xref: /freebsd/contrib/ntp/NEWS (revision 2e3507c25e42292b45a5482e116d278f5515d04d)
1---
2NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)
3
4Focus: Bug fixes
5
6Severity: HIGH (for people running 4.2.8p16)
7
8This release:
9
10- fixes 3 bugs, including a regression
11- adds new unit tests
12
13Details below:
14
15* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
16             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
17* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
18             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
19* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
20             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
21	     Miroslav Lichvar and Matt for rapid testing and identifying the
22	     problem. <hart@ntp.org>
23* Add tests/libntp/digests.c to catch regressions reading keys file or with
24  symmetric authentication digest output.
25
26---
27NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)
28
29Focus: Security, Bug fixes
30
31Severity: LOW
32
33This release:
34
35- fixes 4 vulnerabilities (3 LOW and 1 None severity),
36- fixes 46 bugs
37- includes 15 general improvements
38- adds support for OpenSSL-3.0
39
40Details below:
41
42* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
43* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
44             hypothetical input buffer overflow. Reported by ... stenn@
45* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
46  - solved numerically instead of using string manipulation
47* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
48             <stenn@ntp.org>
49* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
50* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
51* [Bug 3814] First poll delay of new or cleared associations miscalculated.
52             <hart@ntp.org>
53* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
54             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
55* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
56* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
57* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
58* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
59             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
60* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
61  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
62* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
63  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
64* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
65* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
66             <hart@ntp.org>
67* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
68* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
69  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
70* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
71* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
72* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
73* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
74             Philippe De Muyter <phdm@macqel.be>
75* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
76  - openssl applink needed again for openSSL-1.1.1
77* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
78             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
79* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
80  - command line options override config statements where applicable
81  - make initial frequency settings idempotent and reversible
82  - make sure kernel PLL gets a recovered drift componsation
83* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
84* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
85  - misleading title; essentially a request to ignore the receiver status.
86    Added a mode bit for this. <perlinger@ntp.org>
87* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
88  - original patch by Richard Schmidt, with mods & unit test fixes
89* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
90  - implement/wrap 'realpath()' to resolve symlinks in device names
91* [Bug 3691] Buffer Overflow reading GPSD output
92  - original patch by matt<ntpbr@mattcorallo.com>
93  - increased max PDU size to 4k to avoid truncation
94* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
95  - patch by Frank Kardel
96* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
97  - ntp{q,dc} now use the same password processing as ntpd does in the key
98    file, so having a binary secret >= 11 bytes is possible for all keys.
99    (This is a different approach to the problem than suggested)
100* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
101* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
102  - patch by Gerry Garvey
103* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
104  - original patch by Gerry Garvey
105* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
106  - original patch by Gerry Garvey
107* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
108  - applied patches by Gerry Garvey
109* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
110* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
111  - idea+patch by Gerry Garvey
112* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
113* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
114  - follow-up: fix inverted sense in check, reset shortfall counter
115* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
116* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
117  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
118* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
119  - applied patch by Gerry Garvey
120* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
121  - backport from -dev, plus some more work on warnings for unchecked results
122* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
123             Reported by Israel G. Lugo. <hart@ntp.org>
124* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
125* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
126             Integrated patch from Brian Utterback. <hart@ntp.org>
127* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
128* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
129* Use correct rounding in mstolfp(). perlinger/hart
130* M_ADDF should use u_int32.  <hart@ntp.org>
131* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
132* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
133* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
134* If DEBUG is enabled, the startup banner now says that debug assertions
135  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
136* syslog valid incoming KoDs.  <stenn@ntp.org>
137* Rename a poorly-named variable.  <stenn@ntp.org>
138* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
139* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
140* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
141* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
142* upgrade to: autogen-5.18.16
143* upgrade to: libopts-42.1.17
144* upgrade to: autoconf-2.71
145* upgrade to: automake-1.16.15
146* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
147* Support OpenSSL-3.0
148
149---
150NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
151
152Focus: Security, Bug fixes
153
154Severity: MEDIUM
155
156This release fixes one vulnerability: Associations that use CMAC
157authentication between ntpd from versions 4.2.8p11/4.3.97 and
1584.2.8p14/4.3.100 will leak a small amount of memory for each packet.
159Eventually, ntpd will run out of memory and abort.
160
161It also fixes 13 other bugs.
162
163* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
164* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
165  - Thanks to Sylar Tao
166* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
167  - rewrite 'decodenetnum()' in terms of inet_pton
168* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
169  - limit number of receive buffers, with an iron reserve for refclocks
170* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
171* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
172* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
173  - integrated patch from Charles Claggett
174* [Bug 3659] Move definition of psl[] from ntp_config.h to
175  ntp_config.h <perlinger@ntp.org>
176* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
177* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
178  - fix by Gerry garvey
179* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
180  - thanks to Gerry Garvey
181* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
182  - patch by Gerry Garvey
183* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
184* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
185  - applied patch by Takao Abe
186
187---
188NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
189
190Focus: Security, Bug fixes, enhancements.
191
192Severity: MEDIUM
193
194This release fixes three vulnerabilities: a bug that causes causes an ntpd
195instance that is explicitly configured to override the default and allow
196ntpdc (mode 7) connections to be made to a server to read some uninitialized
197memory; fixes the case where an unmonitored ntpd using an unauthenticated
198association to its servers may be susceptible to a forged packet DoS attack;
199and fixes an attack against a client instance that uses a single
200unauthenticated time source.  It also fixes 46 other bugs and addresses
2014 other issues.
202
203* [Sec 3610] process_control() should bail earlier on short packets. stenn@
204  - Reported by Philippe Antoine
205* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
206  - Reported by Miroslav Lichvar
207* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
208  - Reported by Miroslav Lichvar
209* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
210* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
211* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
212* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
213* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
214  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
215* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
216  - integrated patch by Cy Schubert
217* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
218  - applied patch by Gerry Garvey
219* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
220  - applied patch by Gerry Garvey
221* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
222  - integrated patch by Richard Steedman
223* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
224* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
225  - Reported by Martin Burnicki
226* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
227  - Reported by Philippe Antoine
228* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
229  - officially document new "trust date" mode bit for NMEA driver
230  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
231* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
232  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
233* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
234  - removed ffs() and fls() prototypes as per Brian Utterback
235* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
236	ntp_io.c <perlinger@ntp.org>
237  - fixed byte and paramter order as suggested by wei6410@sina.com
238* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
239* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
240  - added padding as suggested by John Paul Adrian Glaubitz
241* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
242* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
243* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
244* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
245  - stdout+stderr are set to line buffered during test setup now
246* [Bug 3583] synchronization error <perlinger@ntp.org>
247  - set clock to base date if system time is before that limit
248* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
249* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
250  - Reported by Paulo Neves
251* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
252  - also updates for refclock_nmea.c and refclock_jupiter.c
253* [Bug 3576] New GPS date function API <perlinger@ntp.org>
254* [Bug 3573] nptdate: missleading error message <perlinger@ntp.org>
255* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
256* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
257  - sidekick: service port resolution in 'ntpdate'
258* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
259  - applied patch by Douglas Royds
260* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
261* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
262  - applied patch by Gerry Garvey
263* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
264  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
265  - fix wrong cond-compile tests in unit tests
266* [Bug 3517] Reducing build noise <perlinger@ntp.org>
267* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
268  - patch by Philipp Prindeville
269* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
270  - patch by Philipp Prindeville
271* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
272  - patch by Philipp Prindeville
273* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
274  - partial application of patch by Philipp Prindeville
275* [Bug 3491] Signed values of LFP datatypes should always display a sign
276  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
277* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
278  - applied (modified) patch by Richard Steedman
279* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
280  - applied patch by Gerry Garvey (with minor formatting changes)
281* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
282  - applied patch by Miroslav Lichvar
283* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
284  <perlinger@ntp.org>
285* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
286             is specified with -u <perlinger@ntp.org>
287  - monitor daemon child startup & propagate exit codes
288* [Bug 1433] runtime check whether the kernel really supports capabilities
289  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
290* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
291* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
292* Startup log improvements. <stenn@ntp.org>
293* Update the copyright year.
294
295---
296NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
297
298Focus: Security, Bug fixes, enhancements.
299
300Severity: MEDIUM
301
302This release fixes a bug that allows an attacker with access to an
303explicitly trusted source to send a crafted malicious mode 6 (ntpq)
304packet that can trigger a NULL pointer dereference, crashing ntpd.
305It also provides 17 other bugfixes and 1 other improvement:
306
307* [Sec 3565] Crafted null dereference attack in authenticated
308	     mode 6 packet <perlinger@ntp.org>
309  - reported by Magnus Stubman
310* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
311  - applied patch by Ian Lepore
312* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
313  - isolate and fix linux/windows specific code issue
314* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
315  - provide better function for incremental string formatting
316* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
317  - applied patch by Gerry Garvey
318* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
319  - original finding by Gerry Garvey, additional cleanup needed
320* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
321  - patch by Christous Zoulas
322* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
323  - finding by Chen Jiabin, plus another one by me
324* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
325  - applied patch by Maciej Szmigiero
326* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
327  - applied patch by Andre Charbonneau
328* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
329  - applied patch by Baruch Siach
330* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
331  - applied patch by Baruch Siach
332* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
333  - refactored handling of GPS era based on 'tos basedate' for
334    parse (TSIP) and JUPITER clocks
335* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
336  - patch by Daniel J. Luke; this does not fix a potential linker
337    regression issue on MacOS.
338* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
339  anomaly <perlinger@ntp.org>, reported by GGarvey.
340  - --enable-bug3527-fix support by HStenn
341* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
342  - applied patch by Gerry Garvey
343* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
344  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
345* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
346  - this is a variant of [bug 3558] and should be fixed with it
347* Implement 'configure --disable-signalled-io'
348
349--
350NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
351
352Focus: Security, Bug fixes, enhancements.
353
354Severity: MEDIUM
355
356This release fixes a "hole" in the noepeer capability introduced to ntpd
357in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
358ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
359
360* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
361
362* [Sec 3012] Fix a hole in the new "noepeer" processing.
363
364* Bug Fixes:
365 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
366 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
367            other TrustedBSD platforms
368 - applied patch by Ian Lepore <perlinger@ntp.org>
369 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
370 - changed interaction with SCM to signal pending startup
371 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
372 - applied patch by Gerry Garvey
373 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
374 - applied patch by Gerry Garvey
375 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
376 - rework of ntpq 'nextvar()' key/value parsing
377 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
378 - applied patch by Gerry Garvey (with mods)
379 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
380 - applied patch by Gerry Garvey
381 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
382 - applied patch by Gerry Garvey (with mods)
383 [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
384 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
385 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
386 - applied patch by Gerry Garvey
387 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
388 - applied patch by Gerry Garvey
389 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
390 - add #define ENABLE_CMAC support in configure.  HStenn.
391 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
392 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
393 - patch by Stephen Friedl
394 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
395 - fixed IO redirection and CTRL-C handling in ntq and ntpdc
396 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
397 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
398 - initial patch by Hal Murray; also fixed refclock_report() trouble
399 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
400 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
401 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
402 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
403 - applied patch by Gerry Garvey
404 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
405 - applied patch by Gerry Garvey
406 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
407 with modifications
408 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
409 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
410 - applied patch by Miroslav Lichvar
411 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
412 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
413 - integrated patch by  Reinhard Max
414 [Bug 2821] minor build issues <perlinger@ntp.org>
415 - applied patches by Christos Zoulas, including real bug fixes
416 html/authopt.html: cleanup, from <stenn@ntp.org>
417 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
418 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
419
420--
421NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
422
423Focus: Security, Bug fixes, enhancements.
424
425Severity: MEDIUM
426
427This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
428vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
429provides 65 other non-security fixes and improvements:
430
431* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
432	association (LOW/MED)
433   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
434   References: Sec 3454 / CVE-2018-7185 / VU#961909
435   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
436   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
437	2.9 and 6.8.
438   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
439	score between 2.6 and 3.1
440   Summary:
441	The NTP Protocol allows for both non-authenticated and
442	authenticated associations, in client/server, symmetric (peer),
443	and several broadcast modes. In addition to the basic NTP
444	operational modes, symmetric mode and broadcast servers can
445	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
446	was inadvertently introduced into the protocol engine that
447	allows a non-authenticated zero-origin (reset) packet to reset
448	an authenticated interleaved peer association. If an attacker
449	can send a packet with a zero-origin timestamp and the source
450	IP address of the "other side" of an interleaved association,
451	the 'victim' ntpd will reset its association. The attacker must
452	continue sending these packets in order to maintain the
453	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
454	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
455	interleaved mode must be explicitly configured/enabled.
456   Mitigation:
457	Implement BCP-38.
458	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
459	    or the NTP Public Services Project Download Page.
460	If you are unable to upgrade to 4.2.8p11 or later and have
461	    'peer HOST xleave' lines in your ntp.conf file, remove the
462	    'xleave' option.
463	Have enough sources of time.
464	Properly monitor your ntpd instances.
465	If ntpd stops running, auto-restart it without -g .
466   Credit:
467   	This weakness was discovered by Miroslav Lichvar of Red Hat.
468
469* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
470	state (LOW/MED)
471   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
472   References: Sec 3453 / CVE-2018-7184 / VU#961909
473   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
474   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
475	Could score between 2.9 and 6.8.
476   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
477	Could score between 2.6 and 6.0.
478   Summary:
479   	The fix for NtpBug2952 was incomplete, and while it fixed one
480	problem it created another.  Specifically, it drops bad packets
481	before updating the "received" timestamp.  This means a
482	third-party can inject a packet with a zero-origin timestamp,
483	meaning the sender wants to reset the association, and the
484	transmit timestamp in this bogus packet will be saved as the
485	most recent "received" timestamp.  The real remote peer does
486	not know this value and this will disrupt the association until
487	the association resets.
488   Mitigation:
489	Implement BCP-38.
490	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
491	    or the NTP Public Services Project Download Page.
492	Use authentication with 'peer' mode.
493	Have enough sources of time.
494	Properly monitor your ntpd instances.
495	If ntpd stops running, auto-restart it without -g .
496   Credit:
497   	This weakness was discovered by Miroslav Lichvar of Red Hat.
498
499* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
500	peering (LOW)
501   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
502   References: Sec 3415 / CVE-2018-7170 / VU#961909
503   	       Sec 3012 / CVE-2016-1549 / VU#718152
504   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
505   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
506   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
507   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
508   Summary:
509	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
510	use a trustedkey and if one is not using the feature introduced in
511	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
512	specify which IPs can serve time, a malicious authenticated peer
513	-- i.e. one where the attacker knows the private symmetric key --
514	can create arbitrarily-many ephemeral associations in order to win
515	the clock selection of ntpd and modify a victim's clock.  Three
516	additional protections are offered in ntp-4.2.8p11.  One is the
517	new 'noepeer' directive, which disables symmetric passive
518	ephemeral peering. Another is the new 'ippeerlimit' directive,
519	which limits the number of peers that can be created from an IP.
520	The third extends the functionality of the 4th field in the
521	ntp.keys file to include specifying a subnet range.
522   Mitigation:
523	Implement BCP-38.
524	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
525	    or the NTP Public Services Project Download Page.
526	Use the 'noepeer' directive to prohibit symmetric passive
527	    ephemeral associations.
528	Use the 'ippeerlimit' directive to limit the number of peers
529	    that can be created from an IP.
530	Use the 4th argument in the ntp.keys file to limit the IPs and
531	    subnets that can be time servers.
532	Have enough sources of time.
533	Properly monitor your ntpd instances.
534	If ntpd stops running, auto-restart it without -g .
535   Credit:
536	This weakness was reported as Bug 3012 by Matthew Van Gundy of
537	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
538
539* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
540   Date Resolved: 27 Feb 2018
541   References: Sec 3414 / CVE-2018-7183 / VU#961909
542   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
543   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
544   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
545   Summary:
546   	ntpq is a monitoring and control program for ntpd.  decodearr()
547	is an internal function of ntpq that is used to -- wait for it --
548	decode an array in a response string when formatted data is being
549	displayed.  This is a problem in affected versions of ntpq if a
550	maliciously-altered ntpd returns an array result that will trip this
551	bug, or if a bad actor is able to read an ntpq request on its way to
552	a remote ntpd server and forge and send a response before the remote
553	ntpd sends its response.  It's potentially possible that the
554	malicious data could become injectable/executable code.
555   Mitigation:
556	Implement BCP-38.
557	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
558	    or the NTP Public Services Project Download Page.
559   Credit:
560	This weakness was discovered by Michael Macnair of Thales e-Security.
561
562* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
563	behavior and information leak (Info/Medium)
564   Date Resolved: 27 Feb 2018
565   References: Sec 3412 / CVE-2018-7182 / VU#961909
566   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
567   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
568   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
569	0.0 if C:N
570   Summary:
571	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
572	A malicious mode 6 packet can be sent to an ntpd instance, and
573	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
574	cause ctl_getitem() to read past the end of its buffer.
575   Mitigation:
576	Implement BCP-38.
577	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
578	    or the NTP Public Services Project Download Page.
579	Have enough sources of time.
580	Properly monitor your ntpd instances.
581	If ntpd stops running, auto-restart it without -g .
582   Credit:
583   	This weakness was discovered by Yihan Lian of Qihoo 360.
584
585* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
586   Also see Bug 3415, above.
587   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
588   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
589   References: Sec 3012 / CVE-2016-1549 / VU#718152
590   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
591	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
592   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
593   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
594   Summary:
595	ntpd can be vulnerable to Sybil attacks.  If a system is set up
596	to use a trustedkey and if one is not using the feature
597	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
598	ntp.keys file to specify which IPs can serve time, a malicious
599	authenticated peer -- i.e. one where the attacker knows the
600	private symmetric key -- can create arbitrarily-many ephemeral
601	associations in order to win the clock selection of ntpd and
602	modify a victim's clock.  Two additional protections are
603	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
604	disables symmetric passive ephemeral peering. The other extends
605	the functionality of the 4th field in the ntp.keys file to
606	include specifying a subnet range.
607   Mitigation:
608	Implement BCP-38.
609	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
610	    the NTP Public Services Project Download Page.
611	Use the 'noepeer' directive to prohibit symmetric passive
612	    ephemeral associations.
613	Use the 'ippeerlimit' directive to limit the number of peer
614	    associations from an IP.
615	Use the 4th argument in the ntp.keys file to limit the IPs
616	    and subnets that can be time servers.
617	Properly monitor your ntpd instances.
618   Credit:
619   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
620
621* Bug fixes:
622 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
623 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
624 - applied patch by Sean Haugh
625 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
626 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
627 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
628 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
629 - refactoring the MAC code, too
630 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
631 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
632 - applied patch by ggarvey
633 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
634 - applied patch by ggarvey (with minor mods)
635 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
636 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
637 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
638 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
639 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
640 - fixed several issues with hash algos in ntpd, sntp, ntpq,
641   ntpdc and the test suites <perlinger@ntp.org>
642 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
643 - initial patch by Daniel Pouzzner
644 [Bug 3423] QNX adjtime() implementation error checking is
645 wrong <perlinger@ntp.org>
646 [Bug 3417] ntpq ifstats packet counters can be negative
647 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
648 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
649 - raised receive buffer size to 1200 <perlinger@ntp.org>
650 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
651 analysis tool. <abe@ntp.org>
652 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
653 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
654 - fix/drop assumptions on OpenSSL libs directory layout
655 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
656 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
657 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
658 - patch contributed by Alexander Bluhm
659 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
660 rework of formatting & data transfer stuff in 'ntp_control.c'
661 avoids unecessary buffers and size limitations. <perlinger@ntp.org>
662 [Bug 3394] Leap second deletion does not work on ntpd clients
663 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
664 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
665 - increased mimimum stack size to 32kB <perlinger@ntp.org>
666 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
667 - reverted handling of PPS kernel consumer to 4.2.6 behavior
668 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
669 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
670 [Bug 3016] wrong error position reported for bad ":config pool"
671 - fixed location counter & ntpq output <perlinger@ntp.org>
672 [Bug 2900] libntp build order problem.  HStenn.
673 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
674 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
675 perlinger@ntp.org
676 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
677 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
678 Use strlcpy() to copy strings, not memcpy().  HStenn.
679 Typos.  HStenn.
680 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
681 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
682 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
683 Fix trivial warnings from 'make check'. perlinger@ntp.org
684 Fix bug in the override portion of the compiler hardening macro. HStenn.
685 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
686 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
687 sntp: tweak key file logging.  HStenn.
688 sntp: pkt_output(): Improve debug output.  HStenn.
689 update-leap: updates from Paul McMath.
690 When using pkg-config, report --modversion.  HStenn.
691 Clean up libevent configure checks.  HStenn.
692 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
693 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
694 authistrustedip() - use it in more places.  HStenn, JPerlinger.
695 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
696 Update ntp.keys .../N documentation.  HStenn.
697 Distribute testconf.yml.  HStenn.
698 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
699 Rename the configuration flag fifo variables.  HStenn.
700 Improve saveconfig output.  HStenn.
701 Decode restrict flags on receive() debug output.  HStenn.
702 Decode interface flags on receive() debug output.  HStenn.
703 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
704 Update the documentation in ntp.conf.def .  HStenn.
705 restrictions() must return restrict flags and ippeerlimit.  HStenn.
706 Update ntpq peer documentation to describe the 'p' type.  HStenn.
707 Rename restrict 'flags' to 'rflags.  Use an enum for the values.  HStenn.
708 Provide dump_restricts() for debugging.  HStenn.
709 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
710
711* Other items:
712
713* update-leap needs the following perl modules:
714	Net::SSLeay
715	IO::Socket::SSL
716
717* New sysstats variables: sys_lamport, sys_tsrounding
718See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
719sys_lamport counts the number of observed Lamport violations, while
720sys_tsrounding counts observed timestamp rounding events.
721
722* New ntp.conf items:
723
724- restrict ... noepeer
725- restrict ... ippeerlimit N
726
727The 'noepeer' directive will disallow all ephemeral/passive peer
728requests.
729
730The 'ippeerlimit' directive limits the number of time associations
731for each IP in the designated set of addresses.  This limit does not
732apply to explicitly-configured associations.  A value of -1, the current
733default, means an unlimited number of associations may connect from a
734single IP.  0 means "none", etc.  Ordinarily the only way multiple
735associations would come from the same IP would be if the remote side
736was using a proxy.  But a trusted machine might become compromised,
737in which case an attacker might spin up multiple authenticated sessions
738from different ports.  This directive should be helpful in this case.
739
740* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
741field may contain a /subnetbits specification, which identifies  the
742scope of IPs that may use this key.  This IP/subnet restriction can be
743used to limit the IPs that may use the key in most all situations where
744a key is used.
745--
746NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
747
748Focus: Security, Bug fixes, enhancements.
749
750Severity: MEDIUM
751
752This release fixes 5 medium-, 6 low-, and 4 informational-severity
753vulnerabilities, and provides 15 other non-security fixes and improvements:
754
755* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
756   Date Resolved: 21 Mar 2017
757   References: Sec 3389 / CVE-2017-6464 / VU#325339
758   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
759	ntp-4.3.0 up to, but not including ntp-4.3.94.
760   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
761   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
762   Summary:
763	A vulnerability found in the NTP server makes it possible for an
764	authenticated remote user to crash ntpd via a malformed mode
765	configuration directive.
766   Mitigation:
767	Implement BCP-38.
768	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
769	    the NTP Public Services Project Download Page
770	Properly monitor your ntpd instances, and auto-restart
771	    ntpd (without -g) if it stops running.
772   Credit:
773	This weakness was discovered by Cure53.
774
775* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
776    Date Resolved: 21 Mar 2017
777    References: Sec 3388 / CVE-2017-6462 / VU#325339
778    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
779    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
780    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
781    Summary:
782	There is a potential for a buffer overflow in the legacy Datum
783	Programmable Time Server refclock driver.  Here the packets are
784	processed from the /dev/datum device and handled in
785	datum_pts_receive().  Since an attacker would be required to
786	somehow control a malicious /dev/datum device, this does not
787	appear to be a practical attack and renders this issue "Low" in
788	terms of severity.
789   Mitigation:
790	If you have a Datum reference clock installed and think somebody
791	    may maliciously change the device, upgrade to 4.2.8p10, or
792	    later, from the NTP Project Download Page or the NTP Public
793	    Services Project Download Page
794	Properly monitor your ntpd instances, and auto-restart
795	    ntpd (without -g) if it stops running.
796   Credit:
797	This weakness was discovered by Cure53.
798
799* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
800   Date Resolved: 21 Mar 2017
801   References: Sec 3387 / CVE-2017-6463 / VU#325339
802   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
803	ntp-4.3.0 up to, but not including ntp-4.3.94.
804   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
805   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
806   Summary:
807	A vulnerability found in the NTP server allows an authenticated
808	remote attacker to crash the daemon by sending an invalid setting
809	via the :config directive.  The unpeer option expects a number or
810	an address as an argument.  In case the value is "0", a
811	segmentation fault occurs.
812   Mitigation:
813	Implement BCP-38.
814	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
815	    or the NTP Public Services Project Download Page
816	Properly monitor your ntpd instances, and auto-restart
817	    ntpd (without -g) if it stops running.
818   Credit:
819	This weakness was discovered by Cure53.
820
821* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
822   Date Resolved: 21 Mar 2017
823   References: Sec 3386
824   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
825	ntp-4.3.0 up to, but not including ntp-4.3.94.
826   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
827   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
828   Summary:
829	The NTP Mode 6 monitoring and control client, ntpq, uses the
830	function ntpq_stripquotes() to remove quotes and escape characters
831	from a given string.  According to the documentation, the function
832	is supposed to return the number of copied bytes but due to
833	incorrect pointer usage this value is always zero.  Although the
834	return value of this function is never used in the code, this
835	flaw could lead to a vulnerability in the future.  Since relying
836	on wrong return values when performing memory operations is a
837	dangerous practice, it is recommended to return the correct value
838	in accordance with the documentation pertinent to the code.
839   Mitigation:
840	Implement BCP-38.
841	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
842	    or the NTP Public Services Project Download Page
843	Properly monitor your ntpd instances, and auto-restart
844	    ntpd (without -g) if it stops running.
845   Credit:
846	This weakness was discovered by Cure53.
847
848* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
849   Date Resolved: 21 Mar 2017
850   References: Sec 3385
851   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
852	ntp-4.3.0 up to, but not including ntp-4.3.94.
853   Summary:
854	NTP makes use of several wrappers around the standard heap memory
855	allocation functions that are provided by libc.  This is mainly
856	done to introduce additional safety checks concentrated on
857	several goals.  First, they seek to ensure that memory is not
858	accidentally freed, secondly they verify that a correct amount
859	is always allocated and, thirdly, that allocation failures are
860	correctly handled.  There is an additional implementation for
861	scenarios where memory for a specific amount of items of the
862	same size needs to be allocated.  The handling can be found in
863	the oreallocarray() function for which a further number-of-elements
864	parameter needs to be provided.  Although no considerable threat
865	was identified as tied to a lack of use of this function, it is
866	recommended to correctly apply oreallocarray() as a preferred
867	option across all of the locations where it is possible.
868   Mitigation:
869	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
870	    or the NTP Public Services Project Download Page
871   Credit:
872	This weakness was discovered by Cure53.
873
874* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
875	PPSAPI ONLY) (Low)
876   Date Resolved: 21 Mar 2017
877   References: Sec 3384 / CVE-2017-6455 / VU#325339
878   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
879	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
880	including ntp-4.3.94.
881   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
882   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
883   Summary:
884	The Windows NT port has the added capability to preload DLLs
885	defined in the inherited global local environment variable
886	PPSAPI_DLLS.  The code contained within those libraries is then
887	called from the NTPD service, usually running with elevated
888	privileges. Depending on how securely the machine is setup and
889	configured, if ntpd is configured to use the PPSAPI under Windows
890	this can easily lead to a code injection.
891   Mitigation:
892	Implement BCP-38.
893	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
894	    or the NTP Public Services Project Download Page
895   Credit:
896   This weakness was discovered by Cure53.
897
898* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
899	installer ONLY) (Low)
900   Date Resolved: 21 Mar 2017
901   References: Sec 3383 / CVE-2017-6452 / VU#325339
902   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
903	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
904	to, but not including ntp-4.3.94.
905   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
906   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
907   Summary:
908	The Windows installer for NTP calls strcat(), blindly appending
909	the string passed to the stack buffer in the addSourceToRegistry()
910	function.  The stack buffer is 70 bytes smaller than the buffer
911	in the calling main() function.  Together with the initially
912	copied Registry path, the combination causes a stack buffer
913	overflow and effectively overwrites the stack frame.  The
914	passed application path is actually limited to 256 bytes by the
915	operating system, but this is not sufficient to assure that the
916	affected stack buffer is consistently protected against
917	overflowing at all times.
918   Mitigation:
919	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
920	or the NTP Public Services Project Download Page
921   Credit:
922	This weakness was discovered by Cure53.
923
924* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
925	installer ONLY) (Low)
926   Date Resolved: 21 Mar 2017
927   References: Sec 3382 / CVE-2017-6459 / VU#325339
928   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
929	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
930	up to, but not including ntp-4.3.94.
931   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
932   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
933   Summary:
934	The Windows installer for NTP calls strcpy() with an argument
935	that specifically contains multiple null bytes.  strcpy() only
936	copies a single terminating null character into the target
937	buffer instead of copying the required double null bytes in the
938	addKeysToRegistry() function.  As a consequence, a garbage
939	registry entry can be created.  The additional arsize parameter
940	is erroneously set to contain two null bytes and the following
941	call to RegSetValueEx() claims to be passing in a multi-string
942	value, though this may not be true.
943   Mitigation:
944	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
945	    or the NTP Public Services Project Download Page
946   Credit:
947	This weakness was discovered by Cure53.
948
949* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
950   References: Sec 3381
951   Summary:
952	The report says: Statically included external projects
953	potentially introduce several problems and the issue of having
954	extensive amounts of code that is "dead" in the resulting binary
955	must clearly be pointed out.  The unnecessary unused code may or
956	may not contain bugs and, quite possibly, might be leveraged for
957	code-gadget-based branch-flow redirection exploits.  Analogically,
958	having source trees statically included as well means a failure
959	in taking advantage of the free feature for periodical updates.
960	This solution is offered by the system's Package Manager. The
961	three libraries identified are libisc, libevent, and libopts.
962   Resolution:
963	For libisc, we already only use a portion of the original library.
964	We've found and fixed bugs in the original implementation (and
965	offered the patches to ISC), and plan to see what has changed
966	since we last upgraded the code.  libisc is generally not
967	installed, and when it it we usually only see the static libisc.a
968	file installed.  Until we know for sure that the bugs we've found
969	and fixed are fixed upstream, we're better off with the copy we
970	are using.
971
972        Version 1 of libevent was the only production version available
973	until recently, and we've been requiring version 2 for a long time.
974	But if the build system has at least version 2 of libevent
975	installed, we'll use the version that is installed on the system.
976	Otherwise, we provide a copy of libevent that we know works.
977
978        libopts is provided by GNU AutoGen, and that library and package
979	undergoes frequent API version updates.  The version of autogen
980	used to generate the tables for the code must match the API
981	version in libopts.  AutoGen can be ... difficult to build and
982	install, and very few developers really need it.  So we have it
983	on our build and development machines, and we provide the
984	specific version of the libopts code in the distribution to make
985	sure that the proper API version of libopts is available.
986
987        As for the point about there being code in these libraries that
988	NTP doesn't use, OK.  But other packages used these libraries as
989	well, and it is reasonable to assume that other people are paying
990	attention to security and code quality issues for the overall
991	libraries.  It takes significant resources to analyze and
992	customize these libraries to only include what we need, and to
993	date we believe the cost of this effort does not justify the benefit.
994   Credit:
995	This issue was discovered by Cure53.
996
997* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
998   Date Resolved: 21 Mar 2017
999   References: Sec 3380
1000   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1001   	ntp-4.3.0 up to, but not including ntp-4.3.94.
1002   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
1003   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
1004   Summary:
1005	There is a fencepost error in a "recovery branch" of the code for
1006	the Oncore GPS receiver if the communication link to the ONCORE
1007	is weak / distorted and the decoding doesn't work.
1008   Mitigation:
1009        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
1010	    the NTP Public Services Project Download Page
1011        Properly monitor your ntpd instances, and auto-restart
1012	    ntpd (without -g) if it stops running.
1013   Credit:
1014	This weakness was discovered by Cure53.
1015
1016* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
1017   Date Resolved: 21 Mar 2017
1018   References: Sec 3379 / CVE-2017-6458 / VU#325339
1019   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1020	ntp-4.3.0 up to, but not including ntp-4.3.94.
1021   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
1022   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1023   Summary:
1024	ntpd makes use of different wrappers around ctl_putdata() to
1025	create name/value ntpq (mode 6) response strings.  For example,
1026	ctl_putstr() is usually used to send string data (variable names
1027	or string data).  The formatting code was missing a length check
1028	for variable names.  If somebody explicitly created any unusually
1029	long variable names in ntpd (longer than 200-512 bytes, depending
1030	on the type of variable), then if any of these variables are
1031	added to the response list it would overflow a buffer.
1032   Mitigation:
1033	Implement BCP-38.
1034	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1035	    or the NTP Public Services Project Download Page
1036	If you don't want to upgrade, then don't setvar variable names
1037	    longer than 200-512 bytes in your ntp.conf file.
1038	Properly monitor your ntpd instances, and auto-restart
1039	    ntpd (without -g) if it stops running.
1040   Credit:
1041	This weakness was discovered by Cure53.
1042
1043* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
1044   Date Resolved: 21 Mar 2017
1045   References: Sec 3378 / CVE-2017-6451 / VU#325339
1046   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1047	ntp-4.3.0 up to, but not including ntp-4.3.94.
1048   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
1049   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1050   Summary:
1051	The legacy MX4200 refclock is only built if is specifically
1052	enabled, and furthermore additional code changes are required to
1053	compile and use it.  But it uses the libc functions snprintf()
1054	and vsnprintf() incorrectly, which can lead to an out-of-bounds
1055	memory write due to an improper handling of the return value of
1056	snprintf()/vsnprintf().  Since the return value is used as an
1057	iterator and it can be larger than the buffer's size, it is
1058	possible for the iterator to point somewhere outside of the
1059	allocated buffer space.  This results in an out-of-bound memory
1060	write.  This behavior can be leveraged to overwrite a saved
1061	instruction pointer on the stack and gain control over the
1062	execution flow.  During testing it was not possible to identify
1063	any malicious usage for this vulnerability.  Specifically, no
1064	way for an attacker to exploit this vulnerability was ultimately
1065	unveiled.  However, it has the potential to be exploited, so the
1066	code should be fixed.
1067   Mitigation, if you have a Magnavox MX4200 refclock:
1068	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1069	    or the NTP Public Services Project Download Page.
1070	Properly monitor your ntpd instances, and auto-restart
1071	    ntpd (without -g) if it stops running.
1072   Credit:
1073	This weakness was discovered by Cure53.
1074
1075* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
1076	malicious ntpd (Medium)
1077   Date Resolved: 21 Mar 2017
1078   References: Sec 3377 / CVE-2017-6460 / VU#325339
1079   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
1080	ntp-4.3.0 up to, but not including ntp-4.3.94.
1081   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1082   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1083   Summary:
1084	A stack buffer overflow in ntpq can be triggered by a malicious
1085	ntpd server when ntpq requests the restriction list from the server.
1086	This is due to a missing length check in the reslist() function.
1087	It occurs whenever the function parses the server's response and
1088	encounters a flagstr variable of an excessive length.  The string
1089	will be copied into a fixed-size buffer, leading to an overflow on
1090	the function's stack-frame.  Note well that this problem requires
1091	a malicious server, and affects ntpq, not ntpd.
1092   Mitigation:
1093	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1094	    or the NTP Public Services Project Download Page
1095	If you can't upgrade your version of ntpq then if you want to know
1096	    the reslist of an instance of ntpd that you do not control,
1097	    know that if the target ntpd is malicious that it can send back
1098	    a response that intends to crash your ntpq process.
1099   Credit:
1100	This weakness was discovered by Cure53.
1101
1102* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
1103   Date Resolved: 21 Mar 2017
1104   References: Sec 3376
1105   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1106	ntp-4.3.0 up to, but not including ntp-4.3.94.
1107   CVSS2: N/A
1108   CVSS3: N/A
1109   Summary:
1110	The build process for NTP has not, by default, provided compile
1111	or link flags to offer "hardened" security options.  Package
1112	maintainers have always been able to provide hardening security
1113	flags for their builds.  As of ntp-4.2.8p10, the NTP build
1114	system has a way to provide OS-specific hardening flags.  Please
1115	note that this is still not a really great solution because it
1116	is specific to NTP builds.  It's inefficient to have every
1117	package supply, track and maintain this information for every
1118	target build.  It would be much better if there was a common way
1119	for OSes to provide this information in a way that arbitrary
1120	packages could benefit from it.
1121   Mitigation:
1122	Implement BCP-38.
1123	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1124	    or the NTP Public Services Project Download Page
1125	Properly monitor your ntpd instances, and auto-restart
1126	    ntpd (without -g) if it stops running.
1127   Credit:
1128	This weakness was reported by Cure53.
1129
1130* 0rigin DoS (Medium)
1131   Date Resolved: 21 Mar 2017
1132   References: Sec 3361 / CVE-2016-9042 / VU#325339
1133   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
1134   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
1135   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
1136   Summary:
1137	An exploitable denial of service vulnerability exists in the
1138	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
1139	crafted unauthenticated network packet can be used to reset the
1140	expected origin timestamp for target peers.  Legitimate replies
1141	from targeted peers will fail the origin timestamp check (TEST2)
1142	causing the reply to be dropped and creating a denial of service
1143	condition.  This vulnerability can only be exploited if the
1144	attacker can spoof all of the servers.
1145   Mitigation:
1146	Implement BCP-38.
1147	Configure enough servers/peers that an attacker cannot target
1148	    all of your time sources.
1149	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1150	    or the NTP Public Services Project Download Page
1151	Properly monitor your ntpd instances, and auto-restart
1152	    ntpd (without -g) if it stops running.
1153   Credit:
1154	This weakness was discovered by Matthew Van Gundy of Cisco.
1155
1156Other fixes:
1157
1158* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
1159* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
1160  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
1161* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
1162* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
1163  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
1164  - original patch by Majdi S. Abbas
1165* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
1166* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
1167  - initial patch by Christos Zoulas
1168* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
1169  - move loader API from 'inline' to proper source
1170  - augment pathless dlls with absolute path to NTPD
1171  - use 'msyslog()' instead of 'printf() 'for reporting trouble
1172* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
1173  - applied patch by Matthew Van Gundy
1174* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
1175  - applied some of the patches provided by Havard. Not all of them
1176    still match the current code base, and I did not touch libopt.
1177* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
1178  - applied patch by Reinhard Max. See bugzilla for limitations.
1179* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
1180  - fixed dependency inversion from [Bug 2837]
1181* [Bug 2896] Nothing happens if minsane < maxclock < minclock
1182  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
1183* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
1184  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
1185* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
1186  - Fixed these and some more locations of this pattern.
1187    Probably din't get them all, though. <perlinger@ntp.org>
1188* Update copyright year.
1189
1190--
1191(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
1192
1193* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
1194  - added missed changeset for automatic openssl lib detection
1195  - fixed some minor warning issues
1196* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
1197* configure.ac cleanup.  stenn@ntp.org
1198* openssl configure cleanup.  stenn@ntp.org
1199
1200--
1201NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
1202
1203Focus: Security, Bug fixes, enhancements.
1204
1205Severity: HIGH
1206
1207In addition to bug fixes and enhancements, this release fixes the
1208following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
12095 low-severity vulnerabilities, and provides 28 other non-security
1210fixes and improvements:
1211
1212* Trap crash
1213   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1214   References: Sec 3119 / CVE-2016-9311 / VU#633847
1215   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1216   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1217   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
1218   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
1219   Summary:
1220	ntpd does not enable trap service by default. If trap service
1221	has been explicitly enabled, an attacker can send a specially
1222	crafted packet to cause a null pointer dereference that will
1223	crash ntpd, resulting in a denial of service.
1224   Mitigation:
1225        Implement BCP-38.
1226	Use "restrict default noquery ..." in your ntp.conf file. Only
1227	    allow mode 6 queries from trusted networks and hosts.
1228        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1229	    or the NTP Public Services Project Download Page
1230        Properly monitor your ntpd instances, and auto-restart ntpd
1231	    (without -g) if it stops running.
1232   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1233
1234* Mode 6 information disclosure and DDoS vector
1235   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1236   References: Sec 3118 / CVE-2016-9310 / VU#633847
1237   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1238	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1239   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1240   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1241   Summary:
1242	An exploitable configuration modification vulnerability exists
1243	in the control mode (mode 6) functionality of ntpd. If, against
1244	long-standing BCP recommendations, "restrict default noquery ..."
1245	is not specified, a specially crafted control mode packet can set
1246	ntpd traps, providing information disclosure and DDoS
1247	amplification, and unset ntpd traps, disabling legitimate
1248	monitoring. A remote, unauthenticated, network attacker can
1249	trigger this vulnerability.
1250   Mitigation:
1251        Implement BCP-38.
1252	Use "restrict default noquery ..." in your ntp.conf file.
1253        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1254	    or the NTP Public Services Project Download Page
1255        Properly monitor your ntpd instances, and auto-restart ntpd
1256	    (without -g) if it stops running.
1257   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1258
1259* Broadcast Mode Replay Prevention DoS
1260   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1261   References: Sec 3114 / CVE-2016-7427 / VU#633847
1262   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1263	ntp-4.3.90 up to, but not including ntp-4.3.94.
1264   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1265   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1266   Summary:
1267	The broadcast mode of NTP is expected to only be used in a
1268	trusted network. If the broadcast network is accessible to an
1269	attacker, a potentially exploitable denial of service
1270	vulnerability in ntpd's broadcast mode replay prevention
1271	functionality can be abused. An attacker with access to the NTP
1272	broadcast domain can periodically inject specially crafted
1273	broadcast mode NTP packets into the broadcast domain which,
1274	while being logged by ntpd, can cause ntpd to reject broadcast
1275	mode packets from legitimate NTP broadcast servers.
1276   Mitigation:
1277        Implement BCP-38.
1278        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1279	    or the NTP Public Services Project Download Page
1280        Properly monitor your ntpd instances, and auto-restart ntpd
1281	    (without -g) if it stops running.
1282   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1283
1284* Broadcast Mode Poll Interval Enforcement DoS
1285   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1286   References: Sec 3113 / CVE-2016-7428 / VU#633847
1287   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1288	ntp-4.3.90 up to, but not including ntp-4.3.94
1289   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1290   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1291   Summary:
1292	The broadcast mode of NTP is expected to only be used in a
1293	trusted network. If the broadcast network is accessible to an
1294	attacker, a potentially exploitable denial of service
1295	vulnerability in ntpd's broadcast mode poll interval enforcement
1296	functionality can be abused. To limit abuse, ntpd restricts the
1297	rate at which each broadcast association will process incoming
1298	packets. ntpd will reject broadcast mode packets that arrive
1299	before the poll interval specified in the preceding broadcast
1300	packet expires. An attacker with access to the NTP broadcast
1301	domain can send specially crafted broadcast mode NTP packets to
1302	the broadcast domain which, while being logged by ntpd, will
1303	cause ntpd to reject broadcast mode packets from legitimate NTP
1304	broadcast servers.
1305   Mitigation:
1306        Implement BCP-38.
1307        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1308	    or the NTP Public Services Project Download Page
1309        Properly monitor your ntpd instances, and auto-restart ntpd
1310	    (without -g) if it stops running.
1311   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1312
1313* Windows: ntpd DoS by oversized UDP packet
1314   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1315   References: Sec 3110 / CVE-2016-9312 / VU#633847
1316   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1317	and ntp-4.3.0 up to, but not including ntp-4.3.94.
1318   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1319   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1320   Summary:
1321	If a vulnerable instance of ntpd on Windows receives a crafted
1322	malicious packet that is "too big", ntpd will stop working.
1323   Mitigation:
1324        Implement BCP-38.
1325        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1326	    or the NTP Public Services Project Download Page
1327        Properly monitor your ntpd instances, and auto-restart ntpd
1328	    (without -g) if it stops running.
1329   Credit: This weakness was discovered by Robert Pajak of ABB.
1330
1331* 0rigin (zero origin) issues
1332   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1333   References: Sec 3102 / CVE-2016-7431 / VU#633847
1334   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1335   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1336   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1337   Summary:
1338	Zero Origin timestamp problems were fixed by Bug 2945 in
1339	ntp-4.2.8p6. However, subsequent timestamp validation checks
1340	introduced a regression in the handling of some Zero origin
1341	timestamp checks.
1342   Mitigation:
1343        Implement BCP-38.
1344        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1345	    or the NTP Public Services Project Download Page
1346        Properly monitor your ntpd instances, and auto-restart ntpd
1347	    (without -g) if it stops running.
1348   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1349	Malhotra of Boston University.
1350
1351* read_mru_list() does inadequate incoming packet checks
1352   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1353   References: Sec 3082 / CVE-2016-7434 / VU#633847
1354   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1355	ntp-4.3.0 up to, but not including ntp-4.3.94.
1356   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1357   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1358   Summary:
1359	If ntpd is configured to allow mrulist query requests from a
1360	server that sends a crafted malicious packet, ntpd will crash
1361	on receipt of that crafted malicious mrulist query packet.
1362   Mitigation:
1363	Only allow mrulist query packets from trusted hosts.
1364        Implement BCP-38.
1365        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1366	    or the NTP Public Services Project Download Page
1367        Properly monitor your ntpd instances, and auto-restart ntpd
1368	    (without -g) if it stops running.
1369   Credit: This weakness was discovered by Magnus Stubman.
1370
1371* Attack on interface selection
1372   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1373   References: Sec 3072 / CVE-2016-7429 / VU#633847
1374   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1375	ntp-4.3.0 up to, but not including ntp-4.3.94
1376   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1377   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1378   Summary:
1379	When ntpd receives a server response on a socket that corresponds
1380	to a different interface than was used for the request, the peer
1381	structure is updated to use the interface for new requests. If
1382	ntpd is running on a host with multiple interfaces in separate
1383	networks and the operating system doesn't check source address in
1384	received packets (e.g. rp_filter on Linux is set to 0), an
1385	attacker that knows the address of the source can send a packet
1386	with spoofed source address which will cause ntpd to select wrong
1387	interface for the source and prevent it from sending new requests
1388	until the list of interfaces is refreshed, which happens on
1389	routing changes or every 5 minutes by default. If the attack is
1390	repeated often enough (once per second), ntpd will not be able to
1391	synchronize with the source.
1392   Mitigation:
1393        Implement BCP-38.
1394        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1395	    or the NTP Public Services Project Download Page
1396	If you are going to configure your OS to disable source address
1397	    checks, also configure your firewall configuration to control
1398	    what interfaces can receive packets from what networks.
1399        Properly monitor your ntpd instances, and auto-restart ntpd
1400	    (without -g) if it stops running.
1401   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1402
1403* Client rate limiting and server responses
1404   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1405   References: Sec 3071 / CVE-2016-7426 / VU#633847
1406   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1407	ntp-4.3.0 up to, but not including ntp-4.3.94
1408   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1409   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1410   Summary:
1411	When ntpd is configured with rate limiting for all associations
1412	(restrict default limited in ntp.conf), the limits are applied
1413	also to responses received from its configured sources. An
1414	attacker who knows the sources (e.g., from an IPv4 refid in
1415	server response) and knows the system is (mis)configured in this
1416	way can periodically send packets with spoofed source address to
1417	keep the rate limiting activated and prevent ntpd from accepting
1418	valid responses from its sources.
1419
1420	While this blanket rate limiting can be useful to prevent
1421	brute-force attacks on the origin timestamp, it allows this DoS
1422	attack. Similarly, it allows the attacker to prevent mobilization
1423	of ephemeral associations.
1424   Mitigation:
1425        Implement BCP-38.
1426        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1427	    or the NTP Public Services Project Download Page
1428        Properly monitor your ntpd instances, and auto-restart ntpd
1429	    (without -g) if it stops running.
1430   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1431
1432* Fix for bug 2085 broke initial sync calculations
1433   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1434   References: Sec 3067 / CVE-2016-7433 / VU#633847
1435   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1436	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1437	root-distance calculation in general is incorrect in all versions
1438	of ntp-4 until this release.
1439   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1440   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1441   Summary:
1442	Bug 2085 described a condition where the root delay was included
1443	twice, causing the jitter value to be higher than expected. Due
1444	to a misinterpretation of a small-print variable in The Book, the
1445	fix for this problem was incorrect, resulting in a root distance
1446	that did not include the peer dispersion. The calculations and
1447	formulae have been reviewed and reconciled, and the code has been
1448	updated accordingly.
1449   Mitigation:
1450        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1451	    or the NTP Public Services Project Download Page
1452        Properly monitor your ntpd instances, and auto-restart ntpd
1453	    (without -g) if it stops running.
1454   Credit: This weakness was discovered independently by Brian Utterback of
1455	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1456
1457Other fixes:
1458
1459* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1460* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1461* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1462  - moved retry decision where it belongs. <perlinger@ntp.org>
1463* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1464  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1465* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1466* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1467  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1468* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1469  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1470  - added shim layer for SSL API calls with issues (both directions)
1471* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1472  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1473* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1474* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1475  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1476* [Bug 3067] Root distance calculation needs improvement.  HStenn
1477* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1478  - PPS-HACK works again.
1479* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1480  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1481* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1482* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1483  <perlinger@ntp.org>
1484  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1485* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1486  - Patch provided by Kuramatsu.
1487* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1488  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1489* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1490* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1491* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1492* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1493  - fixed GPS week expansion to work based on build date. Special thanks
1494    to Craig Leres for initial patch and testing.
1495* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1496  - fixed Makefile.am <perlinger@ntp.org>
1497* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1498             even if it is very old <perlinger@ntp.org>
1499  - make sure PPS source is alive before processing samples
1500  - improve stability close to the 500ms phase jump (phase gate)
1501* Fix typos in include/ntp.h.
1502* Shim X509_get_signature_nid() if needed
1503* git author attribution cleanup
1504* bk ignore file cleanup
1505* remove locks in Windows IO, use rpc-like thread synchronisation instead
1506
1507---
1508NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1509
1510Focus: Security, Bug fixes, enhancements.
1511
1512Severity: HIGH
1513
1514In addition to bug fixes and enhancements, this release fixes the
1515following 1 high- and 4 low-severity vulnerabilities:
1516
1517* CRYPTO_NAK crash
1518   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1519   References: Sec 3046 / CVE-2016-4957 / VU#321640
1520   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1521   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1522   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1523   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1524	could cause ntpd to crash.
1525   Mitigation:
1526        Implement BCP-38.
1527        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1528	    or the NTP Public Services Project Download Page
1529        If you cannot upgrade from 4.2.8p7, the only other alternatives
1530	    are to patch your code or filter CRYPTO_NAK packets.
1531        Properly monitor your ntpd instances, and auto-restart ntpd
1532	    (without -g) if it stops running.
1533   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1534
1535* Bad authentication demobilizes ephemeral associations
1536   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1537   References: Sec 3045 / CVE-2016-4953 / VU#321640
1538   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1539	ntp-4.3.0 up to, but not including ntp-4.3.93.
1540   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1541   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1542   Summary: An attacker who knows the origin timestamp and can send a
1543	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1544	target before any other response is sent can demobilize that
1545	association.
1546   Mitigation:
1547	Implement BCP-38.
1548	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1549	    or the NTP Public Services Project Download Page
1550	Properly monitor your ntpd instances.
1551	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1552
1553* Processing spoofed server packets
1554   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1555   References: Sec 3044 / CVE-2016-4954 / VU#321640
1556   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1557	ntp-4.3.0 up to, but not including ntp-4.3.93.
1558   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1559   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1560   Summary: An attacker who is able to spoof packets with correct origin
1561	timestamps from enough servers before the expected response
1562	packets arrive at the target machine can affect some peer
1563	variables and, for example, cause a false leap indication to be set.
1564   Mitigation:
1565	Implement BCP-38.
1566	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1567	    or the NTP Public Services Project Download Page
1568	Properly monitor your ntpd instances.
1569   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1570
1571* Autokey association reset
1572   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1573   References: Sec 3043 / CVE-2016-4955 / VU#321640
1574   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1575	ntp-4.3.0 up to, but not including ntp-4.3.93.
1576   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1577   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1578   Summary: An attacker who is able to spoof a packet with a correct
1579	origin timestamp before the expected response packet arrives at
1580	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1581	the association's peer variables to be cleared. If this can be
1582	done often enough, it will prevent that association from working.
1583   Mitigation:
1584	Implement BCP-38.
1585	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1586	    or the NTP Public Services Project Download Page
1587	Properly monitor your ntpd instances.
1588   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1589
1590* Broadcast interleave
1591   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1592   References: Sec 3042 / CVE-2016-4956 / VU#321640
1593   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1594   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1595   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1596   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1597   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1598   	so broadcast clients can be triggered to flip into interleave mode.
1599   Mitigation:
1600	Implement BCP-38.
1601	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1602	    or the NTP Public Services Project Download Page
1603	Properly monitor your ntpd instances.
1604   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1605
1606Other fixes:
1607* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1608  - provide build environment
1609  - 'wint_t' and 'struct timespec' defined by VS2015
1610  - fixed print()/scanf() format issues
1611* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1612* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1613* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1614  JPerlinger, HStenn.
1615* Fix typo in ntp-wait and plot_summary.  HStenn.
1616* Make sure we have an "author" file for git imports.  HStenn.
1617* Update the sntp problem tests for MacOS.  HStenn.
1618
1619---
1620NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1621
1622Focus: Security, Bug fixes, enhancements.
1623
1624Severity: MEDIUM
1625
1626When building NTP from source, there is a new configure option
1627available, --enable-dynamic-interleave.  More information on this below.
1628
1629Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
1630versions of ntp.  These events have almost certainly happened in the
1631past, it's just that they were silently counted and not logged.  With
1632the increasing awareness around security, we feel it's better to clearly
1633log these events to help detect abusive behavior.  This increased
1634logging can also help detect other problems, too.
1635
1636In addition to bug fixes and enhancements, this release fixes the
1637following 9 low- and medium-severity vulnerabilities:
1638
1639* Improve NTP security against buffer comparison timing attacks,
1640  AKA: authdecrypt-timing
1641   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1642   References: Sec 2879 / CVE-2016-1550
1643   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1644	4.3.0 up to, but not including 4.3.92
1645   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1646   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1647   Summary: Packet authentication tests have been performed using
1648	memcmp() or possibly bcmp(), and it is potentially possible
1649	for a local or perhaps LAN-based attacker to send a packet with
1650	an authentication payload and indirectly observe how much of
1651	the digest has matched.
1652   Mitigation:
1653	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1654	    or the NTP Public Services Project Download Page.
1655	Properly monitor your ntpd instances.
1656   Credit: This weakness was discovered independently by Loganaden
1657   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
1658
1659* Zero origin timestamp bypass: Additional KoD checks.
1660   References: Sec 2945 / Sec 2901 / CVE-2015-8138
1661   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1662   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
1663
1664* peer associations were broken by the fix for NtpBug2899
1665   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1666   References: Sec 2952 / CVE-2015-7704
1667   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1668   	4.3.0 up to, but not including 4.3.92
1669   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1670   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1671   	associations did not address all of the issues.
1672   Mitigation:
1673        Implement BCP-38.
1674        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1675	    or the NTP Public Services Project Download Page
1676        If you can't upgrade, use "server" associations instead of
1677	    "peer" associations.
1678        Monitor your ntpd instances.
1679   Credit: This problem was discovered by Michael Tatarinov.
1680
1681* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1682   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1683   References: Sec 3007 / CVE-2016-1547 / VU#718152
1684   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1685	4.3.0 up to, but not including 4.3.92
1686   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1687   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1688   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1689	off-path attacker can cause a preemptable client association to
1690	be demobilized by sending a crypto NAK packet to a victim client
1691	with a spoofed source address of an existing associated peer.
1692	This is true even if authentication is enabled.
1693
1694	Furthermore, if the attacker keeps sending crypto NAK packets,
1695	for example one every second, the victim never has a chance to
1696	reestablish the association and synchronize time with that
1697	legitimate server.
1698
1699	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1700	stringent checks are performed on incoming packets, but there
1701	are still ways to exploit this vulnerability in versions before
1702	ntp-4.2.8p7.
1703   Mitigation:
1704	Implement BCP-38.
1705	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1706	    or the NTP Public Services Project Download Page
1707	Properly monitor your ntpd instances
1708   Credit: This weakness was discovered by Stephen Gray and
1709   	Matthew Van Gundy of Cisco ASIG.
1710
1711* ctl_getitem() return value not always checked
1712   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1713   References: Sec 3008 / CVE-2016-2519
1714   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1715	4.3.0 up to, but not including 4.3.92
1716   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1717   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1718   Summary: ntpq and ntpdc can be used to store and retrieve information
1719   	in ntpd. It is possible to store a data value that is larger
1720	than the size of the buffer that the ctl_getitem() function of
1721	ntpd uses to report the return value. If the length of the
1722	requested data value returned by ctl_getitem() is too large,
1723	the value NULL is returned instead. There are 2 cases where the
1724	return value from ctl_getitem() was not directly checked to make
1725	sure it's not NULL, but there are subsequent INSIST() checks
1726	that make sure the return value is not NULL. There are no data
1727	values ordinarily stored in ntpd that would exceed this buffer
1728	length. But if one has permission to store values and one stores
1729	a value that is "too large", then ntpd will abort if an attempt
1730	is made to read that oversized value.
1731    Mitigation:
1732        Implement BCP-38.
1733        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1734	    or the NTP Public Services Project Download Page
1735        Properly monitor your ntpd instances.
1736    Credit: This weakness was discovered by Yihan Lian of the Cloud
1737    	Security Team, Qihoo 360.
1738
1739* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1740   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1741   References: Sec 3009 / CVE-2016-2518 / VU#718152
1742   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1743	4.3.0 up to, but not including 4.3.92
1744   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1745   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1746   Summary: Using a crafted packet to create a peer association with
1747   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1748	out-of-bounds reference.
1749   Mitigation:
1750	Implement BCP-38.
1751	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1752	    or the NTP Public Services Project Download Page
1753	Properly monitor your ntpd instances
1754   Credit: This weakness was discovered by Yihan Lian of the Cloud
1755   	Security Team, Qihoo 360.
1756
1757* remote configuration trustedkey/requestkey/controlkey values are not
1758	properly validated
1759   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1760   References: Sec 3010 / CVE-2016-2517 / VU#718152
1761   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1762	4.3.0 up to, but not including 4.3.92
1763   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1764   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1765   Summary: If ntpd was expressly configured to allow for remote
1766   	configuration, a malicious user who knows the controlkey for
1767	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1768	can create a session with ntpd and then send a crafted packet to
1769	ntpd that will change the value of the trustedkey, controlkey,
1770	or requestkey to a value that will prevent any subsequent
1771	authentication with ntpd until ntpd is restarted.
1772   Mitigation:
1773	Implement BCP-38.
1774	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1775	    or the NTP Public Services Project Download Page
1776	Properly monitor your ntpd instances
1777   Credit: This weakness was discovered by Yihan Lian of the Cloud
1778   	Security Team, Qihoo 360.
1779
1780* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1781   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1782   References: Sec 3011 / CVE-2016-2516 / VU#718152
1783   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1784   	4.3.0 up to, but not including 4.3.92
1785   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1786   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1787   Summary: If ntpd was expressly configured to allow for remote
1788   	configuration, a malicious user who knows the controlkey for
1789	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1790	can create a session with ntpd and if an existing association is
1791	unconfigured using the same IP twice on the unconfig directive
1792	line, ntpd will abort.
1793   Mitigation:
1794	Implement BCP-38.
1795	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1796	    or the NTP Public Services Project Download Page
1797	Properly monitor your ntpd instances
1798   Credit: This weakness was discovered by Yihan Lian of the Cloud
1799   	Security Team, Qihoo 360.
1800
1801* Refclock impersonation vulnerability
1802   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1803   References: Sec 3020 / CVE-2016-1551
1804   Affects: On a very limited number of OSes, all NTP releases up to but
1805	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1806	By "very limited number of OSes" we mean no general-purpose OSes
1807	have yet been identified that have this vulnerability.
1808   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1809   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1810   Summary: While most OSes implement martian packet filtering in their
1811   	network stack, at least regarding 127.0.0.0/8, some will allow
1812	packets claiming to be from 127.0.0.0/8 that arrive over a
1813	physical network. On these OSes, if ntpd is configured to use a
1814	reference clock an attacker can inject packets over the network
1815	that look like they are coming from that reference clock.
1816   Mitigation:
1817        Implement martian packet filtering and BCP-38.
1818        Configure ntpd to use an adequate number of time sources.
1819        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1820	    or the NTP Public Services Project Download Page
1821        If you are unable to upgrade and if you are running an OS that
1822	    has this vulnerability, implement martian packet filters and
1823	    lobby your OS vendor to fix this problem, or run your
1824	    refclocks on computers that use OSes that are not vulnerable
1825	    to these attacks and have your vulnerable machines get their
1826	    time from protected resources.
1827        Properly monitor your ntpd instances.
1828   Credit: This weakness was discovered by Matt Street and others of
1829   	Cisco ASIG.
1830
1831The following issues were fixed in earlier releases and contain
1832improvements in 4.2.8p7:
1833
1834* Clients that receive a KoD should validate the origin timestamp field.
1835   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1836   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1837   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1838
1839* Skeleton key: passive server with trusted key can serve time.
1840   References: Sec 2936 / CVE-2015-7974
1841   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1842   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1843
1844Two other vulnerabilities have been reported, and the mitigations
1845for these are as follows:
1846
1847* Interleave-pivot
1848   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1849   References: Sec 2978 / CVE-2016-1548
1850   Affects: All ntp-4 releases.
1851   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1852   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1853   Summary: It is possible to change the time of an ntpd client or deny
1854   	service to an ntpd client by forcing it to change from basic
1855	client/server mode to interleaved symmetric mode. An attacker
1856	can spoof a packet from a legitimate ntpd server with an origin
1857	timestamp that matches the peer->dst timestamp recorded for that
1858	server. After making this switch, the client will reject all
1859	future legitimate server responses. It is possible to force the
1860	victim client to move time after the mode has been changed.
1861	ntpq gives no indication that the mode has been switched.
1862   Mitigation:
1863        Implement BCP-38.
1864        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1865	    or the NTP Public Services Project Download Page.  These
1866	    versions will not dynamically "flip" into interleave mode
1867	    unless configured to do so.
1868        Properly monitor your ntpd instances.
1869   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1870   	and separately by Jonathan Gardner of Cisco ASIG.
1871
1872* Sybil vulnerability: ephemeral association attack
1873   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1874   References: Sec 3012 / CVE-2016-1549
1875   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1876   	4.3.0 up to, but not including 4.3.92
1877   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1878   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1879   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1880   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1881	field in the ntp.keys file to specify which IPs can serve time,
1882	a malicious authenticated peer can create arbitrarily-many
1883	ephemeral associations in order to win the clock selection of
1884	ntpd and modify a victim's clock.
1885   Mitigation:
1886        Implement BCP-38.
1887        Use the 4th field in the ntp.keys file to specify which IPs
1888	    can be time servers.
1889        Properly monitor your ntpd instances.
1890   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1891
1892Other fixes:
1893
1894* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1895  - fixed yet another race condition in the threaded resolver code.
1896* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1897* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1898  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1899    with some modifications & unit tests
1900* [Bug 2960] async name resolution fixes for chroot() environments.
1901  Reinhard Max.
1902* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1903* [Bug 2995] Fixes to compile on Windows
1904* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1905* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1906  - Patch provided by Ch. Weisgerber
1907* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1908  - A change related to [Bug 2853] forbids trailing white space in
1909    remote config commands. perlinger@ntp.org
1910* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1911  - report and patch from Aleksandr Kostikov.
1912  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1913* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1914  - fixed memory leak in access list (auth[read]keys.c)
1915  - refactored handling of key access lists (auth[read]keys.c)
1916  - reduced number of error branches (authreadkeys.c)
1917* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1918* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1919* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1920             when the time of server changed. perlinger@ntp.org
1921  - Check the initial delay calculation and reject/unpeer the broadcast
1922    server if the delay exceeds 50ms. Retry again after the next
1923    broadcast packet.
1924* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1925* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1926* Update html/xleave.html documentation.  Harlan Stenn.
1927* Update ntp.conf documentation.  Harlan Stenn.
1928* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1929* Fix typo in html/monopt.html.  Harlan Stenn.
1930* Add README.pullrequests.  Harlan Stenn.
1931* Cleanup to include/ntp.h.  Harlan Stenn.
1932
1933New option to 'configure':
1934
1935While looking in to the issues around Bug 2978, the "interleave pivot"
1936issue, it became clear that there are some intricate and unresolved
1937issues with interleave operations.  We also realized that the interleave
1938protocol was never added to the NTPv4 Standard, and it should have been.
1939
1940Interleave mode was first released in July of 2008, and can be engaged
1941in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1942contain the 'xleave' option, which will expressly enable interlave mode
1943for that association.  Additionally, if a time packet arrives and is
1944found inconsistent with normal protocol behavior but has certain
1945characteristics that are compatible with interleave mode, NTP will
1946dynamically switch to interleave mode.  With sufficient knowledge, an
1947attacker can send a crafted forged packet to an NTP instance that
1948triggers only one side to enter interleaved mode.
1949
1950To prevent this attack until we can thoroughly document, describe,
1951fix, and test the dynamic interleave mode, we've added a new
1952'configure' option to the build process:
1953
1954 --enable-dynamic-interleave
1955
1956This option controls whether or not NTP will, if conditions are right,
1957engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1958default in ntp-4.2.8p7.
1959
1960---
1961NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1962
1963Focus: Security, Bug fixes, enhancements.
1964
1965Severity: MEDIUM
1966
1967In addition to bug fixes and enhancements, this release fixes the
1968following 1 low- and 8 medium-severity vulnerabilities:
1969
1970* Potential Infinite Loop in 'ntpq'
1971   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1972   References: Sec 2548 / CVE-2015-8158
1973   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1974	4.3.0 up to, but not including 4.3.90
1975   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1976   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1977   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1978	The loop's only stopping conditions are receiving a complete and
1979	correct response or hitting a small number of error conditions.
1980	If the packet contains incorrect values that don't trigger one of
1981	the error conditions, the loop continues to receive new packets.
1982	Note well, this is an attack against an instance of 'ntpq', not
1983	'ntpd', and this attack requires the attacker to do one of the
1984	following:
1985	* Own a malicious NTP server that the client trusts
1986	* Prevent a legitimate NTP server from sending packets to
1987	    the 'ntpq' client
1988	* MITM the 'ntpq' communications between the 'ntpq' client
1989	    and the NTP server
1990   Mitigation:
1991	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1992	or the NTP Public Services Project Download Page
1993   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1994
1995* 0rigin: Zero Origin Timestamp Bypass
1996   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1997   References: Sec 2945 / CVE-2015-8138
1998   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1999	4.3.0 up to, but not including 4.3.90
2000   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
2001   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
2002	(3.7 - LOW if you score AC:L)
2003   Summary: To distinguish legitimate peer responses from forgeries, a
2004	client attempts to verify a response packet by ensuring that the
2005	origin timestamp in the packet matches the origin timestamp it
2006	transmitted in its last request.  A logic error exists that
2007	allows packets with an origin timestamp of zero to bypass this
2008	check whenever there is not an outstanding request to the server.
2009   Mitigation:
2010	Configure 'ntpd' to get time from multiple sources.
2011	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2012	    or the NTP Public Services Project Download Page.
2013	Monitor your 'ntpd' instances.
2014   Credit: This weakness was discovered by Matthey Van Gundy and
2015	Jonathan Gardner of Cisco ASIG.
2016
2017* Stack exhaustion in recursive traversal of restriction list
2018   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
2019   References: Sec 2940 / CVE-2015-7978
2020   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2021	4.3.0 up to, but not including 4.3.90
2022   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
2023   Summary: An unauthenticated 'ntpdc reslist' command can cause a
2024   	segmentation fault in ntpd by exhausting the call stack.
2025   Mitigation:
2026	Implement BCP-38.
2027	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2028	    or the NTP Public Services Project Download Page.
2029	If you are unable to upgrade:
2030            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2031	    If you must enable mode 7:
2032		configure the use of a 'requestkey' to control who can
2033		    issue mode 7 requests.
2034		configure 'restrict noquery' to further limit mode 7
2035		    requests to trusted sources.
2036		Monitor your ntpd instances.
2037   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
2038
2039* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
2040   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2041   References: Sec 2942 / CVE-2015-7979
2042   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2043	4.3.0 up to, but not including 4.3.90
2044   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
2045   Summary: An off-path attacker can send broadcast packets with bad
2046	authentication (wrong key, mismatched key, incorrect MAC, etc)
2047	to broadcast clients. It is observed that the broadcast client
2048	tears down the association with the broadcast server upon
2049	receiving just one bad packet.
2050   Mitigation:
2051	Implement BCP-38.
2052	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2053	or the NTP Public Services Project Download Page.
2054	Monitor your 'ntpd' instances.
2055	If this sort of attack is an active problem for you, you have
2056	    deeper problems to investigate.  In this case also consider
2057	    having smaller NTP broadcast domains.
2058   Credit: This weakness was discovered by Aanchal Malhotra of Boston
2059   	University.
2060
2061* reslist NULL pointer dereference
2062   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2063   References: Sec 2939 / CVE-2015-7977
2064   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2065	4.3.0 up to, but not including 4.3.90
2066   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
2067   Summary: An unauthenticated 'ntpdc reslist' command can cause a
2068	segmentation fault in ntpd by causing a NULL pointer dereference.
2069   Mitigation:
2070	Implement BCP-38.
2071	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
2072	the NTP Public Services Project Download Page.
2073	If you are unable to upgrade:
2074	    mode 7 is disabled by default.  Don't enable it.
2075	    If you must enable mode 7:
2076		configure the use of a 'requestkey' to control who can
2077		    issue mode 7 requests.
2078		configure 'restrict noquery' to further limit mode 7
2079		    requests to trusted sources.
2080	Monitor your ntpd instances.
2081   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
2082
2083* 'ntpq saveconfig' command allows dangerous characters in filenames.
2084   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2085   References: Sec 2938 / CVE-2015-7976
2086   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2087	4.3.0 up to, but not including 4.3.90
2088   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
2089   Summary: The ntpq saveconfig command does not do adequate filtering
2090   	of special characters from the supplied filename.
2091	Note well: The ability to use the saveconfig command is controlled
2092	by the 'restrict nomodify' directive, and the recommended default
2093	configuration is to disable this capability.  If the ability to
2094	execute a 'saveconfig' is required, it can easily (and should) be
2095	limited and restricted to a known small number of IP addresses.
2096   Mitigation:
2097	Implement BCP-38.
2098	use 'restrict default nomodify' in your 'ntp.conf' file.
2099	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
2100	If you are unable to upgrade:
2101	    build NTP with 'configure --disable-saveconfig' if you will
2102	    	never need this capability, or
2103	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
2104		careful about what IPs have the ability to send 'modify'
2105		requests to 'ntpd'.
2106	Monitor your ntpd instances.
2107	'saveconfig' requests are logged to syslog - monitor your syslog files.
2108   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
2109
2110* nextvar() missing length check in ntpq
2111   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2112   References: Sec 2937 / CVE-2015-7975
2113   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2114	4.3.0 up to, but not including 4.3.90
2115   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
2116	If you score A:C, this becomes 4.0.
2117   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
2118   Summary: ntpq may call nextvar() which executes a memcpy() into the
2119	name buffer without a proper length check against its maximum
2120	length of 256 bytes. Note well that we're taking about ntpq here.
2121	The usual worst-case effect of this vulnerability is that the
2122	specific instance of ntpq will crash and the person or process
2123	that did this will have stopped themselves.
2124   Mitigation:
2125	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2126	    or the NTP Public Services Project Download Page.
2127	If you are unable to upgrade:
2128	    If you have scripts that feed input to ntpq make sure there are
2129		some sanity checks on the input received from the "outside".
2130	    This is potentially more dangerous if ntpq is run as root.
2131   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
2132
2133* Skeleton Key: Any trusted key system can serve time
2134   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2135   References: Sec 2936 / CVE-2015-7974
2136   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2137	4.3.0 up to, but not including 4.3.90
2138   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
2139   Summary: Symmetric key encryption uses a shared trusted key. The
2140	reported title for this issue was "Missing key check allows
2141	impersonation between authenticated peers" and the report claimed
2142	"A key specified only for one server should only work to
2143	authenticate that server, other trusted keys should be refused."
2144	Except there has never been any correlation between this trusted
2145	key and server v. clients machines and there has never been any
2146	way to specify a key only for one server. We have treated this as
2147	an enhancement request, and ntp-4.2.8p6 includes other checks and
2148	tests to strengthen clients against attacks coming from broadcast
2149	servers.
2150   Mitigation:
2151	Implement BCP-38.
2152	If this scenario represents a real or a potential issue for you,
2153	    upgrade to 4.2.8p6, or later, from the NTP Project Download
2154	    Page or the NTP Public Services Project Download Page, and
2155	    use the new field in the ntp.keys file that specifies the list
2156	    of IPs that are allowed to serve time. Note that this alone
2157	    will not protect against time packets with forged source IP
2158	    addresses, however other changes in ntp-4.2.8p6 provide
2159	    significant mitigation against broadcast attacks. MITM attacks
2160	    are a different story.
2161	If you are unable to upgrade:
2162	    Don't use broadcast mode if you cannot monitor your client
2163	    	servers.
2164	    If you choose to use symmetric keys to authenticate time
2165	    	packets in a hostile environment where ephemeral time
2166		servers can be created, or if it is expected that malicious
2167		time servers will participate in an NTP broadcast domain,
2168		limit the number of participating systems that participate
2169		in the shared-key group.
2170	Monitor your ntpd instances.
2171   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
2172
2173* Deja Vu: Replay attack on authenticated broadcast mode
2174   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2175   References: Sec 2935 / CVE-2015-7973
2176   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2177   	4.3.0 up to, but not including 4.3.90
2178   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
2179   Summary: If an NTP network is configured for broadcast operations then
2180   	either a man-in-the-middle attacker or a malicious participant
2181	that has the same trusted keys as the victim can replay time packets.
2182   Mitigation:
2183	Implement BCP-38.
2184	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2185	    or the NTP Public Services Project Download Page.
2186	If you are unable to upgrade:
2187	    Don't use broadcast mode if you cannot monitor your client servers.
2188	Monitor your ntpd instances.
2189   Credit: This weakness was discovered by Aanchal Malhotra of Boston
2190	University.
2191
2192Other fixes:
2193
2194* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
2195* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
2196  - applied patch by shenpeng11@huawei.com with minor adjustments
2197* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
2198* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
2199* [Bug 2892] Several test cases assume IPv6 capabilities even when
2200             IPv6 is disabled in the build. perlinger@ntp.org
2201  - Found this already fixed, but validation led to cleanup actions.
2202* [Bug 2905] DNS lookups broken. perlinger@ntp.org
2203  - added limits to stack consumption, fixed some return code handling
2204* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2205  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2206  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
2207* [Bug 2980] reduce number of warnings. perlinger@ntp.org
2208  - integrated several patches from Havard Eidnes (he@uninett.no)
2209* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
2210  - implement 'auth_log2()' using integer bithack instead of float calculation
2211* Make leapsec_query debug messages less verbose.  Harlan Stenn.
2212
2213---
2214NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
2215
2216Focus: Security, Bug fixes, enhancements.
2217
2218Severity: MEDIUM
2219
2220In addition to bug fixes and enhancements, this release fixes the
2221following medium-severity vulnerability:
2222
2223* Small-step/big-step.  Close the panic gate earlier.
2224    References: Sec 2956, CVE-2015-5300
2225    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
2226	4.3.0 up to, but not including 4.3.78
2227    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
2228    Summary: If ntpd is always started with the -g option, which is
2229	common and against long-standing recommendation, and if at the
2230	moment ntpd is restarted an attacker can immediately respond to
2231	enough requests from enough sources trusted by the target, which
2232	is difficult and not common, there is a window of opportunity
2233	where the attacker can cause ntpd to set the time to an
2234	arbitrary value. Similarly, if an attacker is able to respond
2235	to enough requests from enough sources trusted by the target,
2236	the attacker can cause ntpd to abort and restart, at which
2237	point it can tell the target to set the time to an arbitrary
2238	value if and only if ntpd was re-started against long-standing
2239	recommendation with the -g flag, or if ntpd was not given the
2240	-g flag, the attacker can move the target system's time by at
2241	most 900 seconds' time per attack.
2242    Mitigation:
2243	Configure ntpd to get time from multiple sources.
2244	Upgrade to 4.2.8p5, or later, from the NTP Project Download
2245	    Page or the NTP Public Services Project Download Page
2246	As we've long documented, only use the -g option to ntpd in
2247	    cold-start situations.
2248	Monitor your ntpd instances.
2249    Credit: This weakness was discovered by Aanchal Malhotra,
2250	Isaac E. Cohen, and Sharon Goldberg at Boston University.
2251
2252    NOTE WELL: The -g flag disables the limit check on the panic_gate
2253	in ntpd, which is 900 seconds by default. The bug identified by
2254	the researchers at Boston University is that the panic_gate
2255	check was only re-enabled after the first change to the system
2256	clock that was greater than 128 milliseconds, by default. The
2257	correct behavior is that the panic_gate check should be
2258	re-enabled after any initial time correction.
2259
2260	If an attacker is able to inject consistent but erroneous time
2261	responses to your systems via the network or "over the air",
2262	perhaps by spoofing radio, cellphone, or navigation satellite
2263	transmissions, they are in a great position to affect your
2264	system's clock. There comes a point where your very best
2265	defenses include:
2266
2267	    Configure ntpd to get time from multiple sources.
2268	    Monitor your ntpd instances.
2269
2270Other fixes:
2271
2272* Coverity submission process updated from Coverity 5 to Coverity 7.
2273  The NTP codebase has been undergoing regular Coverity scans on an
2274  ongoing basis since 2006.  As part of our recent upgrade from
2275  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
2276  the newly-written Unity test programs.  These were fixed.
2277* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
2278* [Bug 2887] stratum -1 config results as showing value 99
2279  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
2280* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
2281* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
2282* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
2283  - applied patch by Christos Zoulas.  perlinger@ntp.org
2284* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
2285* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
2286  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
2287  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
2288* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
2289  - accept key file only if there are no parsing errors
2290  - fixed size_t/u_int format clash
2291  - fixed wrong use of 'strlcpy'
2292* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
2293* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
2294  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
2295  - promote use of 'size_t' for values that express a size
2296  - use ptr-to-const for read-only arguments
2297  - make sure SOCKET values are not truncated (win32-specific)
2298  - format string fixes
2299* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
2300* [Bug 2967] ntpdate command suffers an assertion failure
2301  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
2302* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
2303              lots of clients. perlinger@ntp.org
2304* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2305  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2306* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
2307* Unity test cleanup.  Harlan Stenn.
2308* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
2309* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
2310* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
2311* Quiet a warning from clang.  Harlan Stenn.
2312
2313---
2314NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
2315
2316Focus: Security, Bug fixes, enhancements.
2317
2318Severity: MEDIUM
2319
2320In addition to bug fixes and enhancements, this release fixes the
2321following 13 low- and medium-severity vulnerabilities:
2322
2323* Incomplete vallen (value length) checks in ntp_crypto.c, leading
2324  to potential crashes or potential code injection/information leakage.
2325
2326    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
2327    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2328    	and 4.3.0 up to, but not including 4.3.77
2329    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2330    Summary: The fix for CVE-2014-9750 was incomplete in that there were
2331    	certain code paths where a packet with particular autokey operations
2332	that contained malicious data was not always being completely
2333	validated. Receipt of these packets can cause ntpd to crash.
2334    Mitigation:
2335        Don't use autokey.
2336	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2337	    Page or the NTP Public Services Project Download Page
2338	Monitor your ntpd instances.
2339	Credit: This weakness was discovered by Tenable Network Security.
2340
2341* Clients that receive a KoD should validate the origin timestamp field.
2342
2343    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
2344    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2345	and 4.3.0 up to, but not including 4.3.77
2346    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2347    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2348    	KoD messages that have been forged by an attacker, causing it to
2349	delay or stop querying its servers for time updates. Also, an
2350	attacker can forge packets that claim to be from the target and
2351	send them to servers often enough that a server that implements
2352	KoD rate limiting will send the target machine a KoD response to
2353	attempt to reduce the rate of incoming packets, or it may also
2354	trigger a firewall block at the server for packets from the target
2355	machine. For either of these attacks to succeed, the attacker must
2356	know what servers the target is communicating with. An attacker
2357	can be anywhere on the Internet and can frequently learn the
2358	identity of the target's time source by sending the target a
2359	time query.
2360    Mitigation:
2361        Implement BCP-38.
2362	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
2363	    or the NTP Public Services Project Download Page
2364	If you can't upgrade, restrict who can query ntpd to learn who
2365	    its servers are, and what IPs are allowed to ask your system
2366	    for the time. This mitigation is heavy-handed.
2367	Monitor your ntpd instances.
2368    Note:
2369    	4.2.8p4 protects against the first attack. For the second attack,
2370    	all we can do is warn when it is happening, which we do in 4.2.8p4.
2371    Credit: This weakness was discovered by Aanchal Malhotra,
2372    	Issac E. Cohen, and Sharon Goldberg of Boston University.
2373
2374* configuration directives to change "pidfile" and "driftfile" should
2375  only be allowed locally.
2376
2377  References: Sec 2902 / CVE-2015-5196
2378  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2379	and 4.3.0 up to, but not including 4.3.77
2380   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
2381   Summary: If ntpd is configured to allow for remote configuration,
2382	and if the (possibly spoofed) source IP address is allowed to
2383	send remote configuration requests, and if the attacker knows
2384	the remote configuration password, it's possible for an attacker
2385	to use the "pidfile" or "driftfile" directives to potentially
2386	overwrite other files.
2387   Mitigation:
2388	Implement BCP-38.
2389	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2390	    Page or the NTP Public Services Project Download Page
2391	If you cannot upgrade, don't enable remote configuration.
2392	If you must enable remote configuration and cannot upgrade,
2393	    remote configuration of NTF's ntpd requires:
2394	    - an explicitly configured trustedkey, and you should also
2395	    	configure a controlkey.
2396	    - access from a permitted IP. You choose the IPs.
2397	    - authentication. Don't disable it. Practice secure key safety.
2398	Monitor your ntpd instances.
2399   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2400
2401* Slow memory leak in CRYPTO_ASSOC
2402
2403  References: Sec 2909 / CVE-2015-7701
2404  Affects: All ntp-4 releases that use autokey up to, but not
2405    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2406  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2407  	4.6 otherwise
2408  Summary: If ntpd is configured to use autokey, then an attacker can
2409	send packets to ntpd that will, after several days of ongoing
2410	attack, cause it to run out of memory.
2411  Mitigation:
2412	Don't use autokey.
2413	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2414	    Page or the NTP Public Services Project Download Page
2415	Monitor your ntpd instances.
2416  Credit: This weakness was discovered by Tenable Network Security.
2417
2418* mode 7 loop counter underrun
2419
2420  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2421  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2422  	and 4.3.0 up to, but not including 4.3.77
2423  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2424  Summary: If ntpd is configured to enable mode 7 packets, and if the
2425	use of mode 7 packets is not properly protected thru the use of
2426	the available mode 7 authentication and restriction mechanisms,
2427	and if the (possibly spoofed) source IP address is allowed to
2428	send mode 7 queries, then an attacker can send a crafted packet
2429	to ntpd that will cause it to crash.
2430  Mitigation:
2431	Implement BCP-38.
2432	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2433	    Page or the NTP Public Services Project Download Page.
2434	      If you are unable to upgrade:
2435	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2436	If you must enable mode 7:
2437	    configure the use of a requestkey to control who can issue
2438		mode 7 requests.
2439	    configure restrict noquery to further limit mode 7 requests
2440		to trusted sources.
2441	Monitor your ntpd instances.
2442Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2443
2444* memory corruption in password store
2445
2446  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2447  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2448  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2449  Summary: If ntpd is configured to allow remote configuration, and if
2450	the (possibly spoofed) source IP address is allowed to send
2451	remote configuration requests, and if the attacker knows the
2452	remote configuration password or if ntpd was configured to
2453	disable authentication, then an attacker can send a set of
2454	packets to ntpd that may cause a crash or theoretically
2455	perform a code injection attack.
2456  Mitigation:
2457	Implement BCP-38.
2458	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2459	    Page or the NTP Public Services Project Download Page.
2460	If you are unable to upgrade, remote configuration of NTF's
2461	    ntpd requires:
2462		an explicitly configured "trusted" key. Only configure
2463			this if you need it.
2464		access from a permitted IP address. You choose the IPs.
2465		authentication. Don't disable it. Practice secure key safety.
2466	Monitor your ntpd instances.
2467  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2468
2469* Infinite loop if extended logging enabled and the logfile and
2470  keyfile are the same.
2471
2472    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2473    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2474	and 4.3.0 up to, but not including 4.3.77
2475    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2476    Summary: If ntpd is configured to allow remote configuration, and if
2477	the (possibly spoofed) source IP address is allowed to send
2478	remote configuration requests, and if the attacker knows the
2479	remote configuration password or if ntpd was configured to
2480	disable authentication, then an attacker can send a set of
2481	packets to ntpd that will cause it to crash and/or create a
2482	potentially huge log file. Specifically, the attacker could
2483	enable extended logging, point the key file at the log file,
2484	and cause what amounts to an infinite loop.
2485    Mitigation:
2486	Implement BCP-38.
2487	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2488	    Page or the NTP Public Services Project Download Page.
2489	If you are unable to upgrade, remote configuration of NTF's ntpd
2490	  requires:
2491            an explicitly configured "trusted" key. Only configure this
2492	    	if you need it.
2493            access from a permitted IP address. You choose the IPs.
2494            authentication. Don't disable it. Practice secure key safety.
2495        Monitor your ntpd instances.
2496    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2497
2498* Potential path traversal vulnerability in the config file saving of
2499  ntpd on VMS.
2500
2501  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2502  Affects: All ntp-4 releases running under VMS up to, but not
2503	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2504  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2505  Summary: If ntpd is configured to allow remote configuration, and if
2506	the (possibly spoofed) IP address is allowed to send remote
2507	configuration requests, and if the attacker knows the remote
2508	configuration password or if ntpd was configured to disable
2509	authentication, then an attacker can send a set of packets to
2510	ntpd that may cause ntpd to overwrite files.
2511  Mitigation:
2512	Implement BCP-38.
2513	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2514	    Page or the NTP Public Services Project Download Page.
2515	If you are unable to upgrade, remote configuration of NTF's ntpd
2516	    requires:
2517		an explicitly configured "trusted" key. Only configure
2518			this if you need it.
2519		access from permitted IP addresses. You choose the IPs.
2520		authentication. Don't disable it. Practice key security safety.
2521        Monitor your ntpd instances.
2522    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2523
2524* ntpq atoascii() potential memory corruption
2525
2526  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2527  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2528	and 4.3.0 up to, but not including 4.3.77
2529  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2530  Summary: If an attacker can figure out the precise moment that ntpq
2531	is listening for data and the port number it is listening on or
2532	if the attacker can provide a malicious instance ntpd that
2533	victims will connect to then an attacker can send a set of
2534	crafted mode 6 response packets that, if received by ntpq,
2535	can cause ntpq to crash.
2536  Mitigation:
2537	Implement BCP-38.
2538	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2539	    Page or the NTP Public Services Project Download Page.
2540	If you are unable to upgrade and you run ntpq against a server
2541	    and ntpq crashes, try again using raw mode. Build or get a
2542	    patched ntpq and see if that fixes the problem. Report new
2543	    bugs in ntpq or abusive servers appropriately.
2544	If you use ntpq in scripts, make sure ntpq does what you expect
2545	    in your scripts.
2546  Credit: This weakness was discovered by Yves Younan and
2547  	Aleksander Nikolich of Cisco Talos.
2548
2549* Invalid length data provided by a custom refclock driver could cause
2550  a buffer overflow.
2551
2552  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2553  Affects: Potentially all ntp-4 releases running up to, but not
2554	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2555	that have custom refclocks
2556  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2557	5.9 unusual worst case
2558  Summary: A negative value for the datalen parameter will overflow a
2559	data buffer. NTF's ntpd driver implementations always set this
2560	value to 0 and are therefore not vulnerable to this weakness.
2561	If you are running a custom refclock driver in ntpd and that
2562	driver supplies a negative value for datalen (no custom driver
2563	of even minimal competence would do this) then ntpd would
2564	overflow a data buffer. It is even hypothetically possible
2565	in this case that instead of simply crashing ntpd the attacker
2566	could effect a code injection attack.
2567  Mitigation:
2568	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2569	    Page or the NTP Public Services Project Download Page.
2570	If you are unable to upgrade:
2571		If you are running custom refclock drivers, make sure
2572			the signed datalen value is either zero or positive.
2573	Monitor your ntpd instances.
2574  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2575
2576* Password Length Memory Corruption Vulnerability
2577
2578  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2579  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2580  	4.3.0 up to, but not including 4.3.77
2581  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2582  	1.7 usual case, 6.8, worst case
2583  Summary: If ntpd is configured to allow remote configuration, and if
2584	the (possibly spoofed) source IP address is allowed to send
2585	remote configuration requests, and if the attacker knows the
2586	remote configuration password or if ntpd was (foolishly)
2587	configured to disable authentication, then an attacker can
2588	send a set of packets to ntpd that may cause it to crash,
2589	with the hypothetical possibility of a small code injection.
2590  Mitigation:
2591	Implement BCP-38.
2592	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2593	    Page or the NTP Public Services Project Download Page.
2594	If you are unable to upgrade, remote configuration of NTF's
2595	    ntpd requires:
2596		an explicitly configured "trusted" key. Only configure
2597			this if you need it.
2598		access from a permitted IP address. You choose the IPs.
2599		authentication. Don't disable it. Practice secure key safety.
2600	Monitor your ntpd instances.
2601  Credit: This weakness was discovered by Yves Younan and
2602  	Aleksander Nikolich of Cisco Talos.
2603
2604* decodenetnum() will ASSERT botch instead of returning FAIL on some
2605  bogus values.
2606
2607  References: Sec 2922 / CVE-2015-7855
2608  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2609	4.3.0 up to, but not including 4.3.77
2610  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2611  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2612	an unusually long data value where a network address is expected,
2613	the decodenetnum() function will abort with an assertion failure
2614	instead of simply returning a failure condition.
2615  Mitigation:
2616	Implement BCP-38.
2617	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2618	    Page or the NTP Public Services Project Download Page.
2619	If you are unable to upgrade:
2620		mode 7 is disabled by default. Don't enable it.
2621		Use restrict noquery to limit who can send mode 6
2622			and mode 7 requests.
2623		Configure and use the controlkey and requestkey
2624			authentication directives to limit who can
2625			send mode 6 and mode 7 requests.
2626	Monitor your ntpd instances.
2627  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2628
2629* NAK to the Future: Symmetric association authentication bypass via
2630  crypto-NAK.
2631
2632  References: Sec 2941 / CVE-2015-7871
2633  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2634  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2635  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2636  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2637	from unauthenticated ephemeral symmetric peers by bypassing the
2638	authentication required to mobilize peer associations. This
2639	vulnerability appears to have been introduced in ntp-4.2.5p186
2640	when the code handling mobilization of new passive symmetric
2641	associations (lines 1103-1165) was refactored.
2642  Mitigation:
2643	Implement BCP-38.
2644	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2645	    Page or the NTP Public Services Project Download Page.
2646	If you are unable to upgrade:
2647		Apply the patch to the bottom of the "authentic" check
2648			block around line 1136 of ntp_proto.c.
2649	Monitor your ntpd instances.
2650  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2651
2652Backward-Incompatible changes:
2653* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2654  While the general default of 32M is still the case, under Linux
2655  the default value has been changed to -1 (do not lock ntpd into
2656  memory).  A value of 0 means "lock ntpd into memory with whatever
2657  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2658  value in it, that value will continue to be used.
2659
2660* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2661  If you've written a script that looks for this case in, say, the
2662  output of ntpq, you probably want to change your regex matches
2663  from 'outlyer' to 'outl[iy]er'.
2664
2665New features in this release:
2666* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2667  "don't lock ntpd into memore".  This is the default for Linux boxes.
2668  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2669  the value is the number of megabytes of memory to lock.  The default
2670  is 32 megabytes.
2671
2672* The old Google Test framework has been replaced with a new framework,
2673  based on http://www.throwtheswitch.org/unity/ .
2674
2675Bug Fixes and Improvements:
2676* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2677  privileges and limiting resources in NTPD removes the need to link
2678  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2679* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2680* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2681* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2682* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2683* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2684* [Bug 2849] Systems with more than one default route may never
2685  synchronize.  Brian Utterback.  Note that this patch might need to
2686  be reverted once Bug 2043 has been fixed.
2687* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2688* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2689* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2690* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2691* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2692* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2693  be configured for the distribution targets.  Harlan Stenn.
2694* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2695* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2696* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2697* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2698* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2699* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2700* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2701* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2702* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2703* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2704* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2705* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2706* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2707* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2708* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2709* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2710* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2711* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2712* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2713* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2714* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2715* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2716  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2717  formatting; first declaration, then code (C90); deleted unnecessary comments;
2718  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2719* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2720  fix formatting, cleanup. Tomasz Flendrich
2721* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2722  Tomasz Flendrich
2723* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2724  fix formatting. Tomasz Flendrich
2725* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2726* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2727* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2728  Tomasz Flendrich
2729* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2730* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2731* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2732* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2733* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2734* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2735* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2736fixed formatting. Tomasz Flendrich
2737* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2738  removed unnecessary comments, cleanup. Tomasz Flendrich
2739* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2740  comments, cleanup. Tomasz Flendrich
2741* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2742  Tomasz Flendrich
2743* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2744* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2745* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2746  Tomasz Flendrich
2747* sntp/tests/kodDatabase.c added consts, deleted empty function,
2748  fixed formatting. Tomasz Flendrich
2749* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2750* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2751  fixed formatting, deleted unused variable. Tomasz Flendrich
2752* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2753  Tomasz Flendrich
2754* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2755  fixed formatting. Tomasz Flendrich
2756* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2757  the order of includes, fixed formatting, removed unnecessary comments.
2758  Tomasz Flendrich
2759* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2760* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2761  made one function do its job, deleted unnecessary prints, fixed formatting.
2762  Tomasz Flendrich
2763* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2764* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2765* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2766* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2767* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2768* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2769* Don't build sntp/libevent/sample/.  Harlan Stenn.
2770* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2771* br-flock: --enable-local-libevent.  Harlan Stenn.
2772* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2773* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2774* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2775* Code cleanup.  Harlan Stenn.
2776* libntp/icom.c: Typo fix.  Harlan Stenn.
2777* util/ntptime.c: initialization nit.  Harlan Stenn.
2778* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2779* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2780* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2781  Tomasz Flendrich
2782* Changed progname to be const in many files - now it's consistent. Tomasz
2783  Flendrich
2784* Typo fix for GCC warning suppression.  Harlan Stenn.
2785* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2786* Added declarations to all Unity tests, and did minor fixes to them.
2787  Reduced the number of warnings by half. Damir Tomić.
2788* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2789  with the latest Unity updates from Mark. Damir Tomić.
2790* Retire google test - phase I.  Harlan Stenn.
2791* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2792* Update the NEWS file.  Harlan Stenn.
2793* Autoconf cleanup.  Harlan Stenn.
2794* Unit test dist cleanup. Harlan Stenn.
2795* Cleanup various test Makefile.am files.  Harlan Stenn.
2796* Pthread autoconf macro cleanup.  Harlan Stenn.
2797* Fix progname definition in unity runner scripts.  Harlan Stenn.
2798* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2799* Update the patch for bug 2817.  Harlan Stenn.
2800* More updates for bug 2817.  Harlan Stenn.
2801* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2802* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2803* Adding missing MCAST protection.  Harlan Stenn.
2804* Disable certain test programs on certain platforms.  Harlan Stenn.
2805* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2806* build system tweaks.  Harlan Stenn.
2807
2808---
2809NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2810
2811Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2812
2813Severity: MEDIUM
2814
2815Security Fix:
2816
2817* [Sec 2853] Crafted remote config packet can crash some versions of
2818  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2819
2820Under specific circumstances an attacker can send a crafted packet to
2821cause a vulnerable ntpd instance to crash. This requires each of the
2822following to be true:
2823
28241) ntpd set up to allow remote configuration (not allowed by default), and
28252) knowledge of the configuration password, and
28263) access to a computer entrusted to perform remote configuration.
2827
2828This vulnerability is considered low-risk.
2829
2830New features in this release:
2831
2832Optional (disabled by default) support to have ntpd provide smeared
2833leap second time.  A specially built and configured ntpd will only
2834offer smeared time in response to client packets.  These response
2835packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2836of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2837format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2838information.
2839
2840   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2841   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2842
2843We've imported the Unity test framework, and have begun converting
2844the existing google-test items to this new framework.  If you want
2845to write new tests or change old ones, you'll need to have ruby
2846installed.  You don't need ruby to run the test suite.
2847
2848Bug Fixes and Improvements:
2849
2850* CID 739725: Fix a rare resource leak in libevent/listener.c.
2851* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2852* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2853* CID 1269537: Clean up a line of dead code in getShmTime().
2854* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2855* [Bug 2590] autogen-5.18.5.
2856* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2857  of 'limited'.
2858* [Bug 2650] fix includefile processing.
2859* [Bug 2745] ntpd -x steps clock on leap second
2860   Fixed an initial-value problem that caused misbehaviour in absence of
2861   any leapsecond information.
2862   Do leap second stepping only of the step adjustment is beyond the
2863   proper jump distance limit and step correction is allowed at all.
2864* [Bug 2750] build for Win64
2865  Building for 32bit of loopback ppsapi needs def file
2866* [Bug 2776] Improve ntpq's 'help keytype'.
2867* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2868* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2869* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2870  interface is ignored as long as this flag is not set since the
2871  interface is not usable (e.g., no link).
2872* [Bug 2794] Clean up kernel clock status reports.
2873* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2874  of incompatible open/fdopen parameters.
2875* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2876* [Bug 2805] ntpd fails to join multicast group.
2877* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2878* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2879  Fix crash during cleanup if GPS device not present and char device.
2880  Increase internal token buffer to parse all JSON data, even SKY.
2881  Defer logging of errors during driver init until the first unit is
2882  started, so the syslog is not cluttered when the driver is not used.
2883  Various improvements, see http://bugs.ntp.org/2808 for details.
2884  Changed libjsmn to a more recent version.
2885* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2886* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2887* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2888* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2889* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2890* [Bug 2824] Convert update-leap to perl. (also see 2769)
2891* [Bug 2825] Quiet file installation in html/ .
2892* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2893   NTPD transfers the current TAI (instead of an announcement) now.
2894   This might still needed improvement.
2895   Update autokey data ASAP when 'sys_tai' changes.
2896   Fix unit test that was broken by changes for autokey update.
2897   Avoid potential signature length issue and use DPRINTF where possible
2898     in ntp_crypto.c.
2899* [Bug 2832] refclock_jjy.c supports the TDC-300.
2900* [Bug 2834] Correct a broken html tag in html/refclock.html
2901* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2902  robust, and require 2 consecutive timestamps to be consistent.
2903* [Bug 2837] Allow a configurable DSCP value.
2904* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2905* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2906* [Bug 2842] Bug in mdoc2man.
2907* [Bug 2843] make check fails on 4.3.36
2908   Fixed compiler warnings about numeric range overflow
2909   (The original topic was fixed in a byplay to bug#2830)
2910* [Bug 2845] Harden memory allocation in ntpd.
2911* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2912* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2913* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2914* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2915* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2916* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2917* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2918* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2919* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2920* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2921* refidsmear test cleanup.  Tomasz Flendrich.
2922* refidsmear function support and tests.  Harlan Stenn.
2923* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2924  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2925* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2926  Damir Tomić
2927* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2928  Damir Tomić
2929* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2930  Damir Tomić
2931* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2932* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2933* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2934  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2935  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2936  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2937  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2938  Damir Tomić
2939* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2940  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2941  fileHandlingTest.h. Damir Tomić
2942* Initial support for experimental leap smear code.  Harlan Stenn.
2943* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2944* Report select() debug messages at debug level 3 now.
2945* sntp/scripts/genLocInfo: treat raspbian as debian.
2946* Unity test framework fixes.
2947  ** Requires ruby for changes to tests.
2948* Initial support for PACKAGE_VERSION tests.
2949* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2950* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2951* Add an assert to the ntpq ifstats code.
2952* Clean up the RLIMIT_STACK code.
2953* Improve the ntpq documentation around the controlkey keyid.
2954* ntpq.c cleanup.
2955* Windows port build cleanup.
2956
2957---
2958NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2959
2960Focus: Security and Bug fixes, enhancements.
2961
2962Severity: MEDIUM
2963
2964In addition to bug fixes and enhancements, this release fixes the
2965following medium-severity vulnerabilities involving private key
2966authentication:
2967
2968* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2969
2970    References: Sec 2779 / CVE-2015-1798 / VU#374268
2971    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2972	including ntp-4.2.8p2 where the installation uses symmetric keys
2973	to authenticate remote associations.
2974    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2975    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2976    Summary: When ntpd is configured to use a symmetric key to authenticate
2977	a remote NTP server/peer, it checks if the NTP message
2978	authentication code (MAC) in received packets is valid, but not if
2979	there actually is any MAC included. Packets without a MAC are
2980	accepted as if they had a valid MAC. This allows a MITM attacker to
2981	send false packets that are accepted by the client/peer without
2982	having to know the symmetric key. The attacker needs to know the
2983	transmit timestamp of the client to match it in the forged reply
2984	and the false reply needs to reach the client before the genuine
2985	reply from the server. The attacker doesn't necessarily need to be
2986	relaying the packets between the client and the server.
2987
2988	Authentication using autokey doesn't have this problem as there is
2989	a check that requires the key ID to be larger than NTP_MAXKEY,
2990	which fails for packets without a MAC.
2991    Mitigation:
2992        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2993	or the NTP Public Services Project Download Page
2994        Configure ntpd with enough time sources and monitor it properly.
2995    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2996
2997* [Sec 2781] Authentication doesn't protect symmetric associations against
2998  DoS attacks.
2999
3000    References: Sec 2781 / CVE-2015-1799 / VU#374268
3001    Affects: All NTP releases starting with at least xntp3.3wy up to but
3002	not including ntp-4.2.8p2 where the installation uses symmetric
3003	key authentication.
3004    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3005    Note: the CVSS base Score for this issue could be 4.3 or lower, and
3006	it could be higher than 5.4.
3007    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3008    Summary: An attacker knowing that NTP hosts A and B are peering with
3009	each other (symmetric association) can send a packet to host A
3010	with source address of B which will set the NTP state variables
3011	on A to the values sent by the attacker. Host A will then send
3012	on its next poll to B a packet with originate timestamp that
3013	doesn't match the transmit timestamp of B and the packet will
3014	be dropped. If the attacker does this periodically for both
3015	hosts, they won't be able to synchronize to each other. This is
3016	a known denial-of-service attack, described at
3017	https://www.eecis.udel.edu/~mills/onwire.html .
3018
3019	According to the document the NTP authentication is supposed to
3020	protect symmetric associations against this attack, but that
3021	doesn't seem to be the case. The state variables are updated even
3022	when authentication fails and the peers are sending packets with
3023	originate timestamps that don't match the transmit timestamps on
3024	the receiving side.
3025
3026	This seems to be a very old problem, dating back to at least
3027	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
3028	specifications, so other NTP implementations with support for
3029	symmetric associations and authentication may be vulnerable too.
3030	An update to the NTP RFC to correct this error is in-process.
3031    Mitigation:
3032        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3033	or the NTP Public Services Project Download Page
3034        Note that for users of autokey, this specific style of MITM attack
3035	is simply a long-known potential problem.
3036        Configure ntpd with appropriate time sources and monitor ntpd.
3037	Alert your staff if problems are detected.
3038    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
3039
3040* New script: update-leap
3041The update-leap script will verify and if necessary, update the
3042leap-second definition file.
3043It requires the following commands in order to work:
3044
3045	wget logger tr sed shasum
3046
3047Some may choose to run this from cron.  It needs more portability testing.
3048
3049Bug Fixes and Improvements:
3050
3051* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
3052* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
3053* [Bug 2346] "graceful termination" signals do not do peer cleanup.
3054* [Bug 2728] See if C99-style structure initialization works.
3055* [Bug 2747] Upgrade libevent to 2.1.5-beta.
3056* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
3057* [Bug 2751] jitter.h has stale copies of l_fp macros.
3058* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
3059* [Bug 2757] Quiet compiler warnings.
3060* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
3061* [Bug 2763] Allow different thresholds for forward and backward steps.
3062* [Bug 2766] ntp-keygen output files should not be world-readable.
3063* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
3064* [Bug 2771] nonvolatile value is documented in wrong units.
3065* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
3066* [Bug 2774] Unreasonably verbose printout - leap pending/warning
3067* [Bug 2775] ntp-keygen.c fails to compile under Windows.
3068* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
3069  Removed non-ASCII characters from some copyright comments.
3070  Removed trailing whitespace.
3071  Updated definitions for Meinberg clocks from current Meinberg header files.
3072  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
3073  Account for updated definitions pulled from Meinberg header files.
3074  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
3075  Replaced some constant numbers by defines from ntp_calendar.h
3076  Modified creation of parse-specific variables for Meinberg devices
3077  in gps16x_message().
3078  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
3079  Modified mbg_tm_str() which now expexts an additional parameter controlling
3080  if the time status shall be printed.
3081* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3082* [Sec 2781] Authentication doesn't protect symmetric associations against
3083  DoS attacks.
3084* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
3085* [Bug 2789] Quiet compiler warnings from libevent.
3086* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
3087  pause briefly before measuring system clock precision to yield
3088  correct results.
3089* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
3090* Use predefined function types for parse driver functions
3091  used to set up function pointers.
3092  Account for changed prototype of parse_inp_fnc_t functions.
3093  Cast parse conversion results to appropriate types to avoid
3094  compiler warnings.
3095  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
3096  when called with pointers to different types.
3097
3098---
3099NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
3100
3101Focus: Security and Bug fixes, enhancements.
3102
3103Severity: HIGH
3104
3105In addition to bug fixes and enhancements, this release fixes the
3106following high-severity vulnerabilities:
3107
3108* vallen is not validated in several places in ntp_crypto.c, leading
3109  to a potential information leak or possibly a crash
3110
3111    References: Sec 2671 / CVE-2014-9297 / VU#852879
3112    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
3113    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3114    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
3115    Summary: The vallen packet value is not validated in several code
3116             paths in ntp_crypto.c which can lead to information leakage
3117	     or perhaps a crash of the ntpd process.
3118    Mitigation - any of:
3119	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3120		or the NTP Public Services Project Download Page.
3121	Disable Autokey Authentication by removing, or commenting out,
3122		all configuration directives beginning with the "crypto"
3123		keyword in your ntp.conf file.
3124    Credit: This vulnerability was discovered by Stephen Roettger of the
3125    	Google Security Team, with additional cases found by Sebastian
3126	Krahmer of the SUSE Security Team and Harlan Stenn of Network
3127	Time Foundation.
3128
3129* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
3130  can be bypassed.
3131
3132    References: Sec 2672 / CVE-2014-9298 / VU#852879
3133    Affects: All NTP4 releases before 4.2.8p1, under at least some
3134	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
3135    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
3136    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
3137    Summary: While available kernels will prevent 127.0.0.1 addresses
3138	from "appearing" on non-localhost IPv4 interfaces, some kernels
3139	do not offer the same protection for ::1 source addresses on
3140	IPv6 interfaces. Since NTP's access control is based on source
3141	address and localhost addresses generally have no restrictions,
3142	an attacker can send malicious control and configuration packets
3143	by spoofing ::1 addresses from the outside. Note Well: This is
3144	not really a bug in NTP, it's a problem with some OSes. If you
3145	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
3146	ACL restrictions on any application can be bypassed!
3147    Mitigation:
3148        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3149	or the NTP Public Services Project Download Page
3150        Install firewall rules to block packets claiming to come from
3151	::1 from inappropriate network interfaces.
3152    Credit: This vulnerability was discovered by Stephen Roettger of
3153	the Google Security Team.
3154
3155Additionally, over 30 bugfixes and improvements were made to the codebase.
3156See the ChangeLog for more information.
3157
3158---
3159NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
3160
3161Focus: Security and Bug fixes, enhancements.
3162
3163Severity: HIGH
3164
3165In addition to bug fixes and enhancements, this release fixes the
3166following high-severity vulnerabilities:
3167
3168************************** vv NOTE WELL vv *****************************
3169
3170The vulnerabilities listed below can be significantly mitigated by
3171following the BCP of putting
3172
3173 restrict default ... noquery
3174
3175in the ntp.conf file.  With the exception of:
3176
3177   receive(): missing return on error
3178   References: Sec 2670 / CVE-2014-9296 / VU#852879
3179
3180below (which is a limited-risk vulnerability), none of the recent
3181vulnerabilities listed below can be exploited if the source IP is
3182restricted from sending a 'query'-class packet by your ntp.conf file.
3183
3184************************** ^^ NOTE WELL ^^ *****************************
3185
3186* Weak default key in config_auth().
3187
3188  References: [Sec 2665] / CVE-2014-9293 / VU#852879
3189  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3190  Vulnerable Versions: all releases prior to 4.2.7p11
3191  Date Resolved: 28 Jan 2010
3192
3193  Summary: If no 'auth' key is set in the configuration file, ntpd
3194	would generate a random key on the fly.  There were two
3195	problems with this: 1) the generated key was 31 bits in size,
3196	and 2) it used the (now weak) ntp_random() function, which was
3197	seeded with a 32-bit value and could only provide 32 bits of
3198	entropy.  This was sufficient back in the late 1990s when the
3199	code was written.  Not today.
3200
3201  Mitigation - any of:
3202	- Upgrade to 4.2.7p11 or later.
3203	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3204
3205  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
3206  	of the Google Security Team.
3207
3208* Non-cryptographic random number generator with weak seed used by
3209  ntp-keygen to generate symmetric keys.
3210
3211  References: [Sec 2666] / CVE-2014-9294 / VU#852879
3212  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3213  Vulnerable Versions: All NTP4 releases before 4.2.7p230
3214  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
3215
3216  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
3217  	prepare a random number generator that was of good quality back
3218	in the late 1990s. The random numbers produced was then used to
3219	generate symmetric keys. In ntp-4.2.8 we use a current-technology
3220	cryptographic random number generator, either RAND_bytes from
3221	OpenSSL, or arc4random().
3222
3223  Mitigation - any of:
3224  	- Upgrade to 4.2.7p230 or later.
3225	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3226
3227  Credit:  This vulnerability was discovered in ntp-4.2.6 by
3228  	Stephen Roettger of the Google Security Team.
3229
3230* Buffer overflow in crypto_recv()
3231
3232  References: Sec 2667 / CVE-2014-9295 / VU#852879
3233  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3234  Versions: All releases before 4.2.8
3235  Date Resolved: Stable (4.2.8) 18 Dec 2014
3236
3237  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
3238  	file contains a 'crypto pw ...' directive) a remote attacker
3239	can send a carefully crafted packet that can overflow a stack
3240	buffer and potentially allow malicious code to be executed
3241	with the privilege level of the ntpd process.
3242
3243  Mitigation - any of:
3244  	- Upgrade to 4.2.8, or later, or
3245	- Disable Autokey Authentication by removing, or commenting out,
3246	  all configuration directives beginning with the crypto keyword
3247	  in your ntp.conf file.
3248
3249  Credit: This vulnerability was discovered by Stephen Roettger of the
3250  	Google Security Team.
3251
3252* Buffer overflow in ctl_putdata()
3253
3254  References: Sec 2668 / CVE-2014-9295 / VU#852879
3255  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3256  Versions: All NTP4 releases before 4.2.8
3257  Date Resolved: Stable (4.2.8) 18 Dec 2014
3258
3259  Summary: A remote attacker can send a carefully crafted packet that
3260  	can overflow a stack buffer and potentially allow malicious
3261	code to be executed with the privilege level of the ntpd process.
3262
3263  Mitigation - any of:
3264  	- Upgrade to 4.2.8, or later.
3265	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3266
3267  Credit: This vulnerability was discovered by Stephen Roettger of the
3268  	Google Security Team.
3269
3270* Buffer overflow in configure()
3271
3272  References: Sec 2669 / CVE-2014-9295 / VU#852879
3273  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3274  Versions: All NTP4 releases before 4.2.8
3275  Date Resolved: Stable (4.2.8) 18 Dec 2014
3276
3277  Summary: A remote attacker can send a carefully crafted packet that
3278	can overflow a stack buffer and potentially allow malicious
3279	code to be executed with the privilege level of the ntpd process.
3280
3281  Mitigation - any of:
3282  	- Upgrade to 4.2.8, or later.
3283	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3284
3285  Credit: This vulnerability was discovered by Stephen Roettger of the
3286	Google Security Team.
3287
3288* receive(): missing return on error
3289
3290  References: Sec 2670 / CVE-2014-9296 / VU#852879
3291  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
3292  Versions: All NTP4 releases before 4.2.8
3293  Date Resolved: Stable (4.2.8) 18 Dec 2014
3294
3295  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
3296  	the code path where an error was detected, which meant
3297	processing did not stop when a specific rare error occurred.
3298	We haven't found a way for this bug to affect system integrity.
3299	If there is no way to affect system integrity the base CVSS
3300	score for this bug is 0. If there is one avenue through which
3301	system integrity can be partially affected, the base score
3302	becomes a 5. If system integrity can be partially affected
3303	via all three integrity metrics, the CVSS base score become 7.5.
3304
3305  Mitigation - any of:
3306        - Upgrade to 4.2.8, or later,
3307        - Remove or comment out all configuration directives
3308	  beginning with the crypto keyword in your ntp.conf file.
3309
3310  Credit: This vulnerability was discovered by Stephen Roettger of the
3311  	Google Security Team.
3312
3313See http://support.ntp.org/security for more information.
3314
3315New features / changes in this release:
3316
3317Important Changes
3318
3319* Internal NTP Era counters
3320
3321The internal counters that track the "era" (range of years) we are in
3322rolls over every 136 years'.  The current "era" started at the stroke of
3323midnight on 1 Jan 1900, and ends just before the stroke of midnight on
33241 Jan 2036.
3325In the past, we have used the "midpoint" of the  range to decide which
3326era we were in.  Given the longevity of some products, it became clear
3327that it would be more functional to "look back" less, and "look forward"
3328more.  We now compile a timestamp into the ntpd executable and when we
3329get a timestamp we us the "built-on" to tell us what era we are in.
3330This check "looks back" 10 years, and "looks forward" 126 years.
3331
3332* ntpdc responses disabled by default
3333
3334Dave Hart writes:
3335
3336For a long time, ntpq and its mostly text-based mode 6 (control)
3337protocol have been preferred over ntpdc and its mode 7 (private
3338request) protocol for runtime queries and configuration.  There has
3339been a goal of deprecating ntpdc, previously held back by numerous
3340capabilities exposed by ntpdc with no ntpq equivalent.  I have been
3341adding commands to ntpq to cover these cases, and I believe I've
3342covered them all, though I've not compared command-by-command
3343recently.
3344
3345As I've said previously, the binary mode 7 protocol involves a lot of
3346hand-rolled structure layout and byte-swapping code in both ntpd and
3347ntpdc which is hard to get right.  As ntpd grows and changes, the
3348changes are difficult to expose via ntpdc while maintaining forward
3349and backward compatibility between ntpdc and ntpd.  In contrast,
3350ntpq's text-based, label=value approach involves more code reuse and
3351allows compatible changes without extra work in most cases.
3352
3353Mode 7 has always been defined as vendor/implementation-specific while
3354mode 6 is described in RFC 1305 and intended to be open to interoperate
3355with other implementations.  There is an early draft of an updated
3356mode 6 description that likely will join the other NTPv4 RFCs
3357eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3358
3359For these reasons, ntpd 4.2.7p230 by default disables processing of
3360ntpdc queries, reducing ntpd's attack surface and functionally
3361deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3362operations, please try the ntpq equivalent.  If there's no equivalent,
3363please open a bug report at http://bugs.ntp.org./
3364
3365In addition to the above, over 1100 issues have been resolved between
3366the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3367lists these.
3368
3369---
3370NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3371
3372Focus: Bug fixes
3373
3374Severity: Medium
3375
3376This is a recommended upgrade.
3377
3378This release updates sys_rootdisp and sys_jitter calculations to match the
3379RFC specification, fixes a potential IPv6 address matching error for the
3380"nic" and "interface" configuration directives, suppresses the creation of
3381extraneous ephemeral associations for certain broadcastclient and
3382multicastclient configurations, cleans up some ntpq display issues, and
3383includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3384
3385New features / changes in this release:
3386
3387ntpd
3388
3389 * Updated "nic" and "interface" IPv6 address handling to prevent
3390   mismatches with localhost [::1] and wildcard [::] which resulted from
3391   using the address/prefix format (e.g. fe80::/64)
3392 * Fix orphan mode stratum incorrectly counting to infinity
3393 * Orphan parent selection metric updated to includes missing ntohl()
3394 * Non-printable stratum 16 refid no longer sent to ntp
3395 * Duplicate ephemeral associations suppressed for broadcastclient and
3396   multicastclient without broadcastdelay
3397 * Exclude undetermined sys_refid from use in loopback TEST12
3398 * Exclude MODE_SERVER responses from KoD rate limiting
3399 * Include root delay in clock_update() sys_rootdisp calculations
3400 * get_systime() updated to exclude sys_residual offset (which only
3401   affected bits "below" sys_tick, the precision threshold)
3402 * sys.peer jitter weighting corrected in sys_jitter calculation
3403
3404ntpq
3405
3406 * -n option extended to include the billboard "server" column
3407 * IPv6 addresses in the local column truncated to prevent overruns
3408
3409---
3410NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3411
3412Focus: Bug fixes and portability improvements
3413
3414Severity: Medium
3415
3416This is a recommended upgrade.
3417
3418This release includes build infrastructure updates, code
3419clean-ups, minor bug fixes, fixes for a number of minor
3420ref-clock issues, and documentation revisions.
3421
3422Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3423
3424New features / changes in this release:
3425
3426Build system
3427
3428* Fix checking for struct rtattr
3429* Update config.guess and config.sub for AIX
3430* Upgrade required version of autogen and libopts for building
3431  from our source code repository
3432
3433ntpd
3434
3435* Back-ported several fixes for Coverity warnings from ntp-dev
3436* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3437* Allow "logconfig =allall" configuration directive
3438* Bind tentative IPv6 addresses on Linux
3439* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3440* Improved tally bit handling to prevent incorrect ntpq peer status reports
3441* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3442  candidate list unless they are designated a "prefer peer"
3443* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3444  selection during the 'tos orphanwait' period
3445* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3446  drivers
3447* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3448* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3449* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3450  clock slew on Microsoft Windows
3451* Code cleanup in libntpq
3452
3453ntpdc
3454
3455* Fix timerstats reporting
3456
3457ntpdate
3458
3459* Reduce time required to set clock
3460* Allow a timeout greater than 2 seconds
3461
3462sntp
3463
3464* Backward incompatible command-line option change:
3465  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3466
3467Documentation
3468
3469* Update html2man. Fix some tags in the .html files
3470* Distribute ntp-wait.html
3471
3472---
3473NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3474
3475Focus: Bug fixes and portability improvements
3476
3477Severity: Medium
3478
3479This is a recommended upgrade.
3480
3481This release includes build infrastructure updates, code
3482clean-ups, minor bug fixes, fixes for a number of minor
3483ref-clock issues, and documentation revisions.
3484
3485Portability improvements in this release affect AIX, Atari FreeMiNT,
3486FreeBSD4, Linux and Microsoft Windows.
3487
3488New features / changes in this release:
3489
3490Build system
3491* Use lsb_release to get information about Linux distributions.
3492* 'test' is in /usr/bin (instead of /bin) on some systems.
3493* Basic sanity checks for the ChangeLog file.
3494* Source certain build files with ./filename for systems without . in PATH.
3495* IRIX portability fix.
3496* Use a single copy of the "libopts" code.
3497* autogen/libopts upgrade.
3498* configure.ac m4 quoting cleanup.
3499
3500ntpd
3501* Do not bind to IN6_IFF_ANYCAST addresses.
3502* Log the reason for exiting under Windows.
3503* Multicast fixes for Windows.
3504* Interpolation fixes for Windows.
3505* IPv4 and IPv6 Multicast fixes.
3506* Manycast solicitation fixes and general repairs.
3507* JJY refclock cleanup.
3508* NMEA refclock improvements.
3509* Oncore debug message cleanup.
3510* Palisade refclock now builds under Linux.
3511* Give RAWDCF more baud rates.
3512* Support Truetime Satellite clocks under Windows.
3513* Support Arbiter 1093C Satellite clocks under Windows.
3514* Make sure that the "filegen" configuration command defaults to "enable".
3515* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3516* Prohibit 'includefile' directive in remote configuration command.
3517* Fix 'nic' interface bindings.
3518* Fix the way we link with openssl if openssl is installed in the base
3519  system.
3520
3521ntp-keygen
3522* Fix -V coredump.
3523* OpenSSL version display cleanup.
3524
3525ntpdc
3526* Many counters should be treated as unsigned.
3527
3528ntpdate
3529* Do not ignore replies with equal receive and transmit timestamps.
3530
3531ntpq
3532* libntpq warning cleanup.
3533
3534ntpsnmpd
3535* Correct SNMP type for "precision" and "resolution".
3536* Update the MIB from the draft version to RFC-5907.
3537
3538sntp
3539* Display timezone offset when showing time for sntp in the local
3540  timezone.
3541* Pay proper attention to RATE KoD packets.
3542* Fix a miscalculation of the offset.
3543* Properly parse empty lines in the key file.
3544* Logging cleanup.
3545* Use tv_usec correctly in set_time().
3546* Documentation cleanup.
3547
3548---
3549NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3550
3551Focus: Bug fixes and portability improvements
3552
3553Severity: Medium
3554
3555This is a recommended upgrade.
3556
3557This release includes build infrastructure updates, code
3558clean-ups, minor bug fixes, fixes for a number of minor
3559ref-clock issues, improved KOD handling, OpenSSL related
3560updates and documentation revisions.
3561
3562Portability improvements in this release affect Irix, Linux,
3563Mac OS, Microsoft Windows, OpenBSD and QNX6
3564
3565New features / changes in this release:
3566
3567ntpd
3568* Range syntax for the trustedkey configuration directive
3569* Unified IPv4 and IPv6 restrict lists
3570
3571ntpdate
3572* Rate limiting and KOD handling
3573
3574ntpsnmpd
3575* default connection to net-snmpd via a unix-domain socket
3576* command-line 'socket name' option
3577
3578ntpq / ntpdc
3579* support for the "passwd ..." syntax
3580* key-type specific password prompts
3581
3582sntp
3583* MD5 authentication of an ntpd
3584* Broadcast and crypto
3585* OpenSSL support
3586
3587---
3588NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3589
3590Focus: Bug fixes, portability fixes, and documentation improvements
3591
3592Severity: Medium
3593
3594This is a recommended upgrade.
3595
3596---
3597NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3598
3599Focus: enhancements and bug fixes.
3600
3601---
3602NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3603
3604Focus: Security Fixes
3605
3606Severity: HIGH
3607
3608This release fixes the following high-severity vulnerability:
3609
3610* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3611
3612  See http://support.ntp.org/security for more information.
3613
3614  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3615  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3616  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3617  request or a mode 7 error response from an address which is not listed
3618  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3619  reply with a mode 7 error response (and log a message).  In this case:
3620
3621	* If an attacker spoofs the source address of ntpd host A in a
3622	  mode 7 response packet sent to ntpd host B, both A and B will
3623	  continuously send each other error responses, for as long as
3624	  those packets get through.
3625
3626	* If an attacker spoofs an address of ntpd host A in a mode 7
3627	  response packet sent to ntpd host A, A will respond to itself
3628	  endlessly, consuming CPU and logging excessively.
3629
3630  Credit for finding this vulnerability goes to Robin Park and Dmitri
3631  Vinokurov of Alcatel-Lucent.
3632
3633THIS IS A STRONGLY RECOMMENDED UPGRADE.
3634
3635---
3636ntpd now syncs to refclocks right away.
3637
3638Backward-Incompatible changes:
3639
3640ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3641Use '--var name' or '--dvar name' instead. (Bug 817)
3642
3643---
3644NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3645
3646Focus: Security and Bug Fixes
3647
3648Severity: HIGH
3649
3650This release fixes the following high-severity vulnerability:
3651
3652* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3653
3654  See http://support.ntp.org/security for more information.
3655
3656  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3657  line) then a carefully crafted packet sent to the machine will cause
3658  a buffer overflow and possible execution of injected code, running
3659  with the privileges of the ntpd process (often root).
3660
3661  Credit for finding this vulnerability goes to Chris Ries of CMU.
3662
3663This release fixes the following low-severity vulnerabilities:
3664
3665* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3666  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3667
3668* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3669  Credit for finding this issue goes to Dave Hart.
3670
3671This release fixes a number of bugs and adds some improvements:
3672
3673* Improved logging
3674* Fix many compiler warnings
3675* Many fixes and improvements for Windows
3676* Adds support for AIX 6.1
3677* Resolves some issues under MacOS X and Solaris
3678
3679THIS IS A STRONGLY RECOMMENDED UPGRADE.
3680
3681---
3682NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3683
3684Focus: Security Fix
3685
3686Severity: Low
3687
3688This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3689the OpenSSL library relating to the incorrect checking of the return
3690value of EVP_VerifyFinal function.
3691
3692Credit for finding this issue goes to the Google Security Team for
3693finding the original issue with OpenSSL, and to ocert.org for finding
3694the problem in NTP and telling us about it.
3695
3696This is a recommended upgrade.
3697---
3698NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3699
3700Focus: Minor Bugfixes
3701
3702This release fixes a number of Windows-specific ntpd bugs and
3703platform-independent ntpdate bugs. A logging bugfix has been applied
3704to the ONCORE driver.
3705
3706The "dynamic" keyword and is now obsolete and deferred binding to local
3707interfaces is the new default. The minimum time restriction for the
3708interface update interval has been dropped.
3709
3710A number of minor build system and documentation fixes are included.
3711
3712This is a recommended upgrade for Windows.
3713
3714---
3715NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3716
3717Focus: Minor Bugfixes
3718
3719This release updates certain copyright information, fixes several display
3720bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3721shutdown in the parse refclock driver, removes some lint from the code,
3722stops accessing certain buffers immediately after they were freed, fixes
3723a problem with non-command-line specification of -6, and allows the loopback
3724interface to share addresses with other interfaces.
3725
3726---
3727NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3728
3729Focus: Minor Bugfixes
3730
3731This release fixes a bug in Windows that made it difficult to
3732terminate ntpd under windows.
3733This is a recommended upgrade for Windows.
3734
3735---
3736NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3737
3738Focus: Minor Bugfixes
3739
3740This release fixes a multicast mode authentication problem,
3741an error in NTP packet handling on Windows that could lead to
3742ntpd crashing, and several other minor bugs. Handling of
3743multicast interfaces and logging configuration were improved.
3744The required versions of autogen and libopts were incremented.
3745This is a recommended upgrade for Windows and multicast users.
3746
3747---
3748NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3749
3750Focus: enhancements and bug fixes.
3751
3752Dynamic interface rescanning was added to simplify the use of ntpd in
3753conjunction with DHCP. GNU AutoGen is used for its command-line options
3754processing. Separate PPS devices are supported for PARSE refclocks, MD5
3755signatures are now provided for the release files. Drivers have been
3756added for some new ref-clocks and have been removed for some older
3757ref-clocks. This release also includes other improvements, documentation
3758and bug fixes.
3759
3760K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3761C support.
3762
3763---
3764NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3765
3766Focus: enhancements and bug fixes.
3767