NEWS revision 1.1.1.1
1 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 2 3 Focus: Security Fixes 4 5 Severity: HIGH 6 7 This release fixes the following high-severity vulnerability: 8 9 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 10 11 See http://support.ntp.org/security for more information. 12 13 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 14 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 15 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 16 request or a mode 7 error response from an address which is not listed 17 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 18 reply with a mode 7 error response (and log a message). In this case: 19 20 * If an attacker spoofs the source address of ntpd host A in a 21 mode 7 response packet sent to ntpd host B, both A and B will 22 continuously send each other error responses, for as long as 23 those packets get through. 24 25 * If an attacker spoofs an address of ntpd host A in a mode 7 26 response packet sent to ntpd host A, A will respond to itself 27 endlessly, consuming CPU and logging excessively. 28 29 Credit for finding this vulnerability goes to Robin Park and Dmitri 30 Vinokurov of Alcatel-Lucent. 31 32 THIS IS A STRONGLY RECOMMENDED UPGRADE. 33 34 --- 35 ntpd now syncs to refclocks right away. 36 37 Backward-Incomatible changes: 38 39 ntpd no longer accepts '-v name' or '-V name' to define internal variables. 40 Use '--var name' or '--dvar name' instead. (Bug 817) 41 42 --- 43 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04) 44 45 Focus: Security and Bug Fixes 46 47 Severity: HIGH 48 49 This release fixes the following high-severity vulnerability: 50 51 * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 52 53 See http://support.ntp.org/security for more information. 54 55 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 56 line) then a carefully crafted packet sent to the machine will cause 57 a buffer overflow and possible execution of injected code, running 58 with the privileges of the ntpd process (often root). 59 60 Credit for finding this vulnerability goes to Chris Ries of CMU. 61 62 This release fixes the following low-severity vulnerabilities: 63 64 * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 65 Credit for finding this vulnerability goes to Geoff Keating of Apple. 66 67 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 68 Credit for finding this issue goes to Dave Hart. 69 70 This release fixes a number of bugs and adds some improvements: 71 72 * Improved logging 73 * Fix many compiler warnings 74 * Many fixes and improvements for Windows 75 * Adds support for AIX 6.1 76 * Resolves some issues under MacOS X and Solaris 77 78 THIS IS A STRONGLY RECOMMENDED UPGRADE. 79 80 --- 81 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07) 82 83 Focus: Security Fix 84 85 Severity: Low 86 87 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 88 the OpenSSL library relating to the incorrect checking of the return 89 value of EVP_VerifyFinal function. 90 91 Credit for finding this issue goes to the Google Security Team for 92 finding the original issue with OpenSSL, and to ocert.org for finding 93 the problem in NTP and telling us about it. 94 95 This is a recommended upgrade. 96 --- 97 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17) 98 99 Focus: Minor Bugfixes 100 101 This release fixes a number of Windows-specific ntpd bugs and 102 platform-independent ntpdate bugs. A logging bugfix has been applied 103 to the ONCORE driver. 104 105 The "dynamic" keyword and is now obsolete and deferred binding to local 106 interfaces is the new default. The minimum time restriction for the 107 interface update interval has been dropped. 108 109 A number of minor build system and documentation fixes are included. 110 111 This is a recommended upgrade for Windows. 112 113 --- 114 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10) 115 116 Focus: Minor Bugfixes 117 118 This release updates certain copyright information, fixes several display 119 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 120 shutdown in the parse refclock driver, removes some lint from the code, 121 stops accessing certain buffers immediately after they were freed, fixes 122 a problem with non-command-line specification of -6, and allows the loopback 123 interface to share addresses with other interfaces. 124 125 --- 126 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29) 127 128 Focus: Minor Bugfixes 129 130 This release fixes a bug in Windows that made it difficult to 131 terminate ntpd under windows. 132 This is a recommended upgrade for Windows. 133 134 --- 135 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19) 136 137 Focus: Minor Bugfixes 138 139 This release fixes a multicast mode authentication problem, 140 an error in NTP packet handling on Windows that could lead to 141 ntpd crashing, and several other minor bugs. Handling of 142 multicast interfaces and logging configuration were improved. 143 The required versions of autogen and libopts were incremented. 144 This is a recommended upgrade for Windows and multicast users. 145 146 --- 147 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31) 148 149 Focus: enhancements and bug fixes. 150 151 Dynamic interface rescanning was added to simplify the use of ntpd in 152 conjunction with DHCP. GNU AutoGen is used for its command-line options 153 processing. Separate PPS devices are supported for PARSE refclocks, MD5 154 signatures are now provided for the release files. Drivers have been 155 added for some new ref-clocks and have been removed for some older 156 ref-clocks. This release also includes other improvements, documentation 157 and bug fixes. 158 159 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 160 C support. 161 162 --- 163 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15) 164 165 Focus: enhancements and bug fixes. 166
Indexes created Mon Apr 20 00:23:12 UTC 2026