File _patchinfo of Package patchinfo.22223
<patchinfo incident="22223">
<issue tracker="bnc" id="1156884">[Build2.73] chronyd is missing sources</issue>
<issue tracker="bnc" id="1183783">FTBFS: chrony won't compile on SP3</issue>
<issue tracker="bnc" id="1069468">Packages should no longer use /var/adm/fillup-templates</issue>
<issue tracker="bnc" id="1174075">Changing %{_libexecdir} breaks some packages which are misusing the macro</issue>
<issue tracker="bnc" id="1159840">chrony is build failed in Leap 15.2</issue>
<issue tracker="bnc" id="1172113">[RPi4] Chrony takes too long for initial time sync which can result in failed product registration</issue>
<issue tracker="bnc" id="1184400">chronyd system unit PIDFILE references a legacy directory</issue>
<issue tracker="bnc" id="1174911">VUL-0: CVE-2020-14367: chrony: unsafe pidfile creation allows privilege escalation from chrony user to root</issue>
<issue tracker="bnc" id="1181826">network:time/chrony is compiled without support for seccomp</issue>
<issue tracker="bnc" id="1171806">chronyc, called by wicked, loops forever and prevents resolv.conf update</issue>
<issue tracker="bnc" id="1190926">Systemd hardening effort breaks chrony</issue>
<issue tracker="bnc" id="1173277">chrony: sysconfig file useless</issue>
<issue tracker="bnc" id="1083597">chrony: include /etc/chrony.d/*.conf by default</issue>
<issue tracker="bnc" id="1115529">chronyd version 3.4 has problems starting the command socket</issue>
<issue tracker="bnc" id="1099272">DHCP/netconfig does not set chrony time servers, still uses ntpq</issue>
<issue tracker="bnc" id="1161119">[RPi3] [Compute module 3+] Clock is wrong while chronyd is running</issue>
<issue tracker="bnc" id="1082318">Packages must not mark license files as %doc</issue>
<issue tracker="bnc" id="1187906">/etc/dhcp/dhclient.d/chrony.sh references non-existent /usr/share/chrony-helper</issue>
<issue tracker="bnc" id="1128846">chrony-dnssrv@.service has wrong path to helper script</issue>
<issue tracker="bnc" id="1173760">FIPS: chrony aborts in FIPS mode due to MD5</issue>
<issue tracker="bnc" id="1162964">chrony fails with recent glibc</issue>
<issue tracker="bnc" id="1063704">chrony uses opensuse.pool.ntp.org by default</issue>
<issue tracker="bnc" id="1180689">MicroOS defaults to using the SUSE NTP pool</issue>
<issue tracker="cve" id="2020-14367"/>
<issue tracker="jsc" id="SLE-11424"/>
<issue tracker="jsc" id="SLE-22292"/>
<issue tracker="jsc" id="SLE-22248"/>
<packager>rmax</packager>
<rating>moderate</rating>
<category>security</category>
<summary>Security update for chrony</summary>
<description>This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching
Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE
server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of
unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented
configuration
- Add sourcedir directive and "reload sources" command to
support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point
(DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included
files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q
option
- Avoid replacing NTP sources with sources that have
unreachable address
- Improve pools to repeat name resolution to get "maxsources"
sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state
to online
- Update clock synchronisation status and leap status more
frequently
- Update seccomp filter
- Add "add pool" command
- Add "reset sources" command to drop all measurements
- Add authdata command to print details about NTP
authentication
- Add selectdata command to print details about source
selection
- Add -N option and sourcename command to print original names
of sources
- Add -a option to some commands to print also unresolved
sources
- Add -k, -p, -r options to clients command to select, limit,
reset data
- Bug fixes
- Don’t set interface for NTP responses to allow asymmetric
routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on
multihomed hosts
- Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets
(chrony 2.x clients using non-MD5/SHA1 keys need to use
option "version 3")
- By default we don't write log files but log to journald, so
only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the
expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that
preconfigure chrony to use NTP servers from the respective
pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without
preconfigured servers.
- Use iburst in the default pool statements to speed up initial
synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd
without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state
according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add "include /etc/chrony.d/*"
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements
option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode
compatible with ntpd
- Add distance option to local directive to set activation
threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system
clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad
sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it
correctly
- Modify tracking report to use same values as seen by NTP
clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as
last refclock
- Fix initstepslew and -q/-Q options to accept time from own
NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in
command packets
</description>
</patchinfo>
