Security update for chrony

Announcement ID: SUSE-SU-2022:0845-1
Rating: moderate
CVSS scores:
  • CVE-2020-14367 ( SUSE ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
  • CVE-2020-14367 ( NVD ): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected Products:
  • Basesystem Module 15-SP3
  • openSUSE Leap 15.3
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise Micro 5.0
  • SUSE Linux Enterprise Micro 5.1
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Manager Proxy 4.2
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Server 4.2

An update that solves one vulnerability, contains one feature and has 12 security fixes can now be installed.

Description:

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  • Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
  • Add source-specific configuration of trusted certificates
  • Allow multiple files and directories with trusted certificates
  • Allow multiple pairs of server keys and certificates
  • Add copy option to server/pool directive
  • Increase PPS lock limit to 40% of pulse interval
  • Perform source selection immediately after loading dump files
  • Reload dump files for addresses negotiated by NTS-KE server
  • Update seccomp filter and add less restrictive level
  • Restart ongoing name resolution on online command
  • Fix dump files to not include uncorrected offset
  • Fix initstepslew to accept time from own NTP clients
  • Reset NTP address and port when no longer negotiated by NTS-KE server

  • Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).

  • Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

  • Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  • Enhancements

    • Add support for Network Time Security (NTS) authentication
    • Add support for AES-CMAC keys (AES128, AES256) with Nettle
    • Add authselectmode directive to control selection of unauthenticated sources
    • Add binddevice, bindacqdevice, bindcmddevice directives
    • Add confdir directive to better support fragmented configuration
    • Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files
    • Add clockprecision directive
    • Add dscp directive to set Differentiated Services Code Point (DSCP)
    • Add -L option to limit log messages by severity
    • Add -p option to print whole configuration with included files
    • Add -U option to allow start under non-root user
    • Allow maxsamples to be set to 1 for faster update with -q/-Q option
    • Avoid replacing NTP sources with sources that have unreachable address
    • Improve pools to repeat name resolution to get "maxsources" sources
    • Improve source selection with trusted sources
    • Improve NTP loop test to prevent synchronisation to itself
    • Repeat iburst when NTP source is switched from offline state to online
    • Update clock synchronisation status and leap status more frequently
    • Update seccomp filter
    • Add "add pool" command
    • Add "reset sources" command to drop all measurements
    • Add authdata command to print details about NTP authentication
    • Add selectdata command to print details about source selection
    • Add -N option and sourcename command to print original names of sources
    • Add -a option to some commands to print also unresolved sources
    • Add -k, -p, -r options to clients command to select, limit, reset data
  • Bug fixes

    • Don’t set interface for NTP responses to allow asymmetric routing
    • Handle RTCs that don’t support interrupts
    • Respond to command requests with correct address on multihomed hosts
  • Removed features

    • Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    • Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3")
    • Drop support for line editing with GNU Readline
  • By default we don't write log files but log to journald, so only recommend logrotate.

  • Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  • Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

  • Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

  • Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).
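The CVE-2020-14367 entry above describes the fix only as "create new file when writing pidfile". The defensive pattern that phrase names is exclusive creation (O_CREAT|O_EXCL), which refuses to follow a symlink that something less privileged has planted at the pidfile path. The script below is an added illustration of that pattern, not chrony's own code, and the symlink-based scenario it runs is an assumption about the bug class rather than a reconstruction of chrony's code path; every path and PID it uses is constructed inside a scratch directory.

```python
"""Exclusive pidfile creation versus the naive open-for-write pattern.

Added example for this advisory; it is not chrony's implementation. All paths
and the PID value are constructed inside a temporary run directory.
"""
import errno
import os
import stat
import tempfile


def write_pidfile_exclusive(path: str, pid: int) -> None:
    """Create `path` fresh and write `pid` into it.

    O_CREAT|O_EXCL makes open() fail with EEXIST if anything already exists at
    `path`. POSIX requires that failure even when the existing entry is a
    symlink, so a link planted in the run directory is never followed and the
    (possibly privileged) writer cannot be redirected onto another file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    try:
        os.write(fd, f"{pid}\n".encode())
    finally:
        os.close(fd)


def write_pidfile_naive(path: str, pid: int) -> None:
    """The unsafe pattern: open(..., "w") follows symlinks and truncates the target."""
    with open(path, "w") as f:
        f.write(f"{pid}\n")


def remove_stale_pidfile(path: str) -> bool:
    """Housekeeping before exclusive creation: unlink a leftover pidfile only if it
    is a regular file. Returns True when something was removed. The O_EXCL open
    remains the real guard, because a symlink could still appear between this
    lstat() and the open()."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode):
        raise RuntimeError(f"refusing to remove non-regular pidfile {path}")
    os.unlink(path)
    return True


def _read(path: str) -> str:
    with open(path) as f:
        return f.read()


def demo() -> dict:
    """Run both writers against a symlink planted in a scratch run directory and
    return what each did, so the difference is checkable rather than only printed."""
    with tempfile.TemporaryDirectory() as run_dir:
        victim = os.path.join(run_dir, "victim.txt")   # constructed target file
        original = "original contents\n"
        with open(victim, "w") as f:
            f.write(original)
        link = os.path.join(run_dir, "chronyd.pid")    # constructed pidfile path
        os.symlink(victim, link)

        write_pidfile_naive(link, 4242)
        naive_overwrote = _read(victim) != original

        with open(victim, "w") as f:   # restore the target, then try the hardened writer
            f.write(original)
        try:
            write_pidfile_exclusive(link, 4242)
            exclusive_refused = False
        except OSError as e:
            exclusive_refused = e.errno == errno.EEXIST
        exclusive_preserved = _read(victim) == original

        try:                           # the stale-file helper also refuses the symlink
            remove_stale_pidfile(link)
            stale_refused_symlink = False
        except RuntimeError:
            stale_refused_symlink = True

        fresh = os.path.join(run_dir, "fresh.pid")
        write_pidfile_exclusive(fresh, 4242)
        fresh_content = _read(fresh)
        stale_removed = remove_stale_pidfile(fresh)   # regular file: removed

    return {
        "naive_overwrote": naive_overwrote,
        "exclusive_refused": exclusive_refused,
        "exclusive_preserved": exclusive_preserved,
        "stale_refused_symlink": stale_refused_symlink,
        "fresh_content": fresh_content,
        "stale_removed": stale_removed,
    }


if __name__ == "__main__":
    print(demo())
```

The naive writer silently replaces the symlink's target; the exclusive writer fails with EEXIST and leaves it untouched. A daemon that must recover from a crash removes the stale pidfile first (regular files only), but it is the O_EXCL at open time, not the preceding check, that closes the window.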

Update to 3.5:

  • Add support for more accurate reading of PHC on Linux 5.0
  • Add support for hardware timestamping on interfaces with read-only timestamping configuration
  • Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
  • Update seccomp filter to work on more architectures
  • Validate refclock driver options
  • Fix bindaddress directive on FreeBSD
  • Fix transposition of hardware RX timestamp on Linux 4.13 and later
  • Fix building on non-glibc systems

  • Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

  • Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.

  • Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

  • Enhancements

    • Add filter option to server/pool/peer directive
    • Add minsamples and maxsamples options to hwtimestamp directive
    • Add support for faster frequency adjustments in Linux 4.19
    • Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
    • Disable sub-second polling intervals for distant NTP sources
    • Extend range of supported sub-second polling intervals
    • Get/set IPv4 destination/source address of NTP packets on FreeBSD
    • Make burst options and command useful with short polling intervals
    • Modify auto_offline option to activate when sending request failed
    • Respond from interface that received NTP request if possible
    • Add onoffline command to switch between online and offline state according to current system network configuration
    • Improve example NetworkManager dispatcher script
  • Bug fixes

    • Avoid waiting in Linux getrandom system call
    • Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  • Enhancements:

    • Add burst option to server/pool directive
    • Add stratum and tai options to refclock directive
    • Add support for Nettle crypto library
    • Add workaround for missing kernel receive timestamps on Linux
    • Wait for late hardware transmit timestamps
    • Improve source selection with unreachable sources
    • Improve protection against replay attacks on symmetric mode
    • Allow PHC refclock to use socket in /var/run/chrony
    • Add shutdown command to stop chronyd
    • Simplify format of response to manual list command
    • Improve handling of unknown responses in chronyc
  • Bug fixes:

    • Respond to NTPv1 client requests with zero mode
    • Fix -x option to not require CAP_SYS_TIME under non-root user
    • Fix acquisitionport directive to work with privilege separation
    • Fix handling of socket errors on Linux to avoid high CPU usage
    • Fix chronyc to not get stuck in infinite loop after clock step

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 15 SP3
    zypper in -t patch SUSE-SLE-INSTALLER-15-SP3-2022-845=1
  • openSUSE Leap 15.3
    zypper in -t patch SUSE-2022-845=1
  • Basesystem Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-845=1
  • SUSE Linux Enterprise Real Time 15 SP2
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-845=1
  • SUSE Linux Enterprise Micro 5.0
    zypper in -t patch SUSE-SUSE-MicroOS-5.0-2022-845=1
  • SUSE Linux Enterprise Micro 5.1
    zypper in -t patch SUSE-SUSE-MicroOS-5.1-2022-845=1
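Once the patch has been applied, the check a practitioner wants is whether every installed package named in this advisory is at or above the fixed build. The script below is an added example, not SUSE tooling: it assumes an inventory taken with plain `rpm -qa` in its default NAME-VERSION-RELEASE.ARCH form (the sample lines are constructed), takes the fixed versions from the Package List of this advisory, and compares them with rpm's segment-wise rule for digit and letter runs (epochs and the `~`/`^` separators are not handled here). Plain string comparison would get this wrong, since "150300.16.10.1" sorts before "150300.16.3.1" as text but is the newer build.

```python
"""Check an rpm -qa inventory against the fixed package builds of this advisory.

Added example, not SUSE's tooling. Fixed versions below come from the advisory's
Package List; the inventory lines are constructed sample input.
"""
import re

# version-release pairs from the advisory's Package List
FIXED = {
    "chrony": ("4.1", "150300.16.3.1"),
    "chrony-debuginfo": ("4.1", "150300.16.3.1"),
    "chrony-debugsource": ("4.1", "150300.16.3.1"),
    "chrony-pool-suse": ("4.1", "150300.16.3.1"),
    "chrony-pool-empty": ("4.1", "150300.16.3.1"),
    "chrony-pool-openSUSE": ("4.1", "150300.16.3.1"),
    "augeas": ("1.10.1", "3.9.1"),
    "augeas-lenses": ("1.10.1", "3.9.1"),
    "libaugeas0": ("1.10.1", "3.9.1"),
}

# constructed sample of `rpm -qa` output (the last line is a filler package)
SAMPLE_INVENTORY = """\
chrony-4.0-150300.14.1.x86_64
chrony-pool-suse-4.1-150300.16.3.1.noarch
augeas-1.10.1-3.9.1.x86_64
libaugeas0-1.10.1-3.9.10.x86_64
examplepkg-1.0-1.1.x86_64
""".splitlines()

_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does for alphanumeric
    segments: split into digit runs and letter runs, compare pairwise, digits
    numerically, letters lexically, a digit run beats a letter run, and when one
    side runs out the one with more segments is newer. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_nevra(line: str):
    """Split NAME-VERSION-RELEASE.ARCH from the right, so dashes in the package
    name (chrony-pool-suse) are handled. Returns (name, version, release, arch)."""
    rest, _, arch = line.rpartition(".")
    rest, _, release = rest.rpartition("-")
    name, _, version = rest.rpartition("-")
    if not (name and version and release and arch):
        raise ValueError(f"not a NAME-VERSION-RELEASE.ARCH string: {line!r}")
    return name, version, release, arch


def check_inventory(rpm_qa_lines, fixed=FIXED) -> dict:
    """Map each installed package that the advisory covers to 'fixed' or 'vulnerable'.
    Packages the advisory does not name are ignored."""
    status = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nevra(line)
        if name not in fixed:
            continue
        fixed_version, fixed_release = fixed[name]
        cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        status[name] = "fixed" if cmp >= 0 else "vulnerable"
    return status


if __name__ == "__main__":
    for name, state in sorted(check_inventory(SAMPLE_INVENTORY).items()):
        print(f"{name:24} {state}")
```

To run it against a real host, replace SAMPLE_INVENTORY with `subprocess.run(["rpm", "-qa"], capture_output=True, text=True).stdout.splitlines()`; a package reported as "vulnerable" means the build installed predates the one this advisory ships.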

Package List:

  • SUSE Linux Enterprise Server 15 SP3 (aarch64 ppc64le s390x x86_64)
    • augeas-1.10.1-3.9.1
    • augeas-lenses-1.10.1-3.9.1
    • libaugeas0-1.10.1-3.9.1
  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64 i586)
    • chrony-debuginfo-4.1-150300.16.3.1
    • chrony-4.1-150300.16.3.1
    • chrony-debugsource-4.1-150300.16.3.1
  • openSUSE Leap 15.3 (noarch)
    • chrony-pool-openSUSE-4.1-150300.16.3.1
    • chrony-pool-suse-4.1-150300.16.3.1
    • chrony-pool-empty-4.1-150300.16.3.1
  • Basesystem Module 15-SP3 (aarch64 ppc64le s390x x86_64)
    • augeas-devel-1.10.1-3.9.1
    • libaugeas0-debuginfo-1.10.1-3.9.1
    • augeas-1.10.1-3.9.1
    • chrony-4.1-150300.16.3.1
    • libaugeas0-1.10.1-3.9.1
    • chrony-debuginfo-4.1-150300.16.3.1
    • augeas-debugsource-1.10.1-3.9.1
    • augeas-lenses-1.10.1-3.9.1
    • augeas-debuginfo-1.10.1-3.9.1
    • chrony-debugsource-4.1-150300.16.3.1
  • Basesystem Module 15-SP3 (noarch)
    • chrony-pool-suse-4.1-150300.16.3.1
    • chrony-pool-empty-4.1-150300.16.3.1
  • SUSE Linux Enterprise Real Time 15 SP2 (x86_64)
    • augeas-devel-1.10.1-3.9.1
    • libaugeas0-debuginfo-1.10.1-3.9.1
    • augeas-1.10.1-3.9.1
    • libaugeas0-1.10.1-3.9.1
    • augeas-debugsource-1.10.1-3.9.1
    • augeas-lenses-1.10.1-3.9.1
    • augeas-debuginfo-1.10.1-3.9.1
  • SUSE Linux Enterprise Micro 5.0 (aarch64 x86_64)
    • libaugeas0-debuginfo-1.10.1-3.9.1
    • augeas-1.10.1-3.9.1
    • libaugeas0-1.10.1-3.9.1
    • augeas-debugsource-1.10.1-3.9.1
    • augeas-lenses-1.10.1-3.9.1
    • augeas-debuginfo-1.10.1-3.9.1
  • SUSE Linux Enterprise Micro 5.1 (aarch64 s390x x86_64)
    • libaugeas0-debuginfo-1.10.1-3.9.1
    • augeas-1.10.1-3.9.1
    • chrony-4.1-150300.16.3.1
    • libaugeas0-1.10.1-3.9.1
    • chrony-debuginfo-4.1-150300.16.3.1
    • augeas-debugsource-1.10.1-3.9.1
    • augeas-lenses-1.10.1-3.9.1
    • augeas-debuginfo-1.10.1-3.9.1
    • chrony-debugsource-4.1-150300.16.3.1
  • SUSE Linux Enterprise Micro 5.1 (noarch)
    • chrony-pool-suse-4.1-150300.16.3.1
