[chrony-dev] chrony-1.29.1 released (security) |
chrony-1.29.1 is now available. It fixes a security vulnerability in the chrony control protocol.

The sources can be downloaded here:
http://download.tuxfamily.org/chrony/chrony-1.29.1.tar.gz

MD5 and SHA1 sums:
9d49eadac5eb49daec8cc3d92a869b0c  chrony-1.29.1.tar.gz
bf07c0afa6ab761d9863714497555fa5be578f3d  chrony-1.29.1.tar.gz

Security fixes
--------------
* Modify chronyc protocol to prevent amplification attacks (CVE-2014-0021)
  (incompatible with previous protocol version, chronyc supports both)

Upgrade to 1.29.1 is mainly recommended for users running chronyd with public control access (given by the cmdallow directive). If upgrade is not possible, another option is to configure a firewall to rate limit incoming packets to the command port (UDP port 323 by default).

CVE-2014-0021: Amplification in chrony control protocol

In the chrony control protocol some replies are significantly larger than their requests, which allows an attacker to use it in an amplification attack. With hosts allowed by cmdallow (only localhost by default) the maximum amplification factor is 9.2. Hosts that are not allowed receive a small reply with error status, which allows amplification of up to 1.5.

To fix the problem, the protocol has been modified to require padding in the request packet, so replies are never larger than their requests. Also, chronyd no longer sends replies with error status to hosts that are not allowed by cmdallow.

--
Miroslav Lichvar
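The two halves of the fix described in the announcement (pad-or-drop so a reply never exceeds its request, and no error replies to hosts outside cmdallow) modelled as a toy command-port handler. This is an added example, not chrony's code or wire format; the packet sizes, command names and the 203.0.113.5 client are constructed so that the ratios reproduce the 9.2 and 1.5 factors quoted above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sizes in bytes, chosen so the ratios match the announcement's
# figures (9.2 and 1.5); they are not chrony's real packet sizes.
MIN_REQUEST = 20                       # bare, unpadded request
ERROR_REPLY = 30                       # reply carrying only an error status
REPLY_SIZE = {"tracking": 184, "sources": 92, "settime": 40}  # hypothetical commands


@dataclass(frozen=True)
class Request:
    src: str        # source address of the datagram
    command: str
    length: int     # datagram length as received, including any padding


def allowed(src, cmdallow):
    """True when src falls inside one of the cmdallow networks."""
    return any(ip_address(src) in ip_network(net) for net in cmdallow)


def old_handler(req, cmdallow=("127.0.0.1/32",)):
    """Pre-1.29.1 behaviour: reply size depends only on the command and the ACL."""
    if not allowed(req.src, cmdallow) or req.command not in REPLY_SIZE:
        return ERROR_REPLY              # even disallowed hosts get an error reply
    return REPLY_SIZE[req.command]


def fixed_handler(req, cmdallow=("127.0.0.1/32",)):
    """1.29.1 behaviour: never send more bytes than were received.
    Returns the reply length in bytes, or None when the packet is dropped."""
    if not allowed(req.src, cmdallow):
        return None                     # silent drop, no error reply at all
    full = REPLY_SIZE.get(req.command)
    if full is not None and req.length >= full:
        return full                     # request carried enough padding
    if req.length >= ERROR_REPLY:
        return ERROR_REPLY              # error status still fits in the request
    return None                         # too short even for an error: drop


def worst_amplification(handler, src, cmdallow=("127.0.0.1/32",)):
    """Largest reply/request ratio an unpadded request from src can obtain."""
    worst = 0.0
    for cmd in list(REPLY_SIZE) + ["bogus"]:
        reply = handler(Request(src, cmd, MIN_REQUEST), cmdallow)
        if reply is not None:
            worst = max(worst, reply / MIN_REQUEST)
    return worst
```

With the fixed handler every reply satisfies reply <= request.length, so the rate limiting the announcement suggests for unpatched hosts becomes a defence in depth rather than the only control.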