Revision Date: | 2021-12-22 | Version: | 1 |
Title: | Security update for chrony (Moderate) |
Description: | This update for chrony fixes the following issues:
Chrony was updated to 4.1:
* Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate)
* Add source-specific configuration of trusted certificates
* Allow multiple files and directories with trusted certificates
* Allow multiple pairs of server keys and certificates
* Add copy option to server/pool directive
* Increase PPS lock limit to 40% of pulse interval
* Perform source selection immediately after loading dump files
* Reload dump files for addresses negotiated by NTS-KE server
* Update seccomp filter and add less restrictive level
* Restart ongoing name resolution on online command
* Fix dump files to not include uncorrected offset
* Fix initstepslew to accept time from own NTP clients
* Reset NTP address and port when no longer negotiated by NTS-KE server
- Update clknetsim to snapshot f89702d.
- Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689).
- Enable syscallfilter unconditionally (bsc#1181826).
Chrony was updated to 4.0:
Enhancements
- Add support for Network Time Security (NTS) authentication
- Add support for AES-CMAC keys (AES128, AES256) with Nettle
- Add authselectmode directive to control selection of unauthenticated sources
- Add binddevice, bindacqdevice, bindcmddevice directives
- Add confdir directive to better support fragmented configuration
- Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files
- Add clockprecision directive
- Add dscp directive to set Differentiated Services Code Point (DSCP)
- Add -L option to limit log messages by severity
- Add -p option to print whole configuration with included files
- Add -U option to allow start under non-root user
- Allow maxsamples to be set to 1 for faster update with -q/-Q option
- Avoid replacing NTP sources with sources that have unreachable address
- Improve pools to repeat name resolution to get 'maxsources' sources
- Improve source selection with trusted sources
- Improve NTP loop test to prevent synchronisation to itself
- Repeat iburst when NTP source is switched from offline state to online
- Update clock synchronisation status and leap status more frequently
- Update seccomp filter
- Add 'add pool' command
- Add 'reset sources' command to drop all measurements
- Add authdata command to print details about NTP authentication
- Add selectdata command to print details about source selection
- Add -N option and sourcename command to print original names of sources
- Add -a option to some commands to print also unresolved sources
- Add -k, -p, -r options to clients command to select, limit, reset data
Bug fixes
- Don’t set interface for NTP responses to allow asymmetric routing
- Handle RTCs that don’t support interrupts
- Respond to command requests with correct address on multihomed hosts
Removed features
- Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)
- Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3')
- By default we don't write log files but log to journald, so only recommend logrotate.
- Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277).
Chrony was updated to 3.5.1:
* Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)
- Add chrony-pool-suse and chrony-pool-openSUSE subpackages that preconfigure chrony to use NTP servers from the respective pools for SUSE and openSUSE (bsc#1156884, SLE-11424).
- Add chrony-pool-empty to still allow installing chrony without preconfigured servers.
- Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113).
- Update clknetsim to version 79ffe44 (fixes bsc#1162964).
Update to 3.5:
+ Add support for more accurate reading of PHC on Linux 5.0
+ Add support for hardware timestamping on interfaces with read-only timestamping configuration
+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris
+ Update seccomp filter to work on more architectures
+ Validate refclock driver options
+ Fix bindaddress directive on FreeBSD
+ Fix transposition of hardware RX timestamp on Linux 4.13 and later
+ Fix building on non-glibc systems
- Fix location of helper script in chrony-dnssrv@.service (bsc#1128846).
- Read runtime servers from /var/run/netconfig/chrony.servers (bsc#1099272)
- Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share.
- Remove discrepancies between spec file and chrony-tmpfiles (bsc#1115529)
Update to version 3.4
* Enhancements
+ Add filter option to server/pool/peer directive
+ Add minsamples and maxsamples options to hwtimestamp directive
+ Add support for faster frequency adjustments in Linux 4.19
+ Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit
+ Disable sub-second polling intervals for distant NTP sources
+ Extend range of supported sub-second polling intervals
+ Get/set IPv4 destination/source address of NTP packets on FreeBSD
+ Make burst options and command useful with short polling intervals
+ Modify auto_offline option to activate when sending request failed
+ Respond from interface that received NTP request if possible
+ Add onoffline command to switch between online and offline state according to current system network configuration
+ Improve example NetworkManager dispatcher script
* Bug fixes
+ Avoid waiting in Linux getrandom system call
+ Fix PPS support on FreeBSD and NetBSD
Update to version 3.3
* Enhancements:
+ Add burst option to server/pool directive
+ Add stratum and tai options to refclock directive
+ Add support for Nettle crypto library
+ Add workaround for missing kernel receive timestamps on Linux
+ Wait for late hardware transmit timestamps
+ Improve source selection with unreachable sources
+ Improve protection against replay attacks on symmetric mode
+ Allow PHC refclock to use socket in /var/run/chrony
+ Add shutdown command to stop chronyd
+ Simplify format of response to manual list command
+ Improve handling of unknown responses in chronyc
* Bug fixes:
+ Respond to NTPv1 client requests with zero mode
+ Fix -x option to not require CAP_SYS_TIME under non-root user
+ Fix acquisitionport directive to work with privilege separation
+ Fix handling of socket errors on Linux to avoid high CPU usage
+ Fix chronyc to not get stuck in infinite loop after clock step
- Added /etc/chrony.d/ directory to the package (bsc#1083597). Modified default chrony.conf to add 'include /etc/chrony.d/*'.
- Enable pps support
Upgraded to version 3.2:
Enhancements
* Improve stability with NTP sources and reference clocks
* Improve stability with hardware timestamping
* Improve support for NTP interleaved modes
* Control frequency of system clock on macOS 10.13 and later
* Set TAI-UTC offset of system clock with leapsectz directive
* Minimise data in client requests to improve privacy
* Allow transmit-only hardware timestamping
* Add support for new timestamping options introduced in Linux 4.13
* Add root delay, root dispersion and maximum error to tracking log
* Add mindelay and asymmetry options to server/peer/pool directive
* Add extpps option to PHC refclock to timestamp external PPS signal
* Add pps option to refclock directive to treat any refclock as PPS
* Add width option to refclock directive to filter wrong pulse edges
* Add rxfilter option to hwtimestamp directive
* Add -x option to disable control of system clock
* Add -l option to log to specified file instead of syslog
* Allow multiple command-line options to be specified together
* Allow starting without root privileges with -Q option
* Update seccomp filter for new glibc versions
* Dump history on exit by default with dumpdir directive
* Use hardening compiler options by default
Bug fixes
* Don't drop PHC samples with low-resolution system clock
* Ignore outliers in PHC tracking, RTC tracking, manual input
* Increase polling interval when peer is not responding
* Exit with error message when include directive fails
* Don't allow slash after hostname in allow/deny directive/command
* Try to connect to all addresses in chronyc before giving up
Upgraded to version 3.1:
- Enhancements
- Add support for precise cross timestamping of PHC on Linux
- Add minpoll, precision, nocrossts options to hwtimestamp directive
- Add rawmeasurements option to log directive and modify measurements option to log only valid measurements from synchronised sources
- Allow sub-second polling interval with NTP sources
- Bug fixes
- Fix time smoothing in interleaved mode
Upgraded to version 3.0:
- Enhancements
- Add support for software and hardware timestamping on Linux
- Add support for client/server and symmetric interleaved modes
- Add support for MS-SNTP authentication in Samba
- Add support for truncated MACs in NTPv4 packets
- Estimate and correct for asymmetric network jitter
- Increase default minsamples and polltarget to improve stability with very low jitter
- Add maxjitter directive to limit source selection by jitter
- Add offset option to server/pool/peer directive
- Add maxlockage option to refclock directive
- Add -t option to chronyd to exit after specified time
- Add partial protection against replay attacks on symmetric mode
- Don't reset polling interval when switching sources to online state
- Allow rate limiting with very short intervals
- Improve maximum server throughput on Linux and NetBSD
- Remove dump files after start
- Add tab-completion to chronyc with libedit/readline
- Add ntpdata command to print details about NTP measurements
- Allow all source options to be set in add server/peer command
- Indicate truncated addresses/hostnames in chronyc output
- Print reference IDs as hexadecimal numbers to avoid confusion with IPv4 addresses
- Bug fixes
- Fix crash with disabled asynchronous name resolving
Upgraded to version 2.4.1:
- Bug fixes
- Fix processing of kernel timestamps on non-Linux systems
- Fix crash with smoothtime directive
- Fix validation of refclock sample times
- Fix parsing of refclock directive
Update to 2.4:
- Enhancements
- Add orphan option to local directive for orphan mode compatible with ntpd
- Add distance option to local directive to set activation threshold (1 second by default)
- Add maxdrift directive to set maximum allowed drift of system clock
- Try to replace NTP sources exceeding maximum distance
- Randomise source replacement to avoid getting stuck with bad sources
- Randomise selection of sources from pools on start
- Ignore reference timestamp as ntpd doesn't always set it correctly
- Modify tracking report to use same values as seen by NTP clients
- Add -c option to chronyc to write reports in CSV format
- Provide detailed manual pages
- Bug fixes
- Fix SOCK refclock to work correctly when not specified as last refclock
- Fix initstepslew and -q/-Q options to accept time from own NTP clients
- Fix authentication with keys using 512-bit hash functions
- Fix crash on exit when multiple signals are received
- Fix conversion of very small floating-point numbers in command packets
|
Family: | unix | Class: | patch |
Status: | | Reference(s): | 1010201 1012382 1012523 1015336 1015337 1015340 1015342 1015343 1019675 1020412 1020645 1022595 1022607 1024346 1024373 1024376 1024412 1031717 1032150 1036489 1036800 1037404 1037838 1038299 1039542 1040073 1040519 1041873 1042268 1042957 1042977 1042978 1043017 1045404 1046054 1046107 1047901 1047989 1048317 1048327 1048356 1048688 1050060 1050231 1051406 1051635 1051987 1052384 1053309 1053919 1055272 1056003 1056365 1056427 1056587 1056596 1056652 1056979 1057079 1057199 1057820 1058413 1059639 1060333 1061756 1062496 1062835 1062941 1063026 1063349 1063516 1063704 1064206 1064320 1064591 1064597 1064606 1064701 1064926 1065101 1065180 1065600 1065639 1065692 1065717 1065866 1065959 1066045 1066175 1066192 1066213 1066223 1066285 1066382 1066470 1066471 1066472 1066573 1066606 1066629 1066660 1066696 1066767 1066812 1066974 1067105 1067132 1067225 1067494 1067734 1067735 1067888 1067906 1068671 1068978 1068980 1068982 1069152 1069250 1069270 1069277 1069468 1069484 1069583 1069721 1069793 1069879 1069916 1069942 1069996 1070001 1070006 1070145 1070169 1070404 1070535 1070767 1070771 1070805 1070825 1070964 1071693 1071694 1071695 1071833 1072589 1077718 1082318 1083597 1096209 1097775 1098155 1099272 1099805 1099808 1111180 1114157 1114169 1115529 1115750 1115904 1125357 1127367 1127369 1127370 1128712 1128846 1129734 1132852 1133817 1135773 1138461 1144903 1145498 1146206 1148426 1149110 1149294 1149295 1149296 1149297 1149298 1149299 1149303 1149304 1149324 1149535 1151206 1153108 1153158 1153161 1156884 1158328 1159840 1161119 1162964 1165402 1165643 1166290 1167240 1171806 1172113 1173277 1173760 1174075 1174157 1174911 1180689 1181826 1183783 1184400 1187906 1190926 144694 744692 789311 964944 966170 966172 969470 979928 989261 996376 CVE-2011-1521 CVE-2011-3389 CVE-2011-4944 CVE-2012-0845 CVE-2012-1150 CVE-2013-1752 CVE-2013-1753 CVE-2013-4238 CVE-2014-1912 CVE-2014-4650 CVE-2014-7185 CVE-2014-9130 CVE-2015-5191 CVE-2016-0772 
CVE-2016-1000110 CVE-2016-5636 CVE-2016-5699 CVE-2017-1000410 CVE-2017-11600 CVE-2017-12193 CVE-2017-15115 CVE-2017-16528 CVE-2017-16536 CVE-2017-16537 CVE-2017-16645 CVE-2017-16646 CVE-2017-16994 CVE-2017-17448 CVE-2017-17449 CVE-2017-17450 CVE-2017-5637 CVE-2017-7482 CVE-2017-7524 CVE-2017-8824 CVE-2018-10851 CVE-2018-10855 CVE-2018-10874 CVE-2018-10875 CVE-2018-1152 CVE-2018-11813 CVE-2018-14498 CVE-2018-14626 CVE-2018-4700 CVE-2019-0201 CVE-2019-10220 CVE-2019-11596 CVE-2019-11740 CVE-2019-11742 CVE-2019-11743 CVE-2019-11744 CVE-2019-11745 CVE-2019-11746 CVE-2019-11752 CVE-2019-11753 CVE-2019-12855 CVE-2019-13722 CVE-2019-15026 CVE-2019-17005 CVE-2019-17008 CVE-2019-17009 CVE-2019-17010 CVE-2019-17011 CVE-2019-17012 CVE-2019-17133 CVE-2019-3871 CVE-2019-9208 CVE-2019-9209 CVE-2019-9214 CVE-2019-9812 CVE-2020-14367 CVE-2020-14577 CVE-2020-14578 CVE-2020-14579 CVE-2020-14581 CVE-2020-14583 CVE-2020-14593 CVE-2020-14621 CVE-2020-5247 CVE-2020-9543 SUSE-SU-2017:3398-1 SUSE-SU-2018:4089-1 SUSE-SU-2018:4130-1 SUSE-SU-2019:0688-1 SUSE-SU-2019:1111-1 SUSE-SU-2019:2453-1 SUSE-SU-2019:3347-1 SUSE-SU-2020:1066-1 SUSE-SU-2020:2861-1 SUSE-SU-2021:4147-1
|
Platform(s): | openSUSE Leap 15.0, openSUSE Leap 15.1, openSUSE Leap 15.2, SUSE Linux Enterprise Server 12 SP3, SUSE Linux Enterprise Server 12 SP3-BCL, SUSE Linux Enterprise Server 12 SP3-ESPOS, SUSE Linux Enterprise Server 12 SP3-TERADATA, SUSE Linux Enterprise Server 12 SP4, SUSE Linux Enterprise Server 12 SP4-ESPOS, SUSE Linux Enterprise Server 12 SP4-LTSS, SUSE Linux Enterprise Server 12 SP5, SUSE Linux Enterprise Server for SAP Applications 12 SP5, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9
| Product(s): | |
Definition Synopsis |
openSUSE Leap 15.0 is installed
AND Package Information
libmodplug-devel-0.3.19-lp150.10 is installed
OR libmodplug1-0.3.19-lp150.10 is installed
OR libmodplug1-32bit-0.3.19-lp150.10 is installed
OR libopenmpt-0.3.19-lp150.10 is installed
OR libopenmpt-devel-0.3.19-lp150.10 is installed
OR libopenmpt0-0.3.19-lp150.10 is installed
OR libopenmpt0-32bit-0.3.19-lp150.10 is installed
OR libopenmpt_modplug1-0.3.19-lp150.10 is installed
OR libopenmpt_modplug1-32bit-0.3.19-lp150.10 is installed
OR openmpt123-0.3.19-lp150.10 is installed
|
Definition Synopsis |
openSUSE Leap 15.1 is installed
AND ledger-3.1.3-lp151.3.3 is installed
|
Definition Synopsis |
openSUSE Leap 15.2 is installed
AND Package Information
libpython2_7-1_0-2.7.17-lp152.3.3 is installed
OR libpython2_7-1_0-32bit-2.7.17-lp152.3.3 is installed
OR python-2.7.17-lp152.3.3 is installed
OR python-32bit-2.7.17-lp152.3.3 is installed
OR python-base-2.7.17-lp152.3.3 is installed
OR python-base-32bit-2.7.17-lp152.3.3 is installed
OR python-curses-2.7.17-lp152.3.3 is installed
OR python-demo-2.7.17-lp152.3.3 is installed
OR python-devel-2.7.17-lp152.3.3 is installed
OR python-doc-2.7.17-lp152.3.3 is installed
OR python-doc-pdf-2.7.17-lp152.3.3 is installed
OR python-gdbm-2.7.17-lp152.3.3 is installed
OR python-idle-2.7.17-lp152.3.3 is installed
OR python-tk-2.7.17-lp152.3.3 is installed
OR python-xml-2.7.17-lp152.3.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
libpython2_7-1_0-2.7.13-27 is installed
OR libpython2_7-1_0-32bit-2.7.13-27 is installed
OR python-base-2.7.13-27 is installed
OR python-base-32bit-2.7.13-27 is installed
OR python-xml-2.7.13-27 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-BCL is installed
AND Package Information
MozillaFirefox-68.3.0-109.98 is installed
OR MozillaFirefox-translations-common-68.3.0-109.98 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
AND Package Information
MozillaFirefox-60.9.0-109.86 is installed
OR MozillaFirefox-translations-common-60.9.0-109.86 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND Package Information
openslp-2.0.0-18.15 is installed
OR openslp-32bit-2.0.0-18.15 is installed
OR openslp-server-2.0.0-18.15 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4 is installed
AND busybox-1.21.1-3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4-ESPOS is installed
AND Package Information
xen-4.11.4_06-2.33 is installed
OR xen-doc-html-4.11.4_06-2.33 is installed
OR xen-libs-4.11.4_06-2.33 is installed
OR xen-libs-32bit-4.11.4_06-2.33 is installed
OR xen-tools-4.11.4_06-2.33 is installed
OR xen-tools-domU-4.11.4_06-2.33 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4-LTSS is installed
AND Package Information
ghostscript-9.52-23.39 is installed
OR ghostscript-x11-9.52-23.39 is installed
|
Definition Synopsis |
Release Information
SUSE Linux Enterprise Server 12 SP5 is installed
AND chrony-4.1-5.9.1 is installed
OR Package Information
SUSE Linux Enterprise Server for SAP Applications 12 SP5 is installed
AND chrony-4.1-5.9.1 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 8 is installed
AND ansible-2.4.6.0-3.3 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 9 is installed
AND mailman-2.1.17-3.23 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 8 is installed
AND python-Twisted-15.2.1-9.8 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 9 is installed
AND Package Information
mariadb-10.2.25-3.19 is installed
OR mariadb-galera-10.2.25-3.19 is installed
|