SUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0845-1
Rating:             moderate
References:         #1099272 #1115529 #1128846 #1162964 #1172113 
                    #1173277 #1174075 #1174911 #1180689 #1181826 
                    #1187906 #1190926 #1194229 SLE-17334 
Cross-References:   CVE-2020-14367
CVSS scores:
                    CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
                    CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Installer 15-SP3
                    SUSE Linux Enterprise Micro 5.0
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Realtime Extension 15-SP2
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Manager Proxy 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has 12 fixes is now available.

Description:

   This update for chrony fixes the following issues:

   Chrony was updated to 4.1, bringing features and bugfixes.

   Update to 4.1

     * Add support for NTS servers specified by IP address (matching Subject
       Alternative Name in server certificate)
     * Add source-specific configuration of trusted certificates
     * Allow multiple files and directories with trusted certificates
     * Allow multiple pairs of server keys and certificates
     * Add copy option to server/pool directive
     * Increase PPS lock limit to 40% of pulse interval
     * Perform source selection immediately after loading dump files
     * Reload dump files for addresses negotiated by NTS-KE server
     * Update seccomp filter and add less restrictive level
     * Restart ongoing name resolution on online command
     * Fix dump files to not include uncorrected offset
     * Fix initstepslew to accept time from own NTP clients
     * Reset NTP address and port when no longer negotiated by NTS-KE server

   - Ensure the correct pool packages are installed for openSUSE and SLE
     (bsc#1180689).
   - Fix pool package dependencies, so that SLE prefers chrony-pool-suse
     over chrony-pool-empty (bsc#1194229).

   - Enable syscallfilter unconditionally (bsc#1181826).

   Update to 4.0

     - Enhancements

       - Add support for Network Time Security (NTS) authentication
       - Add support for AES-CMAC keys (AES128, AES256) with Nettle
       - Add authselectmode directive to control selection of unauthenticated
         sources
       - Add binddevice, bindacqdevice, bindcmddevice directives
       - Add confdir directive to better support fragmented configuration
       - Add sourcedir directive and "reload sources" command to support
         dynamic NTP sources specified in files
       - Add clockprecision directive
       - Add dscp directive to set Differentiated Services Code Point (DSCP)
       - Add -L option to limit log messages by severity
       - Add -p option to print whole configuration with included files
       - Add -U option to allow start under non-root user
       - Allow maxsamples to be set to 1 for faster update with -q/-Q
         option
       - Avoid replacing NTP sources with sources that have unreachable
         address
       - Improve pools to repeat name resolution to get "maxsources" sources
       - Improve source selection with trusted sources
       - Improve NTP loop test to prevent synchronisation to itself
       - Repeat iburst when NTP source is switched from offline state to
         online
       - Update clock synchronisation status and leap status more frequently
       - Update seccomp filter
       - Add "add pool" command
       - Add "reset sources" command to drop all measurements
       - Add authdata command to print details about NTP authentication
       - Add selectdata command to print details about source selection
       - Add -N option and sourcename command to print original names
         of sources
       - Add -a option to some commands to print also unresolved sources
       - Add -k, -p, -r options to clients command to select, limit, reset
         data

     - Bug fixes

       - Don’t set interface for NTP responses to allow asymmetric routing
       - Handle RTCs that don’t support interrupts
       - Respond to command requests with correct address on multihomed hosts

     - Removed features

       - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
       - Drop support for long (non-standard) MACs in NTPv4 packets (chrony
         2.x clients using non-MD5/SHA1 keys need to use
         option "version 3")
       - Drop support for line editing with GNU Readline

   - By default we don't write log files but log to journald, so logrotate
     is only a recommended (not required) dependency.

   - Adjust and rename the sysconfig file, so that it matches the
     expectations of chronyd.service (bsc#1173277).

   Update to 3.5.1:

     * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

   - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

   - Use iburst in the default pool statements to speed up initial
     synchronisation (bsc#1172113).




   Update to 3.5:

   + Add support for more accurate reading of PHC on Linux 5.0
   + Add support for hardware timestamping on interfaces with read-only
     timestamping configuration
   + Add support for memory locking and real-time priority on FreeBSD,
     NetBSD, Solaris
   + Update seccomp filter to work on more architectures
   + Validate refclock driver options
   + Fix bindaddress directive on FreeBSD
   + Fix transposition of hardware RX timestamp on Linux 4.13 and later
   + Fix building on non-glibc systems

   - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

   - Read runtime servers from /var/run/netconfig/chrony.servers to fix
     bsc#1099272.
   - Move chrony-helper to /usr/lib/chrony/helper, because there should be no
     executables in /usr/share.

   Update to version 3.4

     * Enhancements

       + Add filter option to server/pool/peer directive
       + Add minsamples and maxsamples options to hwtimestamp directive
       + Add support for faster frequency adjustments in Linux 4.19
       + Change default pidfile to /var/run/chrony/chronyd.pid to allow
         chronyd without root privileges to remove it on exit
       + Disable sub-second polling intervals for distant NTP sources
       + Extend range of supported sub-second polling intervals
       + Get/set IPv4 destination/source address of NTP packets on FreeBSD
       + Make burst options and command useful with short polling intervals
       + Modify auto_offline option to activate when sending request failed
       + Respond from interface that received NTP request if possible
       + Add onoffline command to switch between online and offline state
         according to current system network configuration
       + Improve example NetworkManager dispatcher script

     * Bug fixes

       + Avoid waiting in Linux getrandom system call
       + Fix PPS support on FreeBSD and NetBSD

   Update to version 3.3

     * Enhancements:

       + Add burst option to server/pool directive
       + Add stratum and tai options to refclock directive
       + Add support for Nettle crypto library
       + Add workaround for missing kernel receive timestamps on Linux
       + Wait for late hardware transmit timestamps
       + Improve source selection with unreachable sources
       + Improve protection against replay attacks on symmetric mode
       + Allow PHC refclock to use socket in /var/run/chrony
       + Add shutdown command to stop chronyd
       + Simplify format of response to manual list command
       + Improve handling of unknown responses in chronyc

     * Bug fixes:

       + Respond to NTPv1 client requests with zero mode
       + Fix -x option to not require CAP_SYS_TIME under non-root user
       + Fix acquisitionport directive to work with privilege separation
       + Fix handling of socket errors on Linux to avoid high CPU usage
       + Fix chronyc to not get stuck in infinite loop after clock step

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Realtime Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-845=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-845=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-845=1

   - SUSE Linux Enterprise Micro 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-845=1

   - SUSE Linux Enterprise Installer 15-SP3:

      zypper in -t patch SUSE-SLE-INSTALLER-15-SP3-2022-845=1

Package List:

   - SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-devel-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-devel-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      chrony-4.1-150300.16.3.1
      chrony-debuginfo-4.1-150300.16.3.1
      chrony-debugsource-4.1-150300.16.3.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      chrony-pool-empty-4.1-150300.16.3.1
      chrony-pool-suse-4.1-150300.16.3.1

   - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      chrony-4.1-150300.16.3.1
      chrony-debuginfo-4.1-150300.16.3.1
      chrony-debugsource-4.1-150300.16.3.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Micro 5.1 (noarch):

      chrony-pool-suse-4.1-150300.16.3.1

   - SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Installer 15-SP3 (aarch64 ppc64le s390x x86_64):

      augeas-1.10.1-3.9.1

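To confirm that a SLE 15-SP3 host already carries the fixed chrony packages listed above, here is an added example (not part of the SUSE advisory) that compares installed VERSION-RELEASE strings against the fixed values with an rpmvercmp-style comparison, so that releases such as 150300.16.3.1 are ordered numerically rather than as plain strings. The `rpm -qa --qf` query is a live fallback; the sample output and its older release 150300.13.1 are constructed.

```python
import re
import subprocess

# Fixed VERSION-RELEASE values from this advisory's package list (Basesystem 15-SP3).
FIXED = {
    "chrony": "4.1-150300.16.3.1",
    "chrony-pool-suse": "4.1-150300.16.3.1",
    "chrony-pool-empty": "4.1-150300.16.3.1",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output;
# the chrony release 150300.13.1 is hypothetical and older than the fixed one.
SAMPLE = """\
chrony 4.1-150300.13.1
chrony-pool-suse 4.1-150300.16.3.1
augeas 1.10.1-3.9.1
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """librpm-style rpmvercmp(): numeric segments beat alphabetic ones, '~' sorts
    before anything (pre-releases), extra trailing segments win. ('^' unsupported.)"""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else ""
        y = sb[i] if i < len(sb) else ""
        if "~" in (x, y):
            if x != y:
                return -1 if x == "~" else 1
            continue
        if not x or not y:              # one string ran out of segments
            return -1 if not x else 1
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alpha one
            return 1 if x.isdigit() else -1
        xv, yv = (int(x), int(y)) if x.isdigit() else (x, y)
        if xv != yv:
            return -1 if xv < yv else 1
    return 0

def evr_cmp(installed: str, fixed: str) -> int:
    """Compare 'VERSION-RELEASE' strings: version first, then release (no epochs here)."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)

def parse_rpm_qa(output: str) -> dict:
    """Turn 'NAME VERSION-RELEASE' lines into a {name: version-release} map."""
    return {p[0]: p[1] for p in (ln.split() for ln in output.splitlines()) if len(p) == 2}

def unpatched(installed: dict) -> list:
    """(name, installed, fixed) for advisory packages still below the fixed version."""
    return [(n, v, FIXED[n]) for n, v in installed.items()
            if n in FIXED and evr_cmp(v, FIXED[n]) < 0]

def main() -> None:
    try:  # live query on a SLE host; fall back to the constructed sample elsewhere
        out = subprocess.run(["rpm", "-qa", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for name, have, want in unpatched(parse_rpm_qa(out)):
        print(f"{name}: installed {have}, fixed in {want} (SUSE-SU-2022:0845-1)")

if __name__ == "__main__":
    main()
```

A host is only covered when every chrony package it has installed is at or above the fixed release; an empty result from `unpatched` on real `rpm -qa` output means the patch is in place.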
References:

   https://www.suse.com/security/cve/CVE-2020-14367.html
   https://bugzilla.suse.com/1099272
   https://bugzilla.suse.com/1115529
   https://bugzilla.suse.com/1128846
   https://bugzilla.suse.com/1162964
   https://bugzilla.suse.com/1172113
   https://bugzilla.suse.com/1173277
   https://bugzilla.suse.com/1174075
   https://bugzilla.suse.com/1174911
   https://bugzilla.suse.com/1180689
   https://bugzilla.suse.com/1181826
   https://bugzilla.suse.com/1187906
   https://bugzilla.suse.com/1190926
   https://bugzilla.suse.com/1194229

SUSE: 2022:0845-1 moderate: chrony

March 15, 2022