NEWS revision 1.1.1.8
1 --- 2 3 NTP 4.2.8p5 4 5 Focus: Security, Bug fixes, enhancements. 6 7 Severity: MEDIUM 8 9 In addition to bug fixes and enhancements, this release fixes the 10 following medium-severity vulnerability: 11 12 * Small-step/big-step. Close the panic gate earlier. 13 References: Sec 2956, CVE-2015-5300 14 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 15 4.3.0 up to, but not including 4.3.78 16 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM 17 Summary: If ntpd is always started with the -g option, which is 18 common and against long-standing recommendation, and if at the 19 moment ntpd is restarted an attacker can immediately respond to 20 enough requests from enough sources trusted by the target, which 21 is difficult and not common, there is a window of opportunity 22 where the attacker can cause ntpd to set the time to an 23 arbitrary value. Similarly, if an attacker is able to respond 24 to enough requests from enough sources trusted by the target, 25 the attacker can cause ntpd to abort and restart, at which 26 point it can tell the target to set the time to an arbitrary 27 value if and only if ntpd was re-started against long-standing 28 recommendation with the -g flag, or if ntpd was not given the 29 -g flag, the attacker can move the target system's time by at 30 most 900 seconds' time per attack. 31 Mitigation: 32 Configure ntpd to get time from multiple sources. 33 Upgrade to 4.2.8p5, or later, from the NTP Project Download 34 Page or the NTP Public Services Project Download Page 35 As we've long documented, only use the -g option to ntpd in 36 cold-start situations. 37 Monitor your ntpd instances. 38 Credit: This weakness was discovered by Aanchal Malhotra, 39 Isaac E. Cohen, and Sharon Goldberg at Boston University. 40 41 NOTE WELL: The -g flag disables the limit check on the panic_gate 42 in ntpd, which is 900 seconds by default. The bug identified by 43 the researchers at Boston University is that the panic_gate 44 check was only re-enabled after the first change to the system 45 clock that was greater than 128 milliseconds, by default. The 46 correct behavior is that the panic_gate check should be 47 re-enabled after any initial time correction. 48 49 If an attacker is able to inject consistent but erroneous time 50 responses to your systems via the network or "over the air", 51 perhaps by spoofing radio, cellphone, or navigation satellite 52 transmissions, they are in a great position to affect your 53 system's clock. There comes a point where your very best 54 defenses include: 55 56 Configure ntpd to get time from multiple sources. 57 Monitor your ntpd instances. 58 59 Other fixes: 60 61 * Coverity submission process updated from Coverity 5 to Coverity 7. 62 The NTP codebase has been undergoing regular Coverity scans on an 63 ongoing basis since 2006. As part of our recent upgrade from 64 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of 65 the newly-written Unity test programs. These were fixed. 66 * [Bug 2829] Look at pipe_fds in ntpd.c (did so. perlinger (a] ntp.org) 67 * [Bug 2887] stratum -1 config results as showing value 99 68 - fudge stratum should only accept values [0..16]. perlinger (a] ntp.org 69 * [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. 70 * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray 71 * [Bug 2944] errno is not preserved properly in ntpdate after sendto call. 72 - applied patch by Christos Zoulas. perlinger (a] ntp.org 73 * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. 74 * [Bug 2954] Version 4.2.8p4 crashes on startup with sig fault 75 - fixed data race conditions in threaded DNS worker. perlinger (a] ntp.org 76 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger (a] ntp.org 77 * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger (a] ntp.org 78 - accept key file only if there are no parsing errors 79 - fixed size_t/u_int format clash 80 - fixed wrong use of 'strlcpy' 81 * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. 82 * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger (a] ntp.org 83 - fixed several other warnings (cast-alignment, missing const, missing prototypes) 84 - promote use of 'size_t' for values that express a size 85 - use ptr-to-const for read-only arguments 86 - make sure SOCKET values are not truncated (win32-specific) 87 - format string fixes 88 * [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. 89 * [Bug 2967] ntpdate command suffers an assertion failure 90 - fixed ntp_rfc2553.c to return proper address length. perlinger (a] ntp.org 91 * [Bug 2969] Seg fault from ntpq/mrulist when looking at server with 92 lots of clients. perlinger (a] ntp.org 93 * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 94 - changed stacked/nested handling of CTRL-C. perlinger (a] ntp.org 95 * Unity cleanup for FreeBSD-6.4. Harlan Stenn. 96 * Unity test cleanup. Harlan Stenn. 97 * Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. 98 * Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. 99 * Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. 100 * Quiet a warning from clang. Harlan Stenn. 101 102 --- 103 NTP 4.2.8p4 104 105 Focus: Security, Bug fixes, enhancements. 106 107 Severity: MEDIUM 108 109 In addition to bug fixes and enhancements, this release fixes the 110 following 13 low- and medium-severity vulnerabilities: 111 112 * Incomplete vallen (value length) checks in ntp_crypto.c, leading 113 to potential crashes or potential code injection/information leakage. 114 115 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 116 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 117 and 4.3.0 up to, but not including 4.3.77 118 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 119 Summary: The fix for CVE-2014-9750 was incomplete in that there were 120 certain code paths where a packet with particular autokey operations 121 that contained malicious data was not always being completely 122 validated. Receipt of these packets can cause ntpd to crash. 123 Mitigation: 124 Don't use autokey. 125 Upgrade to 4.2.8p4, or later, from the NTP Project Download 126 Page or the NTP Public Services Project Download Page 127 Monitor your ntpd instances. 128 Credit: This weakness was discovered by Tenable Network Security. 129 130 * Clients that receive a KoD should validate the origin timestamp field. 131 132 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 133 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 134 and 4.3.0 up to, but not including 4.3.77 135 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 136 Summary: An ntpd client that honors Kiss-of-Death responses will honor 137 KoD messages that have been forged by an attacker, causing it to 138 delay or stop querying its servers for time updates. Also, an 139 attacker can forge packets that claim to be from the target and 140 send them to servers often enough that a server that implements 141 KoD rate limiting will send the target machine a KoD response to 142 attempt to reduce the rate of incoming packets, or it may also 143 trigger a firewall block at the server for packets from the target 144 machine. For either of these attacks to succeed, the attacker must 145 know what servers the target is communicating with. An attacker 146 can be anywhere on the Internet and can frequently learn the 147 identity of the target's time source by sending the target a 148 time query. 149 Mitigation: 150 Implement BCP-38. 151 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 152 or the NTP Public Services Project Download Page 153 If you can't upgrade, restrict who can query ntpd to learn who 154 its servers are, and what IPs are allowed to ask your system 155 for the time. This mitigation is heavy-handed. 156 Monitor your ntpd instances. 157 Note: 158 4.2.8p4 protects against the first attack. For the second attack, 159 all we can do is warn when it is happening, which we do in 4.2.8p4. 160 Credit: This weakness was discovered by Aanchal Malhotra, 161 Issac E. Cohen, and Sharon Goldberg of Boston University. 162 163 * configuration directives to change "pidfile" and "driftfile" should 164 only be allowed locally. 165 166 References: Sec 2902 / CVE-2015-5196 167 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 168 and 4.3.0 up to, but not including 4.3.77 169 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 170 Summary: If ntpd is configured to allow for remote configuration, 171 and if the (possibly spoofed) source IP address is allowed to 172 send remote configuration requests, and if the attacker knows 173 the remote configuration password, it's possible for an attacker 174 to use the "pidfile" or "driftfile" directives to potentially 175 overwrite other files. 176 Mitigation: 177 Implement BCP-38. 178 Upgrade to 4.2.8p4, or later, from the NTP Project Download 179 Page or the NTP Public Services Project Download Page 180 If you cannot upgrade, don't enable remote configuration. 181 If you must enable remote configuration and cannot upgrade, 182 remote configuration of NTF's ntpd requires: 183 - an explicitly configured trustedkey, and you should also 184 configure a controlkey. 185 - access from a permitted IP. You choose the IPs. 186 - authentication. Don't disable it. Practice secure key safety. 187 Monitor your ntpd instances. 188 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 189 190 * Slow memory leak in CRYPTO_ASSOC 191 192 References: Sec 2909 / CVE-2015-7701 193 Affects: All ntp-4 releases that use autokey up to, but not 194 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 195 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 196 4.6 otherwise 197 Summary: If ntpd is configured to use autokey, then an attacker can 198 send packets to ntpd that will, after several days of ongoing 199 attack, cause it to run out of memory. 200 Mitigation: 201 Don't use autokey. 202 Upgrade to 4.2.8p4, or later, from the NTP Project Download 203 Page or the NTP Public Services Project Download Page 204 Monitor your ntpd instances. 205 Credit: This weakness was discovered by Tenable Network Security. 206 207 * mode 7 loop counter underrun 208 209 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052 210 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 211 and 4.3.0 up to, but not including 4.3.77 212 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 213 Summary: If ntpd is configured to enable mode 7 packets, and if the 214 use of mode 7 packets is not properly protected thru the use of 215 the available mode 7 authentication and restriction mechanisms, 216 and if the (possibly spoofed) source IP address is allowed to 217 send mode 7 queries, then an attacker can send a crafted packet 218 to ntpd that will cause it to crash. 219 Mitigation: 220 Implement BCP-38. 221 Upgrade to 4.2.8p4, or later, from the NTP Project Download 222 Page or the NTP Public Services Project Download Page. 223 If you are unable to upgrade: 224 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 225 If you must enable mode 7: 226 configure the use of a requestkey to control who can issue 227 mode 7 requests. 228 configure restrict noquery to further limit mode 7 requests 229 to trusted sources. 230 Monitor your ntpd instances. 231 Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 232 233 * memory corruption in password store 234 235 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054 236 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 237 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case 238 Summary: If ntpd is configured to allow remote configuration, and if 239 the (possibly spoofed) source IP address is allowed to send 240 remote configuration requests, and if the attacker knows the 241 remote configuration password or if ntpd was configured to 242 disable authentication, then an attacker can send a set of 243 packets to ntpd that may cause a crash or theoretically 244 perform a code injection attack. 245 Mitigation: 246 Implement BCP-38. 247 Upgrade to 4.2.8p4, or later, from the NTP Project Download 248 Page or the NTP Public Services Project Download Page. 249 If you are unable to upgrade, remote configuration of NTF's 250 ntpd requires: 251 an explicitly configured "trusted" key. Only configure 252 this if you need it. 253 access from a permitted IP address. You choose the IPs. 254 authentication. Don't disable it. Practice secure key safety. 255 Monitor your ntpd instances. 256 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 257 258 * Infinite loop if extended logging enabled and the logfile and 259 keyfile are the same. 260 261 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055 262 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 263 and 4.3.0 up to, but not including 4.3.77 264 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 265 Summary: If ntpd is configured to allow remote configuration, and if 266 the (possibly spoofed) source IP address is allowed to send 267 remote configuration requests, and if the attacker knows the 268 remote configuration password or if ntpd was configured to 269 disable authentication, then an attacker can send a set of 270 packets to ntpd that will cause it to crash and/or create a 271 potentially huge log file. Specifically, the attacker could 272 enable extended logging, point the key file at the log file, 273 and cause what amounts to an infinite loop. 274 Mitigation: 275 Implement BCP-38. 276 Upgrade to 4.2.8p4, or later, from the NTP Project Download 277 Page or the NTP Public Services Project Download Page. 278 If you are unable to upgrade, remote configuration of NTF's ntpd 279 requires: 280 an explicitly configured "trusted" key. Only configure this 281 if you need it. 282 access from a permitted IP address. You choose the IPs. 283 authentication. Don't disable it. Practice secure key safety. 284 Monitor your ntpd instances. 285 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 286 287 * Potential path traversal vulnerability in the config file saving of 288 ntpd on VMS. 289 290 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062 291 Affects: All ntp-4 releases running under VMS up to, but not 292 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 293 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case 294 Summary: If ntpd is configured to allow remote configuration, and if 295 the (possibly spoofed) IP address is allowed to send remote 296 configuration requests, and if the attacker knows the remote 297 configuration password or if ntpd was configured to disable 298 authentication, then an attacker can send a set of packets to 299 ntpd that may cause ntpd to overwrite files. 300 Mitigation: 301 Implement BCP-38. 302 Upgrade to 4.2.8p4, or later, from the NTP Project Download 303 Page or the NTP Public Services Project Download Page. 304 If you are unable to upgrade, remote configuration of NTF's ntpd 305 requires: 306 an explicitly configured "trusted" key. Only configure 307 this if you need it. 308 access from permitted IP addresses. You choose the IPs. 309 authentication. Don't disable it. Practice key security safety. 310 Monitor your ntpd instances. 311 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 312 313 * ntpq atoascii() potential memory corruption 314 315 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063 316 Affects: All ntp-4 releases running up to, but not including 4.2.8p4, 317 and 4.3.0 up to, but not including 4.3.77 318 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case 319 Summary: If an attacker can figure out the precise moment that ntpq 320 is listening for data and the port number it is listening on or 321 if the attacker can provide a malicious instance ntpd that 322 victims will connect to then an attacker can send a set of 323 crafted mode 6 response packets that, if received by ntpq, 324 can cause ntpq to crash. 325 Mitigation: 326 Implement BCP-38. 327 Upgrade to 4.2.8p4, or later, from the NTP Project Download 328 Page or the NTP Public Services Project Download Page. 329 If you are unable to upgrade and you run ntpq against a server 330 and ntpq crashes, try again using raw mode. Build or get a 331 patched ntpq and see if that fixes the problem. Report new 332 bugs in ntpq or abusive servers appropriately. 333 If you use ntpq in scripts, make sure ntpq does what you expect 334 in your scripts. 335 Credit: This weakness was discovered by Yves Younan and 336 Aleksander Nikolich of Cisco Talos. 337 338 * Invalid length data provided by a custom refclock driver could cause 339 a buffer overflow. 340 341 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064 342 Affects: Potentially all ntp-4 releases running up to, but not 343 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 344 that have custom refclocks 345 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case, 346 5.9 unusual worst case 347 Summary: A negative value for the datalen parameter will overflow a 348 data buffer. NTF's ntpd driver implementations always set this 349 value to 0 and are therefore not vulnerable to this weakness. 350 If you are running a custom refclock driver in ntpd and that 351 driver supplies a negative value for datalen (no custom driver 352 of even minimal competence would do this) then ntpd would 353 overflow a data buffer. It is even hypothetically possible 354 in this case that instead of simply crashing ntpd the attacker 355 could effect a code injection attack. 356 Mitigation: 357 Upgrade to 4.2.8p4, or later, from the NTP Project Download 358 Page or the NTP Public Services Project Download Page. 359 If you are unable to upgrade: 360 If you are running custom refclock drivers, make sure 361 the signed datalen value is either zero or positive. 362 Monitor your ntpd instances. 363 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 364 365 * Password Length Memory Corruption Vulnerability 366 367 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065 368 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 369 4.3.0 up to, but not including 4.3.77 370 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case, 371 1.7 usual case, 6.8, worst case 372 Summary: If ntpd is configured to allow remote configuration, and if 373 the (possibly spoofed) source IP address is allowed to send 374 remote configuration requests, and if the attacker knows the 375 remote configuration password or if ntpd was (foolishly) 376 configured to disable authentication, then an attacker can 377 send a set of packets to ntpd that may cause it to crash, 378 with the hypothetical possibility of a small code injection. 379 Mitigation: 380 Implement BCP-38. 381 Upgrade to 4.2.8p4, or later, from the NTP Project Download 382 Page or the NTP Public Services Project Download Page. 383 If you are unable to upgrade, remote configuration of NTF's 384 ntpd requires: 385 an explicitly configured "trusted" key. Only configure 386 this if you need it. 387 access from a permitted IP address. You choose the IPs. 388 authentication. Don't disable it. Practice secure key safety. 389 Monitor your ntpd instances. 390 Credit: This weakness was discovered by Yves Younan and 391 Aleksander Nikolich of Cisco Talos. 392 393 * decodenetnum() will ASSERT botch instead of returning FAIL on some 394 bogus values. 395 396 References: Sec 2922 / CVE-2015-7855 397 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 398 4.3.0 up to, but not including 4.3.77 399 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 400 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing 401 an unusually long data value where a network address is expected, 402 the decodenetnum() function will abort with an assertion failure 403 instead of simply returning a failure condition. 404 Mitigation: 405 Implement BCP-38. 406 Upgrade to 4.2.8p4, or later, from the NTP Project Download 407 Page or the NTP Public Services Project Download Page. 408 If you are unable to upgrade: 409 mode 7 is disabled by default. Don't enable it. 410 Use restrict noquery to limit who can send mode 6 411 and mode 7 requests. 412 Configure and use the controlkey and requestkey 413 authentication directives to limit who can 414 send mode 6 and mode 7 requests. 415 Monitor your ntpd instances. 416 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 417 418 * NAK to the Future: Symmetric association authentication bypass via 419 crypto-NAK. 420 421 References: Sec 2941 / CVE-2015-7871 422 Affects: All ntp-4 releases between 4.2.5p186 up to but not including 423 4.2.8p4, and 4.3.0 up to but not including 4.3.77 424 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4 425 Summary: Crypto-NAK packets can be used to cause ntpd to accept time 426 from unauthenticated ephemeral symmetric peers by bypassing the 427 authentication required to mobilize peer associations. This 428 vulnerability appears to have been introduced in ntp-4.2.5p186 429 when the code handling mobilization of new passive symmetric 430 associations (lines 1103-1165) was refactored. 431 Mitigation: 432 Implement BCP-38. 433 Upgrade to 4.2.8p4, or later, from the NTP Project Download 434 Page or the NTP Public Services Project Download Page. 435 If you are unable to upgrade: 436 Apply the patch to the bottom of the "authentic" check 437 block around line 1136 of ntp_proto.c. 438 Monitor your ntpd instances. 439 Credit: This weakness was discovered by Stephen Gray <stepgray (a] cisco.com>. 440 441 Backward-Incompatible changes: 442 * [Bug 2817] Default on Linux is now "rlimit memlock -1". 443 While the general default of 32M is still the case, under Linux 444 the default value has been changed to -1 (do not lock ntpd into 445 memory). A value of 0 means "lock ntpd into memory with whatever 446 memory it needs." If your ntp.conf file has an explicit "rlimit memlock" 447 value in it, that value will continue to be used. 448 449 * [Bug 2886] Misspelling: "outlyer" should be "outlier". 450 If you've written a script that looks for this case in, say, the 451 output of ntpq, you probably want to change your regex matches 452 from 'outlyer' to 'outl[iy]er'. 453 454 New features in this release: 455 * 'rlimit memlock' now has finer-grained control. A value of -1 means 456 "don't lock ntpd into memore". This is the default for Linux boxes. 457 A value of 0 means "lock ntpd into memory" with no limits. Otherwise 458 the value is the number of megabytes of memory to lock. The default 459 is 32 megabytes. 460 461 * The old Google Test framework has been replaced with a new framework, 462 based on http://www.throwtheswitch.org/unity/ . 463 464 Bug Fixes and Improvements: 465 * [Bug 2332] (reopened) Exercise thread cancellation once before dropping 466 privileges and limiting resources in NTPD removes the need to link 467 forcefully against 'libgcc_s' which does not always work. J.Perlinger 468 * [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. 469 * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. 470 * [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. 471 * [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger (a] ntp.org 472 * [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. 473 * [Bug 2849] Systems with more than one default route may never 474 synchronize. Brian Utterback. Note that this patch might need to 475 be reverted once Bug 2043 has been fixed. 476 * [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger 477 * [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. 478 * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger 479 * [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 480 * [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 481 * [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 482 be configured for the distribution targets. Harlan Stenn. 483 * [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 484 * [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave (a] horsfall.org 485 * [Bug 2888] streamline calendar functions. perlinger (a] ntp.org 486 * [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger (a] ntp.org 487 * [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 488 * [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 489 * [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 490 * [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 491 * libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 492 * Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 493 * tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 494 * Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 495 * On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 496 * top_srcdir can change based on ntp v. sntp. Harlan Stenn. 497 * sntp/tests/ function parameter list cleanup. Damir Tomi. 498 * tests/libntp/ function parameter list cleanup. Damir Tomi. 499 * tests/ntpd/ function parameter list cleanup. Damir Tomi. 500 * sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 501 * sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 502 * tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomi. 503 * tests/libntp/ improvements in code and fixed error printing. Damir Tomi. 504 * tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 505 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 506 formatting; first declaration, then code (C90); deleted unnecessary comments; 507 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 508 * tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 509 fix formatting, cleanup. Tomasz Flendrich 510 * tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 511 Tomasz Flendrich 512 * tests/libntp/statestr.c remove empty functions, remove unnecessary include, 513 fix formatting. Tomasz Flendrich 514 * tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 515 * tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 516 * tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 517 Tomasz Flendrich 518 * tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 519 * tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 520 * tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 521 * tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 522 * tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 523 * tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 524 * tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 525 fixed formatting. Tomasz Flendrich 526 * tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 527 removed unnecessary comments, cleanup. Tomasz Flendrich 528 * tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 529 comments, cleanup. Tomasz Flendrich 530 * tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 531 Tomasz Flendrich 532 * tests/libntp/lfptest.h cleanup. Tomasz Flendrich 533 * tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich 534 * sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 535 Tomasz Flendrich 536 * sntp/tests/kodDatabase.c added consts, deleted empty function, 537 fixed formatting. Tomasz Flendrich 538 * sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 539 * sntp/tests/packetHandling.c is now using proper Unity's assertions, 540 fixed formatting, deleted unused variable. Tomasz Flendrich 541 * sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 542 Tomasz Flendrich 543 * sntp/tests/packetProcessing.c changed from sprintf to snprintf, 544 fixed formatting. Tomasz Flendrich 545 * sntp/tests/utilities.c is now using proper Unity's assertions, changed 546 the order of includes, fixed formatting, removed unnecessary comments. 547 Tomasz Flendrich 548 * sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 549 * sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 550 made one function do its job, deleted unnecessary prints, fixed formatting. 551 Tomasz Flendrich 552 * sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 553 * sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 554 * sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 555 * sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 556 * sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 557 * Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 558 * Don't build sntp/libevent/sample/. Harlan Stenn. 559 * tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 560 * br-flock: --enable-local-libevent. Harlan Stenn. 561 * Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 562 * scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 563 * Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 564 * Code cleanup. Harlan Stenn. 565 * libntp/icom.c: Typo fix. Harlan Stenn. 566 * util/ntptime.c: initialization nit. Harlan Stenn. 567 * ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 568 * Add std_unity_tests to various Makefile.am files. Harlan Stenn. 569 * ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 570 Tomasz Flendrich 571 * Changed progname to be const in many files - now it's consistent. Tomasz 572 Flendrich 573 * Typo fix for GCC warning suppression. Harlan Stenn. 574 * Added tests/ntpd/ntp_scanner.c test. Damir Tomi. 575 * Added declarations to all Unity tests, and did minor fixes to them. 576 Reduced the number of warnings by half. Damir Tomi. 577 * Updated generate_test_runner.rb and updated the sntp/unity/auto directory 578 with the latest Unity updates from Mark. Damir Tomi. 579 * Retire google test - phase I. Harlan Stenn. 580 * Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 581 * Update the NEWS file. Harlan Stenn. 582 * Autoconf cleanup. Harlan Stenn. 583 * Unit test dist cleanup. Harlan Stenn. 584 * Cleanup various test Makefile.am files. Harlan Stenn. 585 * Pthread autoconf macro cleanup. Harlan Stenn. 586 * Fix progname definition in unity runner scripts. Harlan Stenn. 587 * Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 588 * Update the patch for bug 2817. Harlan Stenn. 589 * More updates for bug 2817. Harlan Stenn. 590 * Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 591 * gcc on older HPUX may need +allowdups. Harlan Stenn. 592 * Adding missing MCAST protection. Harlan Stenn. 593 * Disable certain test programs on certain platforms. Harlan Stenn. 594 * Implement --enable-problem-tests (on by default). Harlan Stenn. 595 * build system tweaks. Harlan Stenn. 596 597 --- 598 NTP 4.2.8p3 (Harlan Stenn <stenn (a] ntp.org>, 2015/06/29) 599 600 Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 601 602 Severity: MEDIUM 603 604 Security Fix: 605 606 * [Sec 2853] Crafted remote config packet can crash some versions of 607 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 608 609 Under specific circumstances an attacker can send a crafted packet to 610 cause a vulnerable ntpd instance to crash. This requires each of the 611 following to be true: 612 613 1) ntpd set up to allow remote configuration (not allowed by default), and 614 2) knowledge of the configuration password, and 615 3) access to a computer entrusted to perform remote configuration. 616 617 This vulnerability is considered low-risk. 618 619 New features in this release: 620 621 Optional (disabled by default) support to have ntpd provide smeared 622 leap second time. A specially built and configured ntpd will only 623 offer smeared time in response to client packets. These response 624 packets will also contain a "refid" of 254.a.b.c, where the 24 bits 625 of a, b, and c encode the amount of smear in a 2:22 integer:fraction 626 format. See README.leapsmear and http://bugs.ntp.org/2855 for more 627 information. 628 629 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 630 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 631 632 We've imported the Unity test framework, and have begun converting 633 the existing google-test items to this new framework. If you want 634 to write new tests or change old ones, you'll need to have ruby 635 installed. You don't need ruby to run the test suite. 636 637 Bug Fixes and Improvements: 638 639 * CID 739725: Fix a rare resource leak in libevent/listener.c. 640 * CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 641 * CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 642 * CID 1269537: Clean up a line of dead code in getShmTime(). 643 * [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 644 * [Bug 2590] autogen-5.18.5. 645 * [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 646 of 'limited'. 647 * [Bug 2650] fix includefile processing. 648 * [Bug 2745] ntpd -x steps clock on leap second 649 Fixed an initial-value problem that caused misbehaviour in absence of 650 any leapsecond information. 651 Do leap second stepping only of the step adjustment is beyond the 652 proper jump distance limit and step correction is allowed at all. 653 * [Bug 2750] build for Win64 654 Building for 32bit of loopback ppsapi needs def file 655 * [Bug 2776] Improve ntpq's 'help keytype'. 656 * [Bug 2778] Implement "apeers" ntpq command to include associd. 657 * [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 658 * [Bug 2792] If the IFF_RUNNING interface flag is supported then an 659 interface is ignored as long as this flag is not set since the 660 interface is not usable (e.g., no link). 661 * [Bug 2794] Clean up kernel clock status reports. 662 * [Bug 2800] refclock_true.c true_debug() can't open debug log because 663 of incompatible open/fdopen parameters. 664 * [Bug 2804] install-local-data assumes GNU 'find' semantics. 665 * [Bug 2805] ntpd fails to join multicast group. 666 * [Bug 2806] refclock_jjy.c supports the Telephone JJY. 667 * [Bug 2808] GPSD_JSON driver enhancements, step 1. 668 Fix crash during cleanup if GPS device not present and char device. 669 Increase internal token buffer to parse all JSON data, even SKY. 670 Defer logging of errors during driver init until the first unit is 671 started, so the syslog is not cluttered when the driver is not used. 672 Various improvements, see http://bugs.ntp.org/2808 for details. 673 Changed libjsmn to a more recent version. 674 * [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 675 * [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 676 * [Bug 2815] net-snmp before v5.4 has circular library dependencies. 677 * [Bug 2821] Add a missing NTP_PRINTF and a missing const. 678 * [Bug 2822] New leap column in sntp broke NTP::Util.pm. 679 * [Bug 2824] Convert update-leap to perl. (also see 2769) 680 * [Bug 2825] Quiet file installation in html/ . 681 * [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 682 NTPD transfers the current TAI (instead of an announcement) now. 683 This might still needed improvement. 684 Update autokey data ASAP when 'sys_tai' changes. 685 Fix unit test that was broken by changes for autokey update. 686 Avoid potential signature length issue and use DPRINTF where possible 687 in ntp_crypto.c. 688 * [Bug 2832] refclock_jjy.c supports the TDC-300. 689 * [Bug 2834] Correct a broken html tag in html/refclock.html 690 * [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 691 robust, and require 2 consecutive timestamps to be consistent. 692 * [Bug 2837] Allow a configurable DSCP value. 693 * [Bug 2837] add test for DSCP to ntpd/complete.conf.in 694 * [Bug 2842] Glitch in ntp.conf.def documentation stanza. 695 * [Bug 2842] Bug in mdoc2man. 696 * [Bug 2843] make check fails on 4.3.36 697 Fixed compiler warnings about numeric range overflow 698 (The original topic was fixed in a byplay to bug#2830) 699 * [Bug 2845] Harden memory allocation in ntpd. 700 * [Bug 2852] 'make check' can't find unity.h. Hal Murray. 701 * [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 702 * [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 703 * [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 704 * [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 705 * [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 706 * [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 707 * [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 708 * [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 709 * html/drivers/driver22.html: typo fix. Harlan Stenn. 710 * refidsmear test cleanup. Tomasz Flendrich. 711 * refidsmear function support and tests. Harlan Stenn. 712 * sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 713 something that was only in the 4.2.6 sntp. Harlan Stenn. 714 * Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 715 Damir Tomi 716 * Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 717 Damir Tomi 718 * Modified sntp/tests/Makefile.am so it builds Unity framework tests. 719 Damir Tomi 720 * tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 721 * Converted from gtest to Unity: tests/bug-2803/. Damir Tomi 722 * Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 723 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 724 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 725 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 726 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 727 Damir Tomi 728 * Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 729 networking.c, keyFile.c, utilities.cpp, sntptest.h, 730 fileHandlingTest.h. Damir Tomi 731 * Initial support for experimental leap smear code. Harlan Stenn. 732 * Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 733 * Report select() debug messages at debug level 3 now. 734 * sntp/scripts/genLocInfo: treat raspbian as debian. 735 * Unity test framework fixes. 736 ** Requires ruby for changes to tests. 737 * Initial support for PACKAGE_VERSION tests. 738 * sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 739 * tests/bug-2803/Makefile.am must distribute bug-2803.h. 740 * Add an assert to the ntpq ifstats code. 741 * Clean up the RLIMIT_STACK code. 742 * Improve the ntpq documentation around the controlkey keyid. 743 * ntpq.c cleanup. 744 * Windows port build cleanup. 745 746 --- 747 NTP 4.2.8p2 (Harlan Stenn <stenn (a] ntp.org>, 2015/04/07) 748 749 Focus: Security and Bug fixes, enhancements. 750 751 Severity: MEDIUM 752 753 In addition to bug fixes and enhancements, this release fixes the 754 following medium-severity vulnerabilities involving private key 755 authentication: 756 757 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 758 759 References: Sec 2779 / CVE-2015-1798 / VU#374268 760 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not 761 including ntp-4.2.8p2 where the installation uses symmetric keys 762 to authenticate remote associations. 763 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 764 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 765 Summary: When ntpd is configured to use a symmetric key to authenticate 766 a remote NTP server/peer, it checks if the NTP message 767 authentication code (MAC) in received packets is valid, but not if 768 there actually is any MAC included. Packets without a MAC are 769 accepted as if they had a valid MAC. This allows a MITM attacker to 770 send false packets that are accepted by the client/peer without 771 having to know the symmetric key. The attacker needs to know the 772 transmit timestamp of the client to match it in the forged reply 773 and the false reply needs to reach the client before the genuine 774 reply from the server. The attacker doesn't necessarily need to be 775 relaying the packets between the client and the server. 776 777 Authentication using autokey doesn't have this problem as there is 778 a check that requires the key ID to be larger than NTP_MAXKEY, 779 which fails for packets without a MAC. 780 Mitigation: 781 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 782 or the NTP Public Services Project Download Page 783 Configure ntpd with enough time sources and monitor it properly. 784 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 785 786 * [Sec 2781] Authentication doesn't protect symmetric associations against 787 DoS attacks. 788 789 References: Sec 2781 / CVE-2015-1799 / VU#374268 790 Affects: All NTP releases starting with at least xntp3.3wy up to but 791 not including ntp-4.2.8p2 where the installation uses symmetric 792 key authentication. 793 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 794 Note: the CVSS base Score for this issue could be 4.3 or lower, and 795 it could be higher than 5.4. 796 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 797 Summary: An attacker knowing that NTP hosts A and B are peering with 798 each other (symmetric association) can send a packet to host A 799 with source address of B which will set the NTP state variables 800 on A to the values sent by the attacker. Host A will then send 801 on its next poll to B a packet with originate timestamp that 802 doesn't match the transmit timestamp of B and the packet will 803 be dropped. If the attacker does this periodically for both 804 hosts, they won't be able to synchronize to each other. This is 805 a known denial-of-service attack, described at 806 https://www.eecis.udel.edu/~mills/onwire.html . 807 808 According to the document the NTP authentication is supposed to 809 protect symmetric associations against this attack, but that 810 doesn't seem to be the case. The state variables are updated even 811 when authentication fails and the peers are sending packets with 812 originate timestamps that don't match the transmit timestamps on 813 the receiving side. 814 815 This seems to be a very old problem, dating back to at least 816 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) 817 specifications, so other NTP implementations with support for 818 symmetric associations and authentication may be vulnerable too. 819 An update to the NTP RFC to correct this error is in-process. 820 Mitigation: 821 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 822 or the NTP Public Services Project Download Page 823 Note that for users of autokey, this specific style of MITM attack 824 is simply a long-known potential problem. 825 Configure ntpd with appropriate time sources and monitor ntpd. 826 Alert your staff if problems are detected. 827 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 828 829 * New script: update-leap 830 The update-leap script will verify and if necessary, update the 831 leap-second definition file. 832 It requires the following commands in order to work: 833 834 wget logger tr sed shasum 835 836 Some may choose to run this from cron. It needs more portability testing. 837 838 Bug Fixes and Improvements: 839 840 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003. 841 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument. 842 * [Bug 2346] "graceful termination" signals do not do peer cleanup. 843 * [Bug 2728] See if C99-style structure initialization works. 844 * [Bug 2747] Upgrade libevent to 2.1.5-beta. 845 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. . 846 * [Bug 2751] jitter.h has stale copies of l_fp macros. 847 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM. 848 * [Bug 2757] Quiet compiler warnings. 849 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq. 850 * [Bug 2763] Allow different thresholds for forward and backward steps. 851 * [Bug 2766] ntp-keygen output files should not be world-readable. 852 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys. 853 * [Bug 2771] nonvolatile value is documented in wrong units. 854 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt 855 * [Bug 2774] Unreasonably verbose printout - leap pending/warning 856 * [Bug 2775] ntp-keygen.c fails to compile under Windows. 857 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info. 858 Removed non-ASCII characters from some copyright comments. 859 Removed trailing whitespace. 860 Updated definitions for Meinberg clocks from current Meinberg header files. 861 Now use C99 fixed-width types and avoid non-ASCII characters in comments. 862 Account for updated definitions pulled from Meinberg header files. 863 Updated comments on Meinberg GPS receivers which are not only called GPS16x. 864 Replaced some constant numbers by defines from ntp_calendar.h 865 Modified creation of parse-specific variables for Meinberg devices 866 in gps16x_message(). 867 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates. 868 Modified mbg_tm_str() which now expexts an additional parameter controlling 869 if the time status shall be printed. 870 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 871 * [Sec 2781] Authentication doesn't protect symmetric associations against 872 DoS attacks. 873 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE. 874 * [Bug 2789] Quiet compiler warnings from libevent. 875 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution 876 pause briefly before measuring system clock precision to yield 877 correct results. 878 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer. 879 * Use predefined function types for parse driver functions 880 used to set up function pointers. 881 Account for changed prototype of parse_inp_fnc_t functions. 882 Cast parse conversion results to appropriate types to avoid 883 compiler warnings. 884 Let ioctl() for Windows accept a (void *) to avoid compiler warnings 885 when called with pointers to different types. 886 887 --- 888 NTP 4.2.8p1 (Harlan Stenn <stenn (a] ntp.org>, 2015/02/04) 889 890 Focus: Security and Bug fixes, enhancements. 891 892 Severity: HIGH 893 894 In addition to bug fixes and enhancements, this release fixes the 895 following high-severity vulnerabilities: 896 897 * vallen is not validated in several places in ntp_crypto.c, leading 898 to a potential information leak or possibly a crash 899 900 References: Sec 2671 / CVE-2014-9297 / VU#852879 901 Affects: All NTP4 releases before 4.2.8p1 that are running autokey. 902 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 903 Date Resolved: Stable (4.2.8p1) 04 Feb 2015 904 Summary: The vallen packet value is not validated in several code 905 paths in ntp_crypto.c which can lead to information leakage 906 or perhaps a crash of the ntpd process. 907 Mitigation - any of: 908 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 909 or the NTP Public Services Project Download Page. 910 Disable Autokey Authentication by removing, or commenting out, 911 all configuration directives beginning with the "crypto" 912 keyword in your ntp.conf file. 913 Credit: This vulnerability was discovered by Stephen Roettger of the 914 Google Security Team, with additional cases found by Sebastian 915 Krahmer of the SUSE Security Team and Harlan Stenn of Network 916 Time Foundation. 917 918 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses 919 can be bypassed. 920 921 References: Sec 2672 / CVE-2014-9298 / VU#852879 922 Affects: All NTP4 releases before 4.2.8p1, under at least some 923 versions of MacOS and Linux. *BSD has not been seen to be vulnerable. 924 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 925 Date Resolved: Stable (4.2.8p1) 04 Feb 2014 926 Summary: While available kernels will prevent 127.0.0.1 addresses 927 from "appearing" on non-localhost IPv4 interfaces, some kernels 928 do not offer the same protection for ::1 source addresses on 929 IPv6 interfaces. Since NTP's access control is based on source 930 address and localhost addresses generally have no restrictions, 931 an attacker can send malicious control and configuration packets 932 by spoofing ::1 addresses from the outside. Note Well: This is 933 not really a bug in NTP, it's a problem with some OSes. If you 934 have one of these OSes where ::1 can be spoofed, ALL ::1 -based 935 ACL restrictions on any application can be bypassed! 936 Mitigation: 937 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 938 or the NTP Public Services Project Download Page 939 Install firewall rules to block packets claiming to come from 940 ::1 from inappropriate network interfaces. 941 Credit: This vulnerability was discovered by Stephen Roettger of 942 the Google Security Team. 943 944 Additionally, over 30 bugfixes and improvements were made to the codebase. 945 See the ChangeLog for more information. 946 947 --- 948 NTP 4.2.8 (Harlan Stenn <stenn (a] ntp.org>, 2014/12/18) 949 950 Focus: Security and Bug fixes, enhancements. 951 952 Severity: HIGH 953 954 In addition to bug fixes and enhancements, this release fixes the 955 following high-severity vulnerabilities: 956 957 ************************** vv NOTE WELL vv ***************************** 958 959 The vulnerabilities listed below can be significantly mitigated by 960 following the BCP of putting 961 962 restrict default ... noquery 963 964 in the ntp.conf file. With the exception of: 965 966 receive(): missing return on error 967 References: Sec 2670 / CVE-2014-9296 / VU#852879 968 969 below (which is a limited-risk vulnerability), none of the recent 970 vulnerabilities listed below can be exploited if the source IP is 971 restricted from sending a 'query'-class packet by your ntp.conf file. 972 973 ************************** ^^ NOTE WELL ^^ ***************************** 974 975 * Weak default key in config_auth(). 976 977 References: [Sec 2665] / CVE-2014-9293 / VU#852879 978 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 979 Vulnerable Versions: all releases prior to 4.2.7p11 980 Date Resolved: 28 Jan 2010 981 982 Summary: If no 'auth' key is set in the configuration file, ntpd 983 would generate a random key on the fly. There were two 984 problems with this: 1) the generated key was 31 bits in size, 985 and 2) it used the (now weak) ntp_random() function, which was 986 seeded with a 32-bit value and could only provide 32 bits of 987 entropy. This was sufficient back in the late 1990s when the 988 code was written. Not today. 989 990 Mitigation - any of: 991 - Upgrade to 4.2.7p11 or later. 992 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 993 994 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 995 of the Google Security Team. 996 997 * Non-cryptographic random number generator with weak seed used by 998 ntp-keygen to generate symmetric keys. 999 1000 References: [Sec 2666] / CVE-2014-9294 / VU#852879 1001 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 1002 Vulnerable Versions: All NTP4 releases before 4.2.7p230 1003 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 1004 1005 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 1006 prepare a random number generator that was of good quality back 1007 in the late 1990s. The random numbers produced was then used to 1008 generate symmetric keys. In ntp-4.2.8 we use a current-technology 1009 cryptographic random number generator, either RAND_bytes from 1010 OpenSSL, or arc4random(). 1011 1012 Mitigation - any of: 1013 - Upgrade to 4.2.7p230 or later. 1014 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1015 1016 Credit: This vulnerability was discovered in ntp-4.2.6 by 1017 Stephen Roettger of the Google Security Team. 1018 1019 * Buffer overflow in crypto_recv() 1020 1021 References: Sec 2667 / CVE-2014-9295 / VU#852879 1022 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1023 Versions: All releases before 4.2.8 1024 Date Resolved: Stable (4.2.8) 18 Dec 2014 1025 1026 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 1027 file contains a 'crypto pw ...' directive) a remote attacker 1028 can send a carefully crafted packet that can overflow a stack 1029 buffer and potentially allow malicious code to be executed 1030 with the privilege level of the ntpd process. 1031 1032 Mitigation - any of: 1033 - Upgrade to 4.2.8, or later, or 1034 - Disable Autokey Authentication by removing, or commenting out, 1035 all configuration directives beginning with the crypto keyword 1036 in your ntp.conf file. 1037 1038 Credit: This vulnerability was discovered by Stephen Roettger of the 1039 Google Security Team. 1040 1041 * Buffer overflow in ctl_putdata() 1042 1043 References: Sec 2668 / CVE-2014-9295 / VU#852879 1044 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1045 Versions: All NTP4 releases before 4.2.8 1046 Date Resolved: Stable (4.2.8) 18 Dec 2014 1047 1048 Summary: A remote attacker can send a carefully crafted packet that 1049 can overflow a stack buffer and potentially allow malicious 1050 code to be executed with the privilege level of the ntpd process. 1051 1052 Mitigation - any of: 1053 - Upgrade to 4.2.8, or later. 1054 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1055 1056 Credit: This vulnerability was discovered by Stephen Roettger of the 1057 Google Security Team. 1058 1059 * Buffer overflow in configure() 1060 1061 References: Sec 2669 / CVE-2014-9295 / VU#852879 1062 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1063 Versions: All NTP4 releases before 4.2.8 1064 Date Resolved: Stable (4.2.8) 18 Dec 2014 1065 1066 Summary: A remote attacker can send a carefully crafted packet that 1067 can overflow a stack buffer and potentially allow malicious 1068 code to be executed with the privilege level of the ntpd process. 1069 1070 Mitigation - any of: 1071 - Upgrade to 4.2.8, or later. 1072 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1073 1074 Credit: This vulnerability was discovered by Stephen Roettger of the 1075 Google Security Team. 1076 1077 * receive(): missing return on error 1078 1079 References: Sec 2670 / CVE-2014-9296 / VU#852879 1080 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 1081 Versions: All NTP4 releases before 4.2.8 1082 Date Resolved: Stable (4.2.8) 18 Dec 2014 1083 1084 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 1085 the code path where an error was detected, which meant 1086 processing did not stop when a specific rare error occurred. 1087 We haven't found a way for this bug to affect system integrity. 1088 If there is no way to affect system integrity the base CVSS 1089 score for this bug is 0. If there is one avenue through which 1090 system integrity can be partially affected, the base score 1091 becomes a 5. If system integrity can be partially affected 1092 via all three integrity metrics, the CVSS base score become 7.5. 1093 1094 Mitigation - any of: 1095 - Upgrade to 4.2.8, or later, 1096 - Remove or comment out all configuration directives 1097 beginning with the crypto keyword in your ntp.conf file. 1098 1099 Credit: This vulnerability was discovered by Stephen Roettger of the 1100 Google Security Team. 1101 1102 See http://support.ntp.org/security for more information. 1103 1104 New features / changes in this release: 1105 1106 Important Changes 1107 1108 * Internal NTP Era counters 1109 1110 The internal counters that track the "era" (range of years) we are in 1111 rolls over every 136 years'. The current "era" started at the stroke of 1112 midnight on 1 Jan 1900, and ends just before the stroke of midnight on 1113 1 Jan 2036. 1114 In the past, we have used the "midpoint" of the range to decide which 1115 era we were in. Given the longevity of some products, it became clear 1116 that it would be more functional to "look back" less, and "look forward" 1117 more. We now compile a timestamp into the ntpd executable and when we 1118 get a timestamp we us the "built-on" to tell us what era we are in. 1119 This check "looks back" 10 years, and "looks forward" 126 years. 1120 1121 * ntpdc responses disabled by default 1122 1123 Dave Hart writes: 1124 1125 For a long time, ntpq and its mostly text-based mode 6 (control) 1126 protocol have been preferred over ntpdc and its mode 7 (private 1127 request) protocol for runtime queries and configuration. There has 1128 been a goal of deprecating ntpdc, previously held back by numerous 1129 capabilities exposed by ntpdc with no ntpq equivalent. I have been 1130 adding commands to ntpq to cover these cases, and I believe I've 1131 covered them all, though I've not compared command-by-command 1132 recently. 1133 1134 As I've said previously, the binary mode 7 protocol involves a lot of 1135 hand-rolled structure layout and byte-swapping code in both ntpd and 1136 ntpdc which is hard to get right. As ntpd grows and changes, the 1137 changes are difficult to expose via ntpdc while maintaining forward 1138 and backward compatibility between ntpdc and ntpd. In contrast, 1139 ntpq's text-based, label=value approach involves more code reuse and 1140 allows compatible changes without extra work in most cases. 1141 1142 Mode 7 has always been defined as vendor/implementation-specific while 1143 mode 6 is described in RFC 1305 and intended to be open to interoperate 1144 with other implementations. There is an early draft of an updated 1145 mode 6 description that likely will join the other NTPv4 RFCs 1146 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 1147 1148 For these reasons, ntpd 4.2.7p230 by default disables processing of 1149 ntpdc queries, reducing ntpd's attack surface and functionally 1150 deprecating ntpdc. If you are in the habit of using ntpdc for certain 1151 operations, please try the ntpq equivalent. If there's no equivalent, 1152 please open a bug report at http://bugs.ntp.org./ 1153 1154 In addition to the above, over 1100 issues have been resolved between 1155 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 1156 lists these. 1157 1158 --- 1159 NTP 4.2.6p5 (Harlan Stenn <stenn (a] ntp.org>, 2011/12/24) 1160 1161 Focus: Bug fixes 1162 1163 Severity: Medium 1164 1165 This is a recommended upgrade. 1166 1167 This release updates sys_rootdisp and sys_jitter calculations to match the 1168 RFC specification, fixes a potential IPv6 address matching error for the 1169 "nic" and "interface" configuration directives, suppresses the creation of 1170 extraneous ephemeral associations for certain broadcastclient and 1171 multicastclient configurations, cleans up some ntpq display issues, and 1172 includes improvements to orphan mode, minor bugs fixes and code clean-ups. 1173 1174 New features / changes in this release: 1175 1176 ntpd 1177 1178 * Updated "nic" and "interface" IPv6 address handling to prevent 1179 mismatches with localhost [::1] and wildcard [::] which resulted from 1180 using the address/prefix format (e.g. fe80::/64) 1181 * Fix orphan mode stratum incorrectly counting to infinity 1182 * Orphan parent selection metric updated to includes missing ntohl() 1183 * Non-printable stratum 16 refid no longer sent to ntp 1184 * Duplicate ephemeral associations suppressed for broadcastclient and 1185 multicastclient without broadcastdelay 1186 * Exclude undetermined sys_refid from use in loopback TEST12 1187 * Exclude MODE_SERVER responses from KoD rate limiting 1188 * Include root delay in clock_update() sys_rootdisp calculations 1189 * get_systime() updated to exclude sys_residual offset (which only 1190 affected bits "below" sys_tick, the precision threshold) 1191 * sys.peer jitter weighting corrected in sys_jitter calculation 1192 1193 ntpq 1194 1195 * -n option extended to include the billboard "server" column 1196 * IPv6 addresses in the local column truncated to prevent overruns 1197 1198 --- 1199 NTP 4.2.6p4 (Harlan Stenn <stenn (a] ntp.org>, 2011/09/22) 1200 1201 Focus: Bug fixes and portability improvements 1202 1203 Severity: Medium 1204 1205 This is a recommended upgrade. 1206 1207 This release includes build infrastructure updates, code 1208 clean-ups, minor bug fixes, fixes for a number of minor 1209 ref-clock issues, and documentation revisions. 1210 1211 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 1212 1213 New features / changes in this release: 1214 1215 Build system 1216 1217 * Fix checking for struct rtattr 1218 * Update config.guess and config.sub for AIX 1219 * Upgrade required version of autogen and libopts for building 1220 from our source code repository 1221 1222 ntpd 1223 1224 * Back-ported several fixes for Coverity warnings from ntp-dev 1225 * Fix a rare boundary condition in UNLINK_EXPR_SLIST() 1226 * Allow "logconfig =allall" configuration directive 1227 * Bind tentative IPv6 addresses on Linux 1228 * Correct WWVB/Spectracom driver to timestamp CR instead of LF 1229 * Improved tally bit handling to prevent incorrect ntpq peer status reports 1230 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial 1231 candidate list unless they are designated a "prefer peer" 1232 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 1233 selection during the 'tos orphanwait' period 1234 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 1235 drivers 1236 * Improved support of the Parse Refclock trusttime flag in Meinberg mode 1237 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 1238 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 1239 clock slew on Microsoft Windows 1240 * Code cleanup in libntpq 1241 1242 ntpdc 1243 1244 * Fix timerstats reporting 1245 1246 ntpdate 1247 1248 * Reduce time required to set clock 1249 * Allow a timeout greater than 2 seconds 1250 1251 sntp 1252 1253 * Backward incompatible command-line option change: 1254 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 1255 1256 Documentation 1257 1258 * Update html2man. Fix some tags in the .html files 1259 * Distribute ntp-wait.html 1260 1261 --- 1262 NTP 4.2.6p3 (Harlan Stenn <stenn (a] ntp.org>, 2011/01/03) 1263 1264 Focus: Bug fixes and portability improvements 1265 1266 Severity: Medium 1267 1268 This is a recommended upgrade. 1269 1270 This release includes build infrastructure updates, code 1271 clean-ups, minor bug fixes, fixes for a number of minor 1272 ref-clock issues, and documentation revisions. 1273 1274 Portability improvements in this release affect AIX, Atari FreeMiNT, 1275 FreeBSD4, Linux and Microsoft Windows. 1276 1277 New features / changes in this release: 1278 1279 Build system 1280 * Use lsb_release to get information about Linux distributions. 1281 * 'test' is in /usr/bin (instead of /bin) on some systems. 1282 * Basic sanity checks for the ChangeLog file. 1283 * Source certain build files with ./filename for systems without . in PATH. 1284 * IRIX portability fix. 1285 * Use a single copy of the "libopts" code. 1286 * autogen/libopts upgrade. 1287 * configure.ac m4 quoting cleanup. 1288 1289 ntpd 1290 * Do not bind to IN6_IFF_ANYCAST addresses. 1291 * Log the reason for exiting under Windows. 1292 * Multicast fixes for Windows. 1293 * Interpolation fixes for Windows. 1294 * IPv4 and IPv6 Multicast fixes. 1295 * Manycast solicitation fixes and general repairs. 1296 * JJY refclock cleanup. 1297 * NMEA refclock improvements. 1298 * Oncore debug message cleanup. 1299 * Palisade refclock now builds under Linux. 1300 * Give RAWDCF more baud rates. 1301 * Support Truetime Satellite clocks under Windows. 1302 * Support Arbiter 1093C Satellite clocks under Windows. 1303 * Make sure that the "filegen" configuration command defaults to "enable". 1304 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 1305 * Prohibit 'includefile' directive in remote configuration command. 1306 * Fix 'nic' interface bindings. 1307 * Fix the way we link with openssl if openssl is installed in the base 1308 system. 1309 1310 ntp-keygen 1311 * Fix -V coredump. 1312 * OpenSSL version display cleanup. 1313 1314 ntpdc 1315 * Many counters should be treated as unsigned. 1316 1317 ntpdate 1318 * Do not ignore replies with equal receive and transmit timestamps. 1319 1320 ntpq 1321 * libntpq warning cleanup. 1322 1323 ntpsnmpd 1324 * Correct SNMP type for "precision" and "resolution". 1325 * Update the MIB from the draft version to RFC-5907. 1326 1327 sntp 1328 * Display timezone offset when showing time for sntp in the local 1329 timezone. 1330 * Pay proper attention to RATE KoD packets. 1331 * Fix a miscalculation of the offset. 1332 * Properly parse empty lines in the key file. 1333 * Logging cleanup. 1334 * Use tv_usec correctly in set_time(). 1335 * Documentation cleanup. 1336 1337 --- 1338 NTP 4.2.6p2 (Harlan Stenn <stenn (a] ntp.org>, 2010/07/08) 1339 1340 Focus: Bug fixes and portability improvements 1341 1342 Severity: Medium 1343 1344 This is a recommended upgrade. 1345 1346 This release includes build infrastructure updates, code 1347 clean-ups, minor bug fixes, fixes for a number of minor 1348 ref-clock issues, improved KOD handling, OpenSSL related 1349 updates and documentation revisions. 1350 1351 Portability improvements in this release affect Irix, Linux, 1352 Mac OS, Microsoft Windows, OpenBSD and QNX6 1353 1354 New features / changes in this release: 1355 1356 ntpd 1357 * Range syntax for the trustedkey configuration directive 1358 * Unified IPv4 and IPv6 restrict lists 1359 1360 ntpdate 1361 * Rate limiting and KOD handling 1362 1363 ntpsnmpd 1364 * default connection to net-snmpd via a unix-domain socket 1365 * command-line 'socket name' option 1366 1367 ntpq / ntpdc 1368 * support for the "passwd ..." syntax 1369 * key-type specific password prompts 1370 1371 sntp 1372 * MD5 authentication of an ntpd 1373 * Broadcast and crypto 1374 * OpenSSL support 1375 1376 --- 1377 NTP 4.2.6p1 (Harlan Stenn <stenn (a] ntp.org>, 2010/04/09) 1378 1379 Focus: Bug fixes, portability fixes, and documentation improvements 1380 1381 Severity: Medium 1382 1383 This is a recommended upgrade. 1384 1385 --- 1386 NTP 4.2.6 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 1387 1388 Focus: enhancements and bug fixes. 1389 1390 --- 1391 NTP 4.2.4p8 (Harlan Stenn <stenn (a] ntp.org>, 2009/12/08) 1392 1393 Focus: Security Fixes 1394 1395 Severity: HIGH 1396 1397 This release fixes the following high-severity vulnerability: 1398 1399 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 1400 1401 See http://support.ntp.org/security for more information. 1402 1403 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 1404 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 1405 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 1406 request or a mode 7 error response from an address which is not listed 1407 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 1408 reply with a mode 7 error response (and log a message). In this case: 1409 1410 * If an attacker spoofs the source address of ntpd host A in a 1411 mode 7 response packet sent to ntpd host B, both A and B will 1412 continuously send each other error responses, for as long as 1413 those packets get through. 1414 1415 * If an attacker spoofs an address of ntpd host A in a mode 7 1416 response packet sent to ntpd host A, A will respond to itself 1417 endlessly, consuming CPU and logging excessively. 1418 1419 Credit for finding this vulnerability goes to Robin Park and Dmitri 1420 Vinokurov of Alcatel-Lucent. 1421 1422 THIS IS A STRONGLY RECOMMENDED UPGRADE. 1423 1424 --- 1425 ntpd now syncs to refclocks right away. 1426 1427 Backward-Incompatible changes: 1428 1429 ntpd no longer accepts '-v name' or '-V name' to define internal variables. 1430 Use '--var name' or '--dvar name' instead. (Bug 817) 1431 1432 --- 1433 NTP 4.2.4p7 (Harlan Stenn <stenn (a] ntp.org>, 2009/05/04) 1434 1435 Focus: Security and Bug Fixes 1436 1437 Severity: HIGH 1438 1439 This release fixes the following high-severity vulnerability: 1440 1441 * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 1442 1443 See http://support.ntp.org/security for more information. 1444 1445 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 1446 line) then a carefully crafted packet sent to the machine will cause 1447 a buffer overflow and possible execution of injected code, running 1448 with the privileges of the ntpd process (often root). 1449 1450 Credit for finding this vulnerability goes to Chris Ries of CMU. 1451 1452 This release fixes the following low-severity vulnerabilities: 1453 1454 * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 1455 Credit for finding this vulnerability goes to Geoff Keating of Apple. 1456 1457 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 1458 Credit for finding this issue goes to Dave Hart. 1459 1460 This release fixes a number of bugs and adds some improvements: 1461 1462 * Improved logging 1463 * Fix many compiler warnings 1464 * Many fixes and improvements for Windows 1465 * Adds support for AIX 6.1 1466 * Resolves some issues under MacOS X and Solaris 1467 1468 THIS IS A STRONGLY RECOMMENDED UPGRADE. 1469 1470 --- 1471 NTP 4.2.4p6 (Harlan Stenn <stenn (a] ntp.org>, 2009/01/07) 1472 1473 Focus: Security Fix 1474 1475 Severity: Low 1476 1477 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 1478 the OpenSSL library relating to the incorrect checking of the return 1479 value of EVP_VerifyFinal function. 1480 1481 Credit for finding this issue goes to the Google Security Team for 1482 finding the original issue with OpenSSL, and to ocert.org for finding 1483 the problem in NTP and telling us about it. 1484 1485 This is a recommended upgrade. 1486 --- 1487 NTP 4.2.4p5 (Harlan Stenn <stenn (a] ntp.org>, 2008/08/17) 1488 1489 Focus: Minor Bugfixes 1490 1491 This release fixes a number of Windows-specific ntpd bugs and 1492 platform-independent ntpdate bugs. A logging bugfix has been applied 1493 to the ONCORE driver. 1494 1495 The "dynamic" keyword and is now obsolete and deferred binding to local 1496 interfaces is the new default. The minimum time restriction for the 1497 interface update interval has been dropped. 1498 1499 A number of minor build system and documentation fixes are included. 1500 1501 This is a recommended upgrade for Windows. 1502 1503 --- 1504 NTP 4.2.4p4 (Harlan Stenn <stenn (a] ntp.org>, 2007/09/10) 1505 1506 Focus: Minor Bugfixes 1507 1508 This release updates certain copyright information, fixes several display 1509 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 1510 shutdown in the parse refclock driver, removes some lint from the code, 1511 stops accessing certain buffers immediately after they were freed, fixes 1512 a problem with non-command-line specification of -6, and allows the loopback 1513 interface to share addresses with other interfaces. 1514 1515 --- 1516 NTP 4.2.4p3 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/29) 1517 1518 Focus: Minor Bugfixes 1519 1520 This release fixes a bug in Windows that made it difficult to 1521 terminate ntpd under windows. 1522 This is a recommended upgrade for Windows. 1523 1524 --- 1525 NTP 4.2.4p2 (Harlan Stenn <stenn (a] ntp.org>, 2007/06/19) 1526 1527 Focus: Minor Bugfixes 1528 1529 This release fixes a multicast mode authentication problem, 1530 an error in NTP packet handling on Windows that could lead to 1531 ntpd crashing, and several other minor bugs. Handling of 1532 multicast interfaces and logging configuration were improved. 1533 The required versions of autogen and libopts were incremented. 1534 This is a recommended upgrade for Windows and multicast users. 1535 1536 --- 1537 NTP 4.2.4 (Harlan Stenn <stenn (a] ntp.org>, 2006/12/31) 1538 1539 Focus: enhancements and bug fixes. 1540 1541 Dynamic interface rescanning was added to simplify the use of ntpd in 1542 conjunction with DHCP. GNU AutoGen is used for its command-line options 1543 processing. Separate PPS devices are supported for PARSE refclocks, MD5 1544 signatures are now provided for the release files. Drivers have been 1545 added for some new ref-clocks and have been removed for some older 1546 ref-clocks. This release also includes other improvements, documentation 1547 and bug fixes. 1548 1549 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 1550 C support. 1551 1552 --- 1553 NTP 4.2.0 (Harlan Stenn <stenn (a] ntp.org>, 2003/10/15) 1554 1555 Focus: enhancements and bug fixes. 1556
Indexes created Mon Apr 20 00:23:12 UTC 2026