SUSE alert SUSE-SU-2025:20846-1 (chrony)
| From: | SLE-SECURITY-UPDATES <null@suse.de> | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2025:20846-1: moderate: Security update for chrony | |
| Date: | Fri, 24 Oct 2025 20:40:42 -0000 | |
| Message-ID: | <176133844284.31037.884813823063425258@smelt2.prg2.suse.org> |
# Security update for chrony Announcement ID: SUSE-SU-2025:20846-1 Release Date: 2025-10-14T15:17:37Z Rating: moderate References: * bsc#1246544 Affected Products: * SUSE Linux Micro 6.0 An update that has one fix can now be installed. ## Description: This update for chrony fixes the following issues: * Update to version 4.8: * Add maxunreach option to limit selection of unreachable sources * Add -u option to chronyc to drop root privileges (default chronyc user is set by configure script) * Fix refclock extpps option to work on Linux >= 6.15 * Validate refclock samples for reachability updates * Fix racy socket creation allowing privilege escalation to root (bsc#1246544) * Update to version 4.7: * Add opencommands directive to select remote monitoring commands * Add interval option to driftfile directive * Add waitsynced and waitunsynced options to local directive * Add sanity checks for integer values in configuration * Add support for systemd Type=notify service * Add RTC refclock driver * Allow PHC refclock to be specified with network interface name * Don’t require multiple refclock samples per poll to simplify filter configuration * Keep refclock reachable when dropping samples with large delay * Improve quantile-based filtering to adapt faster to larger delay * Improve logging of selection failures * Detect clock interference from other processes * Try to reopen message log (-l option) on cyclelogs command * Fix sourcedir reloading to not multiply sources * Fix tracking offset after failed clock step * Drop support for NTS with Nettle < 3.6 and GnuTLS < 3.6.14 * Drop support for building without POSIX threads * Update to version 4.6.1: * Add ntsaeads directive to enable only selected AEAD algorithms for NTS. * Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm. * Switch to compliant NTS keys if first response from server is NTS NAK. * Drop rcFOO symlinks for CODE16 (PED-266). * Update to version 4.6: * Add activate option to local directive to set activation threshold * Add ipv4 and ipv6 options to server/pool/peer directive * Add kod option to ratelimit directive for server KoD RATE support * Add leapseclist directive to read NIST/IERS leap-seconds.list file * Add ptpdomain directive to set PTP domain for NTP over PTP * Allow disabling pidfile * Improve copy server option to accept unsynchronised status instantly * Log one selection failure on start * Add offset command to modify source offset correction * Add timestamp sources to ntpdata report * Fix crash on sources reload during initstepslew or RTC initialisation * Fix source refreshment to not repeat failed name resolving attempts * Update to version 4.5: * Add support for AES-GCM-SIV in GnuTLS * Add support for corrections from PTP transparent clocks * Add support for systemd socket activation * Fix presend in interleaved mode * Fix reloading of modified sources from sourcedir ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.0 zypper in -t patch SUSE-SLE-Micro-6.0-490=1 ## Package List: * SUSE Linux Micro 6.0 (aarch64 s390x x86_64) * chrony-4.8-1.1 * chrony-debuginfo-4.8-1.1 * chrony-debugsource-4.8-1.1 * SUSE Linux Micro 6.0 (noarch) * chrony-pool-suse-4.8-1.1 ## References: * https://bugzilla.suse.com/show_bug.cgi?id=1246544
Attachment: None (type=text/html)
(HTML attachment elided)