diff options
Diffstat (limited to 'debian/NEWS')
-rw-r--r-- | debian/NEWS | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..c25bd51 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,58 @@ +chrony (3.4-2) unstable; urgency=medium + + To reduce the range of operations available to chronyd, and thereby decrease + the kernel attack surface, a system call filter is now active by default + wherever¹ possible. + Please, take into account that this change prevents the use of the + “mailonchange” directive in chrony.conf as the chronyd process will not be + allowed to fork and execute the sendmail binary. Therefore, it is fundamental + to disable the system call filter to continue using this directive! + + To do so, edit the /etc/default/chrony file and substitute the “-F -1” + parameter with “-F 0”. Restart chrony afterward. + + ¹Are currently excluded alpha, ia64, m68k, riscv64, sh4 and sparc64 + architectures due to lack of support in “libseccomp” and/or the Linux kernel. + + -- Vincent Blut <vincent.debian@free.fr> Sun, 10 Feb 2019 18:44:22 +0100 + +chrony (2.2.1-1) unstable; urgency=medium + + In chrony versions before 2.2, the 'chrony.keys' file contained a command + key used for run-time configuration via the 'chronyc' command-line tool. + Starting from this version, support for this authentication method has been + dropped in favor of a Unix domain socket accessible only *locally* by root or + the _chrony system user. Consequently, if you refuse to use the 'chrony.keys' + file template provided by the maintainers when upgrading, please don’t forget + to manually remove the obsolete command key (ID 1) in the aforementioned file. + + -- Vincent Blut <vincent.debian@free.fr> Sun, 07 Feb 2016 17:02:30 +0100 + +chrony (2.1.1-1) unstable; urgency=medium + + From this version, 'chronyd' will strictly act as an NTP client by default. If + you want it to serve time to other systems, please do so by configuring the + 'allow' directive. + + -- Vincent Blut <vincent.debian@free.fr> Mon, 12 Oct 2015 19:12:39 +0200 + +chrony (1.31.1-1) unstable; urgency=medium + + From now on, we use the "hwclockfile" directive in /etc/chrony/chrony.conf. + Basically, it makes the detection of the standard (Local or UTC time) set + in /etc/adjtime — and used by the hardware clock — clearer compared to the + text processing method we used to use in the post install script to complete + the same task. Note that it overrides the "rtconutc" directive. + + Also, we now create the _chrony system user to which chronyd will drop root + privileges. For users already allowing chronyd to drop root privileges in + favor of the user configured by the "user" directive in + /etc/chrony/chrony.conf, your configuration will remain unchanged and will + still work as intended. + However, some users might use a custom init script to accomplish the same + task by invoking chronyd with the '-u' option. We advise you to drop this + option from your init script before upgrading, otherwise you’ll have to + readjust the owner of the /var/l{ib,og}/chrony directories (recursively) to + the user you configured in your init script. + + -- Vincent Blut <vincent.debian@free.fr> Sun, 6 Sep 2015 22:14:54 +0200 |