openSUSE-SU-2022:0845-1
Mar 15, 2022 - 12:00 a.m.

Security update for chrony (moderate)

lists.opensuse.org

6 Medium (CVSS3)

  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: HIGH
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: HIGH

  CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

3.6 Low (CVSS2)

  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

  AV:L/AC:L/Au:N/C:N/I:P/A:P

An update that solves one vulnerability, contains one
feature and has 12 fixes is now available.

Description:

This update for chrony fixes the following issues:

Chrony was updated to 4.1, bringing features and bugfixes.

Update to 4.1

 * Add support for NTS servers specified by IP address (matching Subject
   Alternative Name in server certificate)
 * Add source-specific configuration of trusted certificates
 * Allow multiple files and directories with trusted certificates
 * Allow multiple pairs of server keys and certificates
 * Add copy option to server/pool directive
 * Increase PPS lock limit to 40% of pulse interval
 * Perform source selection immediately after loading dump files
 * Reload dump files for addresses negotiated by NTS-KE server
 * Update seccomp filter and add less restrictive level
 * Restart ongoing name resolution on online command
 * Fix dump files to not include uncorrected offset
 * Fix initstepslew to accept time from own NTP clients
 * Reset NTP address and port when no longer negotiated by NTS-KE server
  • Ensure the correct pool packages are installed for openSUSE and SLE
    (bsc#1180689).

  • Fix pool package dependencies, so that SLE prefers chrony-pool-suse
    over chrony-pool-empty. (bsc#1194229)

  • Enable syscallfilter unconditionally [bsc#1181826].

Update to 4.0

 - Enhancements

   - Add support for Network Time Security (NTS) authentication
   - Add support for AES-CMAC keys (AES128, AES256) with Nettle
   - Add authselectmode directive to control selection of unauthenticated
     sources
   - Add binddevice, bindacqdevice, bindcmddevice directives
   - Add confdir directive to better support fragmented configuration
   - Add sourcedir directive and "reload sources" command to support
     dynamic NTP sources specified in files
   - Add clockprecision directive
   - Add dscp directive to set Differentiated Services Code Point (DSCP)
   - Add -L option to limit log messages by severity
   - Add -p option to print whole configuration with included files
   - Add -U option to allow start under non-root user
   - Allow maxsamples to be set to 1 for faster update with -q/-Q
     option
   - Avoid replacing NTP sources with sources that have unreachable
     address
   - Improve pools to repeat name resolution to get "maxsources" sources
   - Improve source selection with trusted sources
   - Improve NTP loop test to prevent synchronisation to itself
   - Repeat iburst when NTP source is switched from offline state to
     online
   - Update clock synchronisation status and leap status more frequently
   - Update seccomp filter
   - Add "add pool" command
   - Add "reset sources" command to drop all measurements
   - Add authdata command to print details about NTP authentication
   - Add selectdata command to print details about source selection
   - Add -N option and sourcename command to print original names
     of sources
   - Add -a option to some commands to print also unresolved sources
   - Add -k, -p, -r options to clients command to select, limit, reset
     data

 - Bug fixes

   - Don't set interface for NTP responses to allow asymmetric routing
   - Handle RTCs that don't support interrupts
   - Respond to command requests with correct address on multihomed hosts
 - Removed features
   - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
   - Drop support for long (non-standard) MACs in NTPv4 packets (chrony
     2.x clients using non-MD5/SHA1 keys need to use
     option "version 3")
   - Drop support for line editing with GNU Readline
  • By default we don't write log files but log to journald, so
    only recommend logrotate.

  • Adjust and rename the sysconfig file, so that it matches the
    expectations of chronyd.service (bsc#1173277).

Update to 3.5.1:

 * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
  • Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

  • Use iburst in the default pool statements to speed up initial
    synchronisation (bsc#1172113).

Update to 3.5:

  • Add support for more accurate reading of PHC on Linux 5.0
  • Add support for hardware timestamping on interfaces with read-only
    timestamping configuration
  • Add support for memory locking and real-time priority on FreeBSD,
    NetBSD, Solaris
  • Update seccomp filter to work on more architectures
  • Validate refclock driver options
  • Fix bindaddress directive on FreeBSD
  • Fix transposition of hardware RX timestamp on Linux 4.13 and later
  • Fix building on non-glibc systems
  • Fix location of helper script in [email protected] (bsc#1128846).

  • Read runtime servers from /var/run/netconfig/chrony.servers to fix
    bsc#1099272.

  • Move chrony-helper to /usr/lib/chrony/helper, because there should be no
    executables in /usr/share.

Update to version 3.4

 * Enhancements

   + Add filter option to server/pool/peer directive
   + Add minsamples and maxsamples options to hwtimestamp directive
   + Add support for faster frequency adjustments in Linux 4.19
   + Change default pidfile to /var/run/chrony/chronyd.pid to allow
     chronyd without root privileges to remove it on exit
   + Disable sub-second polling intervals for distant NTP sources
   + Extend range of supported sub-second polling intervals
   + Get/set IPv4 destination/source address of NTP packets on FreeBSD
   + Make burst options and command useful with short polling intervals
   + Modify auto_offline option to activate when sending request failed
   + Respond from interface that received NTP request if possible
   + Add onoffline command to switch between online and offline state
     according to current system network configuration
   + Improve example NetworkManager dispatcher script

 * Bug fixes

   + Avoid waiting in Linux getrandom system call
   + Fix PPS support on FreeBSD and NetBSD

Update to version 3.3

 * Enhancements:

   + Add burst option to server/pool directive
   + Add stratum and tai options to refclock directive
   + Add support for Nettle crypto library
   + Add workaround for missing kernel receive timestamps on Linux
   + Wait for late hardware transmit timestamps
   + Improve source selection with unreachable sources
   + Improve protection against replay attacks on symmetric mode
   + Allow PHC refclock to use socket in /var/run/chrony
   + Add shutdown command to stop chronyd
   + Simplify format of response to manual list command
   + Improve handling of unknown responses in chronyc

 * Bug fixes:

   + Respond to NTPv1 client requests with zero mode
   + Fix -x option to not require CAP_SYS_TIME under non-root user
   + Fix acquisitionport directive to work with privilege separation
   + Fix handling of socket errors on Linux to avoid high CPU usage
   + Fix chronyc to not get stuck in infinite loop after clock step

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-845=1

Package List:

  • openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64):

  • openSUSE Leap 15.3 (x86_64):

  • openSUSE Leap 15.3 (noarch):
