Security update for chrony
Announcement ID: SUSE-SU-2021:4147-1
Rating: moderate
References: see the References section below
Cross-References: CVE-2020-14367
CVSS scores: not listed in this advisory
Affected Products: see the Patch Instructions and Package List sections below
An update that solves one vulnerability, contains three features and has 22 fixes can now be installed.
Description:
This update for chrony fixes the following issues:
Chrony was updated to 4.1:
- Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
- Add source-specific configuration of trusted certificates
- Allow multiple files and directories with trusted certificates
- Allow multiple pairs of server keys and certificates
- Add copy option to server/pool directive
- Increase PPS lock limit to 40% of pulse interval
- Perform source selection immediately after loading dump files
- Reload dump files for addresses negotiated by NTS-KE server
- Update seccomp filter and add less restrictive level
- Restart ongoing name resolution on online command
- Fix dump files to not include uncorrected offset
- Fix initstepslew to accept time from own NTP clients
- Reset NTP address and port when no longer negotiated by NTS-KE server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented configuration
- Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point (DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q option
- Avoid replacing NTP sources with sources that have unreachable address
- Improve pools to repeat name resolution to get "maxsources" sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state to online
- Update clock synchronisation status and leap status more frequently
- Update seccomp filter
- Add "add pool" command
- Add "reset sources" command to drop all measurements
- Add authdata command to print details about NTP authentication
- Add selectdata command to print details about source selection
- Add -N option and sourcename command to print original names of sources
- Add -a option to some commands to print also unresolved sources
- Add -k, -p, -r options to clients command to select, limit, reset data
Bug fixes
- Don’t set interface for NTP responses to allow asymmetric routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on multihomed hosts
Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3")
- By default we don't write log files but log to journald, so logrotate is only recommended, not required.
- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
- Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without preconfigured servers.
- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
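The 3.5.1 entry "Create new file when writing pidfile (CVE-2020-14367)" names a file-creation hardening; the advisory gives no further detail on the flaw. The C program below is an added example, not chrony's code: it contrasts a pidfile writer that opens the path for writing and truncates whatever the path resolves to (a symlink planted there by a local user who can write to the directory included) with one that creates the file using O_CREAT|O_EXCL|O_NOFOLLOW and refuses anything already present at the path, then runs both against a planted link in a scratch directory under /tmp. The function names, the scratch directory, the "victim" file and the PID values are the example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Truncating writer (illustrative, not chrony's code): fopen(path, "w")
 * follows whatever is at `path`, symlinks included, and truncates the target.
 * A root daemon doing this in a directory a less privileged user can write
 * lets that user redirect the write to any file they choose. */
int write_pidfile_truncating(const char *path, pid_t pid) {
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int rc = (fprintf(f, "%ld\n", (long)pid) > 0) ? 0 : -1;
    if (fclose(f) != 0)
        rc = -1;
    return rc;
}

/* Create-new writer: O_CREAT|O_EXCL fails with EEXIST if anything already
 * exists at `path`, symlink or not, so the daemon never writes through a
 * planted link. O_NOFOLLOW is redundant next to O_EXCL but documents intent. */
int write_pidfile_create_new(const char *path, pid_t pid) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;                   /* EEXIST: stale pidfile or planted symlink */
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int rc = (n > 0 && write(fd, buf, (size_t)n) == n) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Read up to cap-1 bytes of `path` (never through a symlink) into `out`. */
static ssize_t read_small_file(const char *path, char *out, size_t cap) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, out, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

static void scrub(const char *dir, const char *victim, const char *pidfile) {
    unlink(pidfile);
    unlink(victim);
    rmdir(dir);
}

/* Simulated attack in a scratch directory (constructed for this example):
 * "victim" stands in for any file the attacker wants clobbered, and
 * chronyd.pid is pre-planted as a symlink to it. Returns a bitmask:
 *   bit 0: the truncating writer overwrote victim through the link
 *   bit 1: the create-new writer refused the link and left victim alone
 *   bit 2: once the link is gone, the create-new writer works normally
 * Returns -1 if the scratch setup itself fails. */
int demo_pidfile_symlink(void) {
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char victim[300], pidfile[300], buf[64];
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidfile, sizeof pidfile, "%s/chronyd.pid", dir);

    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) { scrub(dir, victim, pidfile); return -1; }
    int ok = (write(fd, "keep me\n", 8) == 8);
    close(fd);
    if (!ok || symlink(victim, pidfile) != 0) { scrub(dir, victim, pidfile); return -1; }

    /* 1. Truncating writer follows the link: victim now holds the PID. */
    if (write_pidfile_truncating(pidfile, 4242) == 0 &&
        read_small_file(victim, buf, sizeof buf) > 0 && strcmp(buf, "4242\n") == 0)
        result |= 1;

    /* 2. Create-new writer refuses the same link; victim is untouched. */
    if (write_pidfile_create_new(pidfile, 5150) == -1 &&
        (errno == EEXIST || errno == ELOOP) &&
        read_small_file(victim, buf, sizeof buf) > 0 && strcmp(buf, "4242\n") == 0)
        result |= 2;

    /* 3. With the link removed, create-new is an ordinary pidfile write. */
    if (unlink(pidfile) == 0 && write_pidfile_create_new(pidfile, 5150) == 0 &&
        read_small_file(pidfile, buf, sizeof buf) > 0 && strcmp(buf, "5150\n") == 0)
        result |= 4;

    scrub(dir, victim, pidfile);
    return result;                   /* 7 when all three observations hold */
}

int main(void) {
    int r = demo_pidfile_symlink();
    printf("result bitmask: %d (7 = attack worked only against the truncating writer)\n", r);
    return r == 7 ? 0 : 1;
}
```

Two practical consequences of the create-new pattern: a stale pidfile left behind by a crash now makes startup fail with EEXIST, so the daemon (or its unit file) has to deal with it explicitly rather than silently truncating, and whoever can write to the pidfile directory still decides what sits at that path. That is why the 3.4 entry above moves the default pidfile into a dedicated /var/run/chrony directory: the create-new check and the directory ownership together close the gap, neither alone does.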
Update to 3.5:
- Add support for more accurate reading of PHC on Linux 5.0
- Add support for hardware timestamping on interfaces with read-only timestamping configuration
- Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
- Update seccomp filter to work on more architectures
- Validate refclock driver options
- Fix bindaddress directive on FreeBSD
- Fix transposition of hardware RX timestamp on Linux 4.13 and later
- Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4:
Enhancements
- Add filter option to server/pool/peer directive
- Add minsamples and maxsamples options to hwtimestamp directive
- Add support for faster frequency adjustments in Linux 4.19
- Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
- Disable sub-second polling intervals for distant NTP sources
- Extend range of supported sub-second polling intervals
- Get/set IPv4 destination/source address of NTP packets on FreeBSD
- Make burst options and command useful with short polling intervals
- Modify auto_offline option to activate when sending request failed
- Respond from interface that received NTP request if possible
- Add onoffline command to switch between online and offline state according to current system network configuration
- Improve example NetworkManager dispatcher script
Bug fixes
- Avoid waiting in Linux getrandom system call
- Fix PPS support on FreeBSD and NetBSD
Update to version 3.3:
Enhancements:
- Add burst option to server/pool directive
- Add stratum and tai options to refclock directive
- Add support for Nettle crypto library
- Add workaround for missing kernel receive timestamps on Linux
- Wait for late hardware transmit timestamps
- Improve source selection with unreachable sources
- Improve protection against replay attacks on symmetric mode
- Allow PHC refclock to use socket in /var/run/chrony
- Add shutdown command to stop chronyd
- Simplify format of response to manual list command
- Improve handling of unknown responses in chronyc
Bug fixes:
- Respond to NTPv1 client requests with zero mode
- Fix -x option to not require CAP_SYS_TIME under non-root user
- Fix acquisitionport directive to work with privilege separation
- Fix handling of socket errors on Linux to avoid high CPU usage
- Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597); modified the default chrony.conf to add "include /etc/chrony.d/*"
- Enable PPS support
Upgraded to version 3.2:
Enhancements
- Improve stability with NTP sources and reference clocks
- Improve stability with hardware timestamping
- Improve support for NTP interleaved modes
- Control frequency of system clock on macOS 10.13 and later
- Set TAI-UTC offset of system clock with leapsectz directive
- Minimise data in client requests to improve privacy
- Allow transmit-only hardware timestamping
- Add support for new timestamping options introduced in Linux 4.13
- Add root delay, root dispersion and maximum error to tracking log
- Add mindelay and asymmetry options to server/peer/pool directive
- Add extpps option to PHC refclock to timestamp external PPS signal
- Add pps option to refclock directive to treat any refclock as PPS
- Add width option to refclock directive to filter wrong pulse edges
- Add rxfilter option to hwtimestamp directive
- Add -x option to disable control of system clock
- Add -l option to log to specified file instead of syslog
- Allow multiple command-line options to be specified together
- Allow starting without root privileges with -Q option
- Update seccomp filter for new glibc versions
- Dump history on exit by default with dumpdir directive
- Use hardening compiler options by default
Bug fixes
- Don't drop PHC samples with low-resolution system clock
- Ignore outliers in PHC tracking, RTC tracking, manual input
- Increase polling interval when peer is not responding
- Exit with error message when include directive fails
- Don't allow slash after hostname in allow/deny directive/command
- Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
Update to version 2.4:
Enhancements
- Add orphan option to local directive for orphan mode compatible with ntpd
- Add distance option to local directive to set activation threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it correctly
- Modify tracking report to use same values as seen by NTP clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
Bug fixes
- Fix SOCK refclock to work correctly when not specified as last refclock
- Fix initstepslew and -q/-Q options to accept time from own NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in command packets
Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- HPE Helion OpenStack 8:
  zypper in -t patch HPE-Helion-OpenStack-8-2021-4147=1
- SUSE OpenStack Cloud 8:
  zypper in -t patch SUSE-OpenStack-Cloud-8-2021-4147=1
- SUSE OpenStack Cloud 9:
  zypper in -t patch SUSE-OpenStack-Cloud-9-2021-4147=1
- SUSE OpenStack Cloud Crowbar 8:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-4147=1
- SUSE OpenStack Cloud Crowbar 9:
  zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-4147=1
- SUSE Linux Enterprise Server for SAP Applications 12 SP3:
  zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-4147=1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4:
  zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-4147=1
- SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2:
  zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-4147=1
- SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-4147=1
- SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2021-4147=1
- SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3:
  zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-4147=1
- SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2021-4147=1
- SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4:
  zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-4147=1
- SUSE Linux Enterprise High Performance Computing 12 SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
- SUSE Linux Enterprise Server 12 SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5:
  zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
Package List:
- HPE Helion OpenStack 8 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud 8 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud 9 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud Crowbar 8 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE OpenStack Cloud Crowbar 9 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 (aarch64 x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 (aarch64 ppc64le s390x x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (aarch64 x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (aarch64 ppc64le s390x x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64):
  - chrony-4.1-5.9.1
  - chrony-debuginfo-4.1-5.9.1
  - chrony-debugsource-4.1-5.9.1
References:
- https://www.suse.com/security/cve/CVE-2020-14367.html
- https://bugzilla.suse.com/show_bug.cgi?id=1063704
- https://bugzilla.suse.com/show_bug.cgi?id=1069468
- https://bugzilla.suse.com/show_bug.cgi?id=1082318
- https://bugzilla.suse.com/show_bug.cgi?id=1083597
- https://bugzilla.suse.com/show_bug.cgi?id=1099272
- https://bugzilla.suse.com/show_bug.cgi?id=1115529
- https://bugzilla.suse.com/show_bug.cgi?id=1128846
- https://bugzilla.suse.com/show_bug.cgi?id=1156884
- https://bugzilla.suse.com/show_bug.cgi?id=1159840
- https://bugzilla.suse.com/show_bug.cgi?id=1161119
- https://bugzilla.suse.com/show_bug.cgi?id=1162964
- https://bugzilla.suse.com/show_bug.cgi?id=1171806
- https://bugzilla.suse.com/show_bug.cgi?id=1172113
- https://bugzilla.suse.com/show_bug.cgi?id=1173277
- https://bugzilla.suse.com/show_bug.cgi?id=1173760
- https://bugzilla.suse.com/show_bug.cgi?id=1174075
- https://bugzilla.suse.com/show_bug.cgi?id=1174911
- https://bugzilla.suse.com/show_bug.cgi?id=1180689
- https://bugzilla.suse.com/show_bug.cgi?id=1181826
- https://bugzilla.suse.com/show_bug.cgi?id=1183783
- https://bugzilla.suse.com/show_bug.cgi?id=1184400
- https://bugzilla.suse.com/show_bug.cgi?id=1187906
- https://bugzilla.suse.com/show_bug.cgi?id=1190926
- https://jira.suse.com/browse/SLE-11424
- https://jira.suse.com/browse/SLE-22248
- https://jira.suse.com/browse/SLE-22292