Security update for chrony

Announcement ID: SUSE-SU-2021:4147-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2020-14367 (SUSE): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
  • CVE-2020-14367 (NVD): 6.0 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Affected Products:
  • HPE Helion OpenStack 8
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE OpenStack Cloud 8
  • SUSE OpenStack Cloud 9
  • SUSE OpenStack Cloud Crowbar 8
  • SUSE OpenStack Cloud Crowbar 9

An update that solves one vulnerability, contains three features and has 22 security fixes can now be installed.

Description:

This update for chrony fixes the following issues:

Chrony was updated to 4.1:

  • Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
  • Add source-specific configuration of trusted certificates
  • Allow multiple files and directories with trusted certificates
  • Allow multiple pairs of server keys and certificates
  • Add copy option to server/pool directive
  • Increase PPS lock limit to 40% of pulse interval
  • Perform source selection immediately after loading dump files
  • Reload dump files for addresses negotiated by NTS-KE server
  • Update seccomp filter and add less restrictive level
  • Restart ongoing name resolution on online command
  • Fix dump files to not include uncorrected offset
  • Fix initstepslew to accept time from own NTP clients
  • Reset NTP address and port when no longer negotiated by NTS-KE server
  • Update clknetsim to snapshot f89702d.

  • Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).

  • Enable syscallfilter unconditionally (bsc#1181826).

Chrony was updated to 4.0:

Enhancements

  • Add support for Network Time Security (NTS) authentication
  • Add support for AES-CMAC keys (AES128, AES256) with Nettle
  • Add authselectmode directive to control selection of unauthenticated sources
  • Add binddevice, bindacqdevice, bindcmddevice directives
  • Add confdir directive to better support fragmented configuration
  • Add sourcedir directive and "reload sources" command to support dynamic NTP sources specified in files
  • Add clockprecision directive
  • Add dscp directive to set Differentiated Services Code Point (DSCP)
  • Add -L option to limit log messages by severity
  • Add -p option to print whole configuration with included files
  • Add -U option to allow start under non-root user
  • Allow maxsamples to be set to 1 for faster update with -q/-Q option
  • Avoid replacing NTP sources with sources that have unreachable address
  • Improve pools to repeat name resolution to get "maxsources" sources
  • Improve source selection with trusted sources
  • Improve NTP loop test to prevent synchronisation to itself
  • Repeat iburst when NTP source is switched from offline state to online
  • Update clock synchronisation status and leap status more frequently
  • Update seccomp filter
  • Add "add pool" command
  • Add "reset sources" command to drop all measurements
  • Add authdata command to print details about NTP authentication
  • Add selectdata command to print details about source selection
  • Add -N option and sourcename command to print original names of sources
  • Add -a option to some commands to print also unresolved sources
  • Add -k, -p, -r options to clients command to select, limit, reset data

Bug fixes

  • Don't set interface for NTP responses to allow asymmetric routing
  • Handle RTCs that don't support interrupts
  • Respond to command requests with correct address on multihomed hosts

Removed features

  • Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  • Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option "version 3")

  • By default, chrony logs to journald rather than writing its own log files, so logrotate is only recommended, not required.

  • Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Chrony was updated to 3.5.1:

  • Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

  • Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE (bsc#1156884, SLE-11424).

  • Add chrony-pool-empty to still allow installing chrony without preconfigured servers.
  • Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

  • Update clknetsim to version 79ffe44 (fixes bsc#1162964).
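
The 3.5.1 fix "Create new file when writing pidfile" is the one that closes CVE-2020-14367: chronyd wrote its pidfile while still running as root, and opening an existing path for writing follows a symlink placed there, so the write could be redirected to another file (hence the local, integrity/availability CVSS vector above). The following is an added example, not chrony's code, contrasting the open-existing pattern with the create-new pattern; the temp-dir paths, the "victim" file and the pid 4242 are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pre-fix pattern: fopen(path, "w") truncates whatever the path resolves to,
 * so a symlink planted at the pidfile path redirects the write to its target. */
int write_pidfile_naive(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fprintf(f, "%d\n", (int)pid);
    return fclose(f);
}
/* Fixed pattern ("create new file"): O_EXCL fails if anything already exists
 * at the path and O_NOFOLLOW refuses a symlink, so the write cannot be redirected. */
int write_pidfile_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); return -1; }
    fprintf(f, "%d\n", (int)pid);
    return fclose(f);
}
/* Returns 1 if the first line of path equals want. */
static int first_line_is(const char *path, const char *want)
{
    char buf[64];
    FILE *f = fopen(path, "r");
    int ok = f && fgets(buf, sizeof buf, f) && strcmp(buf, want) == 0;
    if (f) fclose(f);
    return ok;
}
/* Constructed scenario in a fresh temp dir: "victim" holds "keep" and "chronyd.pid"
 * is a symlink to it. Returns 1 when the safe writer refuses the symlink (victim
 * untouched), the naive writer overwrites victim through it, and the safe writer
 * still succeeds on a path where nothing exists yet. */
int demo_symlink_pidfile(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[256], link[256], fresh[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/chronyd.pid", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.pid", dir);
    FILE *v = fopen(victim, "w");
    if (!v || fputs("keep\n", v) < 0 || fclose(v) != 0) return 0;
    if (symlink(victim, link) != 0) return 0;
    int refused = write_pidfile_safe(link, 4242) == -1 && (errno == EEXIST || errno == ELOOP)
                  && first_line_is(victim, "keep\n");
    int clobbered = write_pidfile_naive(link, 4242) == 0 && first_line_is(victim, "4242\n");
    int created = write_pidfile_safe(fresh, 4242) == 0 && first_line_is(fresh, "4242\n");
    return refused && clobbered && created;
}
```

The same O_CREAT|O_EXCL|O_NOFOLLOW combination is the general answer for any privileged daemon that writes into a directory a less privileged user can also write to.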

Chrony was updated to 3.5:

  • Add support for more accurate reading of PHC on Linux 5.0
  • Add support for hardware timestamping on interfaces with read-only timestamping configuration
  • Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
  • Update seccomp filter to work on more architectures
  • Validate refclock driver options
  • Fix bindaddress directive on FreeBSD
  • Fix transposition of hardware RX timestamp on Linux 4.13 and later
  • Fix building on non-glibc systems

  • Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

  • Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)

  • Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
  • Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)

Chrony was updated to 3.4:

Enhancements

  • Add filter option to server/pool/peer directive
  • Add minsamples and maxsamples options to hwtimestamp directive
  • Add support for faster frequency adjustments in Linux 4.19
  • Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
  • Disable sub-second polling intervals for distant NTP sources
  • Extend range of supported sub-second polling intervals
  • Get/set IPv4 destination/source address of NTP packets on FreeBSD
  • Make burst options and command useful with short polling intervals
  • Modify auto_offline option to activate when sending request failed
  • Respond from interface that received NTP request if possible
  • Add onoffline command to switch between online and offline state according to current system network configuration
  • Improve example NetworkManager dispatcher script

Bug fixes

  • Avoid waiting in Linux getrandom system call
  • Fix PPS support on FreeBSD and NetBSD

Chrony was updated to 3.3:

Enhancements

  • Add burst option to server/pool directive
  • Add stratum and tai options to refclock directive
  • Add support for Nettle crypto library
  • Add workaround for missing kernel receive timestamps on Linux
  • Wait for late hardware transmit timestamps
  • Improve source selection with unreachable sources
  • Improve protection against replay attacks on symmetric mode
  • Allow PHC refclock to use socket in /var/run/chrony
  • Add shutdown command to stop chronyd
  • Simplify format of response to manual list command
  • Improve handling of unknown responses in chronyc

Bug fixes

  • Respond to NTPv1 client requests with zero mode
  • Fix -x option to not require CAP_SYS_TIME under non-root user
  • Fix acquisitionport directive to work with privilege separation
  • Fix handling of socket errors on Linux to avoid high CPU usage
  • Fix chronyc to not get stuck in infinite loop after clock step

  • Added the /etc/chrony.d/ directory to the package (bsc#1083597) and modified the default chrony.conf to add "include /etc/chrony.d/*".

  • Enable PPS support

Chrony was updated to 3.2:

Enhancements

  • Improve stability with NTP sources and reference clocks
  • Improve stability with hardware timestamping
  • Improve support for NTP interleaved modes
  • Control frequency of system clock on macOS 10.13 and later
  • Set TAI-UTC offset of system clock with leapsectz directive
  • Minimise data in client requests to improve privacy
  • Allow transmit-only hardware timestamping
  • Add support for new timestamping options introduced in Linux 4.13
  • Add root delay, root dispersion and maximum error to tracking log
  • Add mindelay and asymmetry options to server/peer/pool directive
  • Add extpps option to PHC refclock to timestamp external PPS signal
  • Add pps option to refclock directive to treat any refclock as PPS
  • Add width option to refclock directive to filter wrong pulse edges
  • Add rxfilter option to hwtimestamp directive
  • Add -x option to disable control of system clock
  • Add -l option to log to specified file instead of syslog
  • Allow multiple command-line options to be specified together
  • Allow starting without root privileges with -Q option
  • Update seccomp filter for new glibc versions
  • Dump history on exit by default with dumpdir directive
  • Use hardening compiler options by default

Bug fixes

  • Don't drop PHC samples with low-resolution system clock
  • Ignore outliers in PHC tracking, RTC tracking, manual input
  • Increase polling interval when peer is not responding
  • Exit with error message when include directive fails
  • Don't allow slash after hostname in allow/deny directive/command
  • Try to connect to all addresses in chronyc before giving up

Chrony was updated to 3.1:

Enhancements

  • Add support for precise cross timestamping of PHC on Linux
  • Add minpoll, precision, nocrossts options to hwtimestamp directive
  • Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources
  • Allow sub-second polling interval with NTP sources

Bug fixes

  • Fix time smoothing in interleaved mode

Chrony was updated to 3.0:

Enhancements

  • Add support for software and hardware timestamping on Linux
  • Add support for client/server and symmetric interleaved modes
  • Add support for MS-SNTP authentication in Samba
  • Add support for truncated MACs in NTPv4 packets
  • Estimate and correct for asymmetric network jitter
  • Increase default minsamples and polltarget to improve stability with very low jitter
  • Add maxjitter directive to limit source selection by jitter
  • Add offset option to server/pool/peer directive
  • Add maxlockage option to refclock directive
  • Add -t option to chronyd to exit after specified time
  • Add partial protection against replay attacks on symmetric mode
  • Don't reset polling interval when switching sources to online state
  • Allow rate limiting with very short intervals
  • Improve maximum server throughput on Linux and NetBSD
  • Remove dump files after start
  • Add tab-completion to chronyc with libedit/readline
  • Add ntpdata command to print details about NTP measurements
  • Allow all source options to be set in add server/peer command
  • Indicate truncated addresses/hostnames in chronyc output
  • Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses

Bug fixes

  • Fix crash with disabled asynchronous name resolving

Chrony was updated to 2.4.1:

Bug fixes

  • Fix processing of kernel timestamps on non-Linux systems
  • Fix crash with smoothtime directive
  • Fix validation of refclock sample times
  • Fix parsing of refclock directive

Chrony was updated to 2.4:

Enhancements

  • Add orphan option to local directive for orphan mode compatible with ntpd
  • Add distance option to local directive to set activation threshold (1 second by default)
  • Add maxdrift directive to set maximum allowed drift of system clock
  • Try to replace NTP sources exceeding maximum distance
  • Randomise source replacement to avoid getting stuck with bad sources
  • Randomise selection of sources from pools on start
  • Ignore reference timestamp as ntpd doesn't always set it correctly
  • Modify tracking report to use same values as seen by NTP clients
  • Add -c option to chronyc to write reports in CSV format
  • Provide detailed manual pages

Bug fixes

  • Fix SOCK refclock to work correctly when not specified as last refclock
  • Fix initstepslew and -q/-Q options to accept time from own NTP clients
  • Fix authentication with keys using 512-bit hash functions
  • Fix crash on exit when multiple signals are received
  • Fix conversion of very small floating-point numbers in command packets

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • HPE Helion OpenStack 8
    zypper in -t patch HPE-Helion-OpenStack-8-2021-4147=1
  • SUSE OpenStack Cloud 8
    zypper in -t patch SUSE-OpenStack-Cloud-8-2021-4147=1
  • SUSE OpenStack Cloud 9
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-4147=1
  • SUSE OpenStack Cloud Crowbar 8
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-4147=1
  • SUSE OpenStack Cloud Crowbar 9
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-4147=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-4147=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-4147=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-4147=1

Package List:

  • HPE Helion OpenStack 8 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE OpenStack Cloud 8 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE OpenStack Cloud 9 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE OpenStack Cloud Crowbar 8 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE OpenStack Cloud Crowbar 9 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4 (ppc64le x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3 (x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3 (aarch64 x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3 (aarch64 ppc64le s390x x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (aarch64 x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (aarch64 ppc64le s390x x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise High Performance Computing 12 SP5 (aarch64 x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server 12 SP5 (aarch64 ppc64le s390x x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5 (ppc64le x86_64)
    • chrony-4.1-5.9.1
    • chrony-debuginfo-4.1-5.9.1
    • chrony-debugsource-4.1-5.9.1
