OVAL Reference oval:org.opensuse.security:def:56109

Oval Definition:

oval:org.opensuse.security:def:56109

Revision Date:	2021-12-22	Version:	1
Title:	Security update for chrony (Moderate)
Description:	This update for chrony fixes the following issues: Chrony was updated to 4.1: * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Update clknetsim to snapshot f89702d. - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Enable syscallfilter unconditionally (bsc#1181826). Chrony was updated to 4.0: Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Chrony was updated to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE (bsc#1156884, SLE-11424). - Add chrony-pool-empty to still allow installing chrony without preconfigured servers. - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). - Update clknetsim to version 79ffe44 (fixes bsc#1162964). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272) - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. - Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529) Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step - Added /etc/chrony.d/ directory to the package (bsc#1083597) Modifed default chrony.conf to add 'include /etc/chrony.d/' - Enable pps support Upgraded to version 3.2: Enhancements Improve stability with NTP sources and reference clocks * Improve stability with hardware timestamping * Improve support for NTP interleaved modes * Control frequency of system clock on macOS 10.13 and later * Set TAI-UTC offset of system clock with leapsectz directive * Minimise data in client requests to improve privacy * Allow transmit-only hardware timestamping * Add support for new timestamping options introduced in Linux 4.13 * Add root delay, root dispersion and maximum error to tracking log * Add mindelay and asymmetry options to server/peer/pool directive * Add extpps option to PHC refclock to timestamp external PPS signal * Add pps option to refclock directive to treat any refclock as PPS * Add width option to refclock directive to filter wrong pulse edges * Add rxfilter option to hwtimestamp directive * Add -x option to disable control of system clock * Add -l option to log to specified file instead of syslog * Allow multiple command-line options to be specified together * Allow starting without root privileges with -Q option * Update seccomp filter for new glibc versions * Dump history on exit by default with dumpdir directive * Use hardening compiler options by default Bug fixes * Don't drop PHC samples with low-resolution system clock * Ignore outliers in PHC tracking, RTC tracking, manual input * Increase polling interval when peer is not responding * Exit with error message when include directive fails * Don't allow slash after hostname in allow/deny directive/command * Try to connect to all addresses in chronyc before giving up Upgraded to version 3.1: - Enhancements - Add support for precise cross timestamping of PHC on Linux - Add minpoll, precision, nocrossts options to hwtimestamp directive - Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources - Allow sub-second polling interval with NTP sources - Bug fixes - Fix time smoothing in interleaved mode Upgraded to version 3.0: - Enhancements - Add support for software and hardware timestamping on Linux - Add support for client/server and symmetric interleaved modes - Add support for MS-SNTP authentication in Samba - Add support for truncated MACs in NTPv4 packets - Estimate and correct for asymmetric network jitter - Increase default minsamples and polltarget to improve stability with very low jitter - Add maxjitter directive to limit source selection by jitter - Add offset option to server/pool/peer directive - Add maxlockage option to refclock directive - Add -t option to chronyd to exit after specified time - Add partial protection against replay attacks on symmetric mode - Don't reset polling interval when switching sources to online state - Allow rate limiting with very short intervals - Improve maximum server throughput on Linux and NetBSD - Remove dump files after start - Add tab-completion to chronyc with libedit/readline - Add ntpdata command to print details about NTP measurements - Allow all source options to be set in add server/peer command - Indicate truncated addresses/hostnames in chronyc output - Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses - Bug fixes - Fix crash with disabled asynchronous name resolving Upgraded to version 2.4.1: - Bug fixes - Fix processing of kernel timestamps on non-Linux systems - Fix crash with smoothtime directive - Fix validation of refclock sample times - Fix parsing of refclock directive update to 2.4: - Enhancements - Add orphan option to local directive for orphan mode compatible with ntpd - Add distance option to local directive to set activation threshold (1 second by default) - Add maxdrift directive to set maximum allowed drift of system clock - Try to replace NTP sources exceeding maximum distance - Randomise source replacement to avoid getting stuck with bad sources - Randomise selection of sources from pools on start - Ignore reference timestamp as ntpd doesn't always set it correctly - Modify tracking report to use same values as seen by NTP clients - Add -c option to chronyc to write reports in CSV format - Provide detailed manual pages - Bug fixes - Fix SOCK refclock to work correctly when not specified as last refclock - Fix initstepslew and -q/-Q options to accept time from own NTP clients - Fix authentication with keys using 512-bit hash functions - Fix crash on exit when multiple signals are received - Fix conversion of very small floating-point numbers in command packets
Family:	unix	Class:	patch
Status:		Reference(s):	1012102 1012103 1012104 1013653 1013655 1013663 1032680 1054028 1054986 1056995 1060877 1063704 1069468 1082318 1083597 1090338 1096740 1099272 1105607 1115529 1117951 1122858 1128846 1140749 1156884 1159840 1160163 1161119 1162964 1167890 1168930 1171806 1172113 1173277 1173760 1174075 1174911 1180689 1181826 1183783 1184400 1187906 1190926 846389 864391 864655 864673 864678 864682 864769 864805 864811 877642 897654 900418 901508 902737 903543 905959 908275 916897 916914 922448 924018 924828 928393 929736 935033 935979 945404 945989 947271 949889 953339 953362 953518 954872 956829 957162 957568 957986 957988 958007 958009 958491 958523 958848 958917 959005 959387 959695 959928 960334 960707 960725 960835 960861 960862 961332 961358 961596 961600 961691 962320 963161 963782 963923 964413 964427 965315 965317 967012 967013 967630 967969 969121 969122 969350 973188 973631 974038 975130 975138 975907 976058 976111 978164 978295 978413 979620 979670 980716 980724 981264 981276 982024 982025 982026 982224 982225 982286 982695 982960 983973 983984 984981 985503 986586 988675 988676 990843 990923 CVE-2010-3609 CVE-2013-4449 CVE-2013-4527 CVE-2013-4529 CVE-2013-4530 CVE-2013-4533 CVE-2013-4534 CVE-2013-4537 CVE-2013-4538 CVE-2013-4539 CVE-2014-0222 CVE-2014-2977 CVE-2014-2978 CVE-2014-3640 CVE-2014-3672 CVE-2014-3689 CVE-2014-7815 CVE-2014-8962 CVE-2014-9028 CVE-2014-9718 CVE-2015-1545 CVE-2015-1546 CVE-2015-1779 CVE-2015-2296 CVE-2015-2721 CVE-2015-2722 CVE-2015-2724 CVE-2015-2725 CVE-2015-2726 CVE-2015-2728 CVE-2015-2730 CVE-2015-2733 CVE-2015-2734 CVE-2015-2735 CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739 CVE-2015-2740 CVE-2015-2743 CVE-2015-2806 CVE-2015-4000 CVE-2015-5278 CVE-2015-6855 CVE-2015-7512 CVE-2015-7549 CVE-2015-8313 CVE-2015-8345 CVE-2015-8504 CVE-2015-8550 CVE-2015-8554 CVE-2015-8555 CVE-2015-8558 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8743 CVE-2015-8744 CVE-2015-8745 CVE-2015-8817 CVE-2015-8818 CVE-2016-1568 CVE-2016-1570 CVE-2016-1571 CVE-2016-1714 CVE-2016-1922 CVE-2016-1981 CVE-2016-2198 CVE-2016-2270 CVE-2016-2271 CVE-2016-2391 CVE-2016-2392 CVE-2016-2538 CVE-2016-2841 CVE-2016-3158 CVE-2016-3159 CVE-2016-3710 CVE-2016-3960 CVE-2016-4001 CVE-2016-4002 CVE-2016-4020 CVE-2016-4037 CVE-2016-4439 CVE-2016-4441 CVE-2016-4453 CVE-2016-4454 CVE-2016-4952 CVE-2016-4962 CVE-2016-4963 CVE-2016-5105 CVE-2016-5106 CVE-2016-5107 CVE-2016-5126 CVE-2016-5238 CVE-2016-5337 CVE-2016-5338 CVE-2016-5403 CVE-2016-6258 CVE-2016-6259 CVE-2016-6351 CVE-2016-9634 CVE-2016-9635 CVE-2016-9636 CVE-2016-9807 CVE-2016-9808 CVE-2016-9810 CVE-2017-11462 CVE-2017-12166 CVE-2018-3665 CVE-2019-13313 CVE-2020-14367 CVE-2020-5260 SUSE-SU-2015:0887-1 SUSE-SU-2015:1268-2 SUSE-SU-2016:0077-1 SUSE-SU-2016:0114-1 SUSE-SU-2016:0955-1 SUSE-SU-2016:2093-1 SUSE-SU-2017:0210-1 SUSE-SU-2017:2659-1 SUSE-SU-2017:2839-1 SUSE-SU-2018:2086-1 SUSE-SU-2019:2273-1 SUSE-SU-2020:0516-1 SUSE-SU-2020:0992-1
Platform(s):	openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Desktop 11 SP3 SUSE Linux Enterprise Desktop 11 SP4 SUSE Linux Enterprise Desktop 12 SP2 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP2-LTSS SUSE Linux Enterprise Server 12 SP2-LTSS-SAP SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8	Product(s):
Definition Synopsis
openSUSE Leap 15.0 is installed AND Package Information coreutils-8.29-lp150.2 is installed OR coreutils-lang-8.29-lp150.2 is installed
Definition Synopsis
openSUSE Leap 15.1 is installed AND Package Information aubio-0.4.6-lp151.6.3 is installed OR aubio-tools-0.4.6-lp151.6.3 is installed OR libaubio-devel-0.4.6-lp151.6.3 is installed OR libaubio5-0.4.6-lp151.6.3 is installed OR libaubio5-32bit-0.4.6-lp151.6.3 is installed OR python-aubio-0.4.6-lp151.6.3 is installed OR python2-aubio-0.4.6-lp151.6.3 is installed OR python3-aubio-0.4.6-lp151.6.3 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP3 is installed AND Package Information libldap-2_4-2-2.4.26-0.30 is installed OR libldap-2_4-2-32bit-2.4.26-0.30 is installed OR openldap2-client-2.4.26-0.30 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 11 SP4 is installed AND Package Information MozillaFirefox-31.8.0esr-0.10 is installed OR MozillaFirefox-translations-31.8.0esr-0.10 is installed OR libfreebl3-3.19.2_CKBI_1.98-0.10 is installed OR libfreebl3-32bit-3.19.2_CKBI_1.98-0.10 is installed OR libsoftokn3-3.19.2_CKBI_1.98-0.10 is installed OR libsoftokn3-32bit-3.19.2_CKBI_1.98-0.10 is installed OR mozilla-nspr-4.10.8-0.5 is installed OR mozilla-nspr-32bit-4.10.8-0.5 is installed OR mozilla-nss-3.19.2_CKBI_1.98-0.10 is installed OR mozilla-nss-32bit-3.19.2_CKBI_1.98-0.10 is installed OR mozilla-nss-tools-3.19.2_CKBI_1.98-0.10 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP2 is installed AND Package Information gstreamer-0_10-plugins-good-0.10.31-16 is installed OR gstreamer-0_10-plugins-good-lang-0.10.31-16 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1 is installed AND Package Information libFLAC++6-1.3.0-6 is installed OR libFLAC8-1.3.0-6 is installed OR libFLAC8-32bit-1.3.0-6 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP1-LTSS is installed AND Package Information openvpn-2.3.8-16.20 is installed OR openvpn-auth-pam-plugin-2.3.8-16.20 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2 is installed AND Package Information DirectFB-1.7.1-6 is installed OR lib++dfb-1_7-1-1.7.1-6 is installed OR libdirectfb-1_7-1-1.7.1-6 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-BCL is installed AND Package Information libmysqlclient18-10.0.35-29.20 is installed OR libmysqlclient18-32bit-10.0.35-29.20 is installed OR mariadb-10.0.35-29.20 is installed OR mariadb-client-10.0.35-29.20 is installed OR mariadb-errormessages-10.0.35-29.20 is installed OR mariadb-tools-10.0.35-29.20 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed AND Package Information kgraft-patch-4_4_120-92_70-default-9-2 is installed OR kgraft-patch-SLE12-SP2_Update_20-9-2 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2-LTSS is installed AND Package Information kernel-firmware-20170530-21.22 is installed OR ucode-amd-20170530-21.22 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3 is installed AND Package Information hplip-3.16.11-1 is installed OR hplip-hpijs-3.16.11-1 is installed OR hplip-sane-3.16.11-1 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed AND Package Information libpython3_4m1_0-3.4.10-25.45 is installed OR python3-3.4.10-25.45 is installed OR python3-base-3.4.10-25.45 is installed OR python3-curses-3.4.10-25.45 is installed OR python3-devel-3.4.10-25.45 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed AND Package Information libcgroup-0.41.rc1-10.9 is installed OR libcgroup-tools-0.41.rc1-10.9 is installed OR libcgroup1-0.41.rc1-10.9 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP4 is installed AND Package Information libcdio14-0.90-6.3 is installed OR libcdio14-32bit-0.90-6.3 is installed
Definition Synopsis
SUSE OpenStack Cloud 7 is installed AND Package Information java-1_7_1-ibm-1.7.1_sr4.45-38.37 is installed OR java-1_7_1-ibm-alsa-1.7.1_sr4.45-38.37 is installed OR java-1_7_1-ibm-devel-1.7.1_sr4.45-38.37 is installed OR java-1_7_1-ibm-jdbc-1.7.1_sr4.45-38.37 is installed OR java-1_7_1-ibm-plugin-1.7.1_sr4.45-38.37 is installed
Definition Synopsis
SUSE OpenStack Cloud 8 is installed AND git-2.12.3-27.14 is installed
Definition Synopsis
SUSE OpenStack Cloud Crowbar 8 is installed AND Package Information python-certifi-2018.4.16-3.6 is installed OR python-chardet-3.0.4-5.6 is installed OR python-urllib3-1.22-3.20 is installed OR python3-certifi-2018.4.16-3.6 is installed OR python3-chardet-3.0.4-5.6 is installed OR python3-requests-2.20.1-5 is installed OR python3-urllib3-1.22-3.20 is installed

BACK