- Update to 4.2

* Add support for NTPv4 extension field improving synchronisation stability and resolution of root delay and dispersion (experimental) * Add support for NTP over PTP (experimental) * Add support for AES-CMAC and hash functions in GnuTLS * Improve server interleaved mode to be more reliable and support multiple clients behind NAT * Update seccomp filter * Fix RTC support with 64-bit time_t on 32-bit Linux * Fix seccomp filter to work correctly with bind*device directives - Obsoleted patches: * chrony-refid-internal-md5.patch * harden_chrony-wait.service.patch * harden_chronyd.service.patch - Update clknetsim to snapshot 470b5e9. - Add chrony-htonl.patch to work around undocumented behaviour of htonl() in older glibc versions (SLE-12) on 64 bit big endian architectures (s390x). - SLE bugs that have been fixed in openSUSE up to this point without explicit references: bsc#1183783, bsc#1184400, bsc#1171806, bsc#1161119, bsc#1159840. - Obsoleted SLE patches: * chrony-fix-open.patch * chrony-gettimeofday.patch * chrony-ntp-era-split.patch * chrony-pidfile.patch * chrony-select-timeout.patch OBS-URL: https://build.opensuse.org/package/show/network:time/chrony?expand=0&rev=106
2021-12-16 18:15:17 +00:00 · 2021-12-16 18:15:17 +00:00 · 8d76d55b2f
commit 8d76d55b2f
parent 902146d99c
13 changed files with 90 additions and 129 deletions
--- a/chrony-4.1.tar.gz
+++ b/chrony-4.1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ed76f2d3f9347ac6221a91ad4bd553dd0565ac188cd7490d0801d08f7171164c
 size 564648
--- a/chrony-4.1.tar.gz.sig
+++ b/chrony-4.1.tar.gz.sig
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
 DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
 QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
 shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
 QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
 hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
 kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
 0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
 TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
 AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
 7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
 CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
 =rNMW
 -----END PGP SIGNATURE-----
--- a/chrony-4.2.tar.gz
+++ b/chrony-4.2.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:273f9fd15c328ed6f3a5f6ba6baec35a421a34a73bb725605329b1712048db9a
 size 578411
--- a/chrony-4.2.tar.gz.sig
+++ b/chrony-4.2.tar.gz.sig
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
 Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
 NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
 CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
 R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
 ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
 TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
 2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
 cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
 QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
 9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
 2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
 =F4BS
 -----END PGP SIGNATURE-----
--- a/chrony-htonl.patch
+++ b/chrony-htonl.patch
@ -0,0 +1,11 @@
 --- test/unit/util.c.orig
 +++ test/unit/util.c
@@ -533,7 +533,7 @@ test_unit(void)
 #else
   TEST_CHECK(tspec.tv_sec_high == htonl(TV_NOHIGHSEC));
 #endif
 -  TEST_CHECK(tspec.tv_sec_low == htonl(ts.tv_sec));
 +  TEST_CHECK(tspec.tv_sec_low == htonl((uint32_t) ts.tv_sec));
   TEST_CHECK(tspec.tv_nsec == htonl(ts.tv_nsec));
   UTI_TimespecNetworkToHost(&tspec, &ts2);
   TEST_CHECK(!UTI_CompareTimespecs(&ts, &ts2));
--- a/chrony-refid-internal-md5.patch
+++ b/chrony-refid-internal-md5.patch
@ -1,45 +0,0 @@
 --- util.c.orig
 +++ util.c
@@ -32,7 +32,13 @@
 #include "logging.h"
 #include "memory.h"
 #include "util.h"
 -#include "hash.h"
 +/*
 + * We use the internal MD5 implementation here to avoid trouble with
 + * FIPS. This is OK, because MD5 is only being used for the non-crypto
 + * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
 + * as required by RFC 5905.
 + */
 +#include "md5.c"
 #define NSEC_PER_SEC 1000000000
@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
 uint32_t
 UTI_IPToRefid(const IPAddr *ip)
 {
 -  static int MD5_hash = -1;
 -  unsigned char buf[16];
 +  MD5_CTX ctx;
 +  unsigned char *buf = &ctx.digest;
   switch (ip->family) {
     case IPADDR_INET4:
       return ip->addr.in4;
     case IPADDR_INET6:
 -      if (MD5_hash < 0)
 -        MD5_hash = HSH_GetHashId(HSH_MD5);
 -
 -      if (MD5_hash < 0 ||
 -          HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
 -                   NULL, 0, buf, sizeof (buf)) != sizeof (buf))
 -        LOG_FATAL("Could not get MD5");
 -
 +      MD5Init(&ctx);
 +      MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
 +                     sizeof(ip->addr.in6));
 +      MD5Final(&ctx);
       return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
   }
   return 0;
--- a/chrony-service-helper.patch
+++ b/chrony-service-helper.patch
@ -1,12 +1,10 @@
-diff -burNE chrony-3.5_orig/examples/chronyd.service chrony-3.5/examples/chronyd.service
+--- examples/chronyd.service.orig
--- chrony-3.5_orig/examples/chronyd.service	2019-10-19 10:20:18.421076350 +0200
+++ examples/chronyd.service
-+++ chrony-3.5/examples/chronyd.service	2019-10-19 10:23:20.521233091 +0200
+@@ -10,6 +10,7 @@ Type=forking
@@ -10,6 +10,7 @@
 PIDFile=/run/chrony/chronyd.pid
 EnvironmentFile=-/etc/sysconfig/chronyd
 ExecStart=/usr/sbin/chronyd $OPTIONS
 +ExecStartPost=@CHRONY_HELPER@ update-daemon
- PrivateTmp=yes
+ 
- ProtectHome=yes
+ CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
- ProtectSystem=full
+ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
--- a/chrony.changes
+++ b/chrony.changes
@ -1,3 +1,46 @@
 -------------------------------------------------------------------
 Thu Dec 16 16:47:08 UTC 2021 - Reinhard Max <max@suse.com>
 - Update to 4.2
  * Add support for NTPv4 extension field improving synchronisation
    stability and resolution of root delay and dispersion
    (experimental)
  * Add support for NTP over PTP (experimental)
  * Add support for AES-CMAC and hash functions in GnuTLS
  * Improve server interleaved mode to be more reliable and support
    multiple clients behind NAT
  * Update seccomp filter
  * Fix RTC support with 64-bit time_t on 32-bit Linux
  * Fix seccomp filter to work correctly with bind*device directives
 - Obsoleted patches:
  * chrony-refid-internal-md5.patch
  * harden_chrony-wait.service.patch
  * harden_chronyd.service.patch
 - Update clknetsim to snapshot 470b5e9.
 -------------------------------------------------------------------
 Tue Dec  7 10:08:53 UTC 2021 - Reinhard Max <max@suse.com>
 - Add chrony-htonl.patch to work around undocumented behaviour of
  htonl() in older glibc versions (SLE-12) on 64 bit big endian
  architectures (s390x).
 -------------------------------------------------------------------
 Fri Nov 19 16:39:44 UTC 2021 - Reinhard Max <max@suse.com>
 - SLE bugs that have been fixed in openSUSE up to this point
  without explicit references: bsc#1183783, bsc#1184400,
  bsc#1171806, bsc#1161119, bsc#1159840.
 - Obsoleted SLE patches:
  * chrony-fix-open.patch
  * chrony-gettimeofday.patch
  * chrony-ntp-era-split.patch
  * chrony-pidfile.patch
  * chrony-select-timeout.patch
  * chrony-urandom.patch
  * chrony.sysconfig
  * clknetsim-glibc-2.31.patch
 -------------------------------------------------------------------
 Fri Oct  8 14:52:41 UTC 2021 - Reinhard Max <max@suse.com>
--- a/chrony.spec
+++ b/chrony.spec
@ -30,14 +30,14 @@
 %bcond_without testsuite
 %define _systemdutildir %(pkg-config --variable systemdutildir systemd)
-%global clknetsim_ver f89702d
+%global clknetsim_ver 470b5e9
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
  %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
 %define chrony_helper %{_libexecdir}/chrony/helper
 Name:           chrony
-Version:        4.1
+Version:        4.2
 Release:        0
 Summary:        System Clock Synchronization Client and Server
 License:        GPL-2.0-only
@ -64,9 +64,7 @@ Patch0:         chrony-config.patch
 Patch1:         chrony-service-helper.patch
 Patch2:         chrony-logrotate.patch
 Patch3:         chrony-service-ordering.patch
-Patch4:         chrony-refid-internal-md5.patch
+Patch7:         chrony-htonl.patch
 Patch5:         harden_chrony-wait.service.patch
 Patch6:         harden_chronyd.service.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  bison
 BuildRequires:  findutils
@ -132,7 +130,7 @@ Provides:       %name-pool-nonempty
 Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
-RemovePathPostfixes: .suse
+Removepathpostfixes:.suse
 %description pool-suse
 This package configures chrony to use the SUSE NTP server pool by
@ -147,7 +145,7 @@ Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
 Supplements:    (chrony and branding-openSUSE)
-RemovePathPostfixes: .opensuse
+Removepathpostfixes:.opensuse
 %description pool-openSUSE
 This package configures chrony to use the openSUSE NTP server pool by
@ -161,7 +159,7 @@ Conflicts:      %name-pool
 Requires:       %name = %version
 BuildArch:      noarch
 Supplements:    (chrony and branding-SLE)
-RemovePathPostfixes: .empty
+Removepathpostfixes:.empty
 %description pool-empty
 This package provides an empty /etc/chrony.d/pool.conf file for
@ -173,12 +171,10 @@ e.g. because the servers will be set via DHCP.
 %prep
 %setup -q -a 10
 %patch0 -p1
-%patch1 -p1
+%patch1
 %patch2 -p1
 %patch3
-%patch4
+%patch7
 %patch5 -p1
 %patch6
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .
--- a/clknetsim-470b5e9.tar.gz
+++ b/clknetsim-470b5e9.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:92fe0052f9e2369f9a2a2565fe1d681d18ef27ad1e85ce542cc089b833977750
 size 48016
--- a/clknetsim-f89702d.tar.gz
+++ b/clknetsim-f89702d.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:0aaa98b344b3cfc3cc94ef39a1793a78ee4cf11f669c2890c7a38621ec29cf22
 size 46889
--- a/harden_chrony-wait.service.patch
+++ b/harden_chrony-wait.service.patch
@ -1,24 +0,0 @@
 Index: chrony-4.1/examples/chrony-wait.service
 ===================================================================
 --- chrony-4.1.orig/examples/chrony-wait.service
 +++ chrony-4.1/examples/chrony-wait.service
@@ -7,6 +7,19 @@ Before=time-sync.target
 Wants=time-sync.target
 [Service]
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectSystem=full
 +ProtectHome=true
 +PrivateDevices=true
 +ProtectHostname=true
 +ProtectClock=true
 +ProtectKernelTunables=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +RestrictRealtime=true
 +# end of automatic additions 
 Type=oneshot
 # Wait for chronyd to update the clock and the remaining
 # correction to be less than 0.1 seconds
--- a/harden_chronyd.service.patch
+++ b/harden_chronyd.service.patch
@ -1,18 +0,0 @@
 --- examples/chronyd.service.orig
 +++ examples/chronyd.service
@@ -18,6 +18,15 @@ ExecStartPost=@CHRONY_HELPER@ update-dae
 PrivateTmp=yes
 ProtectHome=yes
 ProtectSystem=full
 +# added automatically, for details please see
 +# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
 +ProtectHostname=true
 +ProtectKernelModules=true
 +ProtectKernelLogs=true
 +ProtectControlGroups=true
 +DeviceAllow=char-rtc
 +DeviceAllow=char-ptp
 +# end of automatic additions 
 [Install]
 WantedBy=multi-user.target