openSUSE Security Update: Security update for chrony ______________________________________________________________________________
Announcement ID: openSUSE-SU-2022:0845-1 Rating: moderate References: #1099272 #1115529 #1128846 #1162964 #1172113 #1173277 #1174075 #1174911 #1180689 #1181826 #1187906 #1190926 #1194229 SLE-17334 Cross-References: CVE-2020-14367 CVSS scores: CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected Products: openSUSE Leap 15.3 ______________________________________________________________________________
An update that solves one vulnerability, contains one feature and has 12 fixes is now available.
This update for chrony fixes the following issues:
Chrony was updated to 4.1, bringing features and bugfixes.
Update to 4.1
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)
- Enable syscallfilter unconditionally [bsc#1181826].
Update to 4.0
- Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get "maxsources" sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add "add pool" command - Add "reset sources" command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data
- Bug fixes
- Don���t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don���t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3") - Drop support for line editing with GNU Readline
- By default we don't write log files but log to journald, so only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).
Update to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)
- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
Update to version 3.4
+ Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
+ Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step
To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-845=1
- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):
augeas-1.10.1-3.9.1 augeas-debuginfo-1.10.1-3.9.1 augeas-debugsource-1.10.1-3.9.1 augeas-devel-1.10.1-3.9.1 augeas-lense-tests-1.10.1-3.9.1 augeas-lenses-1.10.1-3.9.1 chrony-4.1-150300.16.3.1 chrony-debuginfo-4.1-150300.16.3.1 chrony-debugsource-4.1-150300.16.3.1 libaugeas0-1.10.1-3.9.1 libaugeas0-debuginfo-1.10.1-3.9.1
- openSUSE Leap 15.3 (x86_64):
augeas-devel-32bit-1.10.1-3.9.1 libaugeas0-32bit-1.10.1-3.9.1 libaugeas0-32bit-debuginfo-1.10.1-3.9.1
- openSUSE Leap 15.3 (noarch):
chrony-pool-empty-4.1-150300.16.3.1 chrony-pool-openSUSE-4.1-150300.16.3.1 chrony-pool-suse-4.1-150300.16.3.1
https://www.suse.com/security/cve/CVE-2020-14367.html https://bugzilla.suse.com/1099272 https://bugzilla.suse.com/1115529 https://bugzilla.suse.com/1128846 https://bugzilla.suse.com/1162964 https://bugzilla.suse.com/1172113 https://bugzilla.suse.com/1173277 https://bugzilla.suse.com/1174075 https://bugzilla.suse.com/1174911 https://bugzilla.suse.com/1180689 https://bugzilla.suse.com/1181826 https://bugzilla.suse.com/1187906 https://bugzilla.suse.com/1190926 https://bugzilla.suse.com/1194229