OVAL Reference oval:org.opensuse.security:def:973

Oval Definition:

oval:org.opensuse.security:def:973

Revision Date:	2022-03-15	Version:	1
Title:	Security update for chrony (Moderate)
Description:	This update for chrony fixes the following issues: Chrony was updated to 4.1, bringing features and bugfixes. Update to 4.1 * Add support for NTS servers specified by IP address (matching Subject Alternative Name in server certificate) * Add source-specific configuration of trusted certificates * Allow multiple files and directories with trusted certificates * Allow multiple pairs of server keys and certificates * Add copy option to server/pool directive * Increase PPS lock limit to 40% of pulse interval * Perform source selection immediately after loading dump files * Reload dump files for addresses negotiated by NTS-KE server * Update seccomp filter and add less restrictive level * Restart ongoing name resolution on online command * Fix dump files to not include uncorrected offset * Fix initstepslew to accept time from own NTP clients * Reset NTP address and port when no longer negotiated by NTS-KE server - Ensure the correct pool packages are installed for openSUSE and SLE (bsc#1180689). - Fix pool package dependencies, so that SLE prefers chrony-pool-suse over chrony-pool-empty. (bsc#1194229) - Enable syscallfilter unconditionally [bsc#1181826]. Update to 4.0 - Enhancements - Add support for Network Time Security (NTS) authentication - Add support for AES-CMAC keys (AES128, AES256) with Nettle - Add authselectmode directive to control selection of unauthenticated sources - Add binddevice, bindacqdevice, bindcmddevice directives - Add confdir directive to better support fragmented configuration - Add sourcedir directive and 'reload sources' command to support dynamic NTP sources specified in files - Add clockprecision directive - Add dscp directive to set Differentiated Services Code Point (DSCP) - Add -L option to limit log messages by severity - Add -p option to print whole configuration with included files - Add -U option to allow start under non-root user - Allow maxsamples to be set to 1 for faster update with -q/-Q option - Avoid replacing NTP sources with sources that have unreachable address - Improve pools to repeat name resolution to get 'maxsources' sources - Improve source selection with trusted sources - Improve NTP loop test to prevent synchronisation to itself - Repeat iburst when NTP source is switched from offline state to online - Update clock synchronisation status and leap status more frequently - Update seccomp filter - Add 'add pool' command - Add 'reset sources' command to drop all measurements - Add authdata command to print details about NTP authentication - Add selectdata command to print details about source selection - Add -N option and sourcename command to print original names of sources - Add -a option to some commands to print also unresolved sources - Add -k, -p, -r options to clients command to select, limit, reset data - Bug fixes - Don’t set interface for NTP responses to allow asymmetric routing - Handle RTCs that don’t support interrupts - Respond to command requests with correct address on multihomed hosts - Removed features - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320) - Drop support for long (non-standard) MACs in NTPv4 packets (chrony 2.x clients using non-MD5/SHA1 keys need to use option 'version 3') - Drop support for line editing with GNU Readline - By default we don't write log files but log to journald, so only recommend logrotate. - Adjust and rename the sysconfig file, so that it matches the expectations of chronyd.service (bsc#1173277). Update to 3.5.1: * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911) - Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075) - Use iburst in the default pool statements to speed up initial synchronisation (bsc#1172113). Update to 3.5: + Add support for more accurate reading of PHC on Linux 5.0 + Add support for hardware timestamping on interfaces with read-only timestamping configuration + Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris + Update seccomp filter to work on more architectures + Validate refclock driver options + Fix bindaddress directive on FreeBSD + Fix transposition of hardware RX timestamp on Linux 4.13 and later + Fix building on non-glibc systems - Fix location of helper script in chrony-dnssrv@.service (bsc#1128846). - Read runtime servers from /var/run/netconfig/chrony.servers to fix bsc#1099272. - Move chrony-helper to /usr/lib/chrony/helper, because there should be no executables in /usr/share. Update to version 3.4 * Enhancements + Add filter option to server/pool/peer directive + Add minsamples and maxsamples options to hwtimestamp directive + Add support for faster frequency adjustments in Linux 4.19 + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd without root privileges to remove it on exit + Disable sub-second polling intervals for distant NTP sources + Extend range of supported sub-second polling intervals + Get/set IPv4 destination/source address of NTP packets on FreeBSD + Make burst options and command useful with short polling intervals + Modify auto_offline option to activate when sending request failed + Respond from interface that received NTP request if possible + Add onoffline command to switch between online and offline state according to current system network configuration + Improve example NetworkManager dispatcher script * Bug fixes + Avoid waiting in Linux getrandom system call + Fix PPS support on FreeBSD and NetBSD Update to version 3.3 * Enhancements: + Add burst option to server/pool directive + Add stratum and tai options to refclock directive + Add support for Nettle crypto library + Add workaround for missing kernel receive timestamps on Linux + Wait for late hardware transmit timestamps + Improve source selection with unreachable sources + Improve protection against replay attacks on symmetric mode + Allow PHC refclock to use socket in /var/run/chrony + Add shutdown command to stop chronyd + Simplify format of response to manual list command + Improve handling of unknown responses in chronyc * Bug fixes: + Respond to NTPv1 client requests with zero mode + Fix -x option to not require CAP_SYS_TIME under non-root user + Fix acquisitionport directive to work with privilege separation + Fix handling of socket errors on Linux to avoid high CPU usage + Fix chronyc to not get stuck in infinite loop after clock step
Family:	unix	Class:	patch
Status:		Reference(s):	1099272 1115529 1128846 1162964 1172113 1173277 1174075 1174911 1180689 1181826 1187906 1190926 1194229 CVE-2009-0316 CVE-2017-1000382 CVE-2017-5953 CVE-2017-6349 CVE-2017-6350 CVE-2017-6507 CVE-2017-6507 CVE-2018-1000858 CVE-2018-12020 CVE-2018-9234 CVE-2019-13050 CVE-2019-14855 CVE-2020-14367 CVE-2020-25125 SUSE-SU-2022:0845-1
Platform(s):	openSUSE 13.2 SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Desktop 12 SP3 SUSE Linux Enterprise Desktop 15 SP3 SUSE Linux Enterprise High Availability 15 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Module for additional PackageHub packages 15 SUSE Linux Enterprise Module for Basesystem 15 SP3 SUSE Linux Enterprise Module for Desktop Applications 15 SUSE Linux Enterprise Module for Legacy Software 15 SUSE Linux Enterprise Module for Live Patching 15 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 SUSE Linux Enterprise Module for Public Cloud 15 SUSE Linux Enterprise Module for Server Applications 15 SUSE Linux Enterprise Module for Web Scripting 15 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Software Development Kit 12 SP1 SUSE Linux Enterprise Storage 7.1 SUSE Linux Enterprise Workstation Extension 12 SUSE Linux Enterprise Workstation Extension 15 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 SUSE Package Hub for SUSE Linux Enterprise 12 SUSE Package Hub for SUSE Linux Enterprise 15	Product(s):
Definition Synopsis
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 is installed AND Package Information openstack-cinder-2014.2.3.dev13-1 is installed OR openstack-cinder-volume-2014.2.3.dev13-1 is installed OR python-cinder-2014.2.3.dev13-1 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 is installed AND Package Information aaa_base-13.2+git20140911.61c1681-1 is installed OR aaa_base-extras-13.2+git20140911.61c1681-1 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP1 is installed AND Package Information ImageMagick-6.8.8.1-8 is installed OR libMagick++-6_Q16-3-6.8.8.1-8 is installed OR libMagickCore-6_Q16-1-6.8.8.1-8 is installed OR libMagickCore-6_Q16-1-32bit-6.8.8.1-8 is installed OR libMagickWand-6_Q16-1-6.8.8.1-8 is installed
Definition Synopsis
SUSE Linux Enterprise Desktop 12 SP3 is installed AND Package Information libjson-c2-0.11-2 is installed OR libjson-c2-32bit-0.11-2 is installed
Definition Synopsis
Release Information SUSE Linux Enterprise Desktop 15 SP3 is installed OR SUSE Linux Enterprise High Performance Computing 15 SP3 is installed OR SUSE Linux Enterprise Module for Basesystem 15 SP3 is installed OR SUSE Linux Enterprise Server 15 SP3 is installed OR SUSE Linux Enterprise Server for SAP Applications 15 SP3 is installed OR SUSE Linux Enterprise Storage 7.1 is installed OR SUSE Manager Proxy 4.2 is installed OR SUSE Manager Retail Branch Server 4.2 is installed OR SUSE Manager Server 4.2 is installed AND Package Information augeas-1.10.1-3.9.1 is installed OR augeas-devel-1.10.1-3.9.1 is installed OR augeas-lenses-1.10.1-3.9.1 is installed OR chrony-4.1-150300.16.3.1 is installed OR chrony-pool-empty-4.1-150300.16.3.1 is installed OR chrony-pool-suse-4.1-150300.16.3.1 is installed OR libaugeas0-1.10.1-3.9.1 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Basesystem 15 SP3 is installed AND Package Information dirmngr-2.2.27-1.2 is installed OR gpg2-2.2.27-1.2 is installed OR gpg2-lang-2.2.27-1.2 is installed
Definition Synopsis
SUSE Linux Enterprise High Availability 15 is installed AND Package Information drbd-9.0.13+git.b83ade31-3.2 is installed OR drbd-kmp-default-9.0.13+git.b83ade31_k4.12.14_23-3.2 is installed
Definition Synopsis
SUSE Linux Enterprise Module for additional PackageHub packages 15 is installed AND Package Information libxmlsec1-gcrypt1-1.2.26-3.3 is installed OR libxmlsec1-gnutls1-1.2.26-3.3 is installed OR libxmlsec1-openssl1-1.2.26-3.3 is installed OR xmlsec1-1.2.26-3.3 is installed OR xmlsec1-gnutls-devel-1.2.26-3.3 is installed OR xmlsec1-openssl-devel-1.2.26-3.3 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Desktop Applications 15 is installed AND gvim-8.0.1568-3 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Legacy Software 15 is installed AND Package Information kernel-default-4.12.14-25.3 is installed OR reiserfs-kmp-default-4.12.14-25.3 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Live Patching 15 is installed AND Package Information kernel-livepatch-4_12_14-25_3-default-2-2 is installed OR kernel-livepatch-SLE15_Update_1-2-2 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 is installed AND Package Information nginx-1.14.2-3.3 is installed OR vim-plugin-nginx-1.14.2-3.3 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Public Cloud 15 is installed AND Package Information kernel-azure-4.12.14-5.13 is installed OR kernel-azure-base-4.12.14-5.13 is installed OR kernel-azure-devel-4.12.14-5.13 is installed OR kernel-devel-azure-4.12.14-5.13 is installed OR kernel-source-azure-4.12.14-5.13 is installed OR kernel-syms-azure-4.12.14-5.13 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Server Applications 15 is installed AND apache2-mod_apparmor-2.12-5 is installed
Definition Synopsis
SUSE Linux Enterprise Module for Web Scripting 15 is installed AND Package Information tomcat-9.0.10-3.7 is installed OR tomcat-admin-webapps-9.0.10-3.7 is installed OR tomcat-el-3_0-api-9.0.10-3.7 is installed OR tomcat-jsp-2_3-api-9.0.10-3.7 is installed OR tomcat-lib-9.0.10-3.7 is installed OR tomcat-servlet-4_0-api-9.0.10-3.7 is installed OR tomcat-webapps-9.0.10-3.7 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 is installed AND libzip2-0.11.1-4.62 is installed
Definition Synopsis
SUSE Linux Enterprise Server 12 SP2 is installed AND Package Information libpng12-0-1.2.50-13.1 is installed OR libpng12-0-32bit-1.2.50-13.1 is installed
Definition Synopsis
SUSE Linux Enterprise Workstation Extension 15 is installed AND Package Information kernel-default-4.12.14-25.13 is installed OR kernel-default-extra-4.12.14-25.13 is installed
Definition Synopsis
SUSE Package Hub for SUSE Linux Enterprise 12 is installed AND Package Information chromedriver-54.0.2840.59-109 is installed OR chromium-54.0.2840.59-109 is installed OR chromium-ffmpegsumo-54.0.2840.59-109 is installed
Definition Synopsis
SUSE Package Hub for SUSE Linux Enterprise 15 is installed AND Package Information GraphicsMagick-1.3.29-bp150.2.6 is installed OR GraphicsMagick-devel-1.3.29-bp150.2.6 is installed OR libGraphicsMagick++-Q16-12-1.3.29-bp150.2.6 is installed OR libGraphicsMagick++-devel-1.3.29-bp150.2.6 is installed OR libGraphicsMagick-Q16-3-1.3.29-bp150.2.6 is installed OR libGraphicsMagick3-config-1.3.29-bp150.2.6 is installed OR libGraphicsMagickWand-Q16-2-1.3.29-bp150.2.6 is installed OR perl-GraphicsMagick-1.3.29-bp150.2.6 is installed

BACK