- Update to 4.2

* Add support for NTPv4 extension field improving synchronisation
    stability and resolution of root delay and dispersion
    (experimental)
  * Add support for NTP over PTP (experimental)
  * Add support for AES-CMAC and hash functions in GnuTLS
  * Improve server interleaved mode to be more reliable and support
    multiple clients behind NAT
  * Update seccomp filter
  * Fix RTC support with 64-bit time_t on 32-bit Linux
  * Fix seccomp filter to work correctly with bind*device directives
- Obsoleted patches:
  * chrony-refid-internal-md5.patch
  * harden_chrony-wait.service.patch
  * harden_chronyd.service.patch
- Update clknetsim to snapshot 470b5e9.

- Add chrony-htonl.patch to work around undocumented behaviour of
  htonl() in older glibc versions (SLE-12) on 64 bit big endian
  architectures (s390x).

- SLE bugs that have been fixed in openSUSE up to this point
  without explicit references: bsc#1183783, bsc#1184400,
  bsc#1171806, bsc#1161119, bsc#1159840.
- Obsoleted SLE patches:
  * chrony-fix-open.patch
  * chrony-gettimeofday.patch
  * chrony-ntp-era-split.patch
  * chrony-pidfile.patch
  * chrony-select-timeout.patch

OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=106

chrony-4.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ed76f2d3f9347ac6221a91ad4bd553dd0565ac188cd7490d0801d08f7171164c
-size 564648

chrony-4.1.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
-DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
-QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
-shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
-QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
-hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
-kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
-0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
-TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
-AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
-7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
-CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
-=rNMW
------END PGP SIGNATURE-----

chrony-4.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:273f9fd15c328ed6f3a5f6ba6baec35a421a34a73bb725605329b1712048db9a
+size 578411

chrony-4.2.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
+Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
+NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
+CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
+R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
+ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
+TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
+2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
+cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
+QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
+9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
+2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
+=F4BS
+-----END PGP SIGNATURE-----

chrony-htonl.patch

@@ -0,0 +1,11 @@
+--- test/unit/util.c.orig
++++ test/unit/util.c
+@@ -533,7 +533,7 @@ test_unit(void)
+ #else
+   TEST_CHECK(tspec.tv_sec_high == htonl(TV_NOHIGHSEC));
+ #endif
+-  TEST_CHECK(tspec.tv_sec_low == htonl(ts.tv_sec));
++  TEST_CHECK(tspec.tv_sec_low == htonl((uint32_t) ts.tv_sec));
+   TEST_CHECK(tspec.tv_nsec == htonl(ts.tv_nsec));
+   UTI_TimespecNetworkToHost(&tspec, &ts2);
+   TEST_CHECK(!UTI_CompareTimespecs(&ts, &ts2));

chrony-refid-internal-md5.patch

@@ -1,45 +0,0 @@
---- util.c.orig
-+++ util.c
-@@ -32,7 +32,13 @@
- #include "logging.h"
- #include "memory.h"
- #include "util.h"
--#include "hash.h"
-+/*
-+ * We use the internal MD5 implementation here to avoid trouble with
-+ * FIPS. This is OK, because MD5 is only being used for the non-crypto
-+ * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
-+ * as required by RFC 5905.
-+ */
-+#include "md5.c"
- 
- #define NSEC_PER_SEC 1000000000
- 
-@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
- uint32_t
- UTI_IPToRefid(const IPAddr *ip)
- {
--  static int MD5_hash = -1;
--  unsigned char buf[16];
-+  MD5_CTX ctx;
-+  unsigned char *buf = &ctx.digest;
- 
-   switch (ip->family) {
-     case IPADDR_INET4:
-       return ip->addr.in4;
-     case IPADDR_INET6:
--      if (MD5_hash < 0)
--        MD5_hash = HSH_GetHashId(HSH_MD5);
--
--      if (MD5_hash < 0 ||
--          HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
--                   NULL, 0, buf, sizeof (buf)) != sizeof (buf))
--        LOG_FATAL("Could not get MD5");
--
-+      MD5Init(&ctx);
-+      MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
-+                     sizeof(ip->addr.in6));
-+      MD5Final(&ctx);
-       return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
-   }
-   return 0;

chrony-service-helper.patch

@@ -1,12 +1,10 @@
-diff -burNE chrony-3.5_orig/examples/chronyd.service chrony-3.5/examples/chronyd.service
---- chrony-3.5_orig/examples/chronyd.service	2019-10-19 10:20:18.421076350 +0200
-+++ chrony-3.5/examples/chronyd.service	2019-10-19 10:23:20.521233091 +0200
-@@ -10,6 +10,7 @@
+--- examples/chronyd.service.orig
++++ examples/chronyd.service
+@@ -10,6 +10,7 @@ Type=forking
  PIDFile=/run/chrony/chronyd.pid
  EnvironmentFile=-/etc/sysconfig/chronyd
  ExecStart=/usr/sbin/chronyd $OPTIONS
 +ExecStartPost=@CHRONY_HELPER@ update-daemon
- PrivateTmp=yes
- ProtectHome=yes
- ProtectSystem=full
-
+ 
+ CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE

chrony.changes

@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Thu Dec 16 16:47:08 UTC 2021 - Reinhard Max <max@suse.com>
+
+- Update to 4.2
+  * Add support for NTPv4 extension field improving synchronisation
+    stability and resolution of root delay and dispersion
+    (experimental)
+  * Add support for NTP over PTP (experimental)
+  * Add support for AES-CMAC and hash functions in GnuTLS
+  * Improve server interleaved mode to be more reliable and support
+    multiple clients behind NAT
+  * Update seccomp filter
+  * Fix RTC support with 64-bit time_t on 32-bit Linux
+  * Fix seccomp filter to work correctly with bind*device directives
+- Obsoleted patches:
+  * chrony-refid-internal-md5.patch
+  * harden_chrony-wait.service.patch
+  * harden_chronyd.service.patch
+- Update clknetsim to snapshot 470b5e9.
+
+-------------------------------------------------------------------
+Tue Dec  7 10:08:53 UTC 2021 - Reinhard Max <max@suse.com>
+
+- Add chrony-htonl.patch to work around undocumented behaviour of
+  htonl() in older glibc versions (SLE-12) on 64 bit big endian
+  architectures (s390x).
+
+-------------------------------------------------------------------
+Fri Nov 19 16:39:44 UTC 2021 - Reinhard Max <max@suse.com>
+
+- SLE bugs that have been fixed in openSUSE up to this point
+  without explicit references: bsc#1183783, bsc#1184400,
+  bsc#1171806, bsc#1161119, bsc#1159840.
+- Obsoleted SLE patches:
+  * chrony-fix-open.patch
+  * chrony-gettimeofday.patch
+  * chrony-ntp-era-split.patch
+  * chrony-pidfile.patch
+  * chrony-select-timeout.patch
+  * chrony-urandom.patch
+  * chrony.sysconfig
+  * clknetsim-glibc-2.31.patch
+
 -------------------------------------------------------------------
 Fri Oct  8 14:52:41 UTC 2021 - Reinhard Max <max@suse.com>
 

chrony.spec

@@ -30,14 +30,14 @@
 %bcond_without testsuite
 
 %define _systemdutildir %(pkg-config --variable systemdutildir systemd)
-%global clknetsim_ver f89702d
+%global clknetsim_ver 470b5e9
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 %define chrony_helper %{_libexecdir}/chrony/helper
 Name:           chrony
-Version:        4.1
+Version:        4.2
 Release:        0
 Summary:        System Clock Synchronization Client and Server
 License:        GPL-2.0-only
@@ -64,9 +64,7 @@ Patch0:         chrony-config.patch
 Patch1:         chrony-service-helper.patch
 Patch2:         chrony-logrotate.patch
 Patch3:         chrony-service-ordering.patch
-Patch4:         chrony-refid-internal-md5.patch
-Patch5:         harden_chrony-wait.service.patch
-Patch6:         harden_chronyd.service.patch
+Patch7:         chrony-htonl.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  bison
 BuildRequires:  findutils
@@ -132,7 +130,7 @@ Provides:       %name-pool-nonempty
 Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
-RemovePathPostfixes: .suse
+Removepathpostfixes:.suse
 
 %description pool-suse
 This package configures chrony to use the SUSE NTP server pool by
@@ -147,7 +145,7 @@ Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
 Supplements:    (chrony and branding-openSUSE)
-RemovePathPostfixes: .opensuse
+Removepathpostfixes:.opensuse
 
 %description pool-openSUSE
 This package configures chrony to use the openSUSE NTP server pool by
@@ -161,7 +159,7 @@ Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
 Supplements:    (chrony and branding-SLE)
-RemovePathPostfixes: .empty
+Removepathpostfixes:.empty
 
 %description pool-empty
 This package provides an empty /etc/chrony.d/pool.conf file for
@@ -173,12 +171,10 @@ e.g. because the servers will be set via DHCP.
 %prep
 %setup -q -a 10
 %patch0 -p1
-%patch1 -p1
+%patch1
 %patch2 -p1
 %patch3
-%patch4
-%patch5 -p1
-%patch6
+%patch7
 
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .

clknetsim-470b5e9.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:92fe0052f9e2369f9a2a2565fe1d681d18ef27ad1e85ce542cc089b833977750
+size 48016

clknetsim-f89702d.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0aaa98b344b3cfc3cc94ef39a1793a78ee4cf11f669c2890c7a38621ec29cf22
-size 46889

harden_chrony-wait.service.patch

@@ -1,24 +0,0 @@
-Index: chrony-4.1/examples/chrony-wait.service
-===================================================================
---- chrony-4.1.orig/examples/chrony-wait.service
-+++ chrony-4.1/examples/chrony-wait.service
-@@ -7,6 +7,19 @@ Before=time-sync.target
- Wants=time-sync.target
- 
- [Service]
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectSystem=full
-+ProtectHome=true
-+PrivateDevices=true
-+ProtectHostname=true
-+ProtectClock=true
-+ProtectKernelTunables=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+RestrictRealtime=true
-+# end of automatic additions 
- Type=oneshot
- # Wait for chronyd to update the clock and the remaining
- # correction to be less than 0.1 seconds

harden_chronyd.service.patch

@@ -1,18 +0,0 @@
---- examples/chronyd.service.orig
-+++ examples/chronyd.service
-@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae
- PrivateTmp=yes
- ProtectHome=yes
- ProtectSystem=full
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectHostname=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+DeviceAllow=char-rtc
-+DeviceAllow=char-ptp
-+# end of automatic additions 
- 
- [Install]
- WantedBy=multi-user.target