Security update for chrony SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20862-1 Final 1 1 2025-10-17T12:05:08Z current 2025-10-17T12:05:08Z 2025-10-17T12:05:08Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chrony This update for chrony fixes the following issues: - Update to version 4.8: * Add maxunreach option to limit selection of unreachable sources * Add -u option to chronyc to drop root privileges (default chronyc user is set by configure script) * Fix refclock extpps option to work on Linux >= 6.15 * Validate refclock samples for reachability updates - Fix racy socket creation which allows privilege escalation to root (bsc#1246544) - Update to version 4.7: * Add opencommands directive to select remote monitoring commands * Add interval option to driftfile directive * Add waitsynced and waitunsynced options to local directive * Add sanity checks for integer values in configuration * Add support for systemd Type=notify service * Add RTC refclock driver * Allow PHC refclock to be specified with network interface name * Don’t require multiple refclock samples per poll to simplify filter configuration * Keep refclock reachable when dropping samples with large delay * Improve quantile-based filtering to adapt faster to larger delay * Improve logging of selection failures * Detect clock interference from other processes * Try to reopen message log (-l option) on cyclelogs command * Fix sourcedir reloading to not multiply sources * Fix tracking offset after failed clock step * Drop support for NTS with Nettle < 3.6 and GnuTLS < 3.6.14 * Drop support for building without POSIX threads - Update to version 4.6.1: * Add ntsaeads directive to enable only selected AEAD algorithms for NTS. * Negotiate use of compliant NTS keys with AES-128-GCM-SIV AEAD algorithm. * Switch to compliant NTS keys if first response from server is NTS NAK. - Drop rcFOO symlinks for CODE16 (PED-266). - Update to version 4.6: * Add activate option to local directive to set activation threshold * Add ipv4 and ipv6 options to server/pool/peer directive * Add kod option to ratelimit directive for server KoD RATE support * Add leapseclist directive to read NIST/IERS leap-seconds.list file * Add ptpdomain directive to set PTP domain for NTP over PTP * Allow disabling pidfile * Improve copy server option to accept unsynchronised status instantly * Log one selection failure on start * Add offset command to modify source offset correction * Add timestamp sources to ntpdata report * Fix crash on sources reload during initstepslew or RTC initialisation * Fix source refreshment to not repeat failed name resolving attempts The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.1-306 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520862-1/ Link for SUSE-SU-2025:20862-1 https://lists.suse.com/pipermail/sle-updates/2025-October/042316.html E-Mail link for SUSE-SU-2025:20862-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246544 SUSE Bug 1246544 SUSE Linux Micro 6.1 chrony-4.8-slfo.1.1_1.1 chrony-pool-empty-4.8-slfo.1.1_1.1 chrony-pool-suse-4.8-slfo.1.1_1.1 chrony-4.8-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 chrony-pool-empty-4.8-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1 chrony-pool-suse-4.8-slfo.1.1_1.1 as a component of SUSE Linux Micro 6.1