NEWS revision 1.1.1.3.4.1
1 --- 2 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 3 4 Focus: Security and Bug fixes, enhancements. 5 6 Severity: HIGH 7 8 In addition to bug fixes and enhancements, this release fixes the 9 following high-severity vulnerabilities: 10 11 * Weak default key in config_auth(). 12 13 References: [Sec 2665] / CVE-2014-9293 / VU#852879 14 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 15 Vulnerable Versions: all releases prior to 4.2.7p11 16 Date Resolved: 28 Jan 2010 17 18 Summary: If no 'auth' key is set in the configuration file, ntpd 19 would generate a random key on the fly. There were two 20 problems with this: 1) the generated key was 31 bits in size, 21 and 2) it used the (now weak) ntp_random() function, which was 22 seeded with a 32-bit value and could only provide 32 bits of 23 entropy. This was sufficient back in the late 1990s when the 24 code was written. Not today. 25 26 Mitigation: Upgrade to 4.2.7p11 or later. 27 28 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 29 of the Google Security Team. 30 31 * Non-cryptographic random number generator with weak seed used by 32 ntp-keygen to generate symmetric keys. 33 34 References: [Sec 2666] / CVE-2014-9294 / VU#852879 35 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 36 Vulnerable Versions: All NTP4 releases before 4.2.7p230 37 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 38 39 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 40 prepare a random number generator that was of good quality back 41 in the late 1990s. The random numbers produced was then used to 42 generate symmetric keys. In ntp-4.2.8 we use a current-technology 43 cryptographic random number generator, either RAND_bytes from 44 OpenSSL, or arc4random(). 45 46 Mitigation: Upgrade to 4.2.7p230 or later. 47 48 Credit: This vulnerability was discovered in ntp-4.2.6 by 49 Stephen Roettger of the Google Security Team. 50 51 * Buffer overflow in crypto_recv() 52 53 References: Sec 2667 / CVE-2014-9295 / VU#852879 54 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 55 Versions: All releases before 4.2.8 56 Date Resolved: Stable (4.2.8) 18 Dec 2014 57 58 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 59 file contains a 'crypto pw ...' directive) a remote attacker 60 can send a carefully crafted packet that can overflow a stack 61 buffer and potentially allow malicious code to be executed 62 with the privilege level of the ntpd process. 63 64 Mitigation: Upgrade to 4.2.8, or later, or 65 Disable Autokey Authentication by removing, or commenting out, 66 all configuration directives beginning with the crypto keyword 67 in your ntp.conf file. 68 69 Credit: This vulnerability was discovered by Stephen Roettger of the 70 Google Security Team. 71 72 * Buffer overflow in ctl_putdata() 73 74 References: Sec 2668 / CVE-2014-9295 / VU#852879 75 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 76 Versions: All NTP4 releases before 4.2.8 77 Date Resolved: Stable (4.2.8) 18 Dec 2014 78 79 Summary: A remote attacker can send a carefully crafted packet that 80 can overflow a stack buffer and potentially allow malicious 81 code to be executed with the privilege level of the ntpd process. 82 83 Mitigation: Upgrade to 4.2.8, or later. 84 85 Credit: This vulnerability was discovered by Stephen Roettger of the 86 Google Security Team. 87 88 * Buffer overflow in configure() 89 90 References: Sec 2669 / CVE-2014-9295 / VU#852879 91 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 92 Versions: All NTP4 releases before 4.2.8 93 Date Resolved: Stable (4.2.8) 18 Dec 2014 94 95 Summary: A remote attacker can send a carefully crafted packet that 96 can overflow a stack buffer and potentially allow malicious 97 code to be executed with the privilege level of the ntpd process. 98 99 Mitigation: Upgrade to 4.2.8, or later. 100 101 Credit: This vulnerability was discovered by Stephen Roettger of the 102 Google Security Team. 103 104 * receive(): missing return on error 105 106 References: Sec 2670 / CVE-2014-9296 / VU#852879 107 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 108 Versions: All NTP4 releases before 4.2.8 109 Date Resolved: Stable (4.2.8) 18 Dec 2014 110 111 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 112 the code path where an error was detected, which meant 113 processing did not stop when a specific rare error occurred. 114 We haven't found a way for this bug to affect system integrity. 115 If there is no way to affect system integrity the base CVSS 116 score for this bug is 0. If there is one avenue through which 117 system integrity can be partially affected, the base score 118 becomes a 5. If system integrity can be partially affected 119 via all three integrity metrics, the CVSS base score become 7.5. 120 121 Mitigation: 122 Upgrade to 4.2.8, or later, 123 or Remove or comment out all configuration directives 124 beginning with the crypto keyword in your ntp.conf file. 125 126 Credit: This vulnerability was discovered by Stephen Roettger of the 127 Google Security Team. 128 129 See http://support.ntp.org/security for more information. 130 131 New features / changes in this release: 132 133 Important Changes 134 135 * Internal NTP Era counters 136 137 The internal counters that track the "era" (range of years) we are in 138 rolls over every 136 years'. The current "era" started at the stroke of 139 midnight on 1 Jan 1900, and ends just before the stroke of midnight on 140 1 Jan 2036. 141 In the past, we have used the "midpoint" of the range to decide which 142 era we were in. Given the longevity of some products, it became clear 143 that it would be more functional to "look back" less, and "look forward" 144 more. We now compile a timestamp into the ntpd executable and when we 145 get a timestamp we us the "built-on" to tell us what era we are in. 146 This check "looks back" 10 years, and "looks forward" 126 years. 147 148 * ntpdc responses disabled by default 149 150 Dave Hart writes: 151 152 For a long time, ntpq and its mostly text-based mode 6 (control) 153 protocol have been preferred over ntpdc and its mode 7 (private 154 request) protocol for runtime queries and configuration. There has 155 been a goal of deprecating ntpdc, previously held back by numerous 156 capabilities exposed by ntpdc with no ntpq equivalent. I have been 157 adding commands to ntpq to cover these cases, and I believe I've 158 covered them all, though I've not compared command-by-command 159 recently. 160 161 As I've said previously, the binary mode 7 protocol involves a lot of 162 hand-rolled structure layout and byte-swapping code in both ntpd and 163 ntpdc which is hard to get right. As ntpd grows and changes, the 164 changes are difficult to expose via ntpdc while maintaining forward 165 and backward compatibility between ntpdc and ntpd. In contrast, 166 ntpq's text-based, label=value approach involves more code reuse and 167 allows compatible changes without extra work in most cases. 168 169 Mode 7 has always been defined as vendor/implementation-specific while 170 mode 6 is described in RFC 1305 and intended to be open to interoperate 171 with other implementations. There is an early draft of an updated 172 mode 6 description that likely will join the other NTPv4 RFCs 173 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 174 175 For these reasons, ntpd 4.2.7p230 by default disables processing of 176 ntpdc queries, reducing ntpd's attack surface and functionally 177 deprecating ntpdc. If you are in the habit of using ntpdc for certain 178 operations, please try the ntpq equivalent. If there's no equivalent, 179 please open a bug report at http://bugs.ntp.org./ 180 181 In addition to the above, over 1100 issues have been resolved between 182 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 183 lists these. 184 185 --- 186 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 187 188 Focus: Bug fixes 189 190 Severity: Medium 191 192 This is a recommended upgrade. 193 194 This release updates sys_rootdisp and sys_jitter calculations to match the 195 RFC specification, fixes a potential IPv6 address matching error for the 196 "nic" and "interface" configuration directives, suppresses the creation of 197 extraneous ephemeral associations for certain broadcastclient and 198 multicastclient configurations, cleans up some ntpq display issues, and 199 includes improvements to orphan mode, minor bugs fixes and code clean-ups. 200 201 New features / changes in this release: 202 203 ntpd 204 205 * Updated "nic" and "interface" IPv6 address handling to prevent 206 mismatches with localhost [::1] and wildcard [::] which resulted from 207 using the address/prefix format (e.g. fe80::/64) 208 * Fix orphan mode stratum incorrectly counting to infinity 209 * Orphan parent selection metric updated to includes missing ntohl() 210 * Non-printable stratum 16 refid no longer sent to ntp 211 * Duplicate ephemeral associations suppressed for broadcastclient and 212 multicastclient without broadcastdelay 213 * Exclude undetermined sys_refid from use in loopback TEST12 214 * Exclude MODE_SERVER responses from KoD rate limiting 215 * Include root delay in clock_update() sys_rootdisp calculations 216 * get_systime() updated to exclude sys_residual offset (which only 217 affected bits "below" sys_tick, the precision threshold) 218 * sys.peer jitter weighting corrected in sys_jitter calculation 219 220 ntpq 221 222 * -n option extended to include the billboard "server" column 223 * IPv6 addresses in the local column truncated to prevent overruns 224 225 --- 226 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 227 228 Focus: Bug fixes and portability improvements 229 230 Severity: Medium 231 232 This is a recommended upgrade. 233 234 This release includes build infrastructure updates, code 235 clean-ups, minor bug fixes, fixes for a number of minor 236 ref-clock issues, and documentation revisions. 237 238 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 239 240 New features / changes in this release: 241 242 Build system 243 244 * Fix checking for struct rtattr 245 * Update config.guess and config.sub for AIX 246 * Upgrade required version of autogen and libopts for building 247 from our source code repository 248 249 ntpd 250 251 * Back-ported several fixes for Coverity warnings from ntp-dev 252 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 253 * Allow "logconfig =allall" configuration directive 254 * Bind tentative IPv6 addresses on Linux 255 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 256 * Improved tally bit handling to prevent incorrect ntpq peer status reports 257 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 258 candidate list unless they are designated a "prefer peer" 259 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 260 selection during the 'tos orphanwait' period 261 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 262 drivers 263 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 264 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 265 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 266 clock slew on Microsoft Windows 267 * Code cleanup in libntpq 268 269 ntpdc 270 271 * Fix timerstats reporting 272 273 ntpdate 274 275 * Reduce time required to set clock 276 * Allow a timeout greater than 2 seconds 277 278 sntp 279 280 * Backward incompatible command-line option change: 281 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 282 283 Documentation 284 285 * Update html2man. Fix some tags in the .html files 286 * Distribute ntp-wait.html 287 288 --- 289 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03) 290 291 Focus: Bug fixes and portability improvements 292 293 Severity: Medium 294 295 This is a recommended upgrade. 296 297 This release includes build infrastructure updates, code 298 clean-ups, minor bug fixes, fixes for a number of minor 299 ref-clock issues, and documentation revisions. 300 301 Portability improvements in this release affect AIX, Atari FreeMiNT, 302 FreeBSD4, Linux and Microsoft Windows. 303 304 New features / changes in this release: 305 306 Build system 307 * Use lsb_release to get information about Linux distributions. 308 * 'test' is in /usr/bin (instead of /bin) on some systems. 309 * Basic sanity checks for the ChangeLog file. 310 * Source certain build files with ./filename for systems without . in PATH. 311 * IRIX portability fix. 312 * Use a single copy of the "libopts" code. 313 * autogen/libopts upgrade. 314 * configure.ac m4 quoting cleanup. 315 316 ntpd 317 * Do not bind to IN6_IFF_ANYCAST addresses. 318 * Log the reason for exiting under Windows. 319 * Multicast fixes for Windows. 320 * Interpolation fixes for Windows. 321 * IPv4 and IPv6 Multicast fixes. 322 * Manycast solicitation fixes and general repairs. 323 * JJY refclock cleanup. 324 * NMEA refclock improvements. 325 * Oncore debug message cleanup. 326 * Palisade refclock now builds under Linux. 327 * Give RAWDCF more baud rates. 328 * Support Truetime Satellite clocks under Windows. 329 * Support Arbiter 1093C Satellite clocks under Windows. 330 * Make sure that the "filegen" configuration command defaults to "enable". 331 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 332 * Prohibit 'includefile' directive in remote configuration command. 333 * Fix 'nic' interface bindings. 334 * Fix the way we link with openssl if openssl is installed in the base 335 system. 336 337 ntp-keygen 338 * Fix -V coredump. 339 * OpenSSL version display cleanup. 340 341 ntpdc 342 * Many counters should be treated as unsigned. 343 344 ntpdate 345 * Do not ignore replies with equal receive and transmit timestamps. 346 347 ntpq 348 * libntpq warning cleanup. 349 350 ntpsnmpd 351 * Correct SNMP type for "precision" and "resolution". 352 * Update the MIB from the draft version to RFC-5907. 353 354 sntp 355 * Display timezone offset when showing time for sntp in the local 356 timezone. 357 * Pay proper attention to RATE KoD packets. 358 * Fix a miscalculation of the offset. 359 * Properly parse empty lines in the key file. 360 * Logging cleanup. 361 * Use tv_usec correctly in set_time(). 362 * Documentation cleanup. 363 364 --- 365 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08) 366 367 Focus: Bug fixes and portability improvements 368 369 Severity: Medium 370 371 This is a recommended upgrade. 372 373 This release includes build infrastructure updates, code 374 clean-ups, minor bug fixes, fixes for a number of minor 375 ref-clock issues, improved KOD handling, OpenSSL related 376 updates and documentation revisions. 377 378 Portability improvements in this release affect Irix, Linux, 379 Mac OS, Microsoft Windows, OpenBSD and QNX6 380 381 New features / changes in this release: 382 383 ntpd 384 * Range syntax for the trustedkey configuration directive 385 * Unified IPv4 and IPv6 restrict lists 386 387 ntpdate 388 * Rate limiting and KOD handling 389 390 ntpsnmpd 391 * default connection to net-snmpd via a unix-domain socket 392 * command-line 'socket name' option 393 394 ntpq / ntpdc 395 * support for the "passwd ..." syntax 396 * key-type specific password prompts 397 398 sntp 399 * MD5 authentication of an ntpd 400 * Broadcast and crypto 401 * OpenSSL support 402 403 --- 404 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09) 405 406 Focus: Bug fixes, portability fixes, and documentation improvements 407 408 Severity: Medium 409 410 This is a recommended upgrade. 411 412 --- 413 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 414 415 Focus: enhancements and bug fixes. 416 417 --- 418 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 419 420 Focus: Security Fixes 421 422 Severity: HIGH 423 424 This release fixes the following high-severity vulnerability: 425 426 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 427 428 See http://support.ntp.org/security for more information. 429 430 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 431 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 432 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 433 request or a mode 7 error response from an address which is not listed 434 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 435 reply with a mode 7 error response (and log a message). In this case: 436 437 * If an attacker spoofs the source address of ntpd host A in a 438 mode 7 response packet sent to ntpd host B, both A and B will 439 continuously send each other error responses, for as long as 440 those packets get through. 441 442 * If an attacker spoofs an address of ntpd host A in a mode 7 443 response packet sent to ntpd host A, A will respond to itself 444 endlessly, consuming CPU and logging excessively. 445 446 Credit for finding this vulnerability goes to Robin Park and Dmitri 447 Vinokurov of Alcatel-Lucent. 448 449 THIS IS A STRONGLY RECOMMENDED UPGRADE. 450 451 --- 452 ntpd now syncs to refclocks right away. 453 454 Backward-Incompatible changes: 455 456 ntpd no longer accepts '-v name' or '-V name' to define internal variables. 457 Use '--var name' or '--dvar name' instead. (Bug 817) 458 459 --- 460 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04) 461 462 Focus: Security and Bug Fixes 463 464 Severity: HIGH 465 466 This release fixes the following high-severity vulnerability: 467 468 * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 469 470 See http://support.ntp.org/security for more information. 471 472 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 473 line) then a carefully crafted packet sent to the machine will cause 474 a buffer overflow and possible execution of injected code, running 475 with the privileges of the ntpd process (often root). 476 477 Credit for finding this vulnerability goes to Chris Ries of CMU. 478 479 This release fixes the following low-severity vulnerabilities: 480 481 * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 482 Credit for finding this vulnerability goes to Geoff Keating of Apple. 483 484 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 485 Credit for finding this issue goes to Dave Hart. 486 487 This release fixes a number of bugs and adds some improvements: 488 489 * Improved logging 490 * Fix many compiler warnings 491 * Many fixes and improvements for Windows 492 * Adds support for AIX 6.1 493 * Resolves some issues under MacOS X and Solaris 494 495 THIS IS A STRONGLY RECOMMENDED UPGRADE. 496 497 --- 498 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07) 499 500 Focus: Security Fix 501 502 Severity: Low 503 504 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 505 the OpenSSL library relating to the incorrect checking of the return 506 value of EVP_VerifyFinal function. 507 508 Credit for finding this issue goes to the Google Security Team for 509 finding the original issue with OpenSSL, and to ocert.org for finding 510 the problem in NTP and telling us about it. 511 512 This is a recommended upgrade. 513 --- 514 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17) 515 516 Focus: Minor Bugfixes 517 518 This release fixes a number of Windows-specific ntpd bugs and 519 platform-independent ntpdate bugs. A logging bugfix has been applied 520 to the ONCORE driver. 521 522 The "dynamic" keyword and is now obsolete and deferred binding to local 523 interfaces is the new default. The minimum time restriction for the 524 interface update interval has been dropped. 525 526 A number of minor build system and documentation fixes are included. 527 528 This is a recommended upgrade for Windows. 529 530 --- 531 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10) 532 533 Focus: Minor Bugfixes 534 535 This release updates certain copyright information, fixes several display 536 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 537 shutdown in the parse refclock driver, removes some lint from the code, 538 stops accessing certain buffers immediately after they were freed, fixes 539 a problem with non-command-line specification of -6, and allows the loopback 540 interface to share addresses with other interfaces. 541 542 --- 543 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29) 544 545 Focus: Minor Bugfixes 546 547 This release fixes a bug in Windows that made it difficult to 548 terminate ntpd under windows. 549 This is a recommended upgrade for Windows. 550 551 --- 552 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19) 553 554 Focus: Minor Bugfixes 555 556 This release fixes a multicast mode authentication problem, 557 an error in NTP packet handling on Windows that could lead to 558 ntpd crashing, and several other minor bugs. Handling of 559 multicast interfaces and logging configuration were improved. 560 The required versions of autogen and libopts were incremented. 561 This is a recommended upgrade for Windows and multicast users. 562 563 --- 564 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31) 565 566 Focus: enhancements and bug fixes. 567 568 Dynamic interface rescanning was added to simplify the use of ntpd in 569 conjunction with DHCP. GNU AutoGen is used for its command-line options 570 processing. Separate PPS devices are supported for PARSE refclocks, MD5 571 signatures are now provided for the release files. Drivers have been 572 added for some new ref-clocks and have been removed for some older 573 ref-clocks. This release also includes other improvements, documentation 574 and bug fixes. 575 576 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 577 C support. 578 579 --- 580 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15) 581 582 Focus: enhancements and bug fixes. 583
Indexes created Mon Apr 20 00:23:12 UTC 2026