MFC r362568:

MFV r362565:

Update 4.2.8p14 --> 4.2.8p15

Summary: Systems that use a CMAC algorithm in ntp.keys will not release
a bit of memory on each packet that uses a CMAC keyid, eventually causing
ntpd to run out of memory and fail. The CMAC cleanup from
https://bugs.ntp.org/3447, part of ntp-4.2.8p11, introduced a bug whereby
the CMAC data structure was no longer completely removed.

Security: NTP Bug 3661

MFC r358652:

MFV r358616:

Update ntp-4.2.8p13 --> 4.2.8p14.

The advisory can be found at:
http://support.ntp.org/bin/view/Main/SecurityNotice#\
March_2020_ntp_4_2_8p14_NTP_Rele

No CVEs have been documented yet.

Security: http://support.ntp.org/bin/view/Main/NtpBug3610
http://support.ntp.org/bin/view/Main/NtpBug3596
http://support.ntp.org/bin/view/Main/NtpBug3592

MFC r338126: MFV r338092: ntp 4.2.8p12.

Relnotes: yes

MFC r330104: MFV r330102: ntp 4.2.8p11

MFC r315871: MFV r315791: ntp 4.2.8p10.

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV r301238:

ntp 4.2.8p8.

Security: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security: CVE-2016-4955, CVE-2016-4956
Security: FreeBSD-SA-16:24.ntp
With hat: so

MFV r298691:

ntp 4.2.8p7.

Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp
With hat: so

MFV r294491: ntp 4.2.8p6.

Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security: CVE-2015-8140, CVE-2015-8158
With hat: so

MFV r293415:

ntp 4.2.8p5

Reviewed by: cy, roberto
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D4828

MFV ntp-4.2.8p4 (r289715)

Security: VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security: CVE-2015-7871
Security: CVE-2015-7855
Security: CVE-2015-7854
Security: CVE-2015-7853
Security: CVE-2015-7852
Security: CVE-2015-7851
Security: CVE-2015-7850
Security: CVE-2015-7849
Security: CVE-2015-7848
Security: CVE-2015-7701
Security: CVE-2015-7703
Security: CVE-2015-7704, CVE-2015-7705
Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by: Nginx, Inc.

MFV ntp-4.2.8p3 (r284990).

Approved by: roberto, delphij
Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security: http://bugs.ntp.org/show_bug.cgi?id=2853
Security: https://www.kb.cert.org/vuls/id/668167
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)

Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by: roberto

ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by: ume
Reviewed by: bz, gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D1527

Correct comparison of IPv6 wildcard address.

MFC after: 3 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after: 2 weeks
Security: CVE-2009-3563

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after: 2 weeks

This commit was generated by cvs2svn to compensate for changes in r132451,
which included commits to RCS files with non-trunk default branches.

Virgin import of ntpd 4.2.0

Virgin import of ntpd 4.1.1a

Virgin import of ntpd 4.1.0

Fix potential alignement problems on Alpha + IPv6.

This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by: shin

Virgin import of ntpd 4.0.99b

Virgin import of ntpd 4.0.98f

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

MFV r301238:

ntp 4.2.8p8.

Security: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security: CVE-2016-4955, CVE-2016-4956
Security: FreeBSD-SA-16:24.ntp
With hat: so

MFV r298691:

ntp 4.2.8p7.

Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp
With hat: so

MFV r294491: ntp 4.2.8p6.

Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security: CVE-2015-8140, CVE-2015-8158
With hat: so

MFV r293415:

ntp 4.2.8p5

Reviewed by: cy, roberto
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D4828

MFV ntp-4.2.8p4 (r289715)

Security: VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security: CVE-2015-7871
Security: CVE-2015-7855
Security: CVE-2015-7854
Security: CVE-2015-7853
Security: CVE-2015-7852
Security: CVE-2015-7851
Security: CVE-2015-7850
Security: CVE-2015-7849
Security: CVE-2015-7848
Security: CVE-2015-7701
Security: CVE-2015-7703
Security: CVE-2015-7704, CVE-2015-7705
Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by: Nginx, Inc.

MFV ntp-4.2.8p3 (r284990).

Approved by: roberto, delphij
Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security: http://bugs.ntp.org/show_bug.cgi?id=2853
Security: https://www.kb.cert.org/vuls/id/668167
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)

Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by: roberto

ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by: ume
Reviewed by: bz, gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D1527

Correct comparison of IPv6 wildcard address.

MFC after: 3 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after: 2 weeks
Security: CVE-2009-3563

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after: 2 weeks

This commit was generated by cvs2svn to compensate for changes in r132451,
which included commits to RCS files with non-trunk default branches.

Virgin import of ntpd 4.2.0

Virgin import of ntpd 4.1.1a

Virgin import of ntpd 4.1.0

Fix potential alignement problems on Alpha + IPv6.

This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by: shin

Virgin import of ntpd 4.0.99b

Virgin import of ntpd 4.0.98f