NEWS revision 294904
1--- 2 3NTP 4.2.8p6 4 5Focus: Security, Bug fixes, enhancements. 6 7Severity: MEDIUM 8 9In addition to bug fixes and enhancements, this release fixes the 10following X low- and Y medium-severity vulnerabilities: 11 12* Potential Infinite Loop in 'ntpq' 13 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 14 References: Sec 2548 / CVE-2015-8158 15 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 16 4.3.0 up to, but not including 4.3.90 17 CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 18 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 19 Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'. 20 The loop's only stopping conditions are receiving a complete and 21 correct response or hitting a small number of error conditions. 22 If the packet contains incorrect values that don't trigger one of 23 the error conditions, the loop continues to receive new packets. 24 Note well, this is an attack against an instance of 'ntpq', not 25 'ntpd', and this attack requires the attacker to do one of the 26 following: 27 * Own a malicious NTP server that the client trusts 28 * Prevent a legitimate NTP server from sending packets to 29 the 'ntpq' client 30 * MITM the 'ntpq' communications between the 'ntpq' client 31 and the NTP server 32 Mitigation: 33 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 34 or the NTP Public Services Project Download Page 35 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 36 37* 0rigin: Zero Origin Timestamp Bypass 38 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 39 References: Sec 2945 / CVE-2015-8138 40 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 41 4.3.0 up to, but not including 4.3.90 42 CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM 43 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM 44 (3.7 - LOW if you score AC:L) 45 Summary: To distinguish legitimate peer responses from forgeries, a 46 client attempts to verify a response packet by ensuring that the 47 origin timestamp in the packet matches the origin timestamp it 48 transmitted in its last request. A logic error exists that 49 allows packets with an origin timestamp of zero to bypass this 50 check whenever there is not an outstanding request to the server. 51 Mitigation: 52 Configure 'ntpd' to get time from multiple sources. 53 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 54 or the NTP Public Services Project Download Page. 55 Monitor your 'ntpd= instances. 56 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 57 58* Stack exhaustion in recursive traversal of restriction list 59 Date Resolved: Stable (4.2.8p6) 19 Jan 2016 60 References: Sec 2940 / CVE-2015-7978 61 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 62 4.3.0 up to, but not including 4.3.90 63 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 64 Summary: An unauthenticated 'ntpdc reslist' command can cause a 65 segmentation fault in ntpd by exhausting the call stack. 66 Mitigation: 67 Implement BCP-38. 68 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 69 or the NTP Public Services Project Download Page. 70 If you are unable to upgrade: 71 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 72 If you must enable mode 7: 73 configure the use of a 'requestkey' to control who can 74 issue mode 7 requests. 75 configure 'restrict noquery' to further limit mode 7 76 requests to trusted sources. 77 Monitor your ntpd instances. 78 Credit: This weakness was discovered by Stephen Gray at Cisco ASIG. 79 80* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode 81 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 82 References: Sec 2942 / CVE-2015-7979 83 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 84 4.3.0 up to, but not including 4.3.90 85 CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8 86 Summary: An off-path attacker can send broadcast packets with bad 87 authentication (wrong key, mismatched key, incorrect MAC, etc) 88 to broadcast clients. It is observed that the broadcast client 89 tears down the association with the broadcast server upon 90 receiving just one bad packet. 91 Mitigation: 92 Implement BCP-38. 93 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 94 or the NTP Public Services Project Download Page. 95 Monitor your 'ntpd' instances. 96 If this sort of attack is an active problem for you, you have 97 deeper problems to investigate. In this case also consider 98 having smaller NTP broadcast domains. 99 Credit: This weakness was discovered by Aanchal Malhotra of Boston 100 University. 101 102* reslist NULL pointer dereference 103 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 104 References: Sec 2939 / CVE-2015-7977 105 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 106 4.3.0 up to, but not including 4.3.90 107 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM 108 Summary: An unauthenticated 'ntpdc reslist' command can cause a 109 segmentation fault in ntpd by causing a NULL pointer dereference. 110 Mitigation: 111 Implement BCP-38. 112 Upgrade to 4.2.8p6, or later, from NTP Project Download Page or 113 the NTP Public Services Project Download Page. 114 If you are unable to upgrade: 115 mode 7 is disabled by default. Don't enable it. 116 If you must enable mode 7: 117 configure the use of a 'requestkey' to control who can 118 issue mode 7 requests. 119 configure 'restrict noquery' to further limit mode 7 120 requests to trusted sources. 121 Monitor your ntpd instances. 122 Credit: This weakness was discovered by Stephen Gray of Cisco ASIG. 123 124* 'ntpq saveconfig' command allows dangerous characters in filenames. 125 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 126 References: Sec 2938 / CVE-2015-7976 127 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 128 4.3.0 up to, but not including 4.3.90 129 CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM 130 Summary: The ntpq saveconfig command does not do adequate filtering 131 of special characters from the supplied filename. 132 Note well: The ability to use the saveconfig command is controlled 133 by the 'restrict nomodify' directive, and the recommended default 134 configuration is to disable this capability. If the ability to 135 execute a 'saveconfig' is required, it can easily (and should) be 136 limited and restricted to a known small number of IP addresses. 137 Mitigation: 138 Implement BCP-38. 139 use 'restrict default nomodify' in your 'ntp.conf' file. 140 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page. 141 If you are unable to upgrade: 142 build NTP with 'configure --disable-saveconfig' if you will 143 never need this capability, or 144 use 'restrict default nomodify' in your 'ntp.conf' file. Be 145 careful about what IPs have the ability to send 'modify' 146 requests to 'ntpd'. 147 Monitor your ntpd instances. 148 'saveconfig' requests are logged to syslog - monitor your syslog files. 149 Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG. 150 151* nextvar() missing length check in ntpq 152 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 153 References: Sec 2937 / CVE-2015-7975 154 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 155 4.3.0 up to, but not including 4.3.90 156 CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW 157 If you score A:C, this becomes 4.0. 158 CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW 159 Summary: ntpq may call nextvar() which executes a memcpy() into the 160 name buffer without a proper length check against its maximum 161 length of 256 bytes. Note well that we're taking about ntpq here. 162 The usual worst-case effect of this vulnerability is that the 163 specific instance of ntpq will crash and the person or process 164 that did this will have stopped themselves. 165 Mitigation: 166 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 167 or the NTP Public Services Project Download Page. 168 If you are unable to upgrade: 169 If you have scripts that feed input to ntpq make sure there are 170 some sanity checks on the input received from the "outside". 171 This is potentially more dangerous if ntpq is run as root. 172 Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG. 173 174* Skeleton Key: Any trusted key system can serve time 175 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 176 References: Sec 2936 / CVE-2015-7974 177 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 178 4.3.0 up to, but not including 4.3.90 179 CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9 180 Summary: Symmetric key encryption uses a shared trusted key. The 181 reported title for this issue was "Missing key check allows 182 impersonation between authenticated peers" and the report claimed 183 "A key specified only for one server should only work to 184 authenticate that server, other trusted keys should be refused." 185 Except there has never been any correlation between this trusted 186 key and server v. clients machines and there has never been any 187 way to specify a key only for one server. We have treated this as 188 an enhancement request, and ntp-4.2.8p6 includes other checks and 189 tests to strengthen clients against attacks coming from broadcast 190 servers. 191 Mitigation: 192 Implement BCP-38. 193 If this scenario represents a real or a potential issue for you, 194 upgrade to 4.2.8p6, or later, from the NTP Project Download 195 Page or the NTP Public Services Project Download Page, and 196 use the new field in the ntp.keys file that specifies the list 197 of IPs that are allowed to serve time. Note that this alone 198 will not protect against time packets with forged source IP 199 addresses, however other changes in ntp-4.2.8p6 provide 200 significant mitigation against broadcast attacks. MITM attacks 201 are a different story. 202 If you are unable to upgrade: 203 Don't use broadcast mode if you cannot monitor your client 204 servers. 205 If you choose to use symmetric keys to authenticate time 206 packets in a hostile environment where ephemeral time 207 servers can be created, or if it is expected that malicious 208 time servers will participate in an NTP broadcast domain, 209 limit the number of participating systems that participate 210 in the shared-key group. 211 Monitor your ntpd instances. 212 Credit: This weakness was discovered by Matt Street of Cisco ASIG. 213 214* Deja Vu: Replay attack on authenticated broadcast mode 215 Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016 216 References: Sec 2935 / CVE-2015-7973 217 Affects: All ntp-4 releases up to, but not including 4.2.8p6, and 218 4.3.0 up to, but not including 4.3.90 219 CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM 220 Summary: If an NTP network is configured for broadcast operations then 221 either a man-in-the-middle attacker or a malicious participant 222 that has the same trusted keys as the victim can replay time packets. 223 Mitigation: 224 Implement BCP-38. 225 Upgrade to 4.2.8p6, or later, from the NTP Project Download Page 226 or the NTP Public Services Project Download Page. 227 If you are unable to upgrade: 228 Don't use broadcast mode if you cannot monitor your client servers. 229 Monitor your ntpd instances. 230 Credit: This weakness was discovered by Aanchal Malhotra of Boston 231 University. 232 233Other fixes: 234 235* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org 236* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org 237 - applied patch by shenpeng11@huawei.com with minor adjustments 238* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org 239* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org 240* [Bug 2892] Several test cases assume IPv6 capabilities even when 241 IPv6 is disabled in the build. perlinger@ntp.org 242 - Found this already fixed, but validation led to cleanup actions. 243* [Bug 2905] DNS lookups broken. perlinger@ntp.org 244 - added limits to stack consumption, fixed some return code handling 245* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 246 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 247 - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org 248* [Bug 2980] reduce number of warnings. perlinger@ntp.org 249 - integrated several patches from Havard Eidnes (he@uninett.no) 250* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org 251 - implement 'auth_log2()' using integer bithack instead of float calculation 252* Make leapsec_query debug messages less verbose. Harlan Stenn. 253 254--- 255 256NTP 4.2.8p5 257 258Focus: Security, Bug fixes, enhancements. 259 260Severity: MEDIUM 261 262In addition to bug fixes and enhancements, this release fixes the 263following medium-severity vulnerability: 264 265* Small-step/big-step. Close the panic gate earlier. 266 References: Sec 2956, CVE-2015-5300 267 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 268 4.3.0 up to, but not including 4.3.78 269 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM 270 Summary: If ntpd is always started with the -g option, which is 271 common and against long-standing recommendation, and if at the 272 moment ntpd is restarted an attacker can immediately respond to 273 enough requests from enough sources trusted by the target, which 274 is difficult and not common, there is a window of opportunity 275 where the attacker can cause ntpd to set the time to an 276 arbitrary value. Similarly, if an attacker is able to respond 277 to enough requests from enough sources trusted by the target, 278 the attacker can cause ntpd to abort and restart, at which 279 point it can tell the target to set the time to an arbitrary 280 value if and only if ntpd was re-started against long-standing 281 recommendation with the -g flag, or if ntpd was not given the 282 -g flag, the attacker can move the target system's time by at 283 most 900 seconds' time per attack. 284 Mitigation: 285 Configure ntpd to get time from multiple sources. 286 Upgrade to 4.2.8p5, or later, from the NTP Project Download 287 Page or the NTP Public Services Project Download Page 288 As we've long documented, only use the -g option to ntpd in 289 cold-start situations. 290 Monitor your ntpd instances. 291 Credit: This weakness was discovered by Aanchal Malhotra, 292 Isaac E. Cohen, and Sharon Goldberg at Boston University. 293 294 NOTE WELL: The -g flag disables the limit check on the panic_gate 295 in ntpd, which is 900 seconds by default. The bug identified by 296 the researchers at Boston University is that the panic_gate 297 check was only re-enabled after the first change to the system 298 clock that was greater than 128 milliseconds, by default. The 299 correct behavior is that the panic_gate check should be 300 re-enabled after any initial time correction. 301 302 If an attacker is able to inject consistent but erroneous time 303 responses to your systems via the network or "over the air", 304 perhaps by spoofing radio, cellphone, or navigation satellite 305 transmissions, they are in a great position to affect your 306 system's clock. There comes a point where your very best 307 defenses include: 308 309 Configure ntpd to get time from multiple sources. 310 Monitor your ntpd instances. 311 312Other fixes: 313 314* Coverity submission process updated from Coverity 5 to Coverity 7. 315 The NTP codebase has been undergoing regular Coverity scans on an 316 ongoing basis since 2006. As part of our recent upgrade from 317 Coverity 5 to Coverity 7, Coverity identified 16 nits in some of 318 the newly-written Unity test programs. These were fixed. 319* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org 320* [Bug 2887] stratum -1 config results as showing value 99 321 - fudge stratum should only accept values [0..16]. perlinger@ntp.org 322* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. 323* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray 324* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. 325 - applied patch by Christos Zoulas. perlinger@ntp.org 326* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. 327* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. 328 - fixed data race conditions in threaded DNS worker. perlinger@ntp.org 329 - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org 330* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org 331 - accept key file only if there are no parsing errors 332 - fixed size_t/u_int format clash 333 - fixed wrong use of 'strlcpy' 334* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. 335* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org 336 - fixed several other warnings (cast-alignment, missing const, missing prototypes) 337 - promote use of 'size_t' for values that express a size 338 - use ptr-to-const for read-only arguments 339 - make sure SOCKET values are not truncated (win32-specific) 340 - format string fixes 341* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. 342* [Bug 2967] ntpdate command suffers an assertion failure 343 - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org 344* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with 345 lots of clients. perlinger@ntp.org 346* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call 347 - changed stacked/nested handling of CTRL-C. perlinger@ntp.org 348* Unity cleanup for FreeBSD-6.4. Harlan Stenn. 349* Unity test cleanup. Harlan Stenn. 350* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. 351* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. 352* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. 353* Quiet a warning from clang. Harlan Stenn. 354 355--- 356NTP 4.2.8p4 357 358Focus: Security, Bug fixes, enhancements. 359 360Severity: MEDIUM 361 362In addition to bug fixes and enhancements, this release fixes the 363following 13 low- and medium-severity vulnerabilities: 364 365* Incomplete vallen (value length) checks in ntp_crypto.c, leading 366 to potential crashes or potential code injection/information leakage. 367 368 References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 369 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 370 and 4.3.0 up to, but not including 4.3.77 371 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 372 Summary: The fix for CVE-2014-9750 was incomplete in that there were 373 certain code paths where a packet with particular autokey operations 374 that contained malicious data was not always being completely 375 validated. Receipt of these packets can cause ntpd to crash. 376 Mitigation: 377 Don't use autokey. 378 Upgrade to 4.2.8p4, or later, from the NTP Project Download 379 Page or the NTP Public Services Project Download Page 380 Monitor your ntpd instances. 381 Credit: This weakness was discovered by Tenable Network Security. 382 383* Clients that receive a KoD should validate the origin timestamp field. 384 385 References: Sec 2901 / CVE-2015-7704, CVE-2015-7705 386 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 387 and 4.3.0 up to, but not including 4.3.77 388 CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst 389 Summary: An ntpd client that honors Kiss-of-Death responses will honor 390 KoD messages that have been forged by an attacker, causing it to 391 delay or stop querying its servers for time updates. Also, an 392 attacker can forge packets that claim to be from the target and 393 send them to servers often enough that a server that implements 394 KoD rate limiting will send the target machine a KoD response to 395 attempt to reduce the rate of incoming packets, or it may also 396 trigger a firewall block at the server for packets from the target 397 machine. For either of these attacks to succeed, the attacker must 398 know what servers the target is communicating with. An attacker 399 can be anywhere on the Internet and can frequently learn the 400 identity of the target's time source by sending the target a 401 time query. 402 Mitigation: 403 Implement BCP-38. 404 Upgrade to 4.2.8p4, or later, from the NTP Project Download Page 405 or the NTP Public Services Project Download Page 406 If you can't upgrade, restrict who can query ntpd to learn who 407 its servers are, and what IPs are allowed to ask your system 408 for the time. This mitigation is heavy-handed. 409 Monitor your ntpd instances. 410 Note: 411 4.2.8p4 protects against the first attack. For the second attack, 412 all we can do is warn when it is happening, which we do in 4.2.8p4. 413 Credit: This weakness was discovered by Aanchal Malhotra, 414 Issac E. Cohen, and Sharon Goldberg of Boston University. 415 416* configuration directives to change "pidfile" and "driftfile" should 417 only be allowed locally. 418 419 References: Sec 2902 / CVE-2015-5196 420 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 421 and 4.3.0 up to, but not including 4.3.77 422 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case 423 Summary: If ntpd is configured to allow for remote configuration, 424 and if the (possibly spoofed) source IP address is allowed to 425 send remote configuration requests, and if the attacker knows 426 the remote configuration password, it's possible for an attacker 427 to use the "pidfile" or "driftfile" directives to potentially 428 overwrite other files. 429 Mitigation: 430 Implement BCP-38. 431 Upgrade to 4.2.8p4, or later, from the NTP Project Download 432 Page or the NTP Public Services Project Download Page 433 If you cannot upgrade, don't enable remote configuration. 434 If you must enable remote configuration and cannot upgrade, 435 remote configuration of NTF's ntpd requires: 436 - an explicitly configured trustedkey, and you should also 437 configure a controlkey. 438 - access from a permitted IP. You choose the IPs. 439 - authentication. Don't disable it. Practice secure key safety. 440 Monitor your ntpd instances. 441 Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 442 443* Slow memory leak in CRYPTO_ASSOC 444 445 References: Sec 2909 / CVE-2015-7701 446 Affects: All ntp-4 releases that use autokey up to, but not 447 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 448 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case, 449 4.6 otherwise 450 Summary: If ntpd is configured to use autokey, then an attacker can 451 send packets to ntpd that will, after several days of ongoing 452 attack, cause it to run out of memory. 453 Mitigation: 454 Don't use autokey. 455 Upgrade to 4.2.8p4, or later, from the NTP Project Download 456 Page or the NTP Public Services Project Download Page 457 Monitor your ntpd instances. 458 Credit: This weakness was discovered by Tenable Network Security. 459 460* mode 7 loop counter underrun 461 462 References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052 463 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 464 and 4.3.0 up to, but not including 4.3.77 465 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6 466 Summary: If ntpd is configured to enable mode 7 packets, and if the 467 use of mode 7 packets is not properly protected thru the use of 468 the available mode 7 authentication and restriction mechanisms, 469 and if the (possibly spoofed) source IP address is allowed to 470 send mode 7 queries, then an attacker can send a crafted packet 471 to ntpd that will cause it to crash. 472 Mitigation: 473 Implement BCP-38. 474 Upgrade to 4.2.8p4, or later, from the NTP Project Download 475 Page or the NTP Public Services Project Download Page. 476 If you are unable to upgrade: 477 In ntp-4.2.8, mode 7 is disabled by default. Don't enable it. 478 If you must enable mode 7: 479 configure the use of a requestkey to control who can issue 480 mode 7 requests. 481 configure restrict noquery to further limit mode 7 requests 482 to trusted sources. 483 Monitor your ntpd instances. 484Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 485 486* memory corruption in password store 487 488 References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054 489 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 490 CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case 491 Summary: If ntpd is configured to allow remote configuration, and if 492 the (possibly spoofed) source IP address is allowed to send 493 remote configuration requests, and if the attacker knows the 494 remote configuration password or if ntpd was configured to 495 disable authentication, then an attacker can send a set of 496 packets to ntpd that may cause a crash or theoretically 497 perform a code injection attack. 498 Mitigation: 499 Implement BCP-38. 500 Upgrade to 4.2.8p4, or later, from the NTP Project Download 501 Page or the NTP Public Services Project Download Page. 502 If you are unable to upgrade, remote configuration of NTF's 503 ntpd requires: 504 an explicitly configured "trusted" key. Only configure 505 this if you need it. 506 access from a permitted IP address. You choose the IPs. 507 authentication. Don't disable it. Practice secure key safety. 508 Monitor your ntpd instances. 509 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 510 511* Infinite loop if extended logging enabled and the logfile and 512 keyfile are the same. 513 514 References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055 515 Affects: All ntp-4 releases up to, but not including 4.2.8p4, 516 and 4.3.0 up to, but not including 4.3.77 517 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 518 Summary: If ntpd is configured to allow remote configuration, and if 519 the (possibly spoofed) source IP address is allowed to send 520 remote configuration requests, and if the attacker knows the 521 remote configuration password or if ntpd was configured to 522 disable authentication, then an attacker can send a set of 523 packets to ntpd that will cause it to crash and/or create a 524 potentially huge log file. Specifically, the attacker could 525 enable extended logging, point the key file at the log file, 526 and cause what amounts to an infinite loop. 527 Mitigation: 528 Implement BCP-38. 529 Upgrade to 4.2.8p4, or later, from the NTP Project Download 530 Page or the NTP Public Services Project Download Page. 531 If you are unable to upgrade, remote configuration of NTF's ntpd 532 requires: 533 an explicitly configured "trusted" key. Only configure this 534 if you need it. 535 access from a permitted IP address. You choose the IPs. 536 authentication. Don't disable it. Practice secure key safety. 537 Monitor your ntpd instances. 538 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 539 540* Potential path traversal vulnerability in the config file saving of 541 ntpd on VMS. 542 543 References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062 544 Affects: All ntp-4 releases running under VMS up to, but not 545 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 546 CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case 547 Summary: If ntpd is configured to allow remote configuration, and if 548 the (possibly spoofed) IP address is allowed to send remote 549 configuration requests, and if the attacker knows the remote 550 configuration password or if ntpd was configured to disable 551 authentication, then an attacker can send a set of packets to 552 ntpd that may cause ntpd to overwrite files. 553 Mitigation: 554 Implement BCP-38. 555 Upgrade to 4.2.8p4, or later, from the NTP Project Download 556 Page or the NTP Public Services Project Download Page. 557 If you are unable to upgrade, remote configuration of NTF's ntpd 558 requires: 559 an explicitly configured "trusted" key. Only configure 560 this if you need it. 561 access from permitted IP addresses. You choose the IPs. 562 authentication. Don't disable it. Practice key security safety. 563 Monitor your ntpd instances. 564 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 565 566* ntpq atoascii() potential memory corruption 567 568 References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063 569 Affects: All ntp-4 releases running up to, but not including 4.2.8p4, 570 and 4.3.0 up to, but not including 4.3.77 571 CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case 572 Summary: If an attacker can figure out the precise moment that ntpq 573 is listening for data and the port number it is listening on or 574 if the attacker can provide a malicious instance ntpd that 575 victims will connect to then an attacker can send a set of 576 crafted mode 6 response packets that, if received by ntpq, 577 can cause ntpq to crash. 578 Mitigation: 579 Implement BCP-38. 580 Upgrade to 4.2.8p4, or later, from the NTP Project Download 581 Page or the NTP Public Services Project Download Page. 582 If you are unable to upgrade and you run ntpq against a server 583 and ntpq crashes, try again using raw mode. Build or get a 584 patched ntpq and see if that fixes the problem. Report new 585 bugs in ntpq or abusive servers appropriately. 586 If you use ntpq in scripts, make sure ntpq does what you expect 587 in your scripts. 588 Credit: This weakness was discovered by Yves Younan and 589 Aleksander Nikolich of Cisco Talos. 590 591* Invalid length data provided by a custom refclock driver could cause 592 a buffer overflow. 593 594 References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064 595 Affects: Potentially all ntp-4 releases running up to, but not 596 including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77 597 that have custom refclocks 598 CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case, 599 5.9 unusual worst case 600 Summary: A negative value for the datalen parameter will overflow a 601 data buffer. NTF's ntpd driver implementations always set this 602 value to 0 and are therefore not vulnerable to this weakness. 603 If you are running a custom refclock driver in ntpd and that 604 driver supplies a negative value for datalen (no custom driver 605 of even minimal competence would do this) then ntpd would 606 overflow a data buffer. It is even hypothetically possible 607 in this case that instead of simply crashing ntpd the attacker 608 could effect a code injection attack. 609 Mitigation: 610 Upgrade to 4.2.8p4, or later, from the NTP Project Download 611 Page or the NTP Public Services Project Download Page. 612 If you are unable to upgrade: 613 If you are running custom refclock drivers, make sure 614 the signed datalen value is either zero or positive. 615 Monitor your ntpd instances. 616 Credit: This weakness was discovered by Yves Younan of Cisco Talos. 617 618* Password Length Memory Corruption Vulnerability 619 620 References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065 621 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 622 4.3.0 up to, but not including 4.3.77 623 CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case, 624 1.7 usual case, 6.8, worst case 625 Summary: If ntpd is configured to allow remote configuration, and if 626 the (possibly spoofed) source IP address is allowed to send 627 remote configuration requests, and if the attacker knows the 628 remote configuration password or if ntpd was (foolishly) 629 configured to disable authentication, then an attacker can 630 send a set of packets to ntpd that may cause it to crash, 631 with the hypothetical possibility of a small code injection. 632 Mitigation: 633 Implement BCP-38. 634 Upgrade to 4.2.8p4, or later, from the NTP Project Download 635 Page or the NTP Public Services Project Download Page. 636 If you are unable to upgrade, remote configuration of NTF's 637 ntpd requires: 638 an explicitly configured "trusted" key. Only configure 639 this if you need it. 640 access from a permitted IP address. You choose the IPs. 641 authentication. Don't disable it. Practice secure key safety. 642 Monitor your ntpd instances. 643 Credit: This weakness was discovered by Yves Younan and 644 Aleksander Nikolich of Cisco Talos. 645 646* decodenetnum() will ASSERT botch instead of returning FAIL on some 647 bogus values. 648 649 References: Sec 2922 / CVE-2015-7855 650 Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 651 4.3.0 up to, but not including 4.3.77 652 CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case 653 Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing 654 an unusually long data value where a network address is expected, 655 the decodenetnum() function will abort with an assertion failure 656 instead of simply returning a failure condition. 657 Mitigation: 658 Implement BCP-38. 659 Upgrade to 4.2.8p4, or later, from the NTP Project Download 660 Page or the NTP Public Services Project Download Page. 661 If you are unable to upgrade: 662 mode 7 is disabled by default. Don't enable it. 663 Use restrict noquery to limit who can send mode 6 664 and mode 7 requests. 665 Configure and use the controlkey and requestkey 666 authentication directives to limit who can 667 send mode 6 and mode 7 requests. 668 Monitor your ntpd instances. 669 Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 670 671* NAK to the Future: Symmetric association authentication bypass via 672 crypto-NAK. 673 674 References: Sec 2941 / CVE-2015-7871 675 Affects: All ntp-4 releases between 4.2.5p186 up to but not including 676 4.2.8p4, and 4.3.0 up to but not including 4.3.77 677 CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4 678 Summary: Crypto-NAK packets can be used to cause ntpd to accept time 679 from unauthenticated ephemeral symmetric peers by bypassing the 680 authentication required to mobilize peer associations. This 681 vulnerability appears to have been introduced in ntp-4.2.5p186 682 when the code handling mobilization of new passive symmetric 683 associations (lines 1103-1165) was refactored. 684 Mitigation: 685 Implement BCP-38. 686 Upgrade to 4.2.8p4, or later, from the NTP Project Download 687 Page or the NTP Public Services Project Download Page. 688 If you are unable to upgrade: 689 Apply the patch to the bottom of the "authentic" check 690 block around line 1136 of ntp_proto.c. 691 Monitor your ntpd instances. 692 Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>. 693 694Backward-Incompatible changes: 695* [Bug 2817] Default on Linux is now "rlimit memlock -1". 696 While the general default of 32M is still the case, under Linux 697 the default value has been changed to -1 (do not lock ntpd into 698 memory). A value of 0 means "lock ntpd into memory with whatever 699 memory it needs." If your ntp.conf file has an explicit "rlimit memlock" 700 value in it, that value will continue to be used. 701 702* [Bug 2886] Misspelling: "outlyer" should be "outlier". 703 If you've written a script that looks for this case in, say, the 704 output of ntpq, you probably want to change your regex matches 705 from 'outlyer' to 'outl[iy]er'. 706 707New features in this release: 708* 'rlimit memlock' now has finer-grained control. A value of -1 means 709 "don't lock ntpd into memore". This is the default for Linux boxes. 710 A value of 0 means "lock ntpd into memory" with no limits. Otherwise 711 the value is the number of megabytes of memory to lock. The default 712 is 32 megabytes. 713 714* The old Google Test framework has been replaced with a new framework, 715 based on http://www.throwtheswitch.org/unity/ . 716 717Bug Fixes and Improvements: 718* [Bug 2332] (reopened) Exercise thread cancellation once before dropping 719 privileges and limiting resources in NTPD removes the need to link 720 forcefully against 'libgcc_s' which does not always work. J.Perlinger 721* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn. 722* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. 723* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn. 724* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. perlinger@ntp.org 725* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. 726* [Bug 2849] Systems with more than one default route may never 727 synchronize. Brian Utterback. Note that this patch might need to 728 be reverted once Bug 2043 has been fixed. 729* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger 730* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. 731* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger 732* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn 733* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn 734* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must 735 be configured for the distribution targets. Harlan Stenn. 736* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. 737* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". dave@horsfall.org 738* [Bug 2888] streamline calendar functions. perlinger@ntp.org 739* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. perlinger@ntp.org 740* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. 741* [Bug 2906] make check needs better support for pthreads. Harlan Stenn. 742* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn. 743* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn. 744* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn. 745* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn. 746* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn. 747* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn. 748* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn. 749* top_srcdir can change based on ntp v. sntp. Harlan Stenn. 750* sntp/tests/ function parameter list cleanup. Damir Tomi��. 751* tests/libntp/ function parameter list cleanup. Damir Tomi��. 752* tests/ntpd/ function parameter list cleanup. Damir Tomi��. 753* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn. 754* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn. 755* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomi��. 756* tests/libntp/ improvements in code and fixed error printing. Damir Tomi��. 757* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 758 caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed 759 formatting; first declaration, then code (C90); deleted unnecessary comments; 760 changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich 761* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments, 762 fix formatting, cleanup. Tomasz Flendrich 763* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting. 764 Tomasz Flendrich 765* tests/libntp/statestr.c remove empty functions, remove unnecessary include, 766 fix formatting. Tomasz Flendrich 767* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich 768* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich 769* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting. 770 Tomasz Flendrich 771* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich 772* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich 773* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich 774* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich 775* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich 776* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting. 777* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include, 778fixed formatting. Tomasz Flendrich 779* tests/libntp/timespecops.c fixed formatting, fixed the order of includes, 780 removed unnecessary comments, cleanup. Tomasz Flendrich 781* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary 782 comments, cleanup. Tomasz Flendrich 783* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting. 784 Tomasz Flendrich 785* tests/libntp/lfptest.h cleanup. Tomasz Flendrich 786* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich 787* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting. 788 Tomasz Flendrich 789* sntp/tests/kodDatabase.c added consts, deleted empty function, 790 fixed formatting. Tomasz Flendrich 791* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich 792* sntp/tests/packetHandling.c is now using proper Unity's assertions, 793 fixed formatting, deleted unused variable. Tomasz Flendrich 794* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting. 795 Tomasz Flendrich 796* sntp/tests/packetProcessing.c changed from sprintf to snprintf, 797 fixed formatting. Tomasz Flendrich 798* sntp/tests/utilities.c is now using proper Unity's assertions, changed 799 the order of includes, fixed formatting, removed unnecessary comments. 800 Tomasz Flendrich 801* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich 802* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem, 803 made one function do its job, deleted unnecessary prints, fixed formatting. 804 Tomasz Flendrich 805* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich 806* sntp/unity/unity_config.h: Distribute it. Harlan Stenn. 807* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn. 808* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn. 809* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn. 810* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn. 811* Don't build sntp/libevent/sample/. Harlan Stenn. 812* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn. 813* br-flock: --enable-local-libevent. Harlan Stenn. 814* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich 815* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn. 816* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn. 817* Code cleanup. Harlan Stenn. 818* libntp/icom.c: Typo fix. Harlan Stenn. 819* util/ntptime.c: initialization nit. Harlan Stenn. 820* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn. 821* Add std_unity_tests to various Makefile.am files. Harlan Stenn. 822* ntpd/ntp_restrict.c: added a few assertions, created tests for this file. 823 Tomasz Flendrich 824* Changed progname to be const in many files - now it's consistent. Tomasz 825 Flendrich 826* Typo fix for GCC warning suppression. Harlan Stenn. 827* Added tests/ntpd/ntp_scanner.c test. Damir Tomi��. 828* Added declarations to all Unity tests, and did minor fixes to them. 829 Reduced the number of warnings by half. Damir Tomi��. 830* Updated generate_test_runner.rb and updated the sntp/unity/auto directory 831 with the latest Unity updates from Mark. Damir Tomi��. 832* Retire google test - phase I. Harlan Stenn. 833* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn. 834* Update the NEWS file. Harlan Stenn. 835* Autoconf cleanup. Harlan Stenn. 836* Unit test dist cleanup. Harlan Stenn. 837* Cleanup various test Makefile.am files. Harlan Stenn. 838* Pthread autoconf macro cleanup. Harlan Stenn. 839* Fix progname definition in unity runner scripts. Harlan Stenn. 840* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn. 841* Update the patch for bug 2817. Harlan Stenn. 842* More updates for bug 2817. Harlan Stenn. 843* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn. 844* gcc on older HPUX may need +allowdups. Harlan Stenn. 845* Adding missing MCAST protection. Harlan Stenn. 846* Disable certain test programs on certain platforms. Harlan Stenn. 847* Implement --enable-problem-tests (on by default). Harlan Stenn. 848* build system tweaks. Harlan Stenn. 849 850--- 851NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 852 853Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 854 855Severity: MEDIUM 856 857Security Fix: 858 859* [Sec 2853] Crafted remote config packet can crash some versions of 860 ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. 861 862Under specific circumstances an attacker can send a crafted packet to 863cause a vulnerable ntpd instance to crash. This requires each of the 864following to be true: 865 8661) ntpd set up to allow remote configuration (not allowed by default), and 8672) knowledge of the configuration password, and 8683) access to a computer entrusted to perform remote configuration. 869 870This vulnerability is considered low-risk. 871 872New features in this release: 873 874Optional (disabled by default) support to have ntpd provide smeared 875leap second time. A specially built and configured ntpd will only 876offer smeared time in response to client packets. These response 877packets will also contain a "refid" of 254.a.b.c, where the 24 bits 878of a, b, and c encode the amount of smear in a 2:22 integer:fraction 879format. See README.leapsmear and http://bugs.ntp.org/2855 for more 880information. 881 882 *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* 883 *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* 884 885We've imported the Unity test framework, and have begun converting 886the existing google-test items to this new framework. If you want 887to write new tests or change old ones, you'll need to have ruby 888installed. You don't need ruby to run the test suite. 889 890Bug Fixes and Improvements: 891 892* CID 739725: Fix a rare resource leak in libevent/listener.c. 893* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776. 894* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html 895* CID 1269537: Clean up a line of dead code in getShmTime(). 896* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach. 897* [Bug 2590] autogen-5.18.5. 898* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because 899 of 'limited'. 900* [Bug 2650] fix includefile processing. 901* [Bug 2745] ntpd -x steps clock on leap second 902 Fixed an initial-value problem that caused misbehaviour in absence of 903 any leapsecond information. 904 Do leap second stepping only of the step adjustment is beyond the 905 proper jump distance limit and step correction is allowed at all. 906* [Bug 2750] build for Win64 907 Building for 32bit of loopback ppsapi needs def file 908* [Bug 2776] Improve ntpq's 'help keytype'. 909* [Bug 2778] Implement "apeers" ntpq command to include associd. 910* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection. 911* [Bug 2792] If the IFF_RUNNING interface flag is supported then an 912 interface is ignored as long as this flag is not set since the 913 interface is not usable (e.g., no link). 914* [Bug 2794] Clean up kernel clock status reports. 915* [Bug 2800] refclock_true.c true_debug() can't open debug log because 916 of incompatible open/fdopen parameters. 917* [Bug 2804] install-local-data assumes GNU 'find' semantics. 918* [Bug 2805] ntpd fails to join multicast group. 919* [Bug 2806] refclock_jjy.c supports the Telephone JJY. 920* [Bug 2808] GPSD_JSON driver enhancements, step 1. 921 Fix crash during cleanup if GPS device not present and char device. 922 Increase internal token buffer to parse all JSON data, even SKY. 923 Defer logging of errors during driver init until the first unit is 924 started, so the syslog is not cluttered when the driver is not used. 925 Various improvements, see http://bugs.ntp.org/2808 for details. 926 Changed libjsmn to a more recent version. 927* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX. 928* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h. 929* [Bug 2815] net-snmp before v5.4 has circular library dependencies. 930* [Bug 2821] Add a missing NTP_PRINTF and a missing const. 931* [Bug 2822] New leap column in sntp broke NTP::Util.pm. 932* [Bug 2824] Convert update-leap to perl. (also see 2769) 933* [Bug 2825] Quiet file installation in html/ . 934* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey 935 NTPD transfers the current TAI (instead of an announcement) now. 936 This might still needed improvement. 937 Update autokey data ASAP when 'sys_tai' changes. 938 Fix unit test that was broken by changes for autokey update. 939 Avoid potential signature length issue and use DPRINTF where possible 940 in ntp_crypto.c. 941* [Bug 2832] refclock_jjy.c supports the TDC-300. 942* [Bug 2834] Correct a broken html tag in html/refclock.html 943* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more 944 robust, and require 2 consecutive timestamps to be consistent. 945* [Bug 2837] Allow a configurable DSCP value. 946* [Bug 2837] add test for DSCP to ntpd/complete.conf.in 947* [Bug 2842] Glitch in ntp.conf.def documentation stanza. 948* [Bug 2842] Bug in mdoc2man. 949* [Bug 2843] make check fails on 4.3.36 950 Fixed compiler warnings about numeric range overflow 951 (The original topic was fixed in a byplay to bug#2830) 952* [Bug 2845] Harden memory allocation in ntpd. 953* [Bug 2852] 'make check' can't find unity.h. Hal Murray. 954* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida. 955* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn. 956* [Bug 2855] Report leap smear in the REFID. Harlan Stenn. 957* [Bug 2855] Implement conditional leap smear code. Martin Burnicki. 958* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green. 959* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green. 960* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel. 961* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. 962* html/drivers/driver22.html: typo fix. Harlan Stenn. 963* refidsmear test cleanup. Tomasz Flendrich. 964* refidsmear function support and tests. Harlan Stenn. 965* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested 966 something that was only in the 4.2.6 sntp. Harlan Stenn. 967* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests. 968 Damir Tomi�� 969* Modified tests/libtnp/Makefile.am so it builds Unity framework tests. 970 Damir Tomi�� 971* Modified sntp/tests/Makefile.am so it builds Unity framework tests. 972 Damir Tomi�� 973* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger. 974* Converted from gtest to Unity: tests/bug-2803/. Damir Tomi�� 975* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c, 976 atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c, 977 calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c, 978 numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c, 979 timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c. 980 Damir Tomi�� 981* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c, 982 networking.c, keyFile.c, utilities.cpp, sntptest.h, 983 fileHandlingTest.h. Damir Tomi�� 984* Initial support for experimental leap smear code. Harlan Stenn. 985* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn. 986* Report select() debug messages at debug level 3 now. 987* sntp/scripts/genLocInfo: treat raspbian as debian. 988* Unity test framework fixes. 989 ** Requires ruby for changes to tests. 990* Initial support for PACKAGE_VERSION tests. 991* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS. 992* tests/bug-2803/Makefile.am must distribute bug-2803.h. 993* Add an assert to the ntpq ifstats code. 994* Clean up the RLIMIT_STACK code. 995* Improve the ntpq documentation around the controlkey keyid. 996* ntpq.c cleanup. 997* Windows port build cleanup. 998 999--- 1000NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07) 1001 1002Focus: Security and Bug fixes, enhancements. 1003 1004Severity: MEDIUM 1005 1006In addition to bug fixes and enhancements, this release fixes the 1007following medium-severity vulnerabilities involving private key 1008authentication: 1009 1010* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 1011 1012 References: Sec 2779 / CVE-2015-1798 / VU#374268 1013 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not 1014 including ntp-4.2.8p2 where the installation uses symmetric keys 1015 to authenticate remote associations. 1016 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 1017 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 1018 Summary: When ntpd is configured to use a symmetric key to authenticate 1019 a remote NTP server/peer, it checks if the NTP message 1020 authentication code (MAC) in received packets is valid, but not if 1021 there actually is any MAC included. Packets without a MAC are 1022 accepted as if they had a valid MAC. This allows a MITM attacker to 1023 send false packets that are accepted by the client/peer without 1024 having to know the symmetric key. The attacker needs to know the 1025 transmit timestamp of the client to match it in the forged reply 1026 and the false reply needs to reach the client before the genuine 1027 reply from the server. The attacker doesn't necessarily need to be 1028 relaying the packets between the client and the server. 1029 1030 Authentication using autokey doesn't have this problem as there is 1031 a check that requires the key ID to be larger than NTP_MAXKEY, 1032 which fails for packets without a MAC. 1033 Mitigation: 1034 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 1035 or the NTP Public Services Project Download Page 1036 Configure ntpd with enough time sources and monitor it properly. 1037 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 1038 1039* [Sec 2781] Authentication doesn't protect symmetric associations against 1040 DoS attacks. 1041 1042 References: Sec 2781 / CVE-2015-1799 / VU#374268 1043 Affects: All NTP releases starting with at least xntp3.3wy up to but 1044 not including ntp-4.2.8p2 where the installation uses symmetric 1045 key authentication. 1046 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 1047 Note: the CVSS base Score for this issue could be 4.3 or lower, and 1048 it could be higher than 5.4. 1049 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 1050 Summary: An attacker knowing that NTP hosts A and B are peering with 1051 each other (symmetric association) can send a packet to host A 1052 with source address of B which will set the NTP state variables 1053 on A to the values sent by the attacker. Host A will then send 1054 on its next poll to B a packet with originate timestamp that 1055 doesn't match the transmit timestamp of B and the packet will 1056 be dropped. If the attacker does this periodically for both 1057 hosts, they won't be able to synchronize to each other. This is 1058 a known denial-of-service attack, described at 1059 https://www.eecis.udel.edu/~mills/onwire.html . 1060 1061 According to the document the NTP authentication is supposed to 1062 protect symmetric associations against this attack, but that 1063 doesn't seem to be the case. The state variables are updated even 1064 when authentication fails and the peers are sending packets with 1065 originate timestamps that don't match the transmit timestamps on 1066 the receiving side. 1067 1068 This seems to be a very old problem, dating back to at least 1069 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) 1070 specifications, so other NTP implementations with support for 1071 symmetric associations and authentication may be vulnerable too. 1072 An update to the NTP RFC to correct this error is in-process. 1073 Mitigation: 1074 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page 1075 or the NTP Public Services Project Download Page 1076 Note that for users of autokey, this specific style of MITM attack 1077 is simply a long-known potential problem. 1078 Configure ntpd with appropriate time sources and monitor ntpd. 1079 Alert your staff if problems are detected. 1080 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 1081 1082* New script: update-leap 1083The update-leap script will verify and if necessary, update the 1084leap-second definition file. 1085It requires the following commands in order to work: 1086 1087 wget logger tr sed shasum 1088 1089Some may choose to run this from cron. It needs more portability testing. 1090 1091Bug Fixes and Improvements: 1092 1093* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003. 1094* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument. 1095* [Bug 2346] "graceful termination" signals do not do peer cleanup. 1096* [Bug 2728] See if C99-style structure initialization works. 1097* [Bug 2747] Upgrade libevent to 2.1.5-beta. 1098* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. . 1099* [Bug 2751] jitter.h has stale copies of l_fp macros. 1100* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM. 1101* [Bug 2757] Quiet compiler warnings. 1102* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq. 1103* [Bug 2763] Allow different thresholds for forward and backward steps. 1104* [Bug 2766] ntp-keygen output files should not be world-readable. 1105* [Bug 2767] ntp-keygen -M should symlink to ntp.keys. 1106* [Bug 2771] nonvolatile value is documented in wrong units. 1107* [Bug 2773] Early leap announcement from Palisade/Thunderbolt 1108* [Bug 2774] Unreasonably verbose printout - leap pending/warning 1109* [Bug 2775] ntp-keygen.c fails to compile under Windows. 1110* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info. 1111 Removed non-ASCII characters from some copyright comments. 1112 Removed trailing whitespace. 1113 Updated definitions for Meinberg clocks from current Meinberg header files. 1114 Now use C99 fixed-width types and avoid non-ASCII characters in comments. 1115 Account for updated definitions pulled from Meinberg header files. 1116 Updated comments on Meinberg GPS receivers which are not only called GPS16x. 1117 Replaced some constant numbers by defines from ntp_calendar.h 1118 Modified creation of parse-specific variables for Meinberg devices 1119 in gps16x_message(). 1120 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates. 1121 Modified mbg_tm_str() which now expexts an additional parameter controlling 1122 if the time status shall be printed. 1123* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. 1124* [Sec 2781] Authentication doesn't protect symmetric associations against 1125 DoS attacks. 1126* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE. 1127* [Bug 2789] Quiet compiler warnings from libevent. 1128* [Bug 2790] If ntpd sets the Windows MM timer highest resolution 1129 pause briefly before measuring system clock precision to yield 1130 correct results. 1131* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer. 1132* Use predefined function types for parse driver functions 1133 used to set up function pointers. 1134 Account for changed prototype of parse_inp_fnc_t functions. 1135 Cast parse conversion results to appropriate types to avoid 1136 compiler warnings. 1137 Let ioctl() for Windows accept a (void *) to avoid compiler warnings 1138 when called with pointers to different types. 1139 1140--- 1141NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 1142 1143Focus: Security and Bug fixes, enhancements. 1144 1145Severity: HIGH 1146 1147In addition to bug fixes and enhancements, this release fixes the 1148following high-severity vulnerabilities: 1149 1150* vallen is not validated in several places in ntp_crypto.c, leading 1151 to a potential information leak or possibly a crash 1152 1153 References: Sec 2671 / CVE-2014-9297 / VU#852879 1154 Affects: All NTP4 releases before 4.2.8p1 that are running autokey. 1155 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1156 Date Resolved: Stable (4.2.8p1) 04 Feb 2015 1157 Summary: The vallen packet value is not validated in several code 1158 paths in ntp_crypto.c which can lead to information leakage 1159 or perhaps a crash of the ntpd process. 1160 Mitigation - any of: 1161 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 1162 or the NTP Public Services Project Download Page. 1163 Disable Autokey Authentication by removing, or commenting out, 1164 all configuration directives beginning with the "crypto" 1165 keyword in your ntp.conf file. 1166 Credit: This vulnerability was discovered by Stephen Roettger of the 1167 Google Security Team, with additional cases found by Sebastian 1168 Krahmer of the SUSE Security Team and Harlan Stenn of Network 1169 Time Foundation. 1170 1171* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses 1172 can be bypassed. 1173 1174 References: Sec 2672 / CVE-2014-9298 / VU#852879 1175 Affects: All NTP4 releases before 4.2.8p1, under at least some 1176 versions of MacOS and Linux. *BSD has not been seen to be vulnerable. 1177 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 1178 Date Resolved: Stable (4.2.8p1) 04 Feb 2014 1179 Summary: While available kernels will prevent 127.0.0.1 addresses 1180 from "appearing" on non-localhost IPv4 interfaces, some kernels 1181 do not offer the same protection for ::1 source addresses on 1182 IPv6 interfaces. Since NTP's access control is based on source 1183 address and localhost addresses generally have no restrictions, 1184 an attacker can send malicious control and configuration packets 1185 by spoofing ::1 addresses from the outside. Note Well: This is 1186 not really a bug in NTP, it's a problem with some OSes. If you 1187 have one of these OSes where ::1 can be spoofed, ALL ::1 -based 1188 ACL restrictions on any application can be bypassed! 1189 Mitigation: 1190 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page 1191 or the NTP Public Services Project Download Page 1192 Install firewall rules to block packets claiming to come from 1193 ::1 from inappropriate network interfaces. 1194 Credit: This vulnerability was discovered by Stephen Roettger of 1195 the Google Security Team. 1196 1197Additionally, over 30 bugfixes and improvements were made to the codebase. 1198See the ChangeLog for more information. 1199 1200--- 1201NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18) 1202 1203Focus: Security and Bug fixes, enhancements. 1204 1205Severity: HIGH 1206 1207In addition to bug fixes and enhancements, this release fixes the 1208following high-severity vulnerabilities: 1209 1210************************** vv NOTE WELL vv ***************************** 1211 1212The vulnerabilities listed below can be significantly mitigated by 1213following the BCP of putting 1214 1215 restrict default ... noquery 1216 1217in the ntp.conf file. With the exception of: 1218 1219 receive(): missing return on error 1220 References: Sec 2670 / CVE-2014-9296 / VU#852879 1221 1222below (which is a limited-risk vulnerability), none of the recent 1223vulnerabilities listed below can be exploited if the source IP is 1224restricted from sending a 'query'-class packet by your ntp.conf file. 1225 1226************************** ^^ NOTE WELL ^^ ***************************** 1227 1228* Weak default key in config_auth(). 1229 1230 References: [Sec 2665] / CVE-2014-9293 / VU#852879 1231 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 1232 Vulnerable Versions: all releases prior to 4.2.7p11 1233 Date Resolved: 28 Jan 2010 1234 1235 Summary: If no 'auth' key is set in the configuration file, ntpd 1236 would generate a random key on the fly. There were two 1237 problems with this: 1) the generated key was 31 bits in size, 1238 and 2) it used the (now weak) ntp_random() function, which was 1239 seeded with a 32-bit value and could only provide 32 bits of 1240 entropy. This was sufficient back in the late 1990s when the 1241 code was written. Not today. 1242 1243 Mitigation - any of: 1244 - Upgrade to 4.2.7p11 or later. 1245 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1246 1247 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta 1248 of the Google Security Team. 1249 1250* Non-cryptographic random number generator with weak seed used by 1251 ntp-keygen to generate symmetric keys. 1252 1253 References: [Sec 2666] / CVE-2014-9294 / VU#852879 1254 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 1255 Vulnerable Versions: All NTP4 releases before 4.2.7p230 1256 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 1257 1258 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to 1259 prepare a random number generator that was of good quality back 1260 in the late 1990s. The random numbers produced was then used to 1261 generate symmetric keys. In ntp-4.2.8 we use a current-technology 1262 cryptographic random number generator, either RAND_bytes from 1263 OpenSSL, or arc4random(). 1264 1265 Mitigation - any of: 1266 - Upgrade to 4.2.7p230 or later. 1267 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1268 1269 Credit: This vulnerability was discovered in ntp-4.2.6 by 1270 Stephen Roettger of the Google Security Team. 1271 1272* Buffer overflow in crypto_recv() 1273 1274 References: Sec 2667 / CVE-2014-9295 / VU#852879 1275 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1276 Versions: All releases before 4.2.8 1277 Date Resolved: Stable (4.2.8) 18 Dec 2014 1278 1279 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf 1280 file contains a 'crypto pw ...' directive) a remote attacker 1281 can send a carefully crafted packet that can overflow a stack 1282 buffer and potentially allow malicious code to be executed 1283 with the privilege level of the ntpd process. 1284 1285 Mitigation - any of: 1286 - Upgrade to 4.2.8, or later, or 1287 - Disable Autokey Authentication by removing, or commenting out, 1288 all configuration directives beginning with the crypto keyword 1289 in your ntp.conf file. 1290 1291 Credit: This vulnerability was discovered by Stephen Roettger of the 1292 Google Security Team. 1293 1294* Buffer overflow in ctl_putdata() 1295 1296 References: Sec 2668 / CVE-2014-9295 / VU#852879 1297 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1298 Versions: All NTP4 releases before 4.2.8 1299 Date Resolved: Stable (4.2.8) 18 Dec 2014 1300 1301 Summary: A remote attacker can send a carefully crafted packet that 1302 can overflow a stack buffer and potentially allow malicious 1303 code to be executed with the privilege level of the ntpd process. 1304 1305 Mitigation - any of: 1306 - Upgrade to 4.2.8, or later. 1307 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1308 1309 Credit: This vulnerability was discovered by Stephen Roettger of the 1310 Google Security Team. 1311 1312* Buffer overflow in configure() 1313 1314 References: Sec 2669 / CVE-2014-9295 / VU#852879 1315 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 1316 Versions: All NTP4 releases before 4.2.8 1317 Date Resolved: Stable (4.2.8) 18 Dec 2014 1318 1319 Summary: A remote attacker can send a carefully crafted packet that 1320 can overflow a stack buffer and potentially allow malicious 1321 code to be executed with the privilege level of the ntpd process. 1322 1323 Mitigation - any of: 1324 - Upgrade to 4.2.8, or later. 1325 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file. 1326 1327 Credit: This vulnerability was discovered by Stephen Roettger of the 1328 Google Security Team. 1329 1330* receive(): missing return on error 1331 1332 References: Sec 2670 / CVE-2014-9296 / VU#852879 1333 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 1334 Versions: All NTP4 releases before 4.2.8 1335 Date Resolved: Stable (4.2.8) 18 Dec 2014 1336 1337 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in 1338 the code path where an error was detected, which meant 1339 processing did not stop when a specific rare error occurred. 1340 We haven't found a way for this bug to affect system integrity. 1341 If there is no way to affect system integrity the base CVSS 1342 score for this bug is 0. If there is one avenue through which 1343 system integrity can be partially affected, the base score 1344 becomes a 5. If system integrity can be partially affected 1345 via all three integrity metrics, the CVSS base score become 7.5. 1346 1347 Mitigation - any of: 1348 - Upgrade to 4.2.8, or later, 1349 - Remove or comment out all configuration directives 1350 beginning with the crypto keyword in your ntp.conf file. 1351 1352 Credit: This vulnerability was discovered by Stephen Roettger of the 1353 Google Security Team. 1354 1355See http://support.ntp.org/security for more information. 1356 1357New features / changes in this release: 1358 1359Important Changes 1360 1361* Internal NTP Era counters 1362 1363The internal counters that track the "era" (range of years) we are in 1364rolls over every 136 years'. The current "era" started at the stroke of 1365midnight on 1 Jan 1900, and ends just before the stroke of midnight on 13661 Jan 2036. 1367In the past, we have used the "midpoint" of the range to decide which 1368era we were in. Given the longevity of some products, it became clear 1369that it would be more functional to "look back" less, and "look forward" 1370more. We now compile a timestamp into the ntpd executable and when we 1371get a timestamp we us the "built-on" to tell us what era we are in. 1372This check "looks back" 10 years, and "looks forward" 126 years. 1373 1374* ntpdc responses disabled by default 1375 1376Dave Hart writes: 1377 1378For a long time, ntpq and its mostly text-based mode 6 (control) 1379protocol have been preferred over ntpdc and its mode 7 (private 1380request) protocol for runtime queries and configuration. There has 1381been a goal of deprecating ntpdc, previously held back by numerous 1382capabilities exposed by ntpdc with no ntpq equivalent. I have been 1383adding commands to ntpq to cover these cases, and I believe I've 1384covered them all, though I've not compared command-by-command 1385recently. 1386 1387As I've said previously, the binary mode 7 protocol involves a lot of 1388hand-rolled structure layout and byte-swapping code in both ntpd and 1389ntpdc which is hard to get right. As ntpd grows and changes, the 1390changes are difficult to expose via ntpdc while maintaining forward 1391and backward compatibility between ntpdc and ntpd. In contrast, 1392ntpq's text-based, label=value approach involves more code reuse and 1393allows compatible changes without extra work in most cases. 1394 1395Mode 7 has always been defined as vendor/implementation-specific while 1396mode 6 is described in RFC 1305 and intended to be open to interoperate 1397with other implementations. There is an early draft of an updated 1398mode 6 description that likely will join the other NTPv4 RFCs 1399eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) 1400 1401For these reasons, ntpd 4.2.7p230 by default disables processing of 1402ntpdc queries, reducing ntpd's attack surface and functionally 1403deprecating ntpdc. If you are in the habit of using ntpdc for certain 1404operations, please try the ntpq equivalent. If there's no equivalent, 1405please open a bug report at http://bugs.ntp.org./ 1406 1407In addition to the above, over 1100 issues have been resolved between 1408the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution 1409lists these. 1410 1411--- 1412NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24) 1413 1414Focus: Bug fixes 1415 1416Severity: Medium 1417 1418This is a recommended upgrade. 1419 1420This release updates sys_rootdisp and sys_jitter calculations to match the 1421RFC specification, fixes a potential IPv6 address matching error for the 1422"nic" and "interface" configuration directives, suppresses the creation of 1423extraneous ephemeral associations for certain broadcastclient and 1424multicastclient configurations, cleans up some ntpq display issues, and 1425includes improvements to orphan mode, minor bugs fixes and code clean-ups. 1426 1427New features / changes in this release: 1428 1429ntpd 1430 1431 * Updated "nic" and "interface" IPv6 address handling to prevent 1432 mismatches with localhost [::1] and wildcard [::] which resulted from 1433 using the address/prefix format (e.g. fe80::/64) 1434 * Fix orphan mode stratum incorrectly counting to infinity 1435 * Orphan parent selection metric updated to includes missing ntohl() 1436 * Non-printable stratum 16 refid no longer sent to ntp 1437 * Duplicate ephemeral associations suppressed for broadcastclient and 1438 multicastclient without broadcastdelay 1439 * Exclude undetermined sys_refid from use in loopback TEST12 1440 * Exclude MODE_SERVER responses from KoD rate limiting 1441 * Include root delay in clock_update() sys_rootdisp calculations 1442 * get_systime() updated to exclude sys_residual offset (which only 1443 affected bits "below" sys_tick, the precision threshold) 1444 * sys.peer jitter weighting corrected in sys_jitter calculation 1445 1446ntpq 1447 1448 * -n option extended to include the billboard "server" column 1449 * IPv6 addresses in the local column truncated to prevent overruns 1450 1451--- 1452NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) 1453 1454Focus: Bug fixes and portability improvements 1455 1456Severity: Medium 1457 1458This is a recommended upgrade. 1459 1460This release includes build infrastructure updates, code 1461clean-ups, minor bug fixes, fixes for a number of minor 1462ref-clock issues, and documentation revisions. 1463 1464Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 1465 1466New features / changes in this release: 1467 1468Build system 1469 1470* Fix checking for struct rtattr 1471* Update config.guess and config.sub for AIX 1472* Upgrade required version of autogen and libopts for building 1473 from our source code repository 1474 1475ntpd 1476 1477* Back-ported several fixes for Coverity warnings from ntp-dev 1478* Fix a rare boundary condition in UNLINK_EXPR_SLIST() 1479* Allow "logconfig =allall" configuration directive 1480* Bind tentative IPv6 addresses on Linux 1481* Correct WWVB/Spectracom driver to timestamp CR instead of LF 1482* Improved tally bit handling to prevent incorrect ntpq peer status reports 1483* Exclude the Undisciplined Local Clock and ACTS drivers from the initial 1484 candidate list unless they are designated a "prefer peer" 1485* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 1486 selection during the 'tos orphanwait' period 1487* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 1488 drivers 1489* Improved support of the Parse Refclock trusttime flag in Meinberg mode 1490* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 1491* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 1492 clock slew on Microsoft Windows 1493* Code cleanup in libntpq 1494 1495ntpdc 1496 1497* Fix timerstats reporting 1498 1499ntpdate 1500 1501* Reduce time required to set clock 1502* Allow a timeout greater than 2 seconds 1503 1504sntp 1505 1506* Backward incompatible command-line option change: 1507 -l/--filelog changed -l/--logfile (to be consistent with ntpd) 1508 1509Documentation 1510 1511* Update html2man. Fix some tags in the .html files 1512* Distribute ntp-wait.html 1513 1514--- 1515NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03) 1516 1517Focus: Bug fixes and portability improvements 1518 1519Severity: Medium 1520 1521This is a recommended upgrade. 1522 1523This release includes build infrastructure updates, code 1524clean-ups, minor bug fixes, fixes for a number of minor 1525ref-clock issues, and documentation revisions. 1526 1527Portability improvements in this release affect AIX, Atari FreeMiNT, 1528FreeBSD4, Linux and Microsoft Windows. 1529 1530New features / changes in this release: 1531 1532Build system 1533* Use lsb_release to get information about Linux distributions. 1534* 'test' is in /usr/bin (instead of /bin) on some systems. 1535* Basic sanity checks for the ChangeLog file. 1536* Source certain build files with ./filename for systems without . in PATH. 1537* IRIX portability fix. 1538* Use a single copy of the "libopts" code. 1539* autogen/libopts upgrade. 1540* configure.ac m4 quoting cleanup. 1541 1542ntpd 1543* Do not bind to IN6_IFF_ANYCAST addresses. 1544* Log the reason for exiting under Windows. 1545* Multicast fixes for Windows. 1546* Interpolation fixes for Windows. 1547* IPv4 and IPv6 Multicast fixes. 1548* Manycast solicitation fixes and general repairs. 1549* JJY refclock cleanup. 1550* NMEA refclock improvements. 1551* Oncore debug message cleanup. 1552* Palisade refclock now builds under Linux. 1553* Give RAWDCF more baud rates. 1554* Support Truetime Satellite clocks under Windows. 1555* Support Arbiter 1093C Satellite clocks under Windows. 1556* Make sure that the "filegen" configuration command defaults to "enable". 1557* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. 1558* Prohibit 'includefile' directive in remote configuration command. 1559* Fix 'nic' interface bindings. 1560* Fix the way we link with openssl if openssl is installed in the base 1561 system. 1562 1563ntp-keygen 1564* Fix -V coredump. 1565* OpenSSL version display cleanup. 1566 1567ntpdc 1568* Many counters should be treated as unsigned. 1569 1570ntpdate 1571* Do not ignore replies with equal receive and transmit timestamps. 1572 1573ntpq 1574* libntpq warning cleanup. 1575 1576ntpsnmpd 1577* Correct SNMP type for "precision" and "resolution". 1578* Update the MIB from the draft version to RFC-5907. 1579 1580sntp 1581* Display timezone offset when showing time for sntp in the local 1582 timezone. 1583* Pay proper attention to RATE KoD packets. 1584* Fix a miscalculation of the offset. 1585* Properly parse empty lines in the key file. 1586* Logging cleanup. 1587* Use tv_usec correctly in set_time(). 1588* Documentation cleanup. 1589 1590--- 1591NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08) 1592 1593Focus: Bug fixes and portability improvements 1594 1595Severity: Medium 1596 1597This is a recommended upgrade. 1598 1599This release includes build infrastructure updates, code 1600clean-ups, minor bug fixes, fixes for a number of minor 1601ref-clock issues, improved KOD handling, OpenSSL related 1602updates and documentation revisions. 1603 1604Portability improvements in this release affect Irix, Linux, 1605Mac OS, Microsoft Windows, OpenBSD and QNX6 1606 1607New features / changes in this release: 1608 1609ntpd 1610* Range syntax for the trustedkey configuration directive 1611* Unified IPv4 and IPv6 restrict lists 1612 1613ntpdate 1614* Rate limiting and KOD handling 1615 1616ntpsnmpd 1617* default connection to net-snmpd via a unix-domain socket 1618* command-line 'socket name' option 1619 1620ntpq / ntpdc 1621* support for the "passwd ..." syntax 1622* key-type specific password prompts 1623 1624sntp 1625* MD5 authentication of an ntpd 1626* Broadcast and crypto 1627* OpenSSL support 1628 1629--- 1630NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09) 1631 1632Focus: Bug fixes, portability fixes, and documentation improvements 1633 1634Severity: Medium 1635 1636This is a recommended upgrade. 1637 1638--- 1639NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 1640 1641Focus: enhancements and bug fixes. 1642 1643--- 1644NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) 1645 1646Focus: Security Fixes 1647 1648Severity: HIGH 1649 1650This release fixes the following high-severity vulnerability: 1651 1652* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. 1653 1654 See http://support.ntp.org/security for more information. 1655 1656 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. 1657 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time 1658 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 1659 request or a mode 7 error response from an address which is not listed 1660 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will 1661 reply with a mode 7 error response (and log a message). In this case: 1662 1663 * If an attacker spoofs the source address of ntpd host A in a 1664 mode 7 response packet sent to ntpd host B, both A and B will 1665 continuously send each other error responses, for as long as 1666 those packets get through. 1667 1668 * If an attacker spoofs an address of ntpd host A in a mode 7 1669 response packet sent to ntpd host A, A will respond to itself 1670 endlessly, consuming CPU and logging excessively. 1671 1672 Credit for finding this vulnerability goes to Robin Park and Dmitri 1673 Vinokurov of Alcatel-Lucent. 1674 1675THIS IS A STRONGLY RECOMMENDED UPGRADE. 1676 1677--- 1678ntpd now syncs to refclocks right away. 1679 1680Backward-Incompatible changes: 1681 1682ntpd no longer accepts '-v name' or '-V name' to define internal variables. 1683Use '--var name' or '--dvar name' instead. (Bug 817) 1684 1685--- 1686NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04) 1687 1688Focus: Security and Bug Fixes 1689 1690Severity: HIGH 1691 1692This release fixes the following high-severity vulnerability: 1693 1694* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 1695 1696 See http://support.ntp.org/security for more information. 1697 1698 If autokey is enabled (if ntp.conf contains a "crypto pw whatever" 1699 line) then a carefully crafted packet sent to the machine will cause 1700 a buffer overflow and possible execution of injected code, running 1701 with the privileges of the ntpd process (often root). 1702 1703 Credit for finding this vulnerability goes to Chris Ries of CMU. 1704 1705This release fixes the following low-severity vulnerabilities: 1706 1707* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 1708 Credit for finding this vulnerability goes to Geoff Keating of Apple. 1709 1710* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows 1711 Credit for finding this issue goes to Dave Hart. 1712 1713This release fixes a number of bugs and adds some improvements: 1714 1715* Improved logging 1716* Fix many compiler warnings 1717* Many fixes and improvements for Windows 1718* Adds support for AIX 6.1 1719* Resolves some issues under MacOS X and Solaris 1720 1721THIS IS A STRONGLY RECOMMENDED UPGRADE. 1722 1723--- 1724NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07) 1725 1726Focus: Security Fix 1727 1728Severity: Low 1729 1730This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting 1731the OpenSSL library relating to the incorrect checking of the return 1732value of EVP_VerifyFinal function. 1733 1734Credit for finding this issue goes to the Google Security Team for 1735finding the original issue with OpenSSL, and to ocert.org for finding 1736the problem in NTP and telling us about it. 1737 1738This is a recommended upgrade. 1739--- 1740NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17) 1741 1742Focus: Minor Bugfixes 1743 1744This release fixes a number of Windows-specific ntpd bugs and 1745platform-independent ntpdate bugs. A logging bugfix has been applied 1746to the ONCORE driver. 1747 1748The "dynamic" keyword and is now obsolete and deferred binding to local 1749interfaces is the new default. The minimum time restriction for the 1750interface update interval has been dropped. 1751 1752A number of minor build system and documentation fixes are included. 1753 1754This is a recommended upgrade for Windows. 1755 1756--- 1757NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10) 1758 1759Focus: Minor Bugfixes 1760 1761This release updates certain copyright information, fixes several display 1762bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor 1763shutdown in the parse refclock driver, removes some lint from the code, 1764stops accessing certain buffers immediately after they were freed, fixes 1765a problem with non-command-line specification of -6, and allows the loopback 1766interface to share addresses with other interfaces. 1767 1768--- 1769NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29) 1770 1771Focus: Minor Bugfixes 1772 1773This release fixes a bug in Windows that made it difficult to 1774terminate ntpd under windows. 1775This is a recommended upgrade for Windows. 1776 1777--- 1778NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19) 1779 1780Focus: Minor Bugfixes 1781 1782This release fixes a multicast mode authentication problem, 1783an error in NTP packet handling on Windows that could lead to 1784ntpd crashing, and several other minor bugs. Handling of 1785multicast interfaces and logging configuration were improved. 1786The required versions of autogen and libopts were incremented. 1787This is a recommended upgrade for Windows and multicast users. 1788 1789--- 1790NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31) 1791 1792Focus: enhancements and bug fixes. 1793 1794Dynamic interface rescanning was added to simplify the use of ntpd in 1795conjunction with DHCP. GNU AutoGen is used for its command-line options 1796processing. Separate PPS devices are supported for PARSE refclocks, MD5 1797signatures are now provided for the release files. Drivers have been 1798added for some new ref-clocks and have been removed for some older 1799ref-clocks. This release also includes other improvements, documentation 1800and bug fixes. 1801 1802K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 1803C support. 1804 1805--- 1806NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15) 1807 1808Focus: enhancements and bug fixes. 1809