summaryrefslogtreecommitdiffstats
path: root/debian/NEWS
diff options
context:
space:
mode:
Diffstat (limited to 'debian/NEWS')
-rw-r--r--debian/NEWS58
1 files changed, 58 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..c25bd51
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,58 @@
+chrony (3.4-2) unstable; urgency=medium
+
+ To reduce the range of operations available to chronyd, and thereby decrease
+ the kernel attack surface, a system call filter is now active by default
+ wherever¹ possible.
+ Please, take into account that this change prevents the use of the
+ “mailonchange” directive in chrony.conf as the chronyd process will not be
+ allowed to fork and execute the sendmail binary. Therefore, it is fundamental
+ to disable the system call filter to continue using this directive!
+
+ To do so, edit the /etc/default/chrony file and substitute the “-F -1”
+ parameter with “-F 0”. Restart chrony afterward.
+
+ ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64
+ architectures due to lack of support in “libseccomp” and/or the Linux kernel.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 10 Feb 2019 18:44:22 +0100
+
+chrony (2.2.1-1) unstable; urgency=medium
+
+ In chrony versions before 2.2, the 'chrony.keys' file contained a command
+ key used for run-time configuration via the 'chronyc' command-line tool.
+ Starting from this version, support for this authentication method has been
+ dropped in favor of a Unix domain socket accessible only *locally* by root or
+ the _chrony system user. Consequently, if you refuse to use the 'chrony.keys'
+ file template provided by the maintainers when upgrading, please don’t forget
+ to manually remove the obsolete command key (ID 1) in the aforementioned file.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 07 Feb 2016 17:02:30 +0100
+
+chrony (2.1.1-1) unstable; urgency=medium
+
+ From this version, 'chronyd' will strictly act as an NTP client by default. If
+ you want it to serve time to other systems, please do so by configuring the
+ 'allow' directive.
+
+ -- Vincent Blut <vincent.debian@free.fr> Mon, 12 Oct 2015 19:12:39 +0200
+
+chrony (1.31.1-1) unstable; urgency=medium
+
+ From now on, we use the "hwclockfile" directive in /etc/chrony/chrony.conf.
+ Basically, it makes the detection of the standard (Local or UTC time) set
+ in /etc/adjtime — and used by the hardware clock — clearer compared to the
+ text processing method we used to use in the post install script to complete
+ the same task. Note that it overrides the "rtconutc" directive.
+
+ Also, we now create the _chrony system user to which chronyd will drop root
+ privileges. For users already allowing chronyd to drop root privileges in
+ favor of the user configured by the "user" directive in
+ /etc/chrony/chrony.conf, your configuration will remain unchanged and will
+ still work as intended.
+ However, some users might use a custom init script to accomplish the same
+ task by invoking chronyd with the '-u' option. We advise you to drop this
+ option from your init script before upgrading, otherwise you’ll have to
+ readjust the owner of the /var/l{ib,og}/chrony directories (recursively) to
+ the user you configured in your init script.
+
+ -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:14:54 +0200