[chrony-dev] chrony-1.29.1 released (security)

[ Thread Index | Date Index | More chrony.tuxfamily.org/chrony-dev Archives ]


chrony-1.29.1 is now available. It fixes a security vulnerability in
the chrony control protocol.

The sources can be downloaded here:
http://download.tuxfamily.org/chrony/chrony-1.29.1.tar.gz

MD5 and SHA1 sums:
9d49eadac5eb49daec8cc3d92a869b0c  chrony-1.29.1.tar.gz
bf07c0afa6ab761d9863714497555fa5be578f3d  chrony-1.29.1.tar.gz

Security fixes
--------------
* Modify chronyc protocol to prevent amplification attacks (CVE-2014-0021)
  (incompatible with previous protocol version, chronyc supports both)

Upgrade to 1.29.1 is mainly recommended for users running chronyd with
public control access (given by the cmdallow directive). If upgrade is
not possible, another option is to configure firewall to rate limit
incoming packets to the command port (UDP port 323 by default).


CVE-2014-0021: Amplification in chrony control protocol

  In the chrony control protocol some replies are significantly larger
  than their requests, which allows an attacker to use it in an
  amplification attack. With hosts allowed by cmdallow (only localhost
  by default) the maximum amplification factor is 9.2. Hosts that are
  not allowed receive a small reply with error status, which allows
  amplification of up to 1.5.

  To fix the problem, the protocol has been modified to require
  padding in the request packet, so replies are never larger than
  their requests. Also, chronyd no longer sends replies with error
  status to hosts that are not allowed by cmdallow.

-- 
Miroslav Lichvar

Attachment: pgpUrp92rrAqX.pgp
Description: PGP signature



Mail converted by MHonArc 2.6.19+ http://listengine.tuxfamily.org/