SUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0845-1
Rating:             moderate
References:         #1099272 #1115529 #1128846 #1162964 #1172113 
                    #1173277 #1174075 #1174911 #1180689 #1181826 
                    #1187906 #1190926 #1194229 SLE-17334 
Cross-References:   CVE-2020-14367
CVSS scores:
                    CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
                    CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise Installer 15-SP3
                    SUSE Linux Enterprise Micro 5.0
                    SUSE Linux Enterprise Micro 5.1
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Realtime Extension 15-SP2
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Manager Proxy 4.2
                    SUSE Manager Server 4.2
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has 12 fixes is now available.

Description:

   This update for chrony fixes the following issues:

   Chrony was updated to 4.1, bringing features and bugfixes.

   Update to 4.1

     * Add support for NTS servers specified by IP address (matching Subject
       Alternative Name in server certificate)
     * Add source-specific configuration of trusted certificates
     * Allow multiple files and directories with trusted certificates
     * Allow multiple pairs of server keys and certificates
     * Add copy option to server/pool directive
     * Increase PPS lock limit to 40% of pulse interval
     * Perform source selection immediately after loading dump files
     * Reload dump files for addresses negotiated by NTS-KE server
     * Update seccomp filter and add less restrictive level
     * Restart ongoing name resolution on online command
     * Fix dump files to not include uncorrected offset
     * Fix initstepslew to accept time from own NTP clients
     * Reset NTP address and port when no longer negotiated by NTS-KE server

   - Ensure the correct pool packages are installed for openSUSE and SLE
     (bsc#1180689).
   - Fix pool package dependencies, so that SLE prefers chrony-pool-suse
     over chrony-pool-empty. (bsc#1194229)

- Enable syscallfilter unconditionally (bsc#1181826).

   Update to 4.0

     - Enhancements

       - Add support for Network Time Security (NTS) authentication
       - Add support for AES-CMAC keys (AES128, AES256) with Nettle
       - Add authselectmode directive to control selection of unauthenticated
         sources
       - Add binddevice, bindacqdevice, bindcmddevice directives
       - Add confdir directive to better support fragmented configuration
       - Add sourcedir directive and "reload sources" command to support
         dynamic NTP sources specified in files
       - Add clockprecision directive
       - Add dscp directive to set Differentiated Services Code Point (DSCP)
       - Add -L option to limit log messages by severity
       - Add -p option to print whole configuration with included files
       - Add -U option to allow start under non-root user
       - Allow maxsamples to be set to 1 for faster update with -q/-Q
         option
       - Avoid replacing NTP sources with sources that have unreachable
         address
       - Improve pools to repeat name resolution to get "maxsources" sources
       - Improve source selection with trusted sources
       - Improve NTP loop test to prevent synchronisation to itself
       - Repeat iburst when NTP source is switched from offline state to
         online
       - Update clock synchronisation status and leap status more frequently
       - Update seccomp filter
       - Add "add pool" command
       - Add "reset sources" command to drop all measurements
       - Add authdata command to print details about NTP authentication
       - Add selectdata command to print details about source selection
       - Add -N option and sourcename command to print original names
         of sources
       - Add -a option to some commands to print also unresolved sources
       - Add -k, -p, -r options to clients command to select, limit, reset
         data

     - Bug fixes

       - Don't set interface for NTP responses to allow asymmetric routing
       - Handle RTCs that don't support interrupts
       - Respond to command requests with correct address on multihomed hosts

     - Removed features

       - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
       - Drop support for long (non-standard) MACs in NTPv4 packets (chrony
         2.x clients using non-MD5/SHA1 keys need to use
         option "version 3")
       - Drop support for line editing with GNU Readline

   - By default chrony does not write log files but logs to journald, so
     the package only recommends logrotate instead of requiring it.

   - Adjust and rename the sysconfig file, so that it matches the
     expectations of chronyd.service (bsc#1173277).

   Update to 3.5.1:

     * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
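   What the CVE-2020-14367 fix changes, shown as an added example that is not
   chrony's own code: a self-contained C program writes a pidfile the old way
   (open with O_TRUNC, which follows a symbolic link planted at the pidfile
   path) and the way the entry above describes (remove any stale file, then
   create a new one with O_CREAT|O_EXCL). The function names, the temporary
   directory and the victim file are constructed for the demonstration; the
   pre-condition it reproduces is the one behind the CVE, a pidfile directory
   that the unprivileged chrony user can write to while chronyd still creates
   the file as root. The 3.4 entry further down, which moved the default
   pidfile into /var/run/chrony so that an unprivileged chronyd can remove it
   on exit, is what made that directory attacker-writable in the first place.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed victim content; in the real attack any root-writable file will do. */
#define VICTIM_CONTENT "do-not-clobber\n"

static int write_pid_and_close(int fd, pid_t pid)
{
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%d\n", (int)pid);
    int ok = write(fd, buf, (size_t)n) == n;
    close(fd);
    return ok ? 0 : -1;
}

/* Pre-3.5.1 pattern (fopen(path, "w") semantics): O_TRUNC follows a symbolic
 * link at `path`, so the PID lands in whatever the link points to. */
int write_pidfile_insecure(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    return fd < 0 ? -1 : write_pid_and_close(fd, pid);
}

/* Pattern matching the 3.5.1 entry ("create new file"): drop a stale pidfile,
 * then insist on a brand-new one. O_CREAT|O_EXCL fails with EEXIST if anything,
 * a symlink included, already sits at `path`, so a link re-planted after the
 * unlink only aborts startup; it can no longer redirect the write. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    if (unlink(path) < 0 && errno != ENOENT)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    return fd < 0 ? -1 : write_pid_and_close(fd, pid);
}

/* Reproduce the CVE pre-condition in a fresh temporary directory: a victim file
 * and, at the pidfile path, a symlink pointing at it (what an attacker who can
 * write the pidfile directory would plant). All three buffers hold `len` bytes. */
static int setup_scenario(char *dir, char *pidfile, char *victim, size_t len)
{
    snprintf(dir, len, "%s", "/tmp/chrony-pidfile-demo-XXXXXX");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, len, "%s/victim", dir);
    snprintf(pidfile, len, "%s/chronyd.pid", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, VICTIM_CONTENT, strlen(VICTIM_CONTENT)) < 0)
        return -1;
    close(fd);
    return symlink(victim, pidfile);
}

static void cleanup(const char *dir, const char *pidfile, const char *victim)
{
    unlink(pidfile); unlink(victim); rmdir(dir);
}

/* 1 if `path` still holds exactly VICTIM_CONTENT, 0 otherwise. */
static int victim_intact(const char *path)
{
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n == (ssize_t)strlen(VICTIM_CONTENT) && memcmp(buf, VICTIM_CONTENT, (size_t)n) == 0;
}

/* Returns 1 when the old pattern is observed overwriting the victim file. */
int insecure_writer_clobbers_victim(void)
{
    char dir[128], pidfile[128], victim[128];
    if (setup_scenario(dir, pidfile, victim, sizeof dir) < 0)
        return -1;
    int r = write_pidfile_insecure(pidfile, getpid()) == 0 && !victim_intact(victim);
    cleanup(dir, pidfile, victim);
    return r;
}

/* Returns 1 when the fixed pattern leaves the victim untouched and puts a
 * regular file, not a link, at the pidfile path. */
int safe_writer_preserves_victim(void)
{
    char dir[128], pidfile[128], victim[128];
    struct stat st;
    if (setup_scenario(dir, pidfile, victim, sizeof dir) < 0)
        return -1;
    int r = write_pidfile_safe(pidfile, getpid()) == 0
            && lstat(pidfile, &st) == 0 && S_ISREG(st.st_mode)
            && victim_intact(victim);
    cleanup(dir, pidfile, victim);
    return r;
}

int main(void)
{
    printf("insecure writer clobbers victim: %d\n", insecure_writer_clobbers_victim());
    printf("safe writer preserves victim:    %d\n", safe_writer_preserves_victim());
    return 0;
}
```

   The check that matters is the O_EXCL, not the unlink: without it the unlink
   merely narrows the race, and a link re-created between the two calls would
   still be followed. With it, the worst an attacker holding the chrony user
   can do is keep chronyd from starting, which is why the CVSS vector above
   carries no confidentiality impact and requires high privileges.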

   - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

   - Use iburst in the default pool statements to speed up initial
     synchronisation (bsc#1172113).




   Update to 3.5:

   + Add support for more accurate reading of PHC on Linux 5.0
   + Add support for hardware timestamping on interfaces with read-only
     timestamping configuration
   + Add support for memory locking and real-time priority on FreeBSD,
     NetBSD, Solaris
   + Update seccomp filter to work on more architectures
   + Validate refclock driver options
   + Fix bindaddress directive on FreeBSD
   + Fix transposition of hardware RX timestamp on Linux 4.13 and later
   + Fix building on non-glibc systems

   - Fix location of helper script in the chrony systemd unit file
     (bsc#1128846).


   - Read runtime servers from /var/run/netconfig/chrony.servers to fix
     bsc#1099272.
   - Move chrony-helper to /usr/lib/chrony/helper, because there should be no
     executables in /usr/share.

   Update to version 3.4

     * Enhancements

       + Add filter option to server/pool/peer directive
       + Add minsamples and maxsamples options to hwtimestamp directive
       + Add support for faster frequency adjustments in Linux 4.19
       + Change default pidfile to /var/run/chrony/chronyd.pid to allow
         chronyd without root privileges to remove it on exit
       + Disable sub-second polling intervals for distant NTP sources
       + Extend range of supported sub-second polling intervals
       + Get/set IPv4 destination/source address of NTP packets on FreeBSD
       + Make burst options and command useful with short polling intervals
       + Modify auto_offline option to activate when sending request failed
       + Respond from interface that received NTP request if possible
       + Add onoffline command to switch between online and offline state
         according to current system network configuration
       + Improve example NetworkManager dispatcher script

     * Bug fixes

       + Avoid waiting in Linux getrandom system call
       + Fix PPS support on FreeBSD and NetBSD

   Update to version 3.3

     * Enhancements:

       + Add burst option to server/pool directive
       + Add stratum and tai options to refclock directive
       + Add support for Nettle crypto library
       + Add workaround for missing kernel receive timestamps on Linux
       + Wait for late hardware transmit timestamps
       + Improve source selection with unreachable sources
       + Improve protection against replay attacks on symmetric mode
       + Allow PHC refclock to use socket in /var/run/chrony
       + Add shutdown command to stop chronyd
       + Simplify format of response to manual list command
       + Improve handling of unknown responses in chronyc

     * Bug fixes:

       + Respond to NTPv1 client requests with zero mode
       + Fix -x option to not require CAP_SYS_TIME under non-root user
       + Fix acquisitionport directive to work with privilege separation
       + Fix handling of socket errors on Linux to avoid high CPU usage
       + Fix chronyc to not get stuck in infinite loop after clock step


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Realtime Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-845=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-845=1

   - SUSE Linux Enterprise Micro 5.1:

      zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-845=1

   - SUSE Linux Enterprise Micro 5.0:

      zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-845=1

   - SUSE Linux Enterprise Installer 15-SP3:

      zypper in -t patch SUSE-SLE-INSTALLER-15-SP3-2022-845=1



Package List:

   - SUSE Linux Enterprise Realtime Extension 15-SP2 (x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-devel-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-devel-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      chrony-4.1-150300.16.3.1
      chrony-debuginfo-4.1-150300.16.3.1
      chrony-debugsource-4.1-150300.16.3.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      chrony-pool-empty-4.1-150300.16.3.1
      chrony-pool-suse-4.1-150300.16.3.1

   - SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      chrony-4.1-150300.16.3.1
      chrony-debuginfo-4.1-150300.16.3.1
      chrony-debugsource-4.1-150300.16.3.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Micro 5.1 (noarch):

      chrony-pool-suse-4.1-150300.16.3.1

   - SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1

   - SUSE Linux Enterprise Installer 15-SP3 (aarch64 ppc64le s390x x86_64):

      augeas-1.10.1-3.9.1


References:

   https://www.suse.com/security/cve/CVE-2020-14367.html
   https://bugzilla.suse.com/1099272
   https://bugzilla.suse.com/1115529
   https://bugzilla.suse.com/1128846
   https://bugzilla.suse.com/1162964
   https://bugzilla.suse.com/1172113
   https://bugzilla.suse.com/1173277
   https://bugzilla.suse.com/1174075
   https://bugzilla.suse.com/1174911
   https://bugzilla.suse.com/1180689
   https://bugzilla.suse.com/1181826
   https://bugzilla.suse.com/1187906
   https://bugzilla.suse.com/1190926
   https://bugzilla.suse.com/1194229