{"affected":[{"ecosystem_specific":{"binaries":[{"augeas":"1.10.1-3.9.1","augeas-lenses":"1.10.1-3.9.1","libaugeas0":"1.10.1-3.9.1"}]},"package":{"ecosystem":"SUSE:Linux Enterprise Micro 5.2","name":"augeas","purl":"pkg:rpm/suse/augeas&distro=SUSE%20Linux%20Enterprise%20Micro%205.2"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"1.10.1-3.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for chrony fixes the following issues:\n\nChrony was updated to 4.1, bringing features and bugfixes.\n\nUpdate to 4.1\n\n  * Add support for NTS servers specified by IP address (matching\n    Subject Alternative Name in server certificate)\n  * Add source-specific configuration of trusted certificates\n  * Allow multiple files and directories with trusted certificates\n  * Allow multiple pairs of server keys and certificates\n  * Add copy option to server/pool directive\n  * Increase PPS lock limit to 40% of pulse interval\n  * Perform source selection immediately after loading dump files\n  * Reload dump files for addresses negotiated by NTS-KE server\n  * Update seccomp filter and add less restrictive level\n  * Restart ongoing name resolution on online command\n  * Fix dump files to not include uncorrected offset\n  * Fix initstepslew to accept time from own NTP clients\n  * Reset NTP address and port when no longer negotiated by NTS-KE\n    server\n\n- Ensure the correct pool packages are installed for openSUSE\n  and SLE (bsc#1180689).\n- Fix pool package dependencies, so that SLE prefers chrony-pool-suse\n  over chrony-pool-empty. (bsc#1194229)\n\n- Enable syscallfilter unconditionally [bsc#1181826].\n\nUpdate to 4.0\n\n  - Enhancements\n\n    - Add support for Network Time Security (NTS) authentication\n    - Add support for AES-CMAC keys (AES128, AES256) with Nettle\n    - Add authselectmode directive to control selection of\n      unauthenticated sources\n    - Add binddevice, bindacqdevice, bindcmddevice directives\n    - Add confdir directive to better support fragmented\n      configuration\n    - Add sourcedir directive and 'reload sources' command to\n      support dynamic NTP sources specified in files\n    - Add clockprecision directive\n    - Add dscp directive to set Differentiated Services Code Point\n      (DSCP)\n    - Add -L option to limit log messages by severity\n    - Add -p option to print whole configuration with included\n      files\n    - Add -U option to allow start under non-root user\n    - Allow maxsamples to be set to 1 for faster update with -q/-Q\n      option\n    - Avoid replacing NTP sources with sources that have\n      unreachable address\n    - Improve pools to repeat name resolution to get 'maxsources'\n      sources\n    - Improve source selection with trusted sources\n    - Improve NTP loop test to prevent synchronisation to itself\n    - Repeat iburst when NTP source is switched from offline state\n      to online\n    - Update clock synchronisation status and leap status more\n      frequently\n    - Update seccomp filter\n    - Add 'add pool' command\n    - Add 'reset sources' command to drop all measurements\n    - Add authdata command to print details about NTP\n      authentication\n    - Add selectdata command to print details about source\n      selection\n    - Add -N option and sourcename command to print original names\n      of sources\n    - Add -a option to some commands to print also unresolved\n      sources\n    - Add -k, -p, -r options to clients command to select, limit,\n      reset data\n\n  - Bug fixes\n\n    - Don’t set interface for NTP responses to allow asymmetric\n      routing\n    - Handle RTCs that don’t support interrupts\n    - Respond to command requests with correct address on\n      multihomed hosts\n  - Removed features\n    - Drop support for RIPEMD keys (RMD128, RMD160, RMD256, RMD320)\n    - Drop support for long (non-standard) MACs in NTPv4 packets\n      (chrony 2.x clients using non-MD5/SHA1 keys need to use\n      option 'version 3')\n    - Drop support for line editing with GNU Readline\n\n- By default we don't write log files but log to journald, so\n  only recommend logrotate.\n\n- Adjust and rename the sysconfig file, so that it matches the\n  expectations of chronyd.service (bsc#1173277).\n\nUpdate to 3.5.1:\n\n  * Create new file when writing pidfile (CVE-2020-14367, bsc#1174911)\n\n- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)\n\n- Use iburst in the default pool statements to speed up initial\n  synchronisation (bsc#1172113).\n\n\n\n\nUpdate to 3.5:\n\n+ Add support for more accurate reading of PHC on Linux 5.0\n+ Add support for hardware timestamping on interfaces with read-only timestamping configuration\n+ Add support for memory locking and real-time priority on FreeBSD, NetBSD, Solaris\n+ Update seccomp filter to work on more architectures\n+ Validate refclock driver options\n+ Fix bindaddress directive on FreeBSD\n+ Fix transposition of hardware RX timestamp on Linux 4.13 and later\n+ Fix building on non-glibc systems\n\n- Fix location of helper script in chrony-dnssrv@.service\n  (bsc#1128846).\n\n\n- Read runtime servers from /var/run/netconfig/chrony.servers to\n  fix bsc#1099272.\n- Move chrony-helper to /usr/lib/chrony/helper, because there\n  should be no executables in /usr/share.\n\nUpdate to version 3.4\n\n  * Enhancements\n\n    + Add filter option to server/pool/peer directive\n    + Add minsamples and maxsamples options to hwtimestamp directive\n    + Add support for faster frequency adjustments in Linux 4.19\n    + Change default pidfile to /var/run/chrony/chronyd.pid to allow chronyd \n      without root privileges to remove it on exit\n    + Disable sub-second polling intervals for distant NTP sources\n    + Extend range of supported sub-second polling intervals\n    + Get/set IPv4 destination/source address of NTP packets on FreeBSD\n    + Make burst options and command useful with short polling intervals\n    + Modify auto_offline option to activate when sending request failed\n    + Respond from interface that received NTP request if possible\n    + Add onoffline command to switch between online and offline state \n      according to current system network configuration\n    + Improve example NetworkManager dispatcher script\n\n  * Bug fixes\n\n    + Avoid waiting in Linux getrandom system call\n    + Fix PPS support on FreeBSD and NetBSD\n\nUpdate to version 3.3\n\n  * Enhancements:\n\n    + Add burst option to server/pool directive\n    + Add stratum and tai options to refclock directive\n    + Add support for Nettle crypto library\n    + Add workaround for missing kernel receive timestamps on Linux\n    + Wait for late hardware transmit timestamps\n    + Improve source selection with unreachable sources\n    + Improve protection against replay attacks on symmetric mode\n    + Allow PHC refclock to use socket in /var/run/chrony\n    + Add shutdown command to stop chronyd\n    + Simplify format of response to manual list command\n    + Improve handling of unknown responses in chronyc\n\n  * Bug fixes:\n\n    + Respond to NTPv1 client requests with zero mode\n    + Fix -x option to not require CAP_SYS_TIME under non-root user\n    + Fix acquisitionport directive to work with privilege separation\n    + Fix handling of socket errors on Linux to avoid high CPU usage\n    + Fix chronyc to not get stuck in infinite loop after clock step","id":"SUSE-SU-2022:0845-2","modified":"2022-04-19T19:08:44Z","published":"2022-04-19T19:08:44Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2022/suse-su-20220845-2/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1099272"},{"type":"REPORT","url":"https://bugzilla.suse.com/1115529"},{"type":"REPORT","url":"https://bugzilla.suse.com/1128846"},{"type":"REPORT","url":"https://bugzilla.suse.com/1162964"},{"type":"REPORT","url":"https://bugzilla.suse.com/1172113"},{"type":"REPORT","url":"https://bugzilla.suse.com/1173277"},{"type":"REPORT","url":"https://bugzilla.suse.com/1174075"},{"type":"REPORT","url":"https://bugzilla.suse.com/1174911"},{"type":"REPORT","url":"https://bugzilla.suse.com/1180689"},{"type":"REPORT","url":"https://bugzilla.suse.com/1181826"},{"type":"REPORT","url":"https://bugzilla.suse.com/1187906"},{"type":"REPORT","url":"https://bugzilla.suse.com/1190926"},{"type":"REPORT","url":"https://bugzilla.suse.com/1194229"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-14367"}],"related":["CVE-2020-14367"],"summary":"Security update for chrony","upstream":["CVE-2020-14367"]}