SUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:4147-1
Rating:             moderate
References:         #1063704 #1069468 #1082318 #1083597 #1099272 #1115529
                    #1128846 #1156884 #1159840 #1161119 #1162964 #1171806
                    #1172113 #1173277 #1173760 #1174075 #1174911 #1180689
                    #1181826 #1183783 #1184400 #1187906 #1190926
                    SLE-11424 SLE-22248 SLE-22292
Cross-References:   CVE-2020-14367
CVSS scores:
                    CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
                    CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

An update that solves one vulnerability, contains three features and has 22
fixes is now available.

Description:

This update for chrony fixes the following issues:

Chrony was updated to 4.1:
  * Add support for NTS servers specified by IP address (matching Subject
    Alternative Name in server certificate)
  * Add source-specific configuration of trusted certificates
  * Allow multiple files and directories with trusted certificates
  * Allow multiple pairs of server keys and certificates
  * Add copy option to server/pool directive
  * Increase PPS lock limit to 40% of pulse interval
  * Perform source selection immediately after loading dump files
  * Reload dump files for addresses negotiated by NTS-KE server
  * Update seccomp filter and add less restrictive level
  * Restart ongoing name resolution on online command
  * Fix dump files to not include uncorrected offset
  * Fix initstepslew to accept time from own NTP clients
  * Reset NTP address and port when no longer negotiated by NTS-KE server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE
  (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).

Chrony was updated to 4.0:
  Enhancements
  - Add support for Network Time Security (NTS) authentication
  - Add support for AES-CMAC keys (AES128, AES256) with Nettle
  - Add authselectmode directive to control selection of unauthenticated
    sources
  - Add binddevice, bindacqdevice, bindcmddevice directives
  - Add confdir directive to better support fragmented configuration
  - Add sourcedir directive and "reload sources" command to support dynamic
    NTP sources specified in files
  - Add clockprecision directive
  - Add dscp directive to set Differentiated Services Code Point (DSCP)
  - Add -L option to limit log messages by severity
  - Add -p option to print whole configuration with included files
  - Add -U option to allow start under non-root user
  - Allow maxsamples to be set to 1 for faster update with -q/-Q option
  - Avoid replacing NTP sources with sources that have unreachable address
  - Improve pools to repeat name resolution to get "maxsources" sources
  - Improve source selection with trusted sources
  - Improve NTP loop test to prevent synchronisation to itself
  - Repeat iburst when NTP source is switched from offline state to online
  - Update clock synchronisation status and leap status more frequently
  - Update seccomp filter
  - Add "add pool" command
  - Add "reset sources" command to drop all measurements
  - Add authdata command to print details about NTP authentication
  - Add selectdata command to print details about source selection
  - Add -N option and sourcename command to print original names of sources
  - Add -a option to some commands to print also unresolved sources
  - Add -k, -p, -r options to clients command to select, limit, reset data
  Bug fixes
  - Don't set interface for NTP responses to allow asymmetric routing
  - Handle RTCs that don't support interrupts
  - Respond to command requests with correct address on multihomed hosts
  Removed features
  - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x
    clients using non-MD5/SHA1 keys need to use option "version 3")
- By default we don't write log files but log to journald, so only recommend
  logrotate.
- Adjust and rename the sysconfig file, so that it matches the expectations
  of chronyd.service (bsc#1173277).

Chrony was updated to 3.5.1:
  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911).
    chronyd wrote its pidfile while still running as root without checking
    whether the path was already an existing symlink, so a local attacker
    who controlled the pidfile directory could make chronyd truncate and
    overwrite an arbitrary file.
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
  preconfigure chrony to use NTP servers from the respective pools for SUSE
  and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
  preconfigured servers.
- Use iburst in the default pool statements to speed up initial
  synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).

Update to 3.5:
  + Add support for more accurate reading of PHC on Linux 5.0
  + Add support for hardware timestamping on interfaces with read-only
    timestamping configuration
  + Add support for memory locking and real-time priority on FreeBSD,
    NetBSD, Solaris
  + Update seccomp filter to work on more architectures
  + Validate refclock driver options
  + Fix bindaddress directive on FreeBSD
  + Fix transposition of hardware RX timestamp on Linux 4.13 and later
  + Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no
  executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)

Update to version 3.4
  * Enhancements
    + Add filter option to server/pool/peer directive
    + Add minsamples and maxsamples options to hwtimestamp directive
    + Add support for faster frequency adjustments in Linux 4.19
    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
      without root privileges to remove it on exit
    + Disable sub-second polling intervals for distant NTP sources
    + Extend range of supported sub-second polling intervals
    + Get/set IPv4 destination/source address of NTP packets on FreeBSD
    + Make burst options and command useful with short polling intervals
    + Modify auto_offline option to activate when sending request failed
    + Respond from interface that received NTP request if possible
    + Add onoffline command to switch between online and offline state
      according to current system network configuration
    + Improve example NetworkManager dispatcher script
  * Bug fixes
    + Avoid waiting in Linux getrandom system call
    + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3
  * Enhancements:
    + Add burst option to server/pool directive
    + Add stratum and tai options to refclock directive
    + Add support for Nettle crypto library
    + Add workaround for missing kernel receive timestamps on Linux
    + Wait for late hardware transmit timestamps
    + Improve source selection with unreachable sources
    + Improve protection against replay attacks on symmetric mode
    + Allow PHC refclock to use socket in /var/run/chrony
    + Add shutdown command to stop chronyd
    + Simplify format of response to manual list command
    + Improve handling of unknown responses in chronyc
  * Bug fixes:
    + Respond to NTPv1 client requests with zero mode
    + Fix -x option to not require CAP_SYS_TIME under non-root user
    + Fix acquisitionport directive to work with privilege separation
    + Fix handling of socket errors on Linux to avoid high CPU usage
    + Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597)
- Modified default chrony.conf to add "include /etc/chrony.d/*"
- Enable pps support

Upgraded to version 3.2:
  Enhancements
  * Improve stability with NTP sources and reference clocks
  * Improve stability with hardware timestamping
  * Improve support for NTP interleaved modes
  * Control frequency of system clock on macOS 10.13 and later
  * Set TAI-UTC offset of system clock with leapsectz directive
  * Minimise data in client requests to improve privacy
  * Allow transmit-only hardware timestamping
  * Add support for new timestamping options introduced in Linux 4.13
  * Add root delay, root dispersion and maximum error to tracking log
  * Add mindelay and asymmetry options to server/peer/pool directive
  * Add extpps option to PHC refclock to timestamp external PPS signal
  * Add pps option to refclock directive to treat any refclock as PPS
  * Add width option to refclock directive to filter wrong pulse edges
  * Add rxfilter option to hwtimestamp directive
  * Add -x option to disable control of system clock
  * Add -l option to log to specified file instead of syslog
  * Allow multiple command-line options to be specified together
  * Allow starting without root privileges with -Q option
  * Update seccomp filter for new glibc versions
  * Dump history on exit by default with dumpdir directive
  * Use hardening compiler options by default
  Bug fixes
  * Don't drop PHC samples with low-resolution system clock
  * Ignore outliers in PHC tracking, RTC tracking, manual input
  * Increase polling interval when peer is not responding
  * Exit with error message when include directive fails
  * Don't allow slash after hostname in allow/deny directive/command
  * Try to connect to all addresses in chronyc before giving up

Upgraded to version 3.1:
  Enhancements
  - Add support for precise cross timestamping of PHC on Linux
  - Add minpoll, precision, nocrossts options to hwtimestamp directive
  - Add rawmeasurements option to log directive and modify measurements
    option to log only valid measurements from synchronised sources
  - Allow sub-second polling interval with NTP sources
  Bug fixes
  - Fix time smoothing in interleaved mode

Upgraded to version 3.0:
  Enhancements
  - Add support for software and hardware timestamping on Linux
  - Add support for client/server and symmetric interleaved modes
  - Add support for MS-SNTP authentication in Samba
  - Add support for truncated MACs in NTPv4 packets
  - Estimate and correct for asymmetric network jitter
  - Increase default minsamples and polltarget to improve stability with
    very low jitter
  - Add maxjitter directive to limit source selection by jitter
  - Add offset option to server/pool/peer directive
  - Add maxlockage option to refclock directive
  - Add -t option to chronyd to exit after specified time
  - Add partial protection against replay attacks on symmetric mode
  - Don't reset polling interval when switching sources to online state
  - Allow rate limiting with very short intervals
  - Improve maximum server throughput on Linux and NetBSD
  - Remove dump files after start
  - Add tab-completion to chronyc with libedit/readline
  - Add ntpdata command to print details about NTP measurements
  - Allow all source options to be set in add server/peer command
  - Indicate truncated addresses/hostnames in chronyc output
  - Print reference IDs as hexadecimal numbers to avoid confusion with IPv4
    addresses
  Bug fixes
  - Fix crash with disabled asynchronous name resolving

Upgraded to version 2.4.1:
  Bug fixes
  - Fix processing of kernel timestamps on non-Linux systems
  - Fix crash with smoothtime directive
  - Fix validation of refclock sample times
  - Fix parsing of refclock directive

Update to 2.4:
  Enhancements
  - Add orphan option to local directive for orphan mode compatible with
    ntpd
  - Add distance option to local directive to set activation threshold
    (1 second by default)
  - Add maxdrift directive to set maximum allowed drift of system clock
  - Try to replace NTP sources exceeding maximum distance
  - Randomise source replacement to avoid getting stuck with bad sources
  - Randomise selection of sources from pools on start
  - Ignore reference timestamp as ntpd doesn't always set it correctly
  - Modify tracking report to use same values as seen by NTP clients
  - Add -c option to chronyc to write reports in CSV format
  - Provide detailed manual pages
  Bug fixes
  - Fix SOCK refclock to work correctly when not specified as last refclock
  - Fix initstepslew and -q/-Q options to accept time from own NTP clients
  - Fix authentication with keys using 512-bit hash functions
  - Fix crash on exit when multiple signals are received
  - Fix conversion of very small floating-point numbers in command packets

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE OpenStack Cloud Crowbar 9:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-4147=1
- SUSE OpenStack Cloud Crowbar 8:
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-4147=1
- SUSE OpenStack Cloud 9:
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-4147=1
- SUSE OpenStack Cloud 8:
    zypper in -t patch SUSE-OpenStack-Cloud-8-2021-4147=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-4147=1
- SUSE Linux Enterprise Server for SAP 12-SP3:
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-4147=1
- SUSE Linux Enterprise Server 12-SP5:
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-4147=1
- SUSE Linux Enterprise Server 12-SP3-LTSS:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-4147=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-4147=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-4147=1
- HPE Helion Openstack 8:
    zypper in -t patch HPE-Helion-OpenStack-8-2021-4147=1

Package List:

- SUSE OpenStack Cloud Crowbar 9 (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud 9 (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud 8 (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1
- HPE Helion Openstack 8 (x86_64):
    chrony-4.1-5.9.1
    chrony-debuginfo-4.1-5.9.1
    chrony-debugsource-4.1-5.9.1

References:

https://www.suse.com/security/cve/CVE-2020-14367.html
https://bugzilla.suse.com/1063704
https://bugzilla.suse.com/1069468
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1083597
https://bugzilla.suse.com/1099272
https://bugzilla.suse.com/1115529
https://bugzilla.suse.com/1128846
https://bugzilla.suse.com/1156884
https://bugzilla.suse.com/1159840
https://bugzilla.suse.com/1161119
https://bugzilla.suse.com/1162964
https://bugzilla.suse.com/1171806
https://bugzilla.suse.com/1172113
https://bugzilla.suse.com/1173277
https://bugzilla.suse.com/1173760
https://bugzilla.suse.com/1174075
https://bugzilla.suse.com/1174911
https://bugzilla.suse.com/1180689
https://bugzilla.suse.com/1181826
https://bugzilla.suse.com/1183783
https://bugzilla.suse.com/1184400
https://bugzilla.suse.com/1187906
https://bugzilla.suse.com/1190926
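The one vulnerability this update closes, CVE-2020-14367 ("Create new file when writing pidfile" in the 3.5.1 entry above), is a symlink-following bug: the 3.4 entry moved the default pidfile into /var/run/chrony so the unprivileged daemon can remove it on exit, which puts a file that chronyd writes while still root into a directory the chrony user controls. The C example below is added here to illustrate that bug class and the fix pattern; it is not chronyd's code and does not reproduce chronyd's actual implementation. The function names, the scratch directory under /tmp, the "victim" file and the pid value 4242 are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Vulnerable pattern: fopen(path, "w") opens with O_CREAT|O_TRUNC and follows
 * symlinks, so whatever "path" currently resolves to gets truncated and
 * overwritten. A root daemon doing this in a directory writable by a less
 * privileged user can be pointed at any file on the system.
 * Returns 0 on success, -1 on error. */
int write_pidfile_unsafe(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: create a brand-new file and refuse anything already
 * present under that name. With O_CREAT|O_EXCL, open() fails with EEXIST if
 * the name exists at all, and POSIX requires that failure even when the name
 * is a symlink (whether or not its target exists), so a pre-planted link is
 * never followed. Returns 0 on success, -1 with errno set otherwise. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    int rc = (write(fd, buf, (size_t)n) == (ssize_t)n) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Reproduce the attack in a scratch directory (constructed for this example):
 * "victim" holds known content and "chronyd.pid" is a symlink to it, the way
 * an attacker who controls the pidfile directory would plant it.
 * Returns 1 when the unsafe writer clobbers victim AND the safe writer refuses
 * with EEXIST; 0 otherwise (including on setup failure). */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char victim[PATH_MAX], link[PATH_MAX], buf[64] = {0};
    FILE *v = NULL;
    int clobbered = 0, refused = 0;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/chronyd.pid", dir);

    v = fopen(victim, "w");
    if (v == NULL)
        goto cleanup;
    fputs("important data\n", v);
    fclose(v);
    if (symlink(victim, link) != 0)
        goto cleanup;

    /* Step 1: the vulnerable writer follows the link and overwrites victim. */
    if (write_pidfile_unsafe(link, 4242) == 0) {
        v = fopen(victim, "r");
        if (v != NULL) {
            if (fgets(buf, sizeof buf, v) != NULL)
                clobbered = (strcmp(buf, "4242\n") == 0);
            fclose(v);
        }
    }

    /* Step 2: the hardened writer sees an existing name and refuses. */
    errno = 0;
    if (write_pidfile_safe(link, 4242) == -1 && errno == EEXIST)
        refused = 1;

cleanup:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered && refused;
}
```

Two caveats for anyone applying the pattern to a real daemon. First, O_EXCL also rejects a stale pidfile left behind by a crash, so startup logic must check whether the recorded pid is still alive and unlink the stale file before creating the new one; that handling is deliberately left out here. Second, O_EXCL protects the write, not the directory: the more robust design is to never have root write into a directory owned by the service user, or to create the file only after privileges have been dropped.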