Summary
Florian Weimer discovered two security problems in the Chrony time synchronisation software (buffer overflows and use of uninitialised data in command replies).
Solution
For the oldstable distribution (squeeze), these problems will be fixed soon in version 1.24-3+squeeze1 (due to a technical restriction in the archive processing scripts, the two updates cannot be released together).
For the stable distribution (wheezy), these problems have been fixed in version 1.24-3.1+deb7u2.
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your chrony packages.
Insight
Chrony consists of a pair of programs:
`chronyd'. This is a daemon which runs in the background on the system. It obtains measurements (e.g. via the network) of the system's offset relative to other systems, and adjusts the system time accordingly. For isolated systems, the user can periodically enter the correct time by hand (using `chronyc'). In either case, `chronyd' determines the rate at which the computer gains or loses time, and compensates for this. Chronyd implements the NTP protocol and can act as either a client or a server.
`chronyc'. This is a command-line driven control and monitoring program.
An administrator can use this to fine-tune various parameters within the daemon, add or delete servers, etc., whilst the daemon is running.
Affected
chrony on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References
Updated on 2015-03-25
Severity
Classification: -
CVE: CVE-2012-4502, CVE-2012-4503
CVSS Base Score: 5.0 (CVSSv2 vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
Related Vulnerabilities