don't reply to invalid cmdmon packets

CVE-2010-0293
The client logging facility doesn't limit memory which is used to keep informations about clients. If chronyd is configured to allow access from a large IP address range, an attacker can cause chronyd to allocate large amount of memory by sending NTP or cmdmon packets with spoofed source addresses. By default only 127.0.0.1 is allowed.

FIX: Limit client log memory size

CVE-2010-0294
There are several ways that an attacker can make chronyd log messages and possibly fill up disk space. The rate for these messages should be limited.

FIX: Limit rate of syslog messages

These bugs have been fixed in the new Chrony 1.24 release and in Chrony 1.23.1, both available for download at the download area. Patches are here, here, and here.

We recommend that you upgrade your Chrony package to version 1.24. If you cannot upgrade because you need compatibility with the old cmdmon protocol upgrade to 1.23.1. Upgrade via your distribution's repositories if possible: they should have patched versions available shortly.

4 February 2010 : New Version Released

Chrony 1.24 is now available. It includes the following improvements and new features:

This is a production release.

Download the tarball here.