SUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:0845-2
Rating:             moderate
References:         #1099272 #1115529 #1128846 #1162964 #1172113 
                    #1173277 #1174075 #1174911 #1180689 #1181826 
                    #1187906 #1190926 #1194229 SLE-17334 
Cross-References:   CVE-2020-14367
CVSS scores:
                    CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
                    CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
                    SUSE Linux Enterprise Micro 5.2
______________________________________________________________________________

   An update that solves one vulnerability, contains one
   feature and has 12 fixes is now available.

Description:

   This update for chrony fixes the following issues:

   Chrony was updated to 4.1, bringing features and bugfixes.

   Update to 4.1

     * Add support for NTS servers specified by IP address (matching Subject
       Alternative Name in server certificate)
     * Add source-specific configuration of trusted certificates
     * Allow multiple files and directories with trusted certificates
     * Allow multiple pairs of server keys and certificates
     * Add copy option to server/pool directive
     * Increase PPS lock limit to 40% of pulse interval
     * Perform source selection immediately after loading dump files
     * Reload dump files for addresses negotiated by NTS-KE server
     * Update seccomp filter and add less restrictive level
     * Restart ongoing name resolution on online command
     * Fix dump files to not include uncorrected offset
     * Fix initstepslew to accept time from own NTP clients
     * Reset NTP address and port when no longer negotiated by NTS-KE server

   - Ensure the correct pool packages are installed for openSUSE and SLE
     (bsc#1180689).
   - Fix pool package dependencies, so that SLE prefers chrony-pool-suse
     over chrony-pool-empty. (bsc#1194229)

   - Enable syscallfilter unconditionally [bsc#1181826].

   Update to 4.0

     - Enhancements

       - Add support for Network Time Security (NTS) authentication
       - Add support for AES-CMAC keys (AES128, AES256) with Nettle
       - Add authselectmode directive to control selection of unauthenticated
         sources
       - Add binddevice, bindacqdevice, bindcmddevice directives
       - Add confdir directive to better support fragmented configuration
       - Add sourcedir directive and "reload sources" command to support
         dynamic NTP sources specified in files
       - Add clockprecision directive
       - Add dscp directive to set Differentiated Services Code Point (DSCP)
       - Add -L option to limit log messages by severity
       - Add -p option to print whole configuration with included files
       - Add -U option to allow start under non-root user
       - Allow maxsamples to be set to 1 for faster update with -q/-Q
         option
       - Avoid replacing NTP sources with sources that have unreachable
         address
       - Improve pools to repeat name resolution to get "maxsources" sources
       - Improve source selection with trusted sources
       - Improve NTP loop test to prevent synchronisation to itself
       - Repeat iburst when NTP source is switched from offline state to
         online
       - Update clock synchronisation status and leap status more frequently
       - Update seccomp filter
       - Add "add pool" command
       - Add "reset sources" command to drop all measurements
       - Add authdata command to print details about NTP authentication
       - Add selectdata command to print details about source selection
       - Add -N option and sourcename command to print original names
         of sources
       - Add -a option to some commands to print also unresolved sources
       - Add -k, -p, -r options to clients command to select, limit, reset
         data

     - Bug fixes

       - Don’t set interface for NTP responses to allow asymmetric routing
       - Handle RTCs that don’t support interrupts
       - Respond to command requests with correct address on multihomed hosts
     - Removed features
       - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
       - Drop support for long (non-standard) MACs in NTPv4 packets (chrony
         2.x clients using non-MD5/SHA1 keys need to use
         option "version 3")
       - Drop support for line editing with GNU Readline

   - By default we don't write log files but log to journald, so
     only recommend logrotate.

   - Adjust and rename the sysconfig file, so that it matches the
     expectations of chronyd.service (bsc#1173277).

   Update to 3.5.1:

     * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

   - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

   - Use iburst in the default pool statements to speed up initial
     synchronisation (bsc#1172113).




   Update to 3.5:

   + Add support for more accurate reading of PHC on Linux 5.0
   + Add support for hardware timestamping on interfaces with read-only
     timestamping configuration
   + Add support for memory locking and real-time priority on FreeBSD,
     NetBSD, Solaris
   + Update seccomp filter to work on more architectures
   + Validate refclock driver options
   + Fix bindaddress directive on FreeBSD
   + Fix transposition of hardware RX timestamp on Linux 4.13 and later
   + Fix building on non-glibc systems

   - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).


   - Read runtime servers from /var/run/netconfig/chrony.servers to fix
     bsc#1099272.
   - Move chrony-helper to /usr/lib/chrony/helper, because there should be no
     executables in /usr/share.

   Update to version 3.4

     * Enhancements

       + Add filter option to server/pool/peer directive
       + Add minsamples and maxsamples options to hwtimestamp directive
       + Add support for faster frequency adjustments in Linux 4.19
       + Change default pidfile to /var/run/chrony/chronyd.pid to allow
         chronyd without root privileges to remove it on exit
       + Disable sub-second polling intervals for distant NTP sources
       + Extend range of supported sub-second polling intervals
       + Get/set IPv4 destination/source address of NTP packets on FreeBSD
       + Make burst options and command useful with short polling intervals
       + Modify auto_offline option to activate when sending request failed
       + Respond from interface that received NTP request if possible
       + Add onoffline command to switch between online and offline state
         according to current system network configuration
       + Improve example NetworkManager dispatcher script

     * Bug fixes

       + Avoid waiting in Linux getrandom system call
       + Fix PPS support on FreeBSD and NetBSD

   Update to version 3.3

     * Enhancements:

       + Add burst option to server/pool directive
       + Add stratum and tai options to refclock directive
       + Add support for Nettle crypto library
       + Add workaround for missing kernel receive timestamps on Linux
       + Wait for late hardware transmit timestamps
       + Improve source selection with unreachable sources
       + Improve protection against replay attacks on symmetric mode
       + Allow PHC refclock to use socket in /var/run/chrony
       + Add shutdown command to stop chronyd
       + Simplify format of response to manual list command
       + Improve handling of unknown responses in chronyc

     * Bug fixes:

       + Respond to NTPv1 client requests with zero mode
       + Fix -x option to not require CAP_SYS_TIME under non-root user
       + Fix acquisitionport directive to work with privilege separation
       + Fix handling of socket errors on Linux to avoid high CPU usage
       + Fix chronyc to not get stuck in infinite loop after clock step


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Micro 5.2:

      zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-845=1



Package List:

   - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64):

      augeas-1.10.1-3.9.1
      augeas-debuginfo-1.10.1-3.9.1
      augeas-debugsource-1.10.1-3.9.1
      augeas-lenses-1.10.1-3.9.1
      libaugeas0-1.10.1-3.9.1
      libaugeas0-debuginfo-1.10.1-3.9.1


References:

   https://www.suse.com/security/cve/CVE-2020-14367.html
   https://bugzilla.suse.com/1099272
   https://bugzilla.suse.com/1115529
   https://bugzilla.suse.com/1128846
   https://bugzilla.suse.com/1162964
   https://bugzilla.suse.com/1172113
   https://bugzilla.suse.com/1173277
   https://bugzilla.suse.com/1174075
   https://bugzilla.suse.com/1174911
   https://bugzilla.suse.com/1180689
   https://bugzilla.suse.com/1181826
   https://bugzilla.suse.com/1187906
   https://bugzilla.suse.com/1190926
   https://bugzilla.suse.com/1194229

SUSE: 2022:0845-2 moderate: chrony

April 19, 2022
An update that solves one vulnerability, contains one feature and has 12 fixes is now available

Summary

This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get "maxsources" sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add "add pool" command - Add "reset sources" command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3") - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Micro 5.2: zypper in -t patch SUSE-SUSE-MicroOS-5.2-2022-845=1 Package List: - SUSE Linux Enterprise Micro 5.2 (aarch64 s390x x86_64): augeas-1.10.1-3.9.1 augeas-debuginfo-1.10.1-3.9.1 augeas-debugsource-1.10.1-3.9.1 augeas-lenses-1.10.1-3.9.1 libaugeas0-1.10.1-3.9.1 libaugeas0-debuginfo-1.10.1-3.9.1

References

#1099272 #1115529 #1128846 #1162964 #1172113

#1173277 #1174075 #1174911 #1180689 #1181826

#1187906 #1190926 #1194229 SLE-17334

Cross- CVE-2020-14367

CVSS scores:

CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:

SUSE Linux Enterprise Micro 5.2

https://www.suse.com/security/cve/CVE-2020-14367.html

https://bugzilla.suse.com/1099272

https://bugzilla.suse.com/1115529

https://bugzilla.suse.com/1128846

https://bugzilla.suse.com/1162964

https://bugzilla.suse.com/1172113

https://bugzilla.suse.com/1173277

https://bugzilla.suse.com/1174075

https://bugzilla.suse.com/1174911

https://bugzilla.suse.com/1180689

https://bugzilla.suse.com/1181826

https://bugzilla.suse.com/1187906

https://bugzilla.suse.com/1190926

https://bugzilla.suse.com/1194229

Severity
Announcement ID: SUSE-SU-2022:0845-2
Rating: moderate

Related News

News

Powered By

Footer Logo

Linux Security - Your source for Top Linux News, Advisories, HowTo's and Feature Release.

Powered By

Footer Logo