diff --git a/chrony-4.1.tar.gz b/chrony-4.1.tar.gz
deleted file mode 100644
index c78c693..0000000
--- a/chrony-4.1.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ed76f2d3f9347ac6221a91ad4bd553dd0565ac188cd7490d0801d08f7171164c
-size 564648
diff --git a/chrony-4.1.tar.gz.sig b/chrony-4.1.tar.gz.sig
deleted file mode 100644
index a3ffada..0000000
--- a/chrony-4.1.tar.gz.sig
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
-DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
-QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
-shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
-QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
-hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
-kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
-0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
-TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
-AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
-7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
-CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
-=rNMW
------END PGP SIGNATURE-----
diff --git a/chrony-4.2.tar.gz b/chrony-4.2.tar.gz
new file mode 100644
index 0000000..2bc8596
--- /dev/null
+++ b/chrony-4.2.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:273f9fd15c328ed6f3a5f6ba6baec35a421a34a73bb725605329b1712048db9a
+size 578411
diff --git a/chrony-4.2.tar.gz.sig b/chrony-4.2.tar.gz.sig
new file mode 100644
index 0000000..b63b0bd
--- /dev/null
+++ b/chrony-4.2.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
+Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
+NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
+CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
+R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
+ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
+TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
+2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
+cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
+QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
+9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
+2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
+=F4BS
+-----END PGP SIGNATURE-----
diff --git a/chrony-htonl.patch b/chrony-htonl.patch
new file mode 100644
index 0000000..6274992
--- /dev/null
+++ b/chrony-htonl.patch
@@ -0,0 +1,11 @@
+--- test/unit/util.c.orig
++++ test/unit/util.c
+@@ -533,7 +533,7 @@ test_unit(void)
+ #else
+ TEST_CHECK(tspec.tv_sec_high == htonl(TV_NOHIGHSEC));
+ #endif
+- TEST_CHECK(tspec.tv_sec_low == htonl(ts.tv_sec));
++ TEST_CHECK(tspec.tv_sec_low == htonl((uint32_t) ts.tv_sec));
+ TEST_CHECK(tspec.tv_nsec == htonl(ts.tv_nsec));
+ UTI_TimespecNetworkToHost(&tspec, &ts2);
+ TEST_CHECK(!UTI_CompareTimespecs(&ts, &ts2));
diff --git a/chrony-refid-internal-md5.patch b/chrony-refid-internal-md5.patch
deleted file mode 100644
index f4747c4..0000000
--- a/chrony-refid-internal-md5.patch
+++ /dev/null
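Review bot: chrony-htonl.patch is added without any header, so nothing in the patch file itself says why `ts.tv_sec` is cast to `uint32_t` in the `tv_sec_low` check of test_unit(). The reason is recorded only in chrony.changes; I would repeat it at the top of the patch, e.g. `Work around undocumented behaviour of htonl() in older glibc (SLE-12) on 64-bit big-endian (s390x); affects the unit test only.`, together with its upstream status. The neighbouring `htonl(ts.tv_nsec)` check is left uncast, presumably because tv_nsec always fits in 32 bits, and a word on that in the header would save the next reader the question. test_unit() starts and ends outside the hunk.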
@@ -1,45 +0,0 @@
---- util.c.orig
-+++ util.c
-@@ -32,7 +32,13 @@
- #include "logging.h"
- #include "memory.h"
- #include "util.h"
--#include "hash.h"
-+/*
-+ * We use the internal MD5 implementation here to avoid trouble with
-+ * FIPS. This is OK, because MD5 is only being used for the non-crypto
-+ * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
-+ * as required by RFC 5905.
-+ */
-+#include "md5.c"
-
- #define NSEC_PER_SEC 1000000000
-
-@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
- uint32_t
- UTI_IPToRefid(const IPAddr *ip)
- {
-- static int MD5_hash = -1;
-- unsigned char buf[16];
-+ MD5_CTX ctx;
-+ unsigned char *buf = &ctx.digest;
-
- switch (ip->family) {
- case IPADDR_INET4:
- return ip->addr.in4;
- case IPADDR_INET6:
-- if (MD5_hash < 0)
-- MD5_hash = HSH_GetHashId(HSH_MD5);
--
-- if (MD5_hash < 0 ||
-- HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
-- NULL, 0, buf, sizeof (buf)) != sizeof (buf))
-- LOG_FATAL("Could not get MD5");
--
-+ MD5Init(&ctx);
-+ MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
-+ sizeof(ip->addr.in6));
-+ MD5Final(&ctx);
- return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
- }
- return 0;
diff --git a/chrony-service-helper.patch b/chrony-service-helper.patch
index 0aa7599..f5ad63b 100644
--- a/chrony-service-helper.patch
+++ b/chrony-service-helper.patch
@@ -1,12 +1,10 @@ -diff -burNE chrony-3.5_orig/examples/chronyd.service chrony-3.5/examples/chronyd.service ---- chrony-3.5_orig/examples/chronyd.service 2019-10-19 10:20:18.421076350 +0200 -+++ chrony-3.5/examples/chronyd.service 2019-10-19 10:23:20.521233091 +0200 -@@ -10,6 +10,7 @@ +--- examples/chronyd.service.orig ++++ examples/chronyd.service +@@ -10,6 +10,7 @@ Type=forking PIDFile=/run/chrony/chronyd.pid EnvironmentFile=-/etc/sysconfig/chronyd ExecStart=/usr/sbin/chronyd $OPTIONS +ExecStartPost=@CHRONY_HELPER@ update-daemon - PrivateTmp=yes - ProtectHome=yes - ProtectSystem=full - + + CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE + CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE diff --git a/chrony.changes b/chrony.changes index 6c12cb9..12563fa 100644 --- a/chrony.changes +++ b/chrony.changes 
@@ -1,3 +1,46 @@ +------------------------------------------------------------------- +Thu Dec 16 16:47:08 UTC 2021 - Reinhard Max + +- Update to 4.2 + * Add support for NTPv4 extension field improving synchronisation + stability and resolution of root delay and dispersion + (experimental) + * Add support for NTP over PTP (experimental) + * Add support for AES-CMAC and hash functions in GnuTLS + * Improve server interleaved mode to be more reliable and support + multiple clients behind NAT + * Update seccomp filter + * Fix RTC support with 64-bit time_t on 32-bit Linux + * Fix seccomp filter to work correctly with bind*device directives +- Obsoleted patches: + * chrony-refid-internal-md5.patch + * harden_chrony-wait.service.patch + * harden_chronyd.service.patch +- Update clknetsim to snapshot 470b5e9. + +------------------------------------------------------------------- +Tue Dec 7 10:08:53 UTC 2021 - Reinhard Max + +- Add chrony-htonl.patch to work around undocumented behaviour of + htonl() in older glibc versions (SLE-12) on 64 bit big endian + architectures (s390x). + +------------------------------------------------------------------- +Fri Nov 19 16:39:44 UTC 2021 - Reinhard Max + +- SLE bugs that have been fixed in openSUSE up to this point + without explicit references: bsc#1183783, bsc#1184400, + bsc#1171806, bsc#1161119, bsc#1159840. +- Obsoleted SLE patches: + * chrony-fix-open.patch + * chrony-gettimeofday.patch + * chrony-ntp-era-split.patch + * chrony-pidfile.patch + * chrony-select-timeout.patch + * chrony-urandom.patch + * chrony.sysconfig + * clknetsim-glibc-2.31.patch + ------------------------------------------------------------------- Fri Oct 8 14:52:41 UTC 2021 - Reinhard Max diff --git a/chrony.spec b/chrony.spec index 7e89201..d2c41ff 100644 --- a/chrony.spec +++ b/chrony.spec 
@@ -30,14 +30,14 @@ %bcond_without testsuite %define _systemdutildir %(pkg-config --variable systemdutildir systemd) -%global clknetsim_ver f89702d +%global clknetsim_ver 470b5e9 #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! %{defined _fillupdir} %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif %define chrony_helper %{_libexecdir}/chrony/helper Name: chrony -Version: 4.1 +Version: 4.2 Release: 0 Summary: System Clock Synchronization Client and Server License: GPL-2.0-only @@ -64,9 +64,7 @@ Patch0: chrony-config.patch Patch1: chrony-service-helper.patch Patch2: chrony-logrotate.patch Patch3: chrony-service-ordering.patch -Patch4: chrony-refid-internal-md5.patch -Patch5: harden_chrony-wait.service.patch -Patch6: harden_chronyd.service.patch +Patch7: chrony-htonl.patch BuildRequires: NetworkManager-devel BuildRequires: bison BuildRequires: findutils @@ -132,7 +130,7 @@ Provides: %name-pool-nonempty Conflicts: %name-pool Requires: %name = %version BuildArch: noarch -RemovePathPostfixes: .suse +Removepathpostfixes:.suse %description pool-suse This package configures chrony to use the SUSE NTP server pool by @@ -147,7 +145,7 @@ Conflicts: %name-pool Requires: %name = %version BuildArch: noarch Supplements: (chrony and branding-openSUSE) -RemovePathPostfixes: .opensuse +Removepathpostfixes:.opensuse %description pool-openSUSE This package configures chrony to use the openSUSE NTP server pool by @@ -161,7 +159,7 @@ Conflicts: %name-pool Requires: %name = %version BuildArch: noarch Supplements: (chrony and branding-SLE) -RemovePathPostfixes: .empty +Removepathpostfixes:.empty %description pool-empty This package provides an empty /etc/chrony.d/pool.conf file for 
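Review bot: Dropping `Patch5: harden_chrony-wait.service.patch` and `Patch6: harden_chronyd.service.patch` here (and their `%patch5`/`%patch6` lines in the %prep hunk) removes the packaged sandboxing directives, and nothing visible in this diff shows that chrony 4.2 ships equivalents for chrony-wait.service. The rebased chrony-service-helper.patch context shows upstream `CapabilityBoundingSet=` lines in chronyd.service, so that unit is probably covered, but the deleted chrony-wait patch set `ProtectSystem=full`, `PrivateDevices=true`, `ProtectClock=true` and others. Before merging I would compare both installed unit files against the two deleted patches (for instance with `systemd-analyze security chrony-wait.service`) and record the outcome in chrony.changes.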
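Review bot: `Removepathpostfixes:.suse` in the pool-suse subpackage, and the same rewrite for `.opensuse` and `.empty` in the two following hunks, loses the conventional tag spelling and the space after the colon; it looks like an accidental tool rewrite rather than an intended change. rpm should still accept it, since preamble tags are matched case-insensitively, but I would restore `RemovePathPostfixes: .suse` so the tag stays greppable and consistent with the other tags in the file.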
@@ -173,12 +171,10 @@ e.g. because the servers will be set via DHCP. %prep %setup -q -a 10 %patch0 -p1 -%patch1 -p1 +%patch1 %patch2 -p1 %patch3 -%patch4 -%patch5 -p1 -%patch6 +%patch7 # Remove pool statements from the default /etc/chrony.conf. They will # be provided by branding packages in /etc/chrony.d/pool.conf . diff --git a/clknetsim-470b5e9.tar.gz b/clknetsim-470b5e9.tar.gz new file mode 100644 index 0000000..d1a722a --- /dev/null +++ b/clknetsim-470b5e9.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92fe0052f9e2369f9a2a2565fe1d681d18ef27ad1e85ce542cc089b833977750 +size 48016 diff --git a/clknetsim-f89702d.tar.gz b/clknetsim-f89702d.tar.gz deleted file mode 100644 index 4c13857..0000000 --- a/clknetsim-f89702d.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0aaa98b344b3cfc3cc94ef39a1793a78ee4cf11f669c2890c7a38621ec29cf22 -size 46889 diff --git a/harden_chrony-wait.service.patch b/harden_chrony-wait.service.patch deleted file mode 100644 index 5d103d7..0000000 --- a/harden_chrony-wait.service.patch +++ /dev/null @@ -1,24 +0,0 @@ -Index: chrony-4.1/examples/chrony-wait.service -=================================================================== ---- chrony-4.1.orig/examples/chrony-wait.service -+++ chrony-4.1/examples/chrony-wait.service -@@ -7,6 +7,19 @@ Before=time-sync.target - Wants=time-sync.target - - [Service] -+# added automatically, for details please see -+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort -+ProtectSystem=full -+ProtectHome=true -+PrivateDevices=true -+ProtectHostname=true -+ProtectClock=true -+ProtectKernelTunables=true -+ProtectKernelModules=true -+ProtectKernelLogs=true -+ProtectControlGroups=true -+RestrictRealtime=true -+# end of automatic additions - Type=oneshot - # Wait for chronyd to update the clock and the remaining - # correction to be less than 0.1 seconds 
diff --git a/harden_chronyd.service.patch b/harden_chronyd.service.patch
deleted file mode 100644
index fc606be..0000000
--- a/harden_chronyd.service.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- examples/chronyd.service.orig
-+++ examples/chronyd.service
-@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae
- PrivateTmp=yes
- ProtectHome=yes
- ProtectSystem=full
-+# added automatically, for details please see
-+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
-+ProtectHostname=true
-+ProtectKernelModules=true
-+ProtectKernelLogs=true
-+ProtectControlGroups=true
-+DeviceAllow=char-rtc
-+DeviceAllow=char-ptp
-+# end of automatic additions
-
- [Install]
- WantedBy=multi-user.target