From 2bad924aa02c906759f1860a264ffdd519e18bc5487183c2a44de1e8a79afea4 Mon Sep 17 00:00:00 2001 From: David Bahi Date: Tue, 25 Feb 2014 15:55:43 +0000 Subject: [PATCH] Accepting request 223745 from home:darix:branches:network:time - clean up build section - the configure script can actually import CC/CFLAGS from the environment. no need to break any CFLAGS it might set in the configure script. - remove unneeded prefix from the make calls. - enable building the binaries with PIE/relro now - Update to version 1.29.1: * Modify chronyc protocol to prevent amplification attacks (CVE-2014-0021) (incompatible with previous protocol version, chronyc supports both) - Additional changes from 1.29 * Fix crash when processing crafted commands (CVE-2012-4502) (possible with IP addresses allowed by cmdallow and localhost) * Don't send uninitialized data in SUBNETS_ACCESSED and CLIENT_ACCESSES replies (CVE-2012-4503) (not used by chronyc) * Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands - Updated chrony-config.patch: - lots of config values were fixed upstream already - key file patching is unnecessary OBS-URL: https://build.opensuse.org/request/show/223745 OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=5 --- chrony-1.27.tar.gz | 3 --- chrony-1.29.1.tar.gz | 3 +++ chrony-config.patch | 60 ++++++++++---------------------------------- chrony.changes | 48 +++++++++++++++++++++++++++++++++++ chrony.spec | 16 ++++++------ 5 files changed, 71 insertions(+), 59 deletions(-) delete mode 100644 chrony-1.27.tar.gz create mode 100644 chrony-1.29.1.tar.gz diff --git a/chrony-1.27.tar.gz b/chrony-1.27.tar.gz deleted file mode 100644 index 4a41565..0000000 --- a/chrony-1.27.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d44835ee2180a9a0f4f320fc498c39d59dec33d35c2aa05b446fe65a2a83ae9d -size 392876 diff --git a/chrony-1.29.1.tar.gz b/chrony-1.29.1.tar.gz new file mode 100644 index 0000000..cab0a65 
--- /dev/null +++ b/chrony-1.29.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:658c9bb4d8c8d8ec7d0908429aa266e5f8413ba86bd4acbfd2f9669f6065af27 +size 392889 diff --git a/chrony-config.patch b/chrony-config.patch index 511de3a..898aed4 100644 --- a/chrony-config.patch +++ b/chrony-config.patch @@ -1,13 +1,12 @@ ---- examples/chrony.conf.example 2010-03-07 17:42:07.000000000 +0100 -+++ examples/chrony.conf.example 2010-03-07 23:59:35.000000000 +0100 -@@ -43,9 +43,45 @@ - # you can access at - # http://www.eecis.udel.edu/~mills/ntp/servers.htm. - -+server 0.pool.ntp.org -+server 1.pool.ntp.org -+server 2.pool.ntp.org -+server 3.pool.ntp.org +Index: examples/chrony.conf.example +=================================================================== +--- examples/chrony.conf.example.orig 2014-02-24 17:46:48.776464049 +0100 ++++ examples/chrony.conf.example 2014-02-24 17:51:15.983463576 +0100 +@@ -46,7 +46,37 @@ + ! server 0.pool.ntp.org iburst + ! server 1.pool.ntp.org iburst + ! server 2.pool.ntp.org iburst +- + +# for Europe: +! server 0.europe.pool.ntp.org 
@@ -39,41 +38,19 @@ +! server 2.oceania.pool.ntp.org +! server 3.oceania.pool.ntp.org + -+# for your own ISP (preferred): -+! server ntp.skynet.be - ! server ntp0.your-isp.com - ! server ntp1.your-isp.com --! server ntp.public-server.org - # However, for dial-up use you probably want these instead. The word # 'offline' means that the server is not visible at boot time. Use -@@ -89,7 +125,7 @@ + # chronyc's 'online' command to tell chronyd that these servers have +@@ -89,7 +119,7 @@ # immediately so that it doesn't gain or lose any more time. You # generally want this, so it is uncommented. --driftfile /etc/chrony.drift +-driftfile /var/lib/chrony/drift +driftfile /var/lib/chrony/chrony.drift # If you want to use the program called chronyc to configure aspects of # chronyd's operation once it is running (e.g. tell it the Internet link -@@ -122,14 +158,14 @@ - # Enable these two options to use this. - - ! dumponexit --! dumpdir /var/log/chrony -+! dumpdir /var/lib/chrony - - # chronyd writes its process ID to a file. If you try to start a second - # copy of chronyd, it will detect that the process named in the file is - # still running and bail out. If you want to change the path to the PID - # file, uncomment this line and edit it. The default path is shown. - --! pidfile /var/run/chronyd.pid -+pidfile /var/run/chronyd.pid - - ####################################################################### - ### INITIAL CLOCK CORRECTION -@@ -153,8 +189,8 @@ +@@ -152,8 +182,8 @@ commandkey 1 # produce some graphs of your system's timekeeping performance, or you # need help in debugging a problem. 
@@ -84,14 +61,3 @@ # If you have real time clock support enabled (see below), you might want # this line instead: ---- examples/chrony.keys.example 2010-03-07 17:41:49.000000000 +0100 -+++ examples/chrony.keys.example 2010-03-07 17:42:01.000000000 +0100 -@@ -12,7 +12,7 @@ - ####################################################################### - # A valid key line looks like this - --1 a_key -+1 change_me_to_a_secret - - # It must consist of an integer, followed by whitespace, followed by a block of - # text with no spaces in it. (You cannot put a space in a key). If you wanted diff --git a/chrony.changes b/chrony.changes index 8ec77ac..912cd6e 100644 --- a/chrony.changes +++ b/chrony.changes 
@@ -1,3 +1,51 @@ +------------------------------------------------------------------- +Mon Feb 24 17:21:35 UTC 2014 - mrueckert@suse.de + +- clean up build section + - the configure script can actually import CC/CFLAGS from the + environment. no need to break any CFLAGS it might set in the + configure script. + - remove unneeded prefix from the make calls. + - enable building the binaries with PIE/relro now + +------------------------------------------------------------------- +Mon Feb 24 16:53:46 UTC 2014 - mrueckert@suse.de + +- Update to version 1.29.1: + * Modify chronyc protocol to prevent amplification attacks + (CVE-2014-0021) (incompatible with previous protocol version, + chronyc supports both) +- Additional changes from 1.29 + * Fix crash when processing crafted commands (CVE-2012-4502) + (possible with IP addresses allowed by cmdallow and localhost) + * Don't send uninitialized data in SUBNETS_ACCESSED and + CLIENT_ACCESSES replies (CVE-2012-4503) (not used by chronyc) + * Drop support for SUBNETS_ACCESSED and CLIENT_ACCESSES commands +- Additional changes from 1.28 + * Combine sources to improve accuracy + * Make config and command parser strict + * Add -a option to chronyc to authenticate automatically + * Add -R option to ignore initstepslew and makestep directives + * Add generatecommandkey, minsamples, maxsamples and user + directives + * Improve compatibility with NTPv1 and NTPv2 clients + * Create sockets only in selected family with -4/-6 option + * Treat address bind errors as non-fatal + * Extend tracking log + * Accept float values as initstepslew threshold + * Allow hostnames in offline, online and burst commands + * Fix and improve peer polling + * Fix crash in config parsing with too many servers + * Fix crash with duplicated initstepslew address + * Fix delta calculation with extreme frequency offsets + * Set local stratum correctly + * Remove unnecessary adjtimex calls + * Set paths in documentation by configure + * Update chrony.spec +- 
Updated chrony-config.patch: + - lots of config values were fixed upstream already + - key file patching is unnecessary + ------------------------------------------------------------------- Sat Jul 13 22:14:49 UTC 2013 - zaitor@opensuse.org diff --git a/chrony.spec b/chrony.spec index 3781613..1ca70fa 100644 --- a/chrony.spec +++ b/chrony.spec @@ -3,7 +3,7 @@ # Name: chrony -Version: 1.27 +Version: 1.29.1 Release: 0 License: GPL-2.0+ Summary: System Clock Synchronization Client and Server @@ -54,6 +54,9 @@ as the Chronyd instance it is controlling or a different computer. %build # not autoconf: +export CC="gcc" +export CFLAGS="%{optflags} -Wall -fpic -DPIC" +export LDFLAGS="-pie -Wl,-z,relro,-z,now" ./configure \ --prefix="%{_prefix}" \ --exec-prefix="%{_exec_prefix}" \ @@ -65,13 +68,9 @@ as the Chronyd instance it is controlling or a different computer. --mandir="%{_mandir}" \ --docdir="%{_docdir}/%{name}" -make %{?_smp_mflags} \ - CC="gcc" \ - CFLAGS="%{optflags} -Wall" \ - prefix="%{_prefix}" - -make chrony.txt prefix="%{_prefix}" -make chrony.info prefix="%{_prefix}" +make %{?_smp_mflags} +make chrony.txt +make chrony.info %install %makeinstall @@ -98,7 +97,6 @@ test -e "$h" && ln -s -f "$h" . install -d "%{buildroot}%{_sysconfdir}" install -m0644 examples/chrony.conf.example "%{buildroot}%{_sysconfdir}/chrony.conf" install -m0600 examples/chrony.keys.example "%{buildroot}%{_sysconfdir}/chrony.keys" -rm examples/chrony.keys.example.orig %pre /usr/sbin/groupadd -r chrony || :
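Review bot: Nothing in %build confirms that the new `export LDFLAGS="-pie -Wl,-z,relro,-z,now"` reaches the link step. The script is marked `# not autoconf:`, so whether it honours an exported LDFLAGS is not visible in this hunk, and an ignored variable would ship non-PIE, lazily bound binaries without any build failure. A cheap guard after `make %{?_smp_mflags}` (in the next hunk) would be `readelf -h chronyd | grep -q 'Type:.*DYN'` followed by `readelf -d chronyd | grep -q BIND_NOW`. For objects that are linked into a `-pie` executable, the conventional compile flag is `-fPIE` rather than `-fpic -DPIC`, i.e. `export CFLAGS="%{optflags} -Wall -fPIE"`. The %build section starts before this hunk and continues past it.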
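Review bot: With the chrony.keys.example patch dropped in this commit, the unchanged context line `install -m0600 examples/chrony.keys.example "%{buildroot}%{_sysconfdir}/chrony.keys"` ships upstream's example verbatim as the live key file, and nothing visible here shows that the 1.29.1 example has no active key line. The example config context shows `commandkey 1`, so an uncommented `1 …` entry would give every installation the same published chronyc command key; the removed patch had the same weakness with `1 change_me_to_a_secret`. Consider failing the build when a key is active, e.g. `if grep -Eq '^[[:space:]]*[0-9]' "%{buildroot}%{_sysconfdir}/chrony.keys"; then exit 1; fi`, and relying on the `generatecommandkey` directive listed in the changelog to create a per-host key. The %install section starts outside this hunk.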