SUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:4147-1
Rating:             moderate
References:         #1063704 #1069468 #1082318 #1083597 #1099272 
                    #1115529 #1128846 #1156884 #1159840 #1161119 
                    #1162964 #1171806 #1172113 #1173277 #1173760 
                    #1174075 #1174911 #1180689 #1181826 #1183783 
                    #1184400 #1187906 #1190926 SLE-11424 SLE-22248 
                    SLE-22292 
Cross-References:   CVE-2020-14367
CVSS scores:
                    CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
                    CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE OpenStack Cloud Crowbar 9
                    SUSE OpenStack Cloud Crowbar 8
                    SUSE OpenStack Cloud 9
                    SUSE OpenStack Cloud 8
                    SUSE Linux Enterprise Server for SAP 12-SP4
                    SUSE Linux Enterprise Server for SAP 12-SP3
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server 12-SP4-LTSS
                    SUSE Linux Enterprise Server 12-SP3-LTSS
                    SUSE Linux Enterprise Server 12-SP3-BCL
                    SUSE Linux Enterprise Server 12-SP2-BCL
                    HPE Helion Openstack 8
______________________________________________________________________________

   An update that solves one vulnerability, contains three
   features and has 22 fixes is now available.

Description:

   This update for chrony fixes the following issues:

   Chrony was updated to 4.1:

   * Add support for NTS servers specified by IP address (matching Subject
     Alternative Name in server certificate)
   * Add source-specific configuration of trusted certificates
   * Allow multiple files and directories with trusted certificates
   * Allow multiple pairs of server keys and certificates
   * Add copy option to server/pool directive
   * Increase PPS lock limit to 40% of pulse interval
   * Perform source selection immediately after loading dump files
   * Reload dump files for addresses negotiated by NTS-KE server
   * Update seccomp filter and add less restrictive level
   * Restart ongoing name resolution on online command
   * Fix dump files to not include uncorrected offset
   * Fix initstepslew to accept time from own NTP clients
   * Reset NTP address and port when no longer negotiated by NTS-KE server
   - Update clknetsim to snapshot f89702d.

   - Ensure the correct pool packages are installed for openSUSE and SLE
     (bsc#1180689).

   - Enable syscallfilter unconditionally (bsc#1181826).

   Chrony was updated to 4.0:

   Enhancements

   - Add support for Network Time Security (NTS) authentication
   - Add support for AES-CMAC keys (AES128, AES256) with Nettle
   - Add authselectmode directive to control selection of unauthenticated
     sources
   - Add binddevice, bindacqdevice, bindcmddevice directives
   - Add confdir directive to better support fragmented configuration
   - Add sourcedir directive and "reload sources" command to support dynamic
     NTP sources specified in files
   - Add clockprecision directive
   - Add dscp directive to set Differentiated Services Code Point (DSCP)
   - Add -L option to limit log messages by severity
   - Add -p option to print whole configuration with included files
   - Add -U option to allow start under non-root user
   - Allow maxsamples to be set to 1 for faster update with -q/-Q
     option
   - Avoid replacing NTP sources with sources that have unreachable address
   - Improve pools to repeat name resolution to get "maxsources" sources
   - Improve source selection with trusted sources
   - Improve NTP loop test to prevent synchronisation to itself
   - Repeat iburst when NTP source is switched from offline state to online
   - Update clock synchronisation status and leap status more frequently
   - Update seccomp filter
   - Add "add pool" command
   - Add "reset sources" command to drop all measurements
   - Add authdata command to print details about NTP authentication
   - Add selectdata command to print details about source selection
   - Add -N option and sourcename command to print original names
     of sources
   - Add -a option to some commands to print also unresolved sources
   - Add -k, -p, -r options to clients command to select, limit, reset data
   - Bug fixes
   - Don’t set interface for NTP responses to allow asymmetric routing
   - Handle RTCs that don’t support interrupts
   - Respond to command requests with correct address on multihomed hosts
   - Removed features
   - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
   - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x
     clients using non-MD5/SHA1 keys need to use
     option "version 3")

   - By default we don't write log files but log to journald, so
     only recommend logrotate.

   - Adjust and rename the sysconfig file, so that it matches the
     expectations of chronyd.service (bsc#1173277).

   Chrony was updated to 3.5.1:

   * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

   - Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
     preconfigure chrony to use NTP servers from the  respective pools for
     SUSE and openSUSE (bsc#1156884, SLE-11424).
   - Add chrony-pool-empty to still allow installing chrony without
     preconfigured servers.
   - Use iburst in the default pool statements to speed up initial
     synchronisation (bsc#1172113).

   - Update clknetsim to version 79ffe44 (fixes bsc#1162964).

   Update to 3.5:

   + Add support for more accurate reading of PHC on Linux 5.0
   + Add support for hardware timestamping on interfaces with read-only
     timestamping configuration
   + Add support for memory locking and real-time priority on FreeBSD,
     NetBSD, Solaris
   + Update seccomp filter to work on more architectures
   + Validate refclock driver options
   + Fix bindaddress directive on FreeBSD
   + Fix transposition of hardware RX timestamp on Linux 4.13 and later
   + Fix building on non-glibc systems

   - Fix location of helper script in [email protected] (bsc#1128846).

   - Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
   - Move chrony-helper to /usr/lib/chrony/helper, because there should be no
     executables in /usr/share.
   - Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)

   Update to version 3.4

   * Enhancements

     + Add filter option to server/pool/peer directive
     + Add minsamples and maxsamples options to hwtimestamp directive
     + Add support for faster frequency adjustments in Linux 4.19
     + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
       without root privileges to remove it on exit
     + Disable sub-second polling intervals for distant NTP sources
     + Extend range of supported sub-second polling intervals
     + Get/set IPv4 destination/source address of NTP packets on FreeBSD
     + Make burst options and command useful with short polling intervals
     + Modify auto_offline option to activate when sending request failed
     + Respond from interface that received NTP request if possible
     + Add onoffline command to switch between online and offline state
       according to current system network configuration
     + Improve example NetworkManager dispatcher script

   * Bug fixes

     + Avoid waiting in Linux getrandom system call
     + Fix PPS support on FreeBSD and NetBSD

   Update to version 3.3

   * Enhancements:

     + Add burst option to server/pool directive
     + Add stratum and tai options to refclock directive
     + Add support for Nettle crypto library
     + Add workaround for missing kernel receive timestamps on Linux
     + Wait for late hardware transmit timestamps
     + Improve source selection with unreachable sources
     + Improve protection against replay attacks on symmetric mode
     + Allow PHC refclock to use socket in /var/run/chrony
     + Add shutdown command to stop chronyd
     + Simplify format of response to manual list command
     + Improve handling of unknown responses in chronyc

   * Bug fixes:

     + Respond to NTPv1 client requests with zero mode
     + Fix -x option to not require CAP_SYS_TIME under non-root user
     + Fix acquisitionport directive to work with privilege separation
     + Fix handling of socket errors on Linux to avoid high CPU usage
     + Fix chronyc to not get stuck in infinite loop after clock step

   - Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed
     default chrony.conf to add "include /etc/chrony.d/*"

   - Enable pps support

   Upgraded to version 3.2:

   Enhancements

   * Improve stability with NTP sources and reference clocks
   * Improve stability with hardware timestamping
   * Improve support for NTP interleaved modes
   * Control frequency of system clock on macOS 10.13 and later
   * Set TAI-UTC offset of system clock with leapsectz directive
   * Minimise data in client requests to improve privacy
   * Allow transmit-only hardware timestamping
   * Add support for new timestamping options introduced in Linux 4.13
   * Add root delay, root dispersion and maximum error to tracking log
   * Add mindelay and asymmetry options to server/peer/pool directive
   * Add extpps option to PHC refclock to timestamp external PPS signal
   * Add pps option to refclock directive to treat any refclock as PPS
   * Add width option to refclock directive to filter wrong pulse edges
   * Add rxfilter option to hwtimestamp directive
   * Add -x option to disable control of system clock
   * Add -l option to log to specified file instead of syslog
   * Allow multiple command-line options to be specified together
   * Allow starting without root privileges with -Q option
   * Update seccomp filter for new glibc versions
   * Dump history on exit by default with dumpdir directive
   * Use hardening compiler options by default

   Bug fixes

   * Don't drop PHC samples with low-resolution system clock
   * Ignore outliers in PHC tracking, RTC tracking, manual input
   * Increase polling interval when peer is not responding
   * Exit with error message when include directive fails
   * Don't allow slash after hostname in allow/deny directive/command
   * Try to connect to all addresses in chronyc before giving up

   Upgraded to version 3.1:

   - Enhancements

     - Add support for precise cross timestamping of PHC on Linux
     - Add minpoll, precision, nocrossts options to hwtimestamp directive
     - Add rawmeasurements option to log directive and modify measurements
       option to log only valid measurements from synchronised sources
     - Allow sub-second polling interval with NTP sources

   - Bug fixes

     - Fix time smoothing in interleaved mode

   Upgraded to version 3.0:

   - Enhancements

     - Add support for software and hardware timestamping on Linux
     - Add support for client/server and symmetric interleaved modes
     - Add support for MS-SNTP authentication in Samba
     - Add support for truncated MACs in NTPv4 packets
     - Estimate and correct for asymmetric network jitter
     - Increase default minsamples and polltarget to improve stability with
       very low jitter
     - Add maxjitter directive to limit source selection by jitter
     - Add offset option to server/pool/peer directive
     - Add maxlockage option to refclock directive
     - Add -t option to chronyd to exit after specified time
     - Add partial protection against replay attacks on symmetric mode
     - Don't reset polling interval when switching sources to online state
     - Allow rate limiting with very short intervals
     - Improve maximum server throughput on Linux and NetBSD
     - Remove dump files after start
     - Add tab-completion to chronyc with libedit/readline
     - Add ntpdata command to print details about NTP measurements
     - Allow all source options to be set in add server/peer command
     - Indicate truncated addresses/hostnames in chronyc output
     - Print reference IDs as hexadecimal numbers to avoid confusion with
       IPv4 addresses

   - Bug fixes

     - Fix crash with disabled asynchronous name resolving

   Upgraded to version 2.4.1:

   - Bug fixes

     - Fix processing of kernel timestamps on non-Linux systems
     - Fix crash with smoothtime directive
     - Fix validation of refclock sample times
     - Fix parsing of refclock directive

   update to 2.4:

   - Enhancements

     - Add orphan option to local directive for orphan mode compatible with
       ntpd
     - Add distance option to local directive to set activation threshold (1
       second by default)
     - Add maxdrift directive to set maximum allowed drift of system clock
     - Try to replace NTP sources exceeding maximum distance
     - Randomise source replacement to avoid getting stuck with bad sources
     - Randomise selection of sources from pools on start
     - Ignore reference timestamp as ntpd doesn't always set it correctly
     - Modify tracking report to use same values as seen by NTP clients
     - Add -c option to chronyc to write reports in CSV format
     - Provide detailed manual pages

   - Bug fixes

     - Fix SOCK refclock to work correctly when not specified as last refclock
     - Fix initstepslew and -q/-Q options to accept time from own NTP clients
     - Fix authentication with keys using 512-bit hash functions
     - Fix crash on exit when multiple signals are received
     - Fix conversion of very small floating-point numbers in command packets


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE OpenStack Cloud Crowbar 9:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-4147=1

   - SUSE OpenStack Cloud Crowbar 8:

      zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-4147=1

   - SUSE OpenStack Cloud 9:

      zypper in -t patch SUSE-OpenStack-Cloud-9-2021-4147=1

   - SUSE OpenStack Cloud 8:

      zypper in -t patch SUSE-OpenStack-Cloud-8-2021-4147=1

   - SUSE Linux Enterprise Server for SAP 12-SP4:

      zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-4147=1

   - SUSE Linux Enterprise Server for SAP 12-SP3:

      zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-4147=1

   - SUSE Linux Enterprise Server 12-SP5:

      zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1

   - SUSE Linux Enterprise Server 12-SP4-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-4147=1

   - SUSE Linux Enterprise Server 12-SP3-LTSS:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-4147=1

   - SUSE Linux Enterprise Server 12-SP3-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-4147=1

   - SUSE Linux Enterprise Server 12-SP2-BCL:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-4147=1

   - HPE Helion Openstack 8:

      zypper in -t patch HPE-Helion-OpenStack-8-2021-4147=1



Package List:

   - SUSE OpenStack Cloud Crowbar 9 (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE OpenStack Cloud Crowbar 8 (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE OpenStack Cloud 9 (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE OpenStack Cloud 8 (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server for SAP 12-SP3 (ppc64le x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server 12-SP3-LTSS (aarch64 ppc64le s390x x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1

   - HPE Helion Openstack 8 (x86_64):

      chrony-4.1-5.9.1
      chrony-debuginfo-4.1-5.9.1
      chrony-debugsource-4.1-5.9.1


References:

   https://www.suse.com/security/cve/CVE-2020-14367.html
   https://bugzilla.suse.com/1063704
   https://bugzilla.suse.com/1069468
   https://bugzilla.suse.com/1082318
   https://bugzilla.suse.com/1083597
   https://bugzilla.suse.com/1099272
   https://bugzilla.suse.com/1115529
   https://bugzilla.suse.com/1128846
   https://bugzilla.suse.com/1156884
   https://bugzilla.suse.com/1159840
   https://bugzilla.suse.com/1161119
   https://bugzilla.suse.com/1162964
   https://bugzilla.suse.com/1171806
   https://bugzilla.suse.com/1172113
   https://bugzilla.suse.com/1173277
   https://bugzilla.suse.com/1173760
   https://bugzilla.suse.com/1174075
   https://bugzilla.suse.com/1174911
   https://bugzilla.suse.com/1180689
   https://bugzilla.suse.com/1181826
   https://bugzilla.suse.com/1183783
   https://bugzilla.suse.com/1184400
   https://bugzilla.suse.com/1187906
   https://bugzilla.suse.com/1190926