mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-24 11:29:10 +00:00
9034852c84
Security: VuXML: c4a18a12-77fc-11e5-a687-206a8a720317 Security: CVE-2015-7871 Security: CVE-2015-7855 Security: CVE-2015-7854 Security: CVE-2015-7853 Security: CVE-2015-7852 Security: CVE-2015-7851 Security: CVE-2015-7850 Security: CVE-2015-7849 Security: CVE-2015-7848 Security: CVE-2015-7701 Security: CVE-2015-7703 Security: CVE-2015-7704, CVE-2015-7705 Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Security: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner Sponsored by: Nginx, Inc.
1455 lines
62 KiB
Plaintext
1455 lines
62 KiB
Plaintext
---
|
|
NTP 4.2.8p4
|
|
|
|
Focus: Security, Bug fies, enhancements.
|
|
|
|
Severity: MEDIUM
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following 13 low- and medium-severity vulnerabilities:
|
|
|
|
* Incomplete vallen (value length) checks in ntp_crypto.c, leading
|
|
to potential crashes or potential code injection/information leakage.
|
|
|
|
References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
|
|
Summary: The fix for CVE-2014-9750 was incomplete in that there were
|
|
certain code paths where a packet with particular autokey operations
|
|
that contained malicious data was not always being completely
|
|
validated. Receipt of these packets can cause ntpd to crash.
|
|
Mitigation:
|
|
Don't use autokey.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Tenable Network Security.
|
|
|
|
* Clients that receive a KoD should validate the origin timestamp field.
|
|
|
|
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
|
|
Summary: An ntpd client that honors Kiss-of-Death responses will honor
|
|
KoD messages that have been forged by an attacker, causing it to
|
|
delay or stop querying its servers for time updates. Also, an
|
|
attacker can forge packets that claim to be from the target and
|
|
send them to servers often enough that a server that implements
|
|
KoD rate limiting will send the target machine a KoD response to
|
|
attempt to reduce the rate of incoming packets, or it may also
|
|
trigger a firewall block at the server for packets from the target
|
|
machine. For either of these attacks to succeed, the attacker must
|
|
know what servers the target is communicating with. An attacker
|
|
can be anywhere on the Internet and can frequently learn the
|
|
identity of the target's time source by sending the target a
|
|
time query.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
If you can't upgrade, restrict who can query ntpd to learn who
|
|
its servers are, and what IPs are allowed to ask your system
|
|
for the time. This mitigation is heavy-handed.
|
|
Monitor your ntpd instances.
|
|
Note:
|
|
4.2.8p4 protects against the first attack. For the second attack,
|
|
all we can do is warn when it is happening, which we do in 4.2.8p4.
|
|
Credit: This weakness was discovered by Aanchal Malhotra,
|
|
Issac E. Cohen, and Sharon Goldberg of Boston University.
|
|
|
|
* configuration directives to change "pidfile" and "driftfile" should
|
|
only be allowed locally.
|
|
|
|
References: Sec 2902 / CVE-2015-5196
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
|
|
Summary: If ntpd is configured to allow for remote configuration,
|
|
and if the (possibly spoofed) source IP address is allowed to
|
|
send remote configuration requests, and if the attacker knows
|
|
the remote configuration password, it's possible for an attacker
|
|
to use the "pidfile" or "driftfile" directives to potentially
|
|
overwrite other files.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page
|
|
If you cannot upgrade, don't enable remote configuration.
|
|
If you must enable remote configuration and cannot upgrade,
|
|
remote configuration of NTF's ntpd requires:
|
|
- an explicitly configured trustedkey, and you should also
|
|
configure a controlkey.
|
|
- access from a permitted IP. You choose the IPs.
|
|
- authentication. Don't disable it. Practice secure key safety.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
|
|
|
|
* Slow memory leak in CRYPTO_ASSOC
|
|
|
|
References: Sec 2909 / CVE-2015-7701
|
|
Affects: All ntp-4 releases that use autokey up to, but not
|
|
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
|
|
4.6 otherwise
|
|
Summary: If ntpd is configured to use autokey, then an attacker can
|
|
send packets to ntpd that will, after several days of ongoing
|
|
attack, cause it to run out of memory.
|
|
Mitigation:
|
|
Don't use autokey.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Tenable Network Security.
|
|
|
|
* mode 7 loop counter underrun
|
|
|
|
References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
|
|
Summary: If ntpd is configured to enable mode 7 packets, and if the
|
|
use of mode 7 packets is not properly protected thru the use of
|
|
the available mode 7 authentication and restriction mechanisms,
|
|
and if the (possibly spoofed) source IP address is allowed to
|
|
send mode 7 queries, then an attacker can send a crafted packet
|
|
to ntpd that will cause it to crash.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade:
|
|
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
|
|
If you must enable mode 7:
|
|
configure the use of a requestkey to control who can issue
|
|
mode 7 requests.
|
|
configure restrict noquery to further limit mode 7 requests
|
|
to trusted sources.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
|
|
|
|
* memory corruption in password store
|
|
|
|
References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
|
|
Summary: If ntpd is configured to allow remote configuration, and if
|
|
the (possibly spoofed) source IP address is allowed to send
|
|
remote configuration requests, and if the attacker knows the
|
|
remote configuration password or if ntpd was configured to
|
|
disable authentication, then an attacker can send a set of
|
|
packets to ntpd that may cause a crash or theoretically
|
|
perform a code injection attack.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade, remote configuration of NTF's
|
|
ntpd requires:
|
|
an explicitly configured "trusted" key. Only configure
|
|
this if you need it.
|
|
access from a permitted IP address. You choose the IPs.
|
|
authentication. Don't disable it. Practice secure key safety.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
|
|
|
|
* Infinite loop if extended logging enabled and the logfile and
|
|
keyfile are the same.
|
|
|
|
References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
|
|
Summary: If ntpd is configured to allow remote configuration, and if
|
|
the (possibly spoofed) source IP address is allowed to send
|
|
remote configuration requests, and if the attacker knows the
|
|
remote configuration password or if ntpd was configured to
|
|
disable authentication, then an attacker can send a set of
|
|
packets to ntpd that will cause it to crash and/or create a
|
|
potentially huge log file. Specifically, the attacker could
|
|
enable extended logging, point the key file at the log file,
|
|
and cause what amounts to an infinite loop.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade, remote configuration of NTF's ntpd
|
|
requires:
|
|
an explicitly configured "trusted" key. Only configure this
|
|
if you need it.
|
|
access from a permitted IP address. You choose the IPs.
|
|
authentication. Don't disable it. Practice secure key safety.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
|
|
|
|
* Potential path traversal vulnerability in the config file saving of
|
|
ntpd on VMS.
|
|
|
|
References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
|
|
Affects: All ntp-4 releases running under VMS up to, but not
|
|
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
|
|
Summary: If ntpd is configured to allow remote configuration, and if
|
|
the (possibly spoofed) IP address is allowed to send remote
|
|
configuration requests, and if the attacker knows the remote
|
|
configuration password or if ntpd was configured to disable
|
|
authentication, then an attacker can send a set of packets to
|
|
ntpd that may cause ntpd to overwrite files.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade, remote configuration of NTF's ntpd
|
|
requires:
|
|
an explicitly configured "trusted" key. Only configure
|
|
this if you need it.
|
|
access from permitted IP addresses. You choose the IPs.
|
|
authentication. Don't disable it. Practice key security safety.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
|
|
|
|
* ntpq atoascii() potential memory corruption
|
|
|
|
References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
|
|
Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
|
|
and 4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
|
|
Summary: If an attacker can figure out the precise moment that ntpq
|
|
is listening for data and the port number it is listening on or
|
|
if the attacker can provide a malicious instance ntpd that
|
|
victims will connect to then an attacker can send a set of
|
|
crafted mode 6 response packets that, if received by ntpq,
|
|
can cause ntpq to crash.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade and you run ntpq against a server
|
|
and ntpq crashes, try again using raw mode. Build or get a
|
|
patched ntpq and see if that fixes the problem. Report new
|
|
bugs in ntpq or abusive servers appropriately.
|
|
If you use ntpq in scripts, make sure ntpq does what you expect
|
|
in your scripts.
|
|
Credit: This weakness was discovered by Yves Younan and
|
|
Aleksander Nikolich of Cisco Talos.
|
|
|
|
* Invalid length data provided by a custom refclock driver could cause
|
|
a buffer overflow.
|
|
|
|
References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
|
|
Affects: Potentially all ntp-4 releases running up to, but not
|
|
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
|
|
that have custom refclocks
|
|
CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
|
|
5.9 unusual worst case
|
|
Summary: A negative value for the datalen parameter will overflow a
|
|
data buffer. NTF's ntpd driver implementations always set this
|
|
value to 0 and are therefore not vulnerable to this weakness.
|
|
If you are running a custom refclock driver in ntpd and that
|
|
driver supplies a negative value for datalen (no custom driver
|
|
of even minimal competence would do this) then ntpd would
|
|
overflow a data buffer. It is even hypothetically possible
|
|
in this case that instead of simply crashing ntpd the attacker
|
|
could effect a code injection attack.
|
|
Mitigation:
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade:
|
|
If you are running custom refclock drivers, make sure
|
|
the signed datalen value is either zero or positive.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
|
|
|
|
* Password Length Memory Corruption Vulnerability
|
|
|
|
References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
|
|
4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
|
|
1.7 usual case, 6.8, worst case
|
|
Summary: If ntpd is configured to allow remote configuration, and if
|
|
the (possibly spoofed) source IP address is allowed to send
|
|
remote configuration requests, and if the attacker knows the
|
|
remote configuration password or if ntpd was (foolishly)
|
|
configured to disable authentication, then an attacker can
|
|
send a set of packets to ntpd that may cause it to crash,
|
|
with the hypothetical possibility of a small code injection.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade, remote configuration of NTF's
|
|
ntpd requires:
|
|
an explicitly configured "trusted" key. Only configure
|
|
this if you need it.
|
|
access from a permitted IP address. You choose the IPs.
|
|
authentication. Don't disable it. Practice secure key safety.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Yves Younan and
|
|
Aleksander Nikolich of Cisco Talos.
|
|
|
|
* decodenetnum() will ASSERT botch instead of returning FAIL on some
|
|
bogus values.
|
|
|
|
References: Sec 2922 / CVE-2015-7855
|
|
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
|
|
4.3.0 up to, but not including 4.3.77
|
|
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
|
|
Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
|
|
an unusually long data value where a network address is expected,
|
|
the decodenetnum() function will abort with an assertion failure
|
|
instead of simply returning a failure condition.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade:
|
|
mode 7 is disabled by default. Don't enable it.
|
|
Use restrict noquery to limit who can send mode 6
|
|
and mode 7 requests.
|
|
Configure and use the controlkey and requestkey
|
|
authentication directives to limit who can
|
|
send mode 6 and mode 7 requests.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
|
|
|
|
* NAK to the Future: Symmetric association authentication bypass via
|
|
crypto-NAK.
|
|
|
|
References: Sec 2941 / CVE-2015-7871
|
|
Affects: All ntp-4 releases between 4.2.5p186 up to but not including
|
|
4.2.8p4, and 4.3.0 up to but not including 4.3.77
|
|
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
|
|
Summary: Crypto-NAK packets can be used to cause ntpd to accept time
|
|
from unauthenticated ephemeral symmetric peers by bypassing the
|
|
authentication required to mobilize peer associations. This
|
|
vulnerability appears to have been introduced in ntp-4.2.5p186
|
|
when the code handling mobilization of new passive symmetric
|
|
associations (lines 1103-1165) was refactored.
|
|
Mitigation:
|
|
Implement BCP-38.
|
|
Upgrade to 4.2.8p4, or later, from the NTP Project Download
|
|
Page or the NTP Public Services Project Download Page.
|
|
If you are unable to upgrade:
|
|
Apply the patch to the bottom of the "authentic" check
|
|
block around line 1136 of ntp_proto.c.
|
|
Monitor your ntpd instances.
|
|
Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>.
|
|
|
|
Backward-Incompatible changes:
|
|
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
|
|
While the general default of 32M is still the case, under Linux
|
|
the default value has been changed to -1 (do not lock ntpd into
|
|
memory). A value of 0 means "lock ntpd into memory with whatever
|
|
memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
|
|
value in it, that value will continue to be used.
|
|
|
|
* [Bug 2886] Misspelling: "outlyer" should be "outlier".
|
|
If you've written a script that looks for this case in, say, the
|
|
output of ntpq, you probably want to change your regex matches
|
|
from 'outlyer' to 'outl[iy]er'.
|
|
|
|
New features in this release:
|
|
* 'rlimit memlock' now has finer-grained control. A value of -1 means
|
|
"don't lock ntpd into memore". This is the default for Linux boxes.
|
|
A value of 0 means "lock ntpd into memory" with no limits. Otherwise
|
|
the value is the number of megabytes of memory to lock. The default
|
|
is 32 megabytes.
|
|
|
|
* The old Google Test framework has been replaced with a new framework,
|
|
based on http://www.throwtheswitch.org/unity/ .
|
|
|
|
Bug Fixes and Improvements:
|
|
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
|
|
privileges and limiting resources in NTPD removes the need to link
|
|
forcefully against 'libgcc_s' which does not always work. J.Perlinger
|
|
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
|
|
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
|
|
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
|
|
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org
|
|
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
|
|
* [Bug 2849] Systems with more than one default route may never
|
|
synchronize. Brian Utterback. Note that this patch might need to
|
|
be reverted once Bug 2043 has been fixed.
|
|
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
|
|
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
|
|
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
|
|
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
|
|
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
|
|
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
|
|
be configured for the distribution targets. Harlan Stenn.
|
|
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
|
|
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org
|
|
* [Bug 2888] streamline calendar functions. perlinger@ntp.org
|
|
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org
|
|
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
|
|
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
|
|
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
|
|
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
|
|
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
|
|
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
|
|
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
|
|
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
|
|
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
|
|
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
|
|
* sntp/tests/ function parameter list cleanup. Damir Tomić.
|
|
* tests/libntp/ function parameter list cleanup. Damir Tomić.
|
|
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
|
|
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
|
|
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
|
|
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
|
|
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
|
|
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
|
|
caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
|
|
formatting; first declaration, then code (C90); deleted unnecessary comments;
|
|
changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
|
|
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
|
|
fix formatting, cleanup. Tomasz Flendrich
|
|
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
|
|
Tomasz Flendrich
|
|
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
|
|
fix formatting. Tomasz Flendrich
|
|
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
|
|
Tomasz Flendrich
|
|
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
|
|
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
|
|
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
|
|
fixed formatting. Tomasz Flendrich
|
|
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
|
|
removed unnecessary comments, cleanup. Tomasz Flendrich
|
|
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
|
|
comments, cleanup. Tomasz Flendrich
|
|
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
|
|
Tomasz Flendrich
|
|
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
|
|
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
|
|
* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
|
|
Tomasz Flendrich
|
|
* sntp/tests/kodDatabase.c added consts, deleted empty function,
|
|
fixed formatting. Tomasz Flendrich
|
|
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
|
|
* sntp/tests/packetHandling.c is now using proper Unity's assertions,
|
|
fixed formatting, deleted unused variable. Tomasz Flendrich
|
|
* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
|
|
Tomasz Flendrich
|
|
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
|
|
fixed formatting. Tomasz Flendrich
|
|
* sntp/tests/utilities.c is now using proper Unity's assertions, changed
|
|
the order of includes, fixed formatting, removed unnecessary comments.
|
|
Tomasz Flendrich
|
|
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
|
|
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
|
|
made one function do its job, deleted unnecessary prints, fixed formatting.
|
|
Tomasz Flendrich
|
|
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
|
|
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
|
|
* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn.
|
|
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
|
|
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
|
|
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
|
|
* Don't build sntp/libevent/sample/. Harlan Stenn.
|
|
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
|
|
* br-flock: --enable-local-libevent. Harlan Stenn.
|
|
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
|
|
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
|
|
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
|
|
* Code cleanup. Harlan Stenn.
|
|
* libntp/icom.c: Typo fix. Harlan Stenn.
|
|
* util/ntptime.c: initialization nit. Harlan Stenn.
|
|
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
|
|
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
|
|
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
|
|
Tomasz Flendrich
|
|
* Changed progname to be const in many files - now it's consistent. Tomasz
|
|
Flendrich
|
|
* Typo fix for GCC warning suppression. Harlan Stenn.
|
|
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
|
|
* Added declarations to all Unity tests, and did minor fixes to them.
|
|
Reduced the number of warnings by half. Damir Tomić.
|
|
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
|
|
with the latest Unity updates from Mark. Damir Tomić.
|
|
* Retire google test - phase I. Harlan Stenn.
|
|
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
|
|
* Update the NEWS file. Harlan Stenn.
|
|
* Autoconf cleanup. Harlan Stenn.
|
|
* Unit test dist cleanup. Harlan Stenn.
|
|
* Cleanup various test Makefile.am files. Harlan Stenn.
|
|
* Pthread autoconf macro cleanup. Harlan Stenn.
|
|
* Fix progname definition in unity runner scripts. Harlan Stenn.
|
|
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
|
|
* Update the patch for bug 2817. Harlan Stenn.
|
|
* More updates for bug 2817. Harlan Stenn.
|
|
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
|
|
* gcc on older HPUX may need +allowdups. Harlan Stenn.
|
|
* Adding missing MCAST protection. Harlan Stenn.
|
|
* Disable certain test programs on certain platforms. Harlan Stenn.
|
|
* Implement --enable-problem-tests (on by default). Harlan Stenn.
|
|
* build system tweaks. Harlan Stenn.
|
|
|
|
---
|
|
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
|
|
|
|
Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
|
|
|
|
Severity: MEDIUM
|
|
|
|
Security Fix:
|
|
|
|
* [Sec 2853] Crafted remote config packet can crash some versions of
|
|
ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
|
|
|
|
Under specific circumstances an attacker can send a crafted packet to
|
|
cause a vulnerable ntpd instance to crash. This requires each of the
|
|
following to be true:
|
|
|
|
1) ntpd set up to allow remote configuration (not allowed by default), and
|
|
2) knowledge of the configuration password, and
|
|
3) access to a computer entrusted to perform remote configuration.
|
|
|
|
This vulnerability is considered low-risk.
|
|
|
|
New features in this release:
|
|
|
|
Optional (disabled by default) support to have ntpd provide smeared
|
|
leap second time. A specially built and configured ntpd will only
|
|
offer smeared time in response to client packets. These response
|
|
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
|
|
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
|
|
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
|
|
information.
|
|
|
|
*IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
|
|
*BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
|
|
|
|
We've imported the Unity test framework, and have begun converting
|
|
the existing google-test items to this new framework. If you want
|
|
to write new tests or change old ones, you'll need to have ruby
|
|
installed. You don't need ruby to run the test suite.
|
|
|
|
Bug Fixes and Improvements:
|
|
|
|
* CID 739725: Fix a rare resource leak in libevent/listener.c.
|
|
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
|
|
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
|
|
* CID 1269537: Clean up a line of dead code in getShmTime().
|
|
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
|
|
* [Bug 2590] autogen-5.18.5.
|
|
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
|
|
of 'limited'.
|
|
* [Bug 2650] fix includefile processing.
|
|
* [Bug 2745] ntpd -x steps clock on leap second
|
|
Fixed an initial-value problem that caused misbehaviour in absence of
|
|
any leapsecond information.
|
|
Do leap second stepping only of the step adjustment is beyond the
|
|
proper jump distance limit and step correction is allowed at all.
|
|
* [Bug 2750] build for Win64
|
|
Building for 32bit of loopback ppsapi needs def file
|
|
* [Bug 2776] Improve ntpq's 'help keytype'.
|
|
* [Bug 2778] Implement "apeers" ntpq command to include associd.
|
|
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
|
|
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
|
|
interface is ignored as long as this flag is not set since the
|
|
interface is not usable (e.g., no link).
|
|
* [Bug 2794] Clean up kernel clock status reports.
|
|
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
|
|
of incompatible open/fdopen parameters.
|
|
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
|
|
* [Bug 2805] ntpd fails to join multicast group.
|
|
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
|
|
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
|
|
Fix crash during cleanup if GPS device not present and char device.
|
|
Increase internal token buffer to parse all JSON data, even SKY.
|
|
Defer logging of errors during driver init until the first unit is
|
|
started, so the syslog is not cluttered when the driver is not used.
|
|
Various improvements, see http://bugs.ntp.org/2808 for details.
|
|
Changed libjsmn to a more recent version.
|
|
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
|
|
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
|
|
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
|
|
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
|
|
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
|
|
* [Bug 2824] Convert update-leap to perl. (also see 2769)
|
|
* [Bug 2825] Quiet file installation in html/ .
|
|
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
|
|
NTPD transfers the current TAI (instead of an announcement) now.
|
|
This might still needed improvement.
|
|
Update autokey data ASAP when 'sys_tai' changes.
|
|
Fix unit test that was broken by changes for autokey update.
|
|
Avoid potential signature length issue and use DPRINTF where possible
|
|
in ntp_crypto.c.
|
|
* [Bug 2832] refclock_jjy.c supports the TDC-300.
|
|
* [Bug 2834] Correct a broken html tag in html/refclock.html
|
|
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
|
|
robust, and require 2 consecutive timestamps to be consistent.
|
|
* [Bug 2837] Allow a configurable DSCP value.
|
|
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
|
|
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
|
|
* [Bug 2842] Bug in mdoc2man.
|
|
* [Bug 2843] make check fails on 4.3.36
|
|
Fixed compiler warnings about numeric range overflow
|
|
(The original topic was fixed in a byplay to bug#2830)
|
|
* [Bug 2845] Harden memory allocation in ntpd.
|
|
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
|
|
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
|
|
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
|
|
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
|
|
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
|
|
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
|
|
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
|
|
* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel.
|
|
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
|
|
* html/drivers/driver22.html: typo fix. Harlan Stenn.
|
|
* refidsmear test cleanup. Tomasz Flendrich.
|
|
* refidsmear function support and tests. Harlan Stenn.
|
|
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
|
|
something that was only in the 4.2.6 sntp. Harlan Stenn.
|
|
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
|
|
Damir Tomić
|
|
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
|
|
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
|
|
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
|
|
atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
|
|
calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
|
|
numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
|
|
timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
|
|
Damir Tomić
|
|
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
|
|
networking.c, keyFile.c, utilities.cpp, sntptest.h,
|
|
fileHandlingTest.h. Damir Tomić
|
|
* Initial support for experimental leap smear code. Harlan Stenn.
|
|
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
|
|
* Report select() debug messages at debug level 3 now.
|
|
* sntp/scripts/genLocInfo: treat raspbian as debian.
|
|
* Unity test framework fixes.
|
|
** Requires ruby for changes to tests.
|
|
* Initial support for PACKAGE_VERSION tests.
|
|
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
|
|
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
|
|
* Add an assert to the ntpq ifstats code.
|
|
* Clean up the RLIMIT_STACK code.
|
|
* Improve the ntpq documentation around the controlkey keyid.
|
|
* ntpq.c cleanup.
|
|
* Windows port build cleanup.
|
|
|
|
---
|
|
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: MEDIUM
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following medium-severity vulnerabilities involving private key
|
|
authentication:
|
|
|
|
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
|
|
|
|
References: Sec 2779 / CVE-2015-1798 / VU#374268
|
|
Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
|
|
including ntp-4.2.8p2 where the installation uses symmetric keys
|
|
to authenticate remote associations.
|
|
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
|
|
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
|
|
Summary: When ntpd is configured to use a symmetric key to authenticate
|
|
a remote NTP server/peer, it checks if the NTP message
|
|
authentication code (MAC) in received packets is valid, but not if
|
|
there actually is any MAC included. Packets without a MAC are
|
|
accepted as if they had a valid MAC. This allows a MITM attacker to
|
|
send false packets that are accepted by the client/peer without
|
|
having to know the symmetric key. The attacker needs to know the
|
|
transmit timestamp of the client to match it in the forged reply
|
|
and the false reply needs to reach the client before the genuine
|
|
reply from the server. The attacker doesn't necessarily need to be
|
|
relaying the packets between the client and the server.
|
|
|
|
Authentication using autokey doesn't have this problem as there is
|
|
a check that requires the key ID to be larger than NTP_MAXKEY,
|
|
which fails for packets without a MAC.
|
|
Mitigation:
|
|
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Configure ntpd with enough time sources and monitor it properly.
|
|
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
|
|
|
|
* [Sec 2781] Authentication doesn't protect symmetric associations against
|
|
DoS attacks.
|
|
|
|
References: Sec 2781 / CVE-2015-1799 / VU#374268
|
|
Affects: All NTP releases starting with at least xntp3.3wy up to but
|
|
not including ntp-4.2.8p2 where the installation uses symmetric
|
|
key authentication.
|
|
CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
|
|
Note: the CVSS base Score for this issue could be 4.3 or lower, and
|
|
it could be higher than 5.4.
|
|
Date Resolved: Stable (4.2.8p2) 07 Apr 2015
|
|
Summary: An attacker knowing that NTP hosts A and B are peering with
|
|
each other (symmetric association) can send a packet to host A
|
|
with source address of B which will set the NTP state variables
|
|
on A to the values sent by the attacker. Host A will then send
|
|
on its next poll to B a packet with originate timestamp that
|
|
doesn't match the transmit timestamp of B and the packet will
|
|
be dropped. If the attacker does this periodically for both
|
|
hosts, they won't be able to synchronize to each other. This is
|
|
a known denial-of-service attack, described at
|
|
https://www.eecis.udel.edu/~mills/onwire.html .
|
|
|
|
According to the document the NTP authentication is supposed to
|
|
protect symmetric associations against this attack, but that
|
|
doesn't seem to be the case. The state variables are updated even
|
|
when authentication fails and the peers are sending packets with
|
|
originate timestamps that don't match the transmit timestamps on
|
|
the receiving side.
|
|
|
|
This seems to be a very old problem, dating back to at least
|
|
xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
|
|
specifications, so other NTP implementations with support for
|
|
symmetric associations and authentication may be vulnerable too.
|
|
An update to the NTP RFC to correct this error is in-process.
|
|
Mitigation:
|
|
Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Note that for users of autokey, this specific style of MITM attack
|
|
is simply a long-known potential problem.
|
|
Configure ntpd with appropriate time sources and monitor ntpd.
|
|
Alert your staff if problems are detected.
|
|
Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
|
|
|
|
* New script: update-leap
|
|
The update-leap script will verify and if necessary, update the
|
|
leap-second definition file.
|
|
It requires the following commands in order to work:
|
|
|
|
wget logger tr sed shasum
|
|
|
|
Some may choose to run this from cron. It needs more portability testing.
|
|
|
|
Bug Fixes and Improvements:
|
|
|
|
* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
|
|
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
|
|
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
|
|
* [Bug 2728] See if C99-style structure initialization works.
|
|
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
|
|
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
|
|
* [Bug 2751] jitter.h has stale copies of l_fp macros.
|
|
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
|
|
* [Bug 2757] Quiet compiler warnings.
|
|
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
|
|
* [Bug 2763] Allow different thresholds for forward and backward steps.
|
|
* [Bug 2766] ntp-keygen output files should not be world-readable.
|
|
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
|
|
* [Bug 2771] nonvolatile value is documented in wrong units.
|
|
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
|
|
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
|
|
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
|
|
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
|
|
Removed non-ASCII characters from some copyright comments.
|
|
Removed trailing whitespace.
|
|
Updated definitions for Meinberg clocks from current Meinberg header files.
|
|
Now use C99 fixed-width types and avoid non-ASCII characters in comments.
|
|
Account for updated definitions pulled from Meinberg header files.
|
|
Updated comments on Meinberg GPS receivers which are not only called GPS16x.
|
|
Replaced some constant numbers by defines from ntp_calendar.h
|
|
Modified creation of parse-specific variables for Meinberg devices
|
|
in gps16x_message().
|
|
Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
|
|
Modified mbg_tm_str() which now expexts an additional parameter controlling
|
|
if the time status shall be printed.
|
|
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
|
|
* [Sec 2781] Authentication doesn't protect symmetric associations against
|
|
DoS attacks.
|
|
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
|
|
* [Bug 2789] Quiet compiler warnings from libevent.
|
|
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
|
|
pause briefly before measuring system clock precision to yield
|
|
correct results.
|
|
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
|
|
* Use predefined function types for parse driver functions
|
|
used to set up function pointers.
|
|
Account for changed prototype of parse_inp_fnc_t functions.
|
|
Cast parse conversion results to appropriate types to avoid
|
|
compiler warnings.
|
|
Let ioctl() for Windows accept a (void *) to avoid compiler warnings
|
|
when called with pointers to different types.
|
|
|
|
---
|
|
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: HIGH
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following high-severity vulnerabilities:
|
|
|
|
* vallen is not validated in several places in ntp_crypto.c, leading
|
|
to a potential information leak or possibly a crash
|
|
|
|
References: Sec 2671 / CVE-2014-9297 / VU#852879
|
|
Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Date Resolved: Stable (4.2.8p1) 04 Feb 2015
|
|
Summary: The vallen packet value is not validated in several code
|
|
paths in ntp_crypto.c which can lead to information leakage
|
|
or perhaps a crash of the ntpd process.
|
|
Mitigation - any of:
|
|
Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page.
|
|
Disable Autokey Authentication by removing, or commenting out,
|
|
all configuration directives beginning with the "crypto"
|
|
keyword in your ntp.conf file.
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team, with additional cases found by Sebastian
|
|
Krahmer of the SUSE Security Team and Harlan Stenn of Network
|
|
Time Foundation.
|
|
|
|
* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
|
|
can be bypassed.
|
|
|
|
References: Sec 2672 / CVE-2014-9298 / VU#852879
|
|
Affects: All NTP4 releases before 4.2.8p1, under at least some
|
|
versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
|
|
Date Resolved: Stable (4.2.8p1) 04 Feb 2014
|
|
Summary: While available kernels will prevent 127.0.0.1 addresses
|
|
from "appearing" on non-localhost IPv4 interfaces, some kernels
|
|
do not offer the same protection for ::1 source addresses on
|
|
IPv6 interfaces. Since NTP's access control is based on source
|
|
address and localhost addresses generally have no restrictions,
|
|
an attacker can send malicious control and configuration packets
|
|
by spoofing ::1 addresses from the outside. Note Well: This is
|
|
not really a bug in NTP, it's a problem with some OSes. If you
|
|
have one of these OSes where ::1 can be spoofed, ALL ::1 -based
|
|
ACL restrictions on any application can be bypassed!
|
|
Mitigation:
|
|
Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
|
|
or the NTP Public Services Project Download Page
|
|
Install firewall rules to block packets claiming to come from
|
|
::1 from inappropriate network interfaces.
|
|
Credit: This vulnerability was discovered by Stephen Roettger of
|
|
the Google Security Team.
|
|
|
|
Additionally, over 30 bugfixes and improvements were made to the codebase.
|
|
See the ChangeLog for more information.
|
|
|
|
---
|
|
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
|
|
|
|
Focus: Security and Bug fixes, enhancements.
|
|
|
|
Severity: HIGH
|
|
|
|
In addition to bug fixes and enhancements, this release fixes the
|
|
following high-severity vulnerabilities:
|
|
|
|
************************** vv NOTE WELL vv *****************************
|
|
|
|
The vulnerabilities listed below can be significantly mitigated by
|
|
following the BCP of putting
|
|
|
|
restrict default ... noquery
|
|
|
|
in the ntp.conf file. With the exception of:
|
|
|
|
receive(): missing return on error
|
|
References: Sec 2670 / CVE-2014-9296 / VU#852879
|
|
|
|
below (which is a limited-risk vulnerability), none of the recent
|
|
vulnerabilities listed below can be exploited if the source IP is
|
|
restricted from sending a 'query'-class packet by your ntp.conf file.
|
|
|
|
************************** ^^ NOTE WELL ^^ *****************************
|
|
|
|
* Weak default key in config_auth().
|
|
|
|
References: [Sec 2665] / CVE-2014-9293 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
|
|
Vulnerable Versions: all releases prior to 4.2.7p11
|
|
Date Resolved: 28 Jan 2010
|
|
|
|
Summary: If no 'auth' key is set in the configuration file, ntpd
|
|
would generate a random key on the fly. There were two
|
|
problems with this: 1) the generated key was 31 bits in size,
|
|
and 2) it used the (now weak) ntp_random() function, which was
|
|
seeded with a 32-bit value and could only provide 32 bits of
|
|
entropy. This was sufficient back in the late 1990s when the
|
|
code was written. Not today.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.7p11 or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
|
|
of the Google Security Team.
|
|
|
|
* Non-cryptographic random number generator with weak seed used by
|
|
ntp-keygen to generate symmetric keys.
|
|
|
|
References: [Sec 2666] / CVE-2014-9294 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
|
|
Vulnerable Versions: All NTP4 releases before 4.2.7p230
|
|
Date Resolved: Dev (4.2.7p230) 01 Nov 2011
|
|
|
|
Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
|
|
prepare a random number generator that was of good quality back
|
|
in the late 1990s. The random numbers produced was then used to
|
|
generate symmetric keys. In ntp-4.2.8 we use a current-technology
|
|
cryptographic random number generator, either RAND_bytes from
|
|
OpenSSL, or arc4random().
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.7p230 or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered in ntp-4.2.6 by
|
|
Stephen Roettger of the Google Security Team.
|
|
|
|
* Buffer overflow in crypto_recv()
|
|
|
|
References: Sec 2667 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
|
|
file contains a 'crypto pw ...' directive) a remote attacker
|
|
can send a carefully crafted packet that can overflow a stack
|
|
buffer and potentially allow malicious code to be executed
|
|
with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later, or
|
|
- Disable Autokey Authentication by removing, or commenting out,
|
|
all configuration directives beginning with the crypto keyword
|
|
in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* Buffer overflow in ctl_putdata()
|
|
|
|
References: Sec 2668 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: A remote attacker can send a carefully crafted packet that
|
|
can overflow a stack buffer and potentially allow malicious
|
|
code to be executed with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* Buffer overflow in configure()
|
|
|
|
References: Sec 2669 / CVE-2014-9295 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: A remote attacker can send a carefully crafted packet that
|
|
can overflow a stack buffer and potentially allow malicious
|
|
code to be executed with the privilege level of the ntpd process.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later.
|
|
- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
* receive(): missing return on error
|
|
|
|
References: Sec 2670 / CVE-2014-9296 / VU#852879
|
|
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
|
|
Versions: All NTP4 releases before 4.2.8
|
|
Date Resolved: Stable (4.2.8) 18 Dec 2014
|
|
|
|
Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
|
|
the code path where an error was detected, which meant
|
|
processing did not stop when a specific rare error occurred.
|
|
We haven't found a way for this bug to affect system integrity.
|
|
If there is no way to affect system integrity the base CVSS
|
|
score for this bug is 0. If there is one avenue through which
|
|
system integrity can be partially affected, the base score
|
|
becomes a 5. If system integrity can be partially affected
|
|
via all three integrity metrics, the CVSS base score become 7.5.
|
|
|
|
Mitigation - any of:
|
|
- Upgrade to 4.2.8, or later,
|
|
- Remove or comment out all configuration directives
|
|
beginning with the crypto keyword in your ntp.conf file.
|
|
|
|
Credit: This vulnerability was discovered by Stephen Roettger of the
|
|
Google Security Team.
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
New features / changes in this release:
|
|
|
|
Important Changes
|
|
|
|
* Internal NTP Era counters
|
|
|
|
The internal counters that track the "era" (range of years) we are in
|
|
rolls over every 136 years'. The current "era" started at the stroke of
|
|
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
|
|
1 Jan 2036.
|
|
In the past, we have used the "midpoint" of the range to decide which
|
|
era we were in. Given the longevity of some products, it became clear
|
|
that it would be more functional to "look back" less, and "look forward"
|
|
more. We now compile a timestamp into the ntpd executable and when we
|
|
get a timestamp we us the "built-on" to tell us what era we are in.
|
|
This check "looks back" 10 years, and "looks forward" 126 years.
|
|
|
|
* ntpdc responses disabled by default
|
|
|
|
Dave Hart writes:
|
|
|
|
For a long time, ntpq and its mostly text-based mode 6 (control)
|
|
protocol have been preferred over ntpdc and its mode 7 (private
|
|
request) protocol for runtime queries and configuration. There has
|
|
been a goal of deprecating ntpdc, previously held back by numerous
|
|
capabilities exposed by ntpdc with no ntpq equivalent. I have been
|
|
adding commands to ntpq to cover these cases, and I believe I've
|
|
covered them all, though I've not compared command-by-command
|
|
recently.
|
|
|
|
As I've said previously, the binary mode 7 protocol involves a lot of
|
|
hand-rolled structure layout and byte-swapping code in both ntpd and
|
|
ntpdc which is hard to get right. As ntpd grows and changes, the
|
|
changes are difficult to expose via ntpdc while maintaining forward
|
|
and backward compatibility between ntpdc and ntpd. In contrast,
|
|
ntpq's text-based, label=value approach involves more code reuse and
|
|
allows compatible changes without extra work in most cases.
|
|
|
|
Mode 7 has always been defined as vendor/implementation-specific while
|
|
mode 6 is described in RFC 1305 and intended to be open to interoperate
|
|
with other implementations. There is an early draft of an updated
|
|
mode 6 description that likely will join the other NTPv4 RFCs
|
|
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
|
|
|
|
For these reasons, ntpd 4.2.7p230 by default disables processing of
|
|
ntpdc queries, reducing ntpd's attack surface and functionally
|
|
deprecating ntpdc. If you are in the habit of using ntpdc for certain
|
|
operations, please try the ntpq equivalent. If there's no equivalent,
|
|
please open a bug report at http://bugs.ntp.org./
|
|
|
|
In addition to the above, over 1100 issues have been resolved between
|
|
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
|
|
lists these.
|
|
|
|
---
|
|
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
|
|
|
|
Focus: Bug fixes
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release updates sys_rootdisp and sys_jitter calculations to match the
|
|
RFC specification, fixes a potential IPv6 address matching error for the
|
|
"nic" and "interface" configuration directives, suppresses the creation of
|
|
extraneous ephemeral associations for certain broadcastclient and
|
|
multicastclient configurations, cleans up some ntpq display issues, and
|
|
includes improvements to orphan mode, minor bugs fixes and code clean-ups.
|
|
|
|
New features / changes in this release:
|
|
|
|
ntpd
|
|
|
|
* Updated "nic" and "interface" IPv6 address handling to prevent
|
|
mismatches with localhost [::1] and wildcard [::] which resulted from
|
|
using the address/prefix format (e.g. fe80::/64)
|
|
* Fix orphan mode stratum incorrectly counting to infinity
|
|
* Orphan parent selection metric updated to includes missing ntohl()
|
|
* Non-printable stratum 16 refid no longer sent to ntp
|
|
* Duplicate ephemeral associations suppressed for broadcastclient and
|
|
multicastclient without broadcastdelay
|
|
* Exclude undetermined sys_refid from use in loopback TEST12
|
|
* Exclude MODE_SERVER responses from KoD rate limiting
|
|
* Include root delay in clock_update() sys_rootdisp calculations
|
|
* get_systime() updated to exclude sys_residual offset (which only
|
|
affected bits "below" sys_tick, the precision threshold)
|
|
* sys.peer jitter weighting corrected in sys_jitter calculation
|
|
|
|
ntpq
|
|
|
|
* -n option extended to include the billboard "server" column
|
|
* IPv6 addresses in the local column truncated to prevent overruns
|
|
|
|
---
|
|
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, and documentation revisions.
|
|
|
|
Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
|
|
|
|
New features / changes in this release:
|
|
|
|
Build system
|
|
|
|
* Fix checking for struct rtattr
|
|
* Update config.guess and config.sub for AIX
|
|
* Upgrade required version of autogen and libopts for building
|
|
from our source code repository
|
|
|
|
ntpd
|
|
|
|
* Back-ported several fixes for Coverity warnings from ntp-dev
|
|
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
|
|
* Allow "logconfig =allall" configuration directive
|
|
* Bind tentative IPv6 addresses on Linux
|
|
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
|
|
* Improved tally bit handling to prevent incorrect ntpq peer status reports
|
|
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
|
|
candidate list unless they are designated a "prefer peer"
|
|
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
|
|
selection during the 'tos orphanwait' period
|
|
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
|
|
drivers
|
|
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
|
|
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
|
|
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
|
|
clock slew on Microsoft Windows
|
|
* Code cleanup in libntpq
|
|
|
|
ntpdc
|
|
|
|
* Fix timerstats reporting
|
|
|
|
ntpdate
|
|
|
|
* Reduce time required to set clock
|
|
* Allow a timeout greater than 2 seconds
|
|
|
|
sntp
|
|
|
|
* Backward incompatible command-line option change:
|
|
-l/--filelog changed -l/--logfile (to be consistent with ntpd)
|
|
|
|
Documentation
|
|
|
|
* Update html2man. Fix some tags in the .html files
|
|
* Distribute ntp-wait.html
|
|
|
|
---
|
|
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, and documentation revisions.
|
|
|
|
Portability improvements in this release affect AIX, Atari FreeMiNT,
|
|
FreeBSD4, Linux and Microsoft Windows.
|
|
|
|
New features / changes in this release:
|
|
|
|
Build system
|
|
* Use lsb_release to get information about Linux distributions.
|
|
* 'test' is in /usr/bin (instead of /bin) on some systems.
|
|
* Basic sanity checks for the ChangeLog file.
|
|
* Source certain build files with ./filename for systems without . in PATH.
|
|
* IRIX portability fix.
|
|
* Use a single copy of the "libopts" code.
|
|
* autogen/libopts upgrade.
|
|
* configure.ac m4 quoting cleanup.
|
|
|
|
ntpd
|
|
* Do not bind to IN6_IFF_ANYCAST addresses.
|
|
* Log the reason for exiting under Windows.
|
|
* Multicast fixes for Windows.
|
|
* Interpolation fixes for Windows.
|
|
* IPv4 and IPv6 Multicast fixes.
|
|
* Manycast solicitation fixes and general repairs.
|
|
* JJY refclock cleanup.
|
|
* NMEA refclock improvements.
|
|
* Oncore debug message cleanup.
|
|
* Palisade refclock now builds under Linux.
|
|
* Give RAWDCF more baud rates.
|
|
* Support Truetime Satellite clocks under Windows.
|
|
* Support Arbiter 1093C Satellite clocks under Windows.
|
|
* Make sure that the "filegen" configuration command defaults to "enable".
|
|
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
|
|
* Prohibit 'includefile' directive in remote configuration command.
|
|
* Fix 'nic' interface bindings.
|
|
* Fix the way we link with openssl if openssl is installed in the base
|
|
system.
|
|
|
|
ntp-keygen
|
|
* Fix -V coredump.
|
|
* OpenSSL version display cleanup.
|
|
|
|
ntpdc
|
|
* Many counters should be treated as unsigned.
|
|
|
|
ntpdate
|
|
* Do not ignore replies with equal receive and transmit timestamps.
|
|
|
|
ntpq
|
|
* libntpq warning cleanup.
|
|
|
|
ntpsnmpd
|
|
* Correct SNMP type for "precision" and "resolution".
|
|
* Update the MIB from the draft version to RFC-5907.
|
|
|
|
sntp
|
|
* Display timezone offset when showing time for sntp in the local
|
|
timezone.
|
|
* Pay proper attention to RATE KoD packets.
|
|
* Fix a miscalculation of the offset.
|
|
* Properly parse empty lines in the key file.
|
|
* Logging cleanup.
|
|
* Use tv_usec correctly in set_time().
|
|
* Documentation cleanup.
|
|
|
|
---
|
|
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
|
|
|
|
Focus: Bug fixes and portability improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
This release includes build infrastructure updates, code
|
|
clean-ups, minor bug fixes, fixes for a number of minor
|
|
ref-clock issues, improved KOD handling, OpenSSL related
|
|
updates and documentation revisions.
|
|
|
|
Portability improvements in this release affect Irix, Linux,
|
|
Mac OS, Microsoft Windows, OpenBSD and QNX6
|
|
|
|
New features / changes in this release:
|
|
|
|
ntpd
|
|
* Range syntax for the trustedkey configuration directive
|
|
* Unified IPv4 and IPv6 restrict lists
|
|
|
|
ntpdate
|
|
* Rate limiting and KOD handling
|
|
|
|
ntpsnmpd
|
|
* default connection to net-snmpd via a unix-domain socket
|
|
* command-line 'socket name' option
|
|
|
|
ntpq / ntpdc
|
|
* support for the "passwd ..." syntax
|
|
* key-type specific password prompts
|
|
|
|
sntp
|
|
* MD5 authentication of an ntpd
|
|
* Broadcast and crypto
|
|
* OpenSSL support
|
|
|
|
---
|
|
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
|
|
|
|
Focus: Bug fixes, portability fixes, and documentation improvements
|
|
|
|
Severity: Medium
|
|
|
|
This is a recommended upgrade.
|
|
|
|
---
|
|
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
|
|
|
|
Focus: enhancements and bug fixes.
|
|
|
|
---
|
|
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
|
|
|
|
Focus: Security Fixes
|
|
|
|
Severity: HIGH
|
|
|
|
This release fixes the following high-severity vulnerability:
|
|
|
|
* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
|
|
In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
|
|
transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
|
|
request or a mode 7 error response from an address which is not listed
|
|
in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
|
|
reply with a mode 7 error response (and log a message). In this case:
|
|
|
|
* If an attacker spoofs the source address of ntpd host A in a
|
|
mode 7 response packet sent to ntpd host B, both A and B will
|
|
continuously send each other error responses, for as long as
|
|
those packets get through.
|
|
|
|
* If an attacker spoofs an address of ntpd host A in a mode 7
|
|
response packet sent to ntpd host A, A will respond to itself
|
|
endlessly, consuming CPU and logging excessively.
|
|
|
|
Credit for finding this vulnerability goes to Robin Park and Dmitri
|
|
Vinokurov of Alcatel-Lucent.
|
|
|
|
THIS IS A STRONGLY RECOMMENDED UPGRADE.
|
|
|
|
---
|
|
ntpd now syncs to refclocks right away.
|
|
|
|
Backward-Incompatible changes:
|
|
|
|
ntpd no longer accepts '-v name' or '-V name' to define internal variables.
|
|
Use '--var name' or '--dvar name' instead. (Bug 817)
|
|
|
|
---
|
|
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
|
|
|
|
Focus: Security and Bug Fixes
|
|
|
|
Severity: HIGH
|
|
|
|
This release fixes the following high-severity vulnerability:
|
|
|
|
* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252
|
|
|
|
See http://support.ntp.org/security for more information.
|
|
|
|
If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
|
|
line) then a carefully crafted packet sent to the machine will cause
|
|
a buffer overflow and possible execution of injected code, running
|
|
with the privileges of the ntpd process (often root).
|
|
|
|
Credit for finding this vulnerability goes to Chris Ries of CMU.
|
|
|
|
This release fixes the following low-severity vulnerabilities:
|
|
|
|
* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
|
|
Credit for finding this vulnerability goes to Geoff Keating of Apple.
|
|
|
|
* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
|
|
Credit for finding this issue goes to Dave Hart.
|
|
|
|
This release fixes a number of bugs and adds some improvements:
|
|
|
|
* Improved logging
|
|
* Fix many compiler warnings
|
|
* Many fixes and improvements for Windows
|
|
* Adds support for AIX 6.1
|
|
* Resolves some issues under MacOS X and Solaris
|
|
|
|
THIS IS A STRONGLY RECOMMENDED UPGRADE.
|
|
|
|
---
|
|
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
|
|
|
|
Focus: Security Fix
|
|
|
|
Severity: Low
|
|
|
|
This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
|
|
the OpenSSL library relating to the incorrect checking of the return
|
|
value of EVP_VerifyFinal function.
|
|
|
|
Credit for finding this issue goes to the Google Security Team for
|
|
finding the original issue with OpenSSL, and to ocert.org for finding
|
|
the problem in NTP and telling us about it.
|
|
|
|
This is a recommended upgrade.
|
|
---
|
|
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a number of Windows-specific ntpd bugs and
|
|
platform-independent ntpdate bugs. A logging bugfix has been applied
|
|
to the ONCORE driver.
|
|
|
|
The "dynamic" keyword and is now obsolete and deferred binding to local
|
|
interfaces is the new default. The minimum time restriction for the
|
|
interface update interval has been dropped.
|
|
|
|
A number of minor build system and documentation fixes are included.
|
|
|
|
This is a recommended upgrade for Windows.
|
|
|
|
---
|
|
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release updates certain copyright information, fixes several display
|
|
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
|
|
shutdown in the parse refclock driver, removes some lint from the code,
|
|
stops accessing certain buffers immediately after they were freed, fixes
|
|
a problem with non-command-line specification of -6, and allows the loopback
|
|
interface to share addresses with other interfaces.
|
|
|
|
---
|
|
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a bug in Windows that made it difficult to
|
|
terminate ntpd under windows.
|
|
This is a recommended upgrade for Windows.
|
|
|
|
---
|
|
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
|
|
|
|
Focus: Minor Bugfixes
|
|
|
|
This release fixes a multicast mode authentication problem,
|
|
an error in NTP packet handling on Windows that could lead to
|
|
ntpd crashing, and several other minor bugs. Handling of
|
|
multicast interfaces and logging configuration were improved.
|
|
The required versions of autogen and libopts were incremented.
|
|
This is a recommended upgrade for Windows and multicast users.
|
|
|
|
---
|
|
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
|
|
|
|
Focus: enhancements and bug fixes.
|
|
|
|
Dynamic interface rescanning was added to simplify the use of ntpd in
|
|
conjunction with DHCP. GNU AutoGen is used for its command-line options
|
|
processing. Separate PPS devices are supported for PARSE refclocks, MD5
|
|
signatures are now provided for the release files. Drivers have been
|
|
added for some new ref-clocks and have been removed for some older
|
|
ref-clocks. This release also includes other improvements, documentation
|
|
and bug fixes.
|
|
|
|
K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
|
|
C support.
|
|
|
|
---
|
|
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
|
|
|
|
Focus: enhancements and bug fixes.
|