
A chrony security update has been released for openSUSE Leap 15.3.



openSUSE-SU-2022:0845-1: moderate: Security update for chrony


openSUSE Security Update: Security update for chrony
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0845-1
Rating: moderate
References: #1099272 #1115529 #1128846 #1162964 #1172113 #1173277 #1174075 #1174911 #1180689 #1181826 #1187906 #1190926 #1194229 SLE-17334
Cross-References: CVE-2020-14367
CVSS scores:
CVE-2020-14367 (NVD) : 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
CVE-2020-14367 (SUSE): 6 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Affected Products:
openSUSE Leap 15.3
______________________________________________________________________________

An update that solves one vulnerability, contains one
feature and has 12 fixes is now available.

Description:

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

* Add support for NTS servers specified by IP address (matching Subject
Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE server

- Ensure the correct pool packages are installed for openSUSE and SLE
(bsc#1180689).
- Fix pool package dependencies, so that SLE prefers chrony-pool-suse
over chrony-pool-empty (bsc#1194229).

- Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

- Enhancements

- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of unauthenticated
sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented configuration
- Add sourcedir directive and "reload sources" command to support
dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point (DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have unreachable
address
- Improve pools to repeat name resolution to get "maxsources" sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state to
online
- Update clock synchronisation status and leap status more frequently
- Update seccomp filter
- Add "add pool" command
- Add "reset sources" command to drop all measurements
- Add authdata command to print details about NTP authentication
- Add selectdata command to print details about source selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved sources
- Add -k, -p, -r options to clients command to select, limit, reset
data

- Bug fixes

- Don't set interface for NTP responses to allow asymmetric routing
- Handle RTCs that don't support interrupts
- Respond to command requests with correct address on multihomed hosts

- Removed features

- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets (chrony
2.x clients using non-MD5/SHA1 keys need to use option "version 3")
- Drop support for line editing with GNU Readline

- By default we don't write log files but log to journald, so
only recommend logrotate.

- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
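The CVE-2020-14367 entry above ("Create new file when writing pidfile") concerns how the pidfile is opened: truncating whatever already sits at the path lets a pre-planted symlink redirect the write. The following C is an added example, not chrony's own code, showing the fail-closed create-new pattern (O_CREAT|O_EXCL|O_NOFOLLOW) next to a constructed self-check that a planted symlink is refused; all paths, names and values are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create the pidfile as a NEW file: O_EXCL makes open() fail with EEXIST if
 * anything already exists at the path (a stale file or a planted symlink),
 * and O_NOFOLLOW refuses symlinks on the final component. Returns 0 on
 * success, -1 with errno set otherwise. Compare fopen(path, "w"), which
 * would truncate whatever the path resolves to. */
int write_pidfile_safely(const char *path, long pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int len = snprintf(buf, sizeof buf, "%ld\n", pid);
    for (int done = 0; done < len;) {
        ssize_t n = write(fd, buf + done, (size_t)(len - done));
        if (n < 0) { close(fd); return -1; }
        done += (int)n;
    }
    return close(fd);
}

/* Constructed scenario: a symlink already sits where the pidfile should go,
 * pointing at a file that must not be clobbered. Returns 1 if the write was
 * refused with EEXIST and the target kept its content, 0 otherwise. Writing
 * to a fresh path in the same directory succeeds exactly once. */
int demo_symlink_is_refused(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX", target[64], link[64], fresh[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(link, sizeof link, "%s/chronyd.pid", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.pid", dir);
    FILE *f = fopen(target, "w");
    if (!f || fputs("important\n", f) == EOF || fclose(f) != 0) return 0;
    if (symlink(target, link) != 0) return 0;
    int refused = write_pidfile_safely(link, 4242) == -1 && errno == EEXIST;
    int fresh_ok = write_pidfile_safely(fresh, 4242) == 0 &&
                   write_pidfile_safely(fresh, 4242) == -1;   /* second attempt: EEXIST */
    char back[32] = {0};
    f = fopen(target, "r");
    if (!f || !fgets(back, sizeof back, f)) return 0;
    fclose(f);
    unlink(link); unlink(target); unlink(fresh); rmdir(dir);
    return refused && fresh_ok && strcmp(back, "important\n") == 0;
}
```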



Update to 3.5:

+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only
timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD,
NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems

- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

- Read runtime servers from /var/run/netconfig/chrony.servers to fix
bsc#1099272.
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no
executables in /usr/share.

Update to version 3.4

* Enhancements

+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow
chronyd without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script

* Bug fixes

+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

* Enhancements:

+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc

* Bug fixes:

+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 15.3:

zypper in -t patch openSUSE-SLE-15.3-2022-845=1


Package List:

- openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

augeas-1.10.1-3.9.1
augeas-debuginfo-1.10.1-3.9.1
augeas-debugsource-1.10.1-3.9.1
augeas-devel-1.10.1-3.9.1
augeas-lense-tests-1.10.1-3.9.1
augeas-lenses-1.10.1-3.9.1
chrony-4.1-150300.16.3.1
chrony-debuginfo-4.1-150300.16.3.1
chrony-debugsource-4.1-150300.16.3.1
libaugeas0-1.10.1-3.9.1
libaugeas0-debuginfo-1.10.1-3.9.1

- openSUSE Leap 15.3 (x86_64):

augeas-devel-32bit-1.10.1-3.9.1
libaugeas0-32bit-1.10.1-3.9.1
libaugeas0-32bit-debuginfo-1.10.1-3.9.1

- openSUSE Leap 15.3 (noarch):

chrony-pool-empty-4.1-150300.16.3.1
chrony-pool-openSUSE-4.1-150300.16.3.1
chrony-pool-suse-4.1-150300.16.3.1

References:

  https://www.suse.com/security/cve/CVE-2020-14367.html
  https://bugzilla.suse.com/1099272
  https://bugzilla.suse.com/1115529
  https://bugzilla.suse.com/1128846
  https://bugzilla.suse.com/1162964
  https://bugzilla.suse.com/1172113
  https://bugzilla.suse.com/1173277
  https://bugzilla.suse.com/1174075
  https://bugzilla.suse.com/1174911
  https://bugzilla.suse.com/1180689
  https://bugzilla.suse.com/1181826
  https://bugzilla.suse.com/1187906
  https://bugzilla.suse.com/1190926
  https://bugzilla.suse.com/1194229