SUSE-SU-2022:0845-2

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

• Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
• Add source-specific configuration of trusted certificates
• Allow multiple files and directories with trusted certificates
• Allow multiple pairs of server keys and certificates
• Add copy option to server/pool directive
• Increase PPS lock limit to 40% of pulse interval
• Perform source selection immediately after loading dump files
• Reload dump files for addresses negotiated by NTS-KE server
• Update seccomp filter and add less restrictive level
• Restart ongoing name resolution on online command
• Fix dump files to not include uncorrected offset
• Fix initstepslew to accept time from own NTP clients

• Reset NTP address and port when no longer negotiated by NTS-KE server

  • Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).

  • Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229)

  • Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

• Enhancements

  • Add support for Network Time Security (NTS) authentication
  • Add support for AES-CMAC keys (AES128, AES256) with Nettle
  • Add authselectmode directive to control selection of unauthenticated sources
  • Add binddevice, bindacqdevice, bindcmddevice directives
  • Add confdir directive to better support fragmented configuration
  • Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files
  • Add clockprecision directive
  • Add dscp directive to set Differentiated Services Code Point (DSCP)
  • Add -L option to limit log messages by severity
  • Add -p option to print whole configuration with included files
  • Add -U option to allow start under non-root user
  • Allow maxsamples to be set to 1 for faster update with -q/-Q option
  • Avoid replacing NTP sources with sources that have unreachable address
  • Improve pools to repeat name resolution to get 'maxsources' sources
  • Improve source selection with trusted sources
  • Improve NTP loop test to prevent synchronisation to itself
  • Repeat iburst when NTP source is switched from offline state to online
  • Update clock synchronisation status and leap status more frequently
  • Update seccomp filter
  • Add 'add pool' command
  • Add 'reset sources' command to drop all measurements
  • Add authdata command to print details about NTP authentication
  • Add selectdata command to print details about source selection
  • Add -N option and sourcename command to print original names of sources
  • Add -a option to some commands to print also unresolved sources
  • Add -k, -p, -r options to clients command to select, limit, reset data

• Bug fixes

  • Don’t set interface for NTP responses to allow asymmetric routing
  • Handle RTCs that don’t support interrupts
  • Respond to command requests with correct address on multihomed hosts

• Removed features

  • Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
  • Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')

  • Drop support for line editing with GNU Readline

    • By default we don't write log files but log to journald, so only recommend logrotate.

    • Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

• Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)

  • Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

  • Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).

Update to 3.5:

• Add support for more accurate reading of PHC on Linux 5.0
• Add support for hardware timestamping on interfaces with read-only timestamping configuration
• Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
• Update seccomp filter to work on more architectures
• Validate refclock driver options
• Fix bindaddress directive on FreeBSD
• Fix transposition of hardware RX timestamp on Linux 4.13 and later

• Fix building on non-glibc systems

• Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).

• Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272.

• Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.

Update to version 3.4

• Enhancements

  • Add filter option to server/pool/peer directive
  • Add minsamples and maxsamples options to hwtimestamp directive
  • Add support for faster frequency adjustments in Linux 4.19
  • Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
  • Disable sub-second polling intervals for distant NTP sources
  • Extend range of supported sub-second polling intervals
  • Get/set IPv4 destination/source address of NTP packets on FreeBSD
  • Make burst options and command useful with short polling intervals
  • Modify auto_offline option to activate when sending request failed
  • Respond from interface that received NTP request if possible
  • Add onoffline command to switch between online and offline state according to current system network configuration
  • Improve example NetworkManager dispatcher script

• Bug fixes

  • Avoid waiting in Linux getrandom system call
  • Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

• Enhancements:

  • Add burst option to server/pool directive
  • Add stratum and tai options to refclock directive
  • Add support for Nettle crypto library
  • Add workaround for missing kernel receive timestamps on Linux
  • Wait for late hardware transmit timestamps
  • Improve source selection with unreachable sources
  • Improve protection against replay attacks on symmetric mode
  • Allow PHC refclock to use socket in /var/run/chrony
  • Add shutdown command to stop chronyd
  • Simplify format of response to manual list command
  • Improve handling of unknown responses in chronyc

• Bug fixes:

  • Respond to NTPv1 client requests with zero mode
  • Fix -x option to not require CAPSYSTIME under non-root user
  • Fix acquisitionport directive to work with privilege separation
  • Fix handling of socket errors on Linux to avoid high CPU usage
  • Fix chronyc to not get stuck in infinite loop after clock step