SUSE-SU-2022:0845-1

Source
https://www.suse.com/support/update/announcement/2022/suse-su-20220845-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2022:0845-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2022:0845-1
Related
Published
2022-03-15T10:41:19Z
Modified
2022-03-15T10:41:19Z
Summary
Security update for chrony
Details

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

  • Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
  • Add source-specific configuration of trusted certificates
  • Allow multiple files and directories with trusted certificates
  • Allow multiple pairs of server keys and certificates
  • Add copy option to server/pool directive
  • Increase PPS lock limit to 40% of pulse interval
  • Perform source selection immediately after loading dump files
  • Reload dump files for addresses negotiated by NTS-KE server
  • Update seccomp filter and add less restrictive level
  • Restart ongoing name resolution on online command
  • Fix dump files to not include uncorrected offset
  • Fix initstepslew to accept time from own NTP clients
  • Reset NTP address and port when no longer negotiated by NTS-KE server

    • Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
    • Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

    • Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

  • Enhancements

    • Add support for Network Time Security (NTS) authentication
    • Add support for AES-CMAC keys (AES128, AES256) with Nettle
    • Add authselectmode directive to control selection of unauthenticated sources
    • Add binddevice, bindacqdevice, bindcmddevice directives
    • Add confdir directive to better support fragmented configuration
    • Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files
    • Add clockprecision directive
    • Add dscp directive to set Differentiated Services Code Point (DSCP)
    • Add -L option to limit log messages by severity
    • Add -p option to print whole configuration with included files
    • Add -U option to allow start under non-root user
    • Allow maxsamples to be set to 1 for faster update with -q/-Q option
    • Avoid replacing NTP sources with sources that have unreachable address
    • Improve pools to repeat name resolution to get 'maxsources' sources
    • Improve source selection with trusted sources
    • Improve NTP loop test to prevent synchronisation to itself
    • Repeat iburst when NTP source is switched from offline state to online
    • Update clock synchronisation status and leap status more frequently
    • Update seccomp filter
    • Add 'add pool' command
    • Add 'reset sources' command to drop all measurements
    • Add authdata command to print details about NTP authentication
    • Add selectdata command to print details about source selection
    • Add -N option and sourcename command to print original names of sources
    • Add -a option to some commands to print also unresolved sources
    • Add -k, -p, -r options to clients command to select, limit, reset data
  • Bug fixes

    • Don’t set interface for NTP responses to allow asymmetric routing
    • Handle RTCs that don’t support interrupts
    • Respond to command requests with correct address on multihomed hosts
  • Removed features

    • Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
    • Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')
    • Drop support for line editing with GNU Readline

      • By default we don't write log files but log to journald, so only recommend logrotate.

      • Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

  • Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

    • Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

    • Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

  • Add support for more accurate reading of PHC on Linux 5.0
  • Add support for hardware timestamping on interfaces with read-only timestamping configuration
  • Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
  • Update seccomp filter to work on more architectures
  • Validate refclock driver options
  • Fix bindaddress directive on FreeBSD
  • Fix transposition of hardware RX timestamp on Linux 4.13 and later
  • Fix building on non-glibc systems

  • Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

  • Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.

  • Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

  • Enhancements

    • Add filter option to server/pool/peer directive
    • Add minsamples and maxsamples options to hwtimestamp directive
    • Add support for faster frequency adjustments in Linux 4.19
    • Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
    • Disable sub-second polling intervals for distant NTP sources
    • Extend range of supported sub-second polling intervals
    • Get/set IPv4 destination/source address of NTP packets on FreeBSD
    • Make burst options and command useful with short polling intervals
    • Modify auto_offline option to activate when sending request failed
    • Respond from interface that received NTP request if possible
    • Add onoffline command to switch between online and offline state according to current system network configuration
    • Improve example NetworkManager dispatcher script
  • Bug fixes

    • Avoid waiting in Linux getrandom system call
    • Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

  • Enhancements:

    • Add burst option to server/pool directive
    • Add stratum and tai options to refclock directive
    • Add support for Nettle crypto library
    • Add workaround for missing kernel receive timestamps on Linux
    • Wait for late hardware transmit timestamps
    • Improve source selection with unreachable sources
    • Improve protection against replay attacks on symmetric mode
    • Allow PHC refclock to use socket in /var/run/chrony
    • Add shutdown command to stop chronyd
    • Simplify format of response to manual list command
    • Improve handling of unknown responses in chronyc
  • Bug fixes:

    • Respond to NTPv1 client requests with zero mode
    • Fix -x option to not require CAPSYSTIME under non-root user
    • Fix acquisitionport directive to work with privilege separation
    • Fix handling of socket errors on Linux to avoid high CPU usage
    • Fix chronyc to not get stuck in infinite loop after clock step
References

Affected packages

SUSE:Linux Enterprise Installer Updates 15 SP3 / augeas

Package

Name
augeas
Purl
pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Installer%20Updates%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "libaugeas0": "1.10.1-3.9.1",
            "augeas-lenses": "1.10.1-3.9.1",
            "augeas": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 SP3 / augeas

Package

Name
augeas
Purl
pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "chrony-pool-empty": "4.1-150300.16.3.1",
            "augeas-devel": "1.10.1-3.9.1",
            "chrony-pool-suse": "4.1-150300.16.3.1",
            "chrony": "4.1-150300.16.3.1",
            "augeas": "1.10.1-3.9.1",
            "libaugeas0": "1.10.1-3.9.1",
            "augeas-lenses": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Basesystem 15 SP3 / chrony

Package

Name
chrony
Purl
pkg:rpm/suse/chrony&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1-150300.16.3.1

Ecosystem specific

{
    "binaries": [
        {
            "chrony-pool-empty": "4.1-150300.16.3.1",
            "augeas-devel": "1.10.1-3.9.1",
            "chrony-pool-suse": "4.1-150300.16.3.1",
            "chrony": "4.1-150300.16.3.1",
            "augeas": "1.10.1-3.9.1",
            "libaugeas0": "1.10.1-3.9.1",
            "augeas-lenses": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Real Time 15 SP2 / augeas

Package

Name
augeas
Purl
pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "libaugeas0": "1.10.1-3.9.1",
            "augeas-devel": "1.10.1-3.9.1",
            "augeas-lenses": "1.10.1-3.9.1",
            "augeas": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.0 / augeas

Package

Name
augeas
Purl
pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Micro%205.0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "libaugeas0": "1.10.1-3.9.1",
            "augeas-lenses": "1.10.1-3.9.1",
            "augeas": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.1 / augeas

Package

Name
augeas
Purl
pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.10.1-3.9.1

Ecosystem specific

{
    "binaries": [
        {
            "augeas-lenses": "1.10.1-3.9.1",
            "libaugeas0": "1.10.1-3.9.1",
            "chrony-pool-suse": "4.1-150300.16.3.1",
            "chrony": "4.1-150300.16.3.1",
            "augeas": "1.10.1-3.9.1"
        }
    ]
}

SUSE:Linux Enterprise Micro 5.1 / chrony

Package

Name
chrony
Purl
pkg:rpm/suse/chrony&distro=SUSE%20Linux%20Enterprise%20Micro%205.1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.1-150300.16.3.1

Ecosystem specific

{
    "binaries": [
        {
            "augeas-lenses": "1.10.1-3.9.1",
            "libaugeas0": "1.10.1-3.9.1",
            "chrony-pool-suse": "4.1-150300.16.3.1",
            "chrony": "4.1-150300.16.3.1",
            "augeas": "1.10.1-3.9.1"
        }
    ]
}