Security update for chrony

Announcement ID: SUSE-SU-2025:20862-1
Release Date: 2025-10-17T12:02:52Z
Rating: moderate
References:
Affected Products:
  • SUSE Linux Micro 6.1

An update that has one fix can now be installed.

Description:

This update for chrony fixes the following issues:

  • Update to version 4.8:
    • Add maxunreach option to limit selection of unreachable sources
    • Add -u option to chronyc to drop root privileges (default chronyc user is set by configure script)
    • Fix refclock extpps option to work on Linux >= 6.15
    • Validate refclock samples for reachability updates

  • Fix racy socket creation which allows privilege escalation to root (bsc#1246544)

  • Update to version 4.7:
    • Add opencommands directive to select remote monitoring commands
    • Add interval option to driftfile directive
    • Add waitsynced and waitunsynced options to local directive
    • Add sanity checks for integer values in configuration
    • Add support for systemd Type=notify service
    • Add RTC refclock driver
    • Allow PHC refclock to be specified with network interface name
    • Don’t require multiple refclock samples per poll to simplify filter configuration
    • Keep refclock reachable when dropping samples with large delay
    • Improve quantile-based filtering to adapt faster to larger delay
    • Improve logging of selection failures
    • Detect clock interference from other processes
    • Try to reopen message log (-l option) on cyclelogs command
    • Fix sourcedir reloading to not multiply sources
    • Fix tracking offset after failed clock step
    • Drop support for NTS with Nettle < 3.6 and GnuTLS < 3.6.14
    • Drop support for building without POSIX threads

  • Update to version 4.6.1:
    • Add ntsaeads directive to enable only selected AEAD algorithms for NTS.
    • Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm.
    • Switch to compliant NTS keys if first response from server is NTS NAK.

  • Drop rcFOO symlinks for CODE16 (PED-266).

  • Update to version 4.6:
    • Add activate option to local directive to set activation threshold
    • Add ipv4 and ipv6 options to server/pool/peer directive
    • Add kod option to ratelimit directive for server KoD RATE support
    • Add leapseclist directive to read NIST/IERS leap-seconds.list file
    • Add ptpdomain directive to set PTP domain for NTP over PTP
    • Allow disabling pidfile
    • Improve copy server option to accept unsynchronised status instantly
    • Log one selection failure on start
    • Add offset command to modify source offset correction
    • Add timestamp sources to ntpdata report
    • Fix crash on sources reload during initstepslew or RTC initialisation
    • Fix source refreshment to not repeat failed name resolving attempts

Patch Instructions:

To install this SUSE update, use one of the SUSE recommended installation methods, such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • SUSE Linux Micro 6.1
    zypper in -t patch SUSE-SLE-Micro-6.1-306=1

Package List:

  • SUSE Linux Micro 6.1 (aarch64 ppc64le s390x x86_64)
    • chrony-debugsource-4.8-slfo.1.1_1.1
    • chrony-4.8-slfo.1.1_1.1
    • chrony-debuginfo-4.8-slfo.1.1_1.1
  • SUSE Linux Micro 6.1 (noarch)
    • chrony-pool-suse-4.8-slfo.1.1_1.1
    • chrony-pool-empty-4.8-slfo.1.1_1.1
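
A post-patch check, added here as an example and not part of the SUSE advisory: it reads an RPM inventory and flags chrony packages older than the fixed version-release in the Package List above. The version comparison is a simplified stand-in for RPM's own ordering, and the function names and sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. FIXED is the version-release from
# the Package List; function names and the sample inventory are constructed.
FIXED="4.8-slfo.1.1_1.1"

# ver_ge A B: succeed when A >= B. Simplified segment-wise comparison modelled
# on RPM ordering: numeric segments compare as integers, a numeric segment
# outranks an alphabetic one, and extra trailing segments win. Epochs and the
# '~' / '^' markers are not handled.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[^A-Za-z0-9]+/); nb = split(b, B, /[^A-Za-z0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = A[i] ""; y = B[i] ""          # force string comparison
            if (x == y) continue
            if (x == "") exit 1               # a ran out of segments first
            if (y == "") exit 0
            xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
            if (xn && yn) { if (x + 0 == y + 0) continue; exit !(x + 0 > y + 0) }
            if (xn != yn) exit !xn
            exit !(x > y)
        }
        exit 0
    }' </dev/null
}

# audit_chrony: read "NAME VERSION-RELEASE" lines on stdin, for example from
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# and report chrony packages older than FIXED. Returns 1 if any are found.
audit_chrony() {
    stale=0
    while read -r name vr; do
        case "$name" in chrony|chrony-*) ;; *) continue ;; esac
        if ! ver_ge "$vr" "$FIXED"; then
            echo "NEEDS UPDATE: $name $vr (fixed in $FIXED)"
            stale=1
        fi
    done
    return "$stale"
}

# Constructed sample inventory (not from a real host).
SAMPLE='chrony 4.5-slfo.1.1_1.2
chrony-pool-suse 4.8-slfo.1.1_1.1
openssh 9.6p1-slfo.1.1_2.1'
printf '%s\n' "$SAMPLE" | audit_chrony || true
```

On a SUSE host, `zypper versioncmp` gives the authoritative ordering if an edge case matters.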
