xref: /freebsd/contrib/ntp/NEWS (revision 3806950135d2c8633ec0764e8807eacc87cf3e10)
1--
2NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
3
4Focus: Security, Bug fixes, enhancements.
5
6Severity: MEDIUM
7
8This release fixes 5 medium-, 6 low-, and 4 informational-severity
9vulnerabilities, and provides 15 other non-security fixes and improvements:
10
11* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
12   Date Resolved: 21 Mar 2017
13   References: Sec 3389 / CVE-2017-6464 / VU#325339
14   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
15	ntp-4.3.0 up to, but not including ntp-4.3.94.
16   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
17   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
18   Summary:
19	A vulnerability found in the NTP server makes it possible for an
20	authenticated remote user to crash ntpd via a malformed mode
21	configuration directive.
22   Mitigation:
23	Implement BCP-38.
24	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
25	    the NTP Public Services Project Download Page
26	Properly monitor your ntpd instances, and auto-restart
27	    ntpd (without -g) if it stops running.
28   Credit:
29	This weakness was discovered by Cure53.
30
31* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
32    Date Resolved: 21 Mar 2017
33    References: Sec 3388 / CVE-2017-6462 / VU#325339
34    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
35    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
36    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
37    Summary:
38	There is a potential for a buffer overflow in the legacy Datum
39	Programmable Time Server refclock driver.  Here the packets are
40	processed from the /dev/datum device and handled in
41	datum_pts_receive().  Since an attacker would be required to
42	somehow control a malicious /dev/datum device, this does not
43	appear to be a practical attack and renders this issue "Low" in
44	terms of severity.
45   Mitigation:
46	If you have a Datum reference clock installed and think somebody
47	    may maliciously change the device, upgrade to 4.2.8p10, or
48	    later, from the NTP Project Download Page or the NTP Public
49	    Services Project Download Page
50	Properly monitor your ntpd instances, and auto-restart
51	    ntpd (without -g) if it stops running.
52   Credit:
53	This weakness was discovered by Cure53.
54
55* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
56   Date Resolved: 21 Mar 2017
57   References: Sec 3387 / CVE-2017-6463 / VU#325339
58   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
59	ntp-4.3.0 up to, but not including ntp-4.3.94.
60   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
61   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
62   Summary:
63	A vulnerability found in the NTP server allows an authenticated
64	remote attacker to crash the daemon by sending an invalid setting
65	via the :config directive.  The unpeer option expects a number or
66	an address as an argument.  In case the value is "0", a
67	segmentation fault occurs.
68   Mitigation:
69	Implement BCP-38.
70	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
71	    or the NTP Public Services Project Download Page
72	Properly monitor your ntpd instances, and auto-restart
73	    ntpd (without -g) if it stops running.
74   Credit:
75	This weakness was discovered by Cure53.
76
77* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
78   Date Resolved: 21 Mar 2017
79   References: Sec 3386
80   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
81	ntp-4.3.0 up to, but not including ntp-4.3.94.
82   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
83   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
84   Summary:
85	The NTP Mode 6 monitoring and control client, ntpq, uses the
86	function ntpq_stripquotes() to remove quotes and escape characters
87	from a given string.  According to the documentation, the function
88	is supposed to return the number of copied bytes but due to
89	incorrect pointer usage this value is always zero.  Although the
90	return value of this function is never used in the code, this
91	flaw could lead to a vulnerability in the future.  Since relying
92	on wrong return values when performing memory operations is a
93	dangerous practice, it is recommended to return the correct value
94	in accordance with the documentation pertinent to the code.
95   Mitigation:
96	Implement BCP-38.
97	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
98	    or the NTP Public Services Project Download Page
99	Properly monitor your ntpd instances, and auto-restart
100	    ntpd (without -g) if it stops running.
101   Credit:
102	This weakness was discovered by Cure53.
103
104* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
105   Date Resolved: 21 Mar 2017
106   References: Sec 3385
107   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
108	ntp-4.3.0 up to, but not including ntp-4.3.94.
109   Summary:
110	NTP makes use of several wrappers around the standard heap memory
111	allocation functions that are provided by libc.  This is mainly
112	done to introduce additional safety checks concentrated on
113	several goals.  First, they seek to ensure that memory is not
114	accidentally freed, secondly they verify that a correct amount
115	is always allocated and, thirdly, that allocation failures are
116	correctly handled.  There is an additional implementation for
117	scenarios where memory for a specific amount of items of the
118	same size needs to be allocated.  The handling can be found in
119	the oreallocarray() function for which a further number-of-elements
120	parameter needs to be provided.  Although no considerable threat
121	was identified as tied to a lack of use of this function, it is
122	recommended to correctly apply oreallocarray() as a preferred
123	option across all of the locations where it is possible.
124   Mitigation:
125	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
126	    or the NTP Public Services Project Download Page
127   Credit:
128	This weakness was discovered by Cure53.
129
130* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
131	PPSAPI ONLY) (Low)
132   Date Resolved: 21 Mar 2017
133   References: Sec 3384 / CVE-2017-6455 / VU#325339
134   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
135	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
136	including ntp-4.3.94.
137   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
138   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
139   Summary:
140	The Windows NT port has the added capability to preload DLLs
141	defined in the inherited global local environment variable
142	PPSAPI_DLLS.  The code contained within those libraries is then
143	called from the NTPD service, usually running with elevated
144	privileges. Depending on how securely the machine is setup and
145	configured, if ntpd is configured to use the PPSAPI under Windows
146	this can easily lead to a code injection.
147   Mitigation:
148	Implement BCP-38.
149	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
150	    or the NTP Public Services Project Download Page
151   Credit:
152   This weakness was discovered by Cure53.
153
154* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
155	installer ONLY) (Low)
156   Date Resolved: 21 Mar 2017
157   References: Sec 3383 / CVE-2017-6452 / VU#325339
158   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
159	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
160	to, but not including ntp-4.3.94.
161   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
162   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
163   Summary:
164	The Windows installer for NTP calls strcat(), blindly appending
165	the string passed to the stack buffer in the addSourceToRegistry()
166	function.  The stack buffer is 70 bytes smaller than the buffer
167	in the calling main() function.  Together with the initially
168	copied Registry path, the combination causes a stack buffer
169	overflow and effectively overwrites the stack frame.  The
170	passed application path is actually limited to 256 bytes by the
171	operating system, but this is not sufficient to assure that the
172	affected stack buffer is consistently protected against
173	overflowing at all times.
174   Mitigation:
175	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
176	or the NTP Public Services Project Download Page
177   Credit:
178	This weakness was discovered by Cure53.
179
180* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
181	installer ONLY) (Low)
182   Date Resolved: 21 Mar 2017
183   References: Sec 3382 / CVE-2017-6459 / VU#325339
184   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
185	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
186	up to, but not including ntp-4.3.94.
187   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
188   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
189   Summary:
190	The Windows installer for NTP calls strcpy() with an argument
191	that specifically contains multiple null bytes.  strcpy() only
192	copies a single terminating null character into the target
193	buffer instead of copying the required double null bytes in the
194	addKeysToRegistry() function.  As a consequence, a garbage
195	registry entry can be created.  The additional arsize parameter
196	is erroneously set to contain two null bytes and the following
197	call to RegSetValueEx() claims to be passing in a multi-string
198	value, though this may not be true.
199   Mitigation:
200	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
201	    or the NTP Public Services Project Download Page
202   Credit:
203	This weakness was discovered by Cure53.
204
205* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
206   References: Sec 3381
207   Summary:
208	The report says: Statically included external projects
209	potentially introduce several problems and the issue of having
210	extensive amounts of code that is "dead" in the resulting binary
211	must clearly be pointed out.  The unnecessary unused code may or
212	may not contain bugs and, quite possibly, might be leveraged for
213	code-gadget-based branch-flow redirection exploits.  Analogically,
214	having source trees statically included as well means a failure
215	in taking advantage of the free feature for periodical updates.
216	This solution is offered by the system's Package Manager. The
217	three libraries identified are libisc, libevent, and libopts.
218   Resolution:
219	For libisc, we already only use a portion of the original library.
220	We've found and fixed bugs in the original implementation (and
221	offered the patches to ISC), and plan to see what has changed
222	since we last upgraded the code.  libisc is generally not
223	installed, and when it it we usually only see the static libisc.a
224	file installed.  Until we know for sure that the bugs we've found
225	and fixed are fixed upstream, we're better off with the copy we
226	are using.
227
228        Version 1 of libevent was the only production version available
229	until recently, and we've been requiring version 2 for a long time.
230	But if the build system has at least version 2 of libevent
231	installed, we'll use the version that is installed on the system.
232	Otherwise, we provide a copy of libevent that we know works.
233
234        libopts is provided by GNU AutoGen, and that library and package
235	undergoes frequent API version updates.  The version of autogen
236	used to generate the tables for the code must match the API
237	version in libopts.  AutoGen can be ... difficult to build and
238	install, and very few developers really need it.  So we have it
239	on our build and development machines, and we provide the
240	specific version of the libopts code in the distribution to make
241	sure that the proper API version of libopts is available.
242
243        As for the point about there being code in these libraries that
244	NTP doesn't use, OK.  But other packages used these libraries as
245	well, and it is reasonable to assume that other people are paying
246	attention to security and code quality issues for the overall
247	libraries.  It takes significant resources to analyze and
248	customize these libraries to only include what we need, and to
249	date we believe the cost of this effort does not justify the benefit.
250   Credit:
251	This issue was discovered by Cure53.
252
253* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
254   Date Resolved: 21 Mar 2017
255   References: Sec 3380
256   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
257   	ntp-4.3.0 up to, but not including ntp-4.3.94.
258   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
259   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
260   Summary:
261	There is a fencepost error in a "recovery branch" of the code for
262	the Oncore GPS receiver if the communication link to the ONCORE
263	is weak / distorted and the decoding doesn't work.
264   Mitigation:
265        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
266	    the NTP Public Services Project Download Page
267        Properly monitor your ntpd instances, and auto-restart
268	    ntpd (without -g) if it stops running.
269   Credit:
270	This weakness was discovered by Cure53.
271
272* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
273   Date Resolved: 21 Mar 2017
274   References: Sec 3379 / CVE-2017-6458 / VU#325339
275   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
276	ntp-4.3.0 up to, but not including ntp-4.3.94.
277   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
278   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
279   Summary:
280	ntpd makes use of different wrappers around ctl_putdata() to
281	create name/value ntpq (mode 6) response strings.  For example,
282	ctl_putstr() is usually used to send string data (variable names
283	or string data).  The formatting code was missing a length check
284	for variable names.  If somebody explicitly created any unusually
285	long variable names in ntpd (longer than 200-512 bytes, depending
286	on the type of variable), then if any of these variables are
287	added to the response list it would overflow a buffer.
288   Mitigation:
289	Implement BCP-38.
290	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
291	    or the NTP Public Services Project Download Page
292	If you don't want to upgrade, then don't setvar variable names
293	    longer than 200-512 bytes in your ntp.conf file.
294	Properly monitor your ntpd instances, and auto-restart
295	    ntpd (without -g) if it stops running.
296   Credit:
297	This weakness was discovered by Cure53.
298
299* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
300   Date Resolved: 21 Mar 2017
301   References: Sec 3378 / CVE-2017-6451 / VU#325339
302   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
303	ntp-4.3.0 up to, but not including ntp-4.3.94.
304   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
305   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
306   Summary:
307	The legacy MX4200 refclock is only built if is specifically
308	enabled, and furthermore additional code changes are required to
309	compile and use it.  But it uses the libc functions snprintf()
310	and vsnprintf() incorrectly, which can lead to an out-of-bounds
311	memory write due to an improper handling of the return value of
312	snprintf()/vsnprintf().  Since the return value is used as an
313	iterator and it can be larger than the buffer's size, it is
314	possible for the iterator to point somewhere outside of the
315	allocated buffer space.  This results in an out-of-bound memory
316	write.  This behavior can be leveraged to overwrite a saved
317	instruction pointer on the stack and gain control over the
318	execution flow.  During testing it was not possible to identify
319	any malicious usage for this vulnerability.  Specifically, no
320	way for an attacker to exploit this vulnerability was ultimately
321	unveiled.  However, it has the potential to be exploited, so the
322	code should be fixed.
323   Mitigation, if you have a Magnavox MX4200 refclock:
324	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
325	    or the NTP Public Services Project Download Page.
326	Properly monitor your ntpd instances, and auto-restart
327	    ntpd (without -g) if it stops running.
328   Credit:
329	This weakness was discovered by Cure53.
330
331* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
332	malicious ntpd (Medium)
333   Date Resolved: 21 Mar 2017
334   References: Sec 3377 / CVE-2017-6460 / VU#325339
335   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
336	ntp-4.3.0 up to, but not including ntp-4.3.94.
337   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
338   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
339   Summary:
340	A stack buffer overflow in ntpq can be triggered by a malicious
341	ntpd server when ntpq requests the restriction list from the server.
342	This is due to a missing length check in the reslist() function.
343	It occurs whenever the function parses the server's response and
344	encounters a flagstr variable of an excessive length.  The string
345	will be copied into a fixed-size buffer, leading to an overflow on
346	the function's stack-frame.  Note well that this problem requires
347	a malicious server, and affects ntpq, not ntpd.
348   Mitigation:
349	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
350	    or the NTP Public Services Project Download Page
351	If you can't upgrade your version of ntpq then if you want to know
352	    the reslist of an instance of ntpd that you do not control,
353	    know that if the target ntpd is malicious that it can send back
354	    a response that intends to crash your ntpq process.
355   Credit:
356	This weakness was discovered by Cure53.
357
358* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
359   Date Resolved: 21 Mar 2017
360   References: Sec 3376
361   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
362	ntp-4.3.0 up to, but not including ntp-4.3.94.
363   CVSS2: N/A
364   CVSS3: N/A
365   Summary:
366	The build process for NTP has not, by default, provided compile
367	or link flags to offer "hardened" security options.  Package
368	maintainers have always been able to provide hardening security
369	flags for their builds.  As of ntp-4.2.8p10, the NTP build
370	system has a way to provide OS-specific hardening flags.  Please
371	note that this is still not a really great solution because it
372	is specific to NTP builds.  It's inefficient to have every
373	package supply, track and maintain this information for every
374	target build.  It would be much better if there was a common way
375	for OSes to provide this information in a way that arbitrary
376	packages could benefit from it.
377   Mitigation:
378	Implement BCP-38.
379	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
380	    or the NTP Public Services Project Download Page
381	Properly monitor your ntpd instances, and auto-restart
382	    ntpd (without -g) if it stops running.
383   Credit:
384	This weakness was reported by Cure53.
385
386* 0rigin DoS (Medium)
387   Date Resolved: 21 Mar 2017
388   References: Sec 3361 / CVE-2016-9042 / VU#325339
389   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
390   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
391   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
392   Summary:
393	An exploitable denial of service vulnerability exists in the
394	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
395	crafted unauthenticated network packet can be used to reset the
396	expected origin timestamp for target peers.  Legitimate replies
397	from targeted peers will fail the origin timestamp check (TEST2)
398	causing the reply to be dropped and creating a denial of service
399	condition.  This vulnerability can only be exploited if the
400	attacker can spoof all of the servers.
401   Mitigation:
402	Implement BCP-38.
403	Configure enough servers/peers that an attacker cannot target
404	    all of your time sources.
405	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
406	    or the NTP Public Services Project Download Page
407	Properly monitor your ntpd instances, and auto-restart
408	    ntpd (without -g) if it stops running.
409   Credit:
410	This weakness was discovered by Matthew Van Gundy of Cisco.
411
412Other fixes:
413
414* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
415* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
416  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
417* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
418* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
419  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
420  - original patch by Majdi S. Abbas
421* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
422* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
423  - initial patch by Christos Zoulas
424* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
425  - move loader API from 'inline' to proper source
426  - augment pathless dlls with absolute path to NTPD
427  - use 'msyslog()' instead of 'printf() 'for reporting trouble
428* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
429  - applied patch by Matthew Van Gundy
430* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
431  - applied some of the patches provided by Havard. Not all of them
432    still match the current code base, and I did not touch libopt.
433* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
434  - applied patch by Reinhard Max. See bugzilla for limitations.
435* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
436  - fixed dependency inversion from [Bug 2837]
437* [Bug 2896] Nothing happens if minsane < maxclock < minclock
438  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
439* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
440  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
441* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
442  - Fixed these and some more locations of this pattern.
443    Probably din't get them all, though. <perlinger@ntp.org>
444* Update copyright year.
445
446--
447(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
448
449* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
450  - added missed changeset for automatic openssl lib detection
451  - fixed some minor warning issues
452* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
453* configure.ac cleanup.  stenn@ntp.org
454* openssl configure cleanup.  stenn@ntp.org
455
456--
457NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
458
459Focus: Security, Bug fixes, enhancements.
460
461Severity: HIGH
462
463In addition to bug fixes and enhancements, this release fixes the
464following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
4655 low-severity vulnerabilities, and provides 28 other non-security
466fixes and improvements:
467
468* Trap crash
469   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
470   References: Sec 3119 / CVE-2016-9311 / VU#633847
471   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
472   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
473   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
474   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
475   Summary:
476	ntpd does not enable trap service by default. If trap service
477	has been explicitly enabled, an attacker can send a specially
478	crafted packet to cause a null pointer dereference that will
479	crash ntpd, resulting in a denial of service.
480   Mitigation:
481        Implement BCP-38.
482	Use "restrict default noquery ..." in your ntp.conf file. Only
483	    allow mode 6 queries from trusted networks and hosts.
484        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
485	    or the NTP Public Services Project Download Page
486        Properly monitor your ntpd instances, and auto-restart ntpd
487	    (without -g) if it stops running.
488   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
489
490* Mode 6 information disclosure and DDoS vector
491   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
492   References: Sec 3118 / CVE-2016-9310 / VU#633847
493   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
494	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
495   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
496   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
497   Summary:
498	An exploitable configuration modification vulnerability exists
499	in the control mode (mode 6) functionality of ntpd. If, against
500	long-standing BCP recommendations, "restrict default noquery ..."
501	is not specified, a specially crafted control mode packet can set
502	ntpd traps, providing information disclosure and DDoS
503	amplification, and unset ntpd traps, disabling legitimate
504	monitoring. A remote, unauthenticated, network attacker can
505	trigger this vulnerability.
506   Mitigation:
507        Implement BCP-38.
508	Use "restrict default noquery ..." in your ntp.conf file.
509        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
510	    or the NTP Public Services Project Download Page
511        Properly monitor your ntpd instances, and auto-restart ntpd
512	    (without -g) if it stops running.
513   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
514
515* Broadcast Mode Replay Prevention DoS
516   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
517   References: Sec 3114 / CVE-2016-7427 / VU#633847
518   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
519	ntp-4.3.90 up to, but not including ntp-4.3.94.
520   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
521   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
522   Summary:
523	The broadcast mode of NTP is expected to only be used in a
524	trusted network. If the broadcast network is accessible to an
525	attacker, a potentially exploitable denial of service
526	vulnerability in ntpd's broadcast mode replay prevention
527	functionality can be abused. An attacker with access to the NTP
528	broadcast domain can periodically inject specially crafted
529	broadcast mode NTP packets into the broadcast domain which,
530	while being logged by ntpd, can cause ntpd to reject broadcast
531	mode packets from legitimate NTP broadcast servers.
532   Mitigation:
533        Implement BCP-38.
534        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
535	    or the NTP Public Services Project Download Page
536        Properly monitor your ntpd instances, and auto-restart ntpd
537	    (without -g) if it stops running.
538   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
539
540* Broadcast Mode Poll Interval Enforcement DoS
541   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
542   References: Sec 3113 / CVE-2016-7428 / VU#633847
543   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
544	ntp-4.3.90 up to, but not including ntp-4.3.94
545   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
546   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
547   Summary:
548	The broadcast mode of NTP is expected to only be used in a
549	trusted network. If the broadcast network is accessible to an
550	attacker, a potentially exploitable denial of service
551	vulnerability in ntpd's broadcast mode poll interval enforcement
552	functionality can be abused. To limit abuse, ntpd restricts the
553	rate at which each broadcast association will process incoming
554	packets. ntpd will reject broadcast mode packets that arrive
555	before the poll interval specified in the preceding broadcast
556	packet expires. An attacker with access to the NTP broadcast
557	domain can send specially crafted broadcast mode NTP packets to
558	the broadcast domain which, while being logged by ntpd, will
559	cause ntpd to reject broadcast mode packets from legitimate NTP
560	broadcast servers.
561   Mitigation:
562        Implement BCP-38.
563        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
564	    or the NTP Public Services Project Download Page
565        Properly monitor your ntpd instances, and auto-restart ntpd
566	    (without -g) if it stops running.
567   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
568
569* Windows: ntpd DoS by oversized UDP packet
570   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
571   References: Sec 3110 / CVE-2016-9312 / VU#633847
572   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
573	and ntp-4.3.0 up to, but not including ntp-4.3.94.
574   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
575   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
576   Summary:
577	If a vulnerable instance of ntpd on Windows receives a crafted
578	malicious packet that is "too big", ntpd will stop working.
579   Mitigation:
580        Implement BCP-38.
581        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
582	    or the NTP Public Services Project Download Page
583        Properly monitor your ntpd instances, and auto-restart ntpd
584	    (without -g) if it stops running.
585   Credit: This weakness was discovered by Robert Pajak of ABB.
586
587* 0rigin (zero origin) issues
588   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
589   References: Sec 3102 / CVE-2016-7431 / VU#633847
590   Affects: ntp-4.2.8p8, and ntp-4.3.93.
591   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
592   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
593   Summary:
594	Zero Origin timestamp problems were fixed by Bug 2945 in
595	ntp-4.2.8p6. However, subsequent timestamp validation checks
596	introduced a regression in the handling of some Zero origin
597	timestamp checks.
598   Mitigation:
599        Implement BCP-38.
600        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
601	    or the NTP Public Services Project Download Page
602        Properly monitor your ntpd instances, and auto-restart ntpd
603	    (without -g) if it stops running.
604   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
605	Malhotra of Boston University.
606
607* read_mru_list() does inadequate incoming packet checks
608   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
609   References: Sec 3082 / CVE-2016-7434 / VU#633847
610   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
611	ntp-4.3.0 up to, but not including ntp-4.3.94.
612   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
613   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
614   Summary:
615	If ntpd is configured to allow mrulist query requests from a
616	server that sends a crafted malicious packet, ntpd will crash
617	on receipt of that crafted malicious mrulist query packet.
618   Mitigation:
619	Only allow mrulist query packets from trusted hosts.
620        Implement BCP-38.
621        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
622	    or the NTP Public Services Project Download Page
623        Properly monitor your ntpd instances, and auto-restart ntpd
624	    (without -g) if it stops running.
625   Credit: This weakness was discovered by Magnus Stubman.
626
627* Attack on interface selection
628   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
629   References: Sec 3072 / CVE-2016-7429 / VU#633847
630   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
631	ntp-4.3.0 up to, but not including ntp-4.3.94
632   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
633   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
634   Summary:
635	When ntpd receives a server response on a socket that corresponds
636	to a different interface than was used for the request, the peer
637	structure is updated to use the interface for new requests. If
638	ntpd is running on a host with multiple interfaces in separate
639	networks and the operating system doesn't check source address in
640	received packets (e.g. rp_filter on Linux is set to 0), an
641	attacker that knows the address of the source can send a packet
642	with spoofed source address which will cause ntpd to select wrong
643	interface for the source and prevent it from sending new requests
644	until the list of interfaces is refreshed, which happens on
645	routing changes or every 5 minutes by default. If the attack is
646	repeated often enough (once per second), ntpd will not be able to
647	synchronize with the source.
648   Mitigation:
649        Implement BCP-38.
650        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
651	    or the NTP Public Services Project Download Page
652	If you are going to configure your OS to disable source address
653	    checks, also configure your firewall configuration to control
654	    what interfaces can receive packets from what networks.
655        Properly monitor your ntpd instances, and auto-restart ntpd
656	    (without -g) if it stops running.
657   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
658
659* Client rate limiting and server responses
660   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
661   References: Sec 3071 / CVE-2016-7426 / VU#633847
662   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
663	ntp-4.3.0 up to, but not including ntp-4.3.94
664   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
665   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
666   Summary:
667	When ntpd is configured with rate limiting for all associations
668	(restrict default limited in ntp.conf), the limits are applied
669	also to responses received from its configured sources. An
670	attacker who knows the sources (e.g., from an IPv4 refid in
671	server response) and knows the system is (mis)configured in this
672	way can periodically send packets with spoofed source address to
673	keep the rate limiting activated and prevent ntpd from accepting
674	valid responses from its sources.
675
676	While this blanket rate limiting can be useful to prevent
677	brute-force attacks on the origin timestamp, it allows this DoS
678	attack. Similarly, it allows the attacker to prevent mobilization
679	of ephemeral associations.
680   Mitigation:
681        Implement BCP-38.
682        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
683	    or the NTP Public Services Project Download Page
684        Properly monitor your ntpd instances, and auto-restart ntpd
685	    (without -g) if it stops running.
686   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
687
688* Fix for bug 2085 broke initial sync calculations
689   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
690   References: Sec 3067 / CVE-2016-7433 / VU#633847
691   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
692	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
693	root-distance calculation in general is incorrect in all versions
694	of ntp-4 until this release.
695   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
696   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
697   Summary:
698	Bug 2085 described a condition where the root delay was included
699	twice, causing the jitter value to be higher than expected. Due
700	to a misinterpretation of a small-print variable in The Book, the
701	fix for this problem was incorrect, resulting in a root distance
702	that did not include the peer dispersion. The calculations and
703	formulae have been reviewed and reconciled, and the code has been
704	updated accordingly.
705   Mitigation:
706        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
707	    or the NTP Public Services Project Download Page
708        Properly monitor your ntpd instances, and auto-restart ntpd
709	    (without -g) if it stops running.
710   Credit: This weakness was discovered independently by Brian Utterback of
711	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
712
713Other fixes:
714
715* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
716* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
717* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
718  - moved retry decision where it belongs. <perlinger@ntp.org>
719* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
720  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
721* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
722* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
723  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
724* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
725  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
726  - added shim layer for SSL API calls with issues (both directions)
727* [Bug 3089] Serial Parser does not work anymore for hopfser like device
728  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
729* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
730* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
731  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
732* [Bug 3067] Root distance calculation needs improvement.  HStenn
733* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
734  - PPS-HACK works again.
735* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
736  - applied patch by Brian Utterback <brian.utterback@oracle.com>
737* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
738* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
739  <perlinger@ntp.org>
740  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
741* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
742  - Patch provided by Kuramatsu.
743* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
744  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
745* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
746* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
747* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
748* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
749  - fixed GPS week expansion to work based on build date. Special thanks
750    to Craig Leres for initial patch and testing.
751* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
752  - fixed Makefile.am <perlinger@ntp.org>
753* [Bug 2689] ATOM driver processes last PPS pulse at startup,
754             even if it is very old <perlinger@ntp.org>
755  - make sure PPS source is alive before processing samples
756  - improve stability close to the 500ms phase jump (phase gate)
757* Fix typos in include/ntp.h.
758* Shim X509_get_signature_nid() if needed
759* git author attribution cleanup
760* bk ignore file cleanup
761* remove locks in Windows IO, use rpc-like thread synchronisation instead
762
763---
764NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
765
766Focus: Security, Bug fixes, enhancements.
767
768Severity: HIGH
769
770In addition to bug fixes and enhancements, this release fixes the
771following 1 high- and 4 low-severity vulnerabilities:
772
773* CRYPTO_NAK crash
774   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
775   References: Sec 3046 / CVE-2016-4957 / VU#321640
776   Affects: ntp-4.2.8p7, and ntp-4.3.92.
777   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
778   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
779   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
780	could cause ntpd to crash.
781   Mitigation:
782        Implement BCP-38.
783        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
784	    or the NTP Public Services Project Download Page
785        If you cannot upgrade from 4.2.8p7, the only other alternatives
786	    are to patch your code or filter CRYPTO_NAK packets.
787        Properly monitor your ntpd instances, and auto-restart ntpd
788	    (without -g) if it stops running.
789   Credit: This weakness was discovered by Nicolas Edet of Cisco.
790
791* Bad authentication demobilizes ephemeral associations
792   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
793   References: Sec 3045 / CVE-2016-4953 / VU#321640
794   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
795	ntp-4.3.0 up to, but not including ntp-4.3.93.
796   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
797   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
798   Summary: An attacker who knows the origin timestamp and can send a
799	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
800	target before any other response is sent can demobilize that
801	association.
802   Mitigation:
803	Implement BCP-38.
804	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
805	    or the NTP Public Services Project Download Page
806	Properly monitor your ntpd instances.
807	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
808
809* Processing spoofed server packets
810   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
811   References: Sec 3044 / CVE-2016-4954 / VU#321640
812   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
813	ntp-4.3.0 up to, but not including ntp-4.3.93.
814   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
815   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
816   Summary: An attacker who is able to spoof packets with correct origin
817	timestamps from enough servers before the expected response
818	packets arrive at the target machine can affect some peer
819	variables and, for example, cause a false leap indication to be set.
820   Mitigation:
821	Implement BCP-38.
822	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
823	    or the NTP Public Services Project Download Page
824	Properly monitor your ntpd instances.
825   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
826
827* Autokey association reset
828   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
829   References: Sec 3043 / CVE-2016-4955 / VU#321640
830   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
831	ntp-4.3.0 up to, but not including ntp-4.3.93.
832   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
833   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
834   Summary: An attacker who is able to spoof a packet with a correct
835	origin timestamp before the expected response packet arrives at
836	the target machine can send a CRYPTO_NAK or a bad MAC and cause
837	the association's peer variables to be cleared. If this can be
838	done often enough, it will prevent that association from working.
839   Mitigation:
840	Implement BCP-38.
841	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
842	    or the NTP Public Services Project Download Page
843	Properly monitor your ntpd instances.
844   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
845
846* Broadcast interleave
847   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
848   References: Sec 3042 / CVE-2016-4956 / VU#321640
849   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
850   	ntp-4.3.0 up to, but not including ntp-4.3.93.
851   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
852   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
853   Summary: The fix for NtpBug2978 does not cover broadcast associations,
854   	so broadcast clients can be triggered to flip into interleave mode.
855   Mitigation:
856	Implement BCP-38.
857	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
858	    or the NTP Public Services Project Download Page
859	Properly monitor your ntpd instances.
860   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
861
862Other fixes:
863* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
864  - provide build environment
865  - 'wint_t' and 'struct timespec' defined by VS2015
866  - fixed print()/scanf() format issues
867* [Bug 3052] Add a .gitignore file.  Edmund Wong.
868* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
869* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
870  JPerlinger, HStenn.
871* Fix typo in ntp-wait and plot_summary.  HStenn.
872* Make sure we have an "author" file for git imports.  HStenn.
873* Update the sntp problem tests for MacOS.  HStenn.
874
875---
876NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
877
878Focus: Security, Bug fixes, enhancements.
879
880Severity: MEDIUM
881
882When building NTP from source, there is a new configure option
883available, --enable-dynamic-interleave.  More information on this below.
884
885Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
886versions of ntp.  These events have almost certainly happened in the
887past, it's just that they were silently counted and not logged.  With
888the increasing awareness around security, we feel it's better to clearly
889log these events to help detect abusive behavior.  This increased
890logging can also help detect other problems, too.
891
892In addition to bug fixes and enhancements, this release fixes the
893following 9 low- and medium-severity vulnerabilities:
894
895* Improve NTP security against buffer comparison timing attacks,
896  AKA: authdecrypt-timing
897   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
898   References: Sec 2879 / CVE-2016-1550
899   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
900	4.3.0 up to, but not including 4.3.92
901   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
902   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
903   Summary: Packet authentication tests have been performed using
904	memcmp() or possibly bcmp(), and it is potentially possible
905	for a local or perhaps LAN-based attacker to send a packet with
906	an authentication payload and indirectly observe how much of
907	the digest has matched.
908   Mitigation:
909	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
910	    or the NTP Public Services Project Download Page.
911	Properly monitor your ntpd instances.
912   Credit: This weakness was discovered independently by Loganaden
913   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
914
915* Zero origin timestamp bypass: Additional KoD checks.
916   References: Sec 2945 / Sec 2901 / CVE-2015-8138
917   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
918   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
919
920* peer associations were broken by the fix for NtpBug2899
921   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
922   References: Sec 2952 / CVE-2015-7704
923   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
924   	4.3.0 up to, but not including 4.3.92
925   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
926   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
927   	associations did not address all of the issues.
928   Mitigation:
929        Implement BCP-38.
930        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
931	    or the NTP Public Services Project Download Page
932        If you can't upgrade, use "server" associations instead of
933	    "peer" associations.
934        Monitor your ntpd instances.
935   Credit: This problem was discovered by Michael Tatarinov.
936
937* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
938   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
939   References: Sec 3007 / CVE-2016-1547 / VU#718152
940   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
941	4.3.0 up to, but not including 4.3.92
942   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
943   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
944   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
945	off-path attacker can cause a preemptable client association to
946	be demobilized by sending a crypto NAK packet to a victim client
947	with a spoofed source address of an existing associated peer.
948	This is true even if authentication is enabled.
949
950	Furthermore, if the attacker keeps sending crypto NAK packets,
951	for example one every second, the victim never has a chance to
952	reestablish the association and synchronize time with that
953	legitimate server.
954
955	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
956	stringent checks are performed on incoming packets, but there
957	are still ways to exploit this vulnerability in versions before
958	ntp-4.2.8p7.
959   Mitigation:
960	Implement BCP-38.
961	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
962	    or the NTP Public Services Project Download Page
963	Properly monitor your =ntpd= instances
964   Credit: This weakness was discovered by Stephen Gray and
965   	Matthew Van Gundy of Cisco ASIG.
966
967* ctl_getitem() return value not always checked
968   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
969   References: Sec 3008 / CVE-2016-2519
970   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
971	4.3.0 up to, but not including 4.3.92
972   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
973   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
974   Summary: ntpq and ntpdc can be used to store and retrieve information
975   	in ntpd. It is possible to store a data value that is larger
976	than the size of the buffer that the ctl_getitem() function of
977	ntpd uses to report the return value. If the length of the
978	requested data value returned by ctl_getitem() is too large,
979	the value NULL is returned instead. There are 2 cases where the
980	return value from ctl_getitem() was not directly checked to make
981	sure it's not NULL, but there are subsequent INSIST() checks
982	that make sure the return value is not NULL. There are no data
983	values ordinarily stored in ntpd that would exceed this buffer
984	length. But if one has permission to store values and one stores
985	a value that is "too large", then ntpd will abort if an attempt
986	is made to read that oversized value.
987    Mitigation:
988        Implement BCP-38.
989        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
990	    or the NTP Public Services Project Download Page
991        Properly monitor your ntpd instances.
992    Credit: This weakness was discovered by Yihan Lian of the Cloud
993    	Security Team, Qihoo 360.
994
995* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
996   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
997   References: Sec 3009 / CVE-2016-2518 / VU#718152
998   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
999	4.3.0 up to, but not including 4.3.92
1000   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1001   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1002   Summary: Using a crafted packet to create a peer association with
1003   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1004	out-of-bounds reference.
1005   Mitigation:
1006	Implement BCP-38.
1007	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1008	    or the NTP Public Services Project Download Page
1009	Properly monitor your ntpd instances
1010   Credit: This weakness was discovered by Yihan Lian of the Cloud
1011   	Security Team, Qihoo 360.
1012
1013* remote configuration trustedkey/requestkey/controlkey values are not
1014	properly validated
1015   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1016   References: Sec 3010 / CVE-2016-2517 / VU#718152
1017   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1018	4.3.0 up to, but not including 4.3.92
1019   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1020   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1021   Summary: If ntpd was expressly configured to allow for remote
1022   	configuration, a malicious user who knows the controlkey for
1023	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1024	can create a session with ntpd and then send a crafted packet to
1025	ntpd that will change the value of the trustedkey, controlkey,
1026	or requestkey to a value that will prevent any subsequent
1027	authentication with ntpd until ntpd is restarted.
1028   Mitigation:
1029	Implement BCP-38.
1030	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1031	    or the NTP Public Services Project Download Page
1032	Properly monitor your =ntpd= instances
1033   Credit: This weakness was discovered by Yihan Lian of the Cloud
1034   	Security Team, Qihoo 360.
1035
1036* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1037   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1038   References: Sec 3011 / CVE-2016-2516 / VU#718152
1039   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1040   	4.3.0 up to, but not including 4.3.92
1041   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1042   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1043   Summary: If ntpd was expressly configured to allow for remote
1044   	configuration, a malicious user who knows the controlkey for
1045	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1046	can create a session with ntpd and if an existing association is
1047	unconfigured using the same IP twice on the unconfig directive
1048	line, ntpd will abort.
1049   Mitigation:
1050	Implement BCP-38.
1051	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1052	    or the NTP Public Services Project Download Page
1053	Properly monitor your ntpd instances
1054   Credit: This weakness was discovered by Yihan Lian of the Cloud
1055   	Security Team, Qihoo 360.
1056
1057* Refclock impersonation vulnerability
1058   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1059   References: Sec 3020 / CVE-2016-1551
1060   Affects: On a very limited number of OSes, all NTP releases up to but
1061	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1062	By "very limited number of OSes" we mean no general-purpose OSes
1063	have yet been identified that have this vulnerability.
1064   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1065   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1066   Summary: While most OSes implement martian packet filtering in their
1067   	network stack, at least regarding 127.0.0.0/8, some will allow
1068	packets claiming to be from 127.0.0.0/8 that arrive over a
1069	physical network. On these OSes, if ntpd is configured to use a
1070	reference clock an attacker can inject packets over the network
1071	that look like they are coming from that reference clock.
1072   Mitigation:
1073        Implement martian packet filtering and BCP-38.
1074        Configure ntpd to use an adequate number of time sources.
1075        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1076	    or the NTP Public Services Project Download Page
1077        If you are unable to upgrade and if you are running an OS that
1078	    has this vulnerability, implement martian packet filters and
1079	    lobby your OS vendor to fix this problem, or run your
1080	    refclocks on computers that use OSes that are not vulnerable
1081	    to these attacks and have your vulnerable machines get their
1082	    time from protected resources.
1083        Properly monitor your ntpd instances.
1084   Credit: This weakness was discovered by Matt Street and others of
1085   	Cisco ASIG.
1086
1087The following issues were fixed in earlier releases and contain
1088improvements in 4.2.8p7:
1089
1090* Clients that receive a KoD should validate the origin timestamp field.
1091   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1092   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1093   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1094
1095* Skeleton key: passive server with trusted key can serve time.
1096   References: Sec 2936 / CVE-2015-7974
1097   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1098   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1099
1100Two other vulnerabilities have been reported, and the mitigations
1101for these are as follows:
1102
1103* Interleave-pivot
1104   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1105   References: Sec 2978 / CVE-2016-1548
1106   Affects: All ntp-4 releases.
1107   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1108   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1109   Summary: It is possible to change the time of an ntpd client or deny
1110   	service to an ntpd client by forcing it to change from basic
1111	client/server mode to interleaved symmetric mode. An attacker
1112	can spoof a packet from a legitimate ntpd server with an origin
1113	timestamp that matches the peer->dst timestamp recorded for that
1114	server. After making this switch, the client will reject all
1115	future legitimate server responses. It is possible to force the
1116	victim client to move time after the mode has been changed.
1117	ntpq gives no indication that the mode has been switched.
1118   Mitigation:
1119        Implement BCP-38.
1120        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1121	    or the NTP Public Services Project Download Page.  These
1122	    versions will not dynamically "flip" into interleave mode
1123	    unless configured to do so.
1124        Properly monitor your ntpd instances.
1125   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1126   	and separately by Jonathan Gardner of Cisco ASIG.
1127
1128* Sybil vulnerability: ephemeral association attack
1129   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1130   References: Sec 3012 / CVE-2016-1549
1131   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1132   	4.3.0 up to, but not including 4.3.92
1133   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1134   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1135   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1136   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1137	field in the ntp.keys file to specify which IPs can serve time,
1138	a malicious authenticated peer can create arbitrarily-many
1139	ephemeral associations in order to win the clock selection of
1140	ntpd and modify a victim's clock.
1141   Mitigation:
1142        Implement BCP-38.
1143        Use the 4th field in the ntp.keys file to specify which IPs
1144	    can be time servers.
1145        Properly monitor your ntpd instances.
1146   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1147
1148Other fixes:
1149
1150* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1151  - fixed yet another race condition in the threaded resolver code.
1152* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1153* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1154  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1155    with some modifications & unit tests
1156* [Bug 2960] async name resolution fixes for chroot() environments.
1157  Reinhard Max.
1158* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1159* [Bug 2995] Fixes to compile on Windows
1160* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1161* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1162  - Patch provided by Ch. Weisgerber
1163* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1164  - A change related to [Bug 2853] forbids trailing white space in
1165    remote config commands. perlinger@ntp.org
1166* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1167  - report and patch from Aleksandr Kostikov.
1168  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1169* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1170  - fixed memory leak in access list (auth[read]keys.c)
1171  - refactored handling of key access lists (auth[read]keys.c)
1172  - reduced number of error branches (authreadkeys.c)
1173* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1174* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1175* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1176             when the time of server changed. perlinger@ntp.org
1177  - Check the initial delay calculation and reject/unpeer the broadcast
1178    server if the delay exceeds 50ms. Retry again after the next
1179    broadcast packet.
1180* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1181* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1182* Update html/xleave.html documentation.  Harlan Stenn.
1183* Update ntp.conf documentation.  Harlan Stenn.
1184* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1185* Fix typo in html/monopt.html.  Harlan Stenn.
1186* Add README.pullrequests.  Harlan Stenn.
1187* Cleanup to include/ntp.h.  Harlan Stenn.
1188
1189New option to 'configure':
1190
1191While looking in to the issues around Bug 2978, the "interleave pivot"
1192issue, it became clear that there are some intricate and unresolved
1193issues with interleave operations.  We also realized that the interleave
1194protocol was never added to the NTPv4 Standard, and it should have been.
1195
1196Interleave mode was first released in July of 2008, and can be engaged
1197in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1198contain the 'xleave' option, which will expressly enable interlave mode
1199for that association.  Additionally, if a time packet arrives and is
1200found inconsistent with normal protocol behavior but has certain
1201characteristics that are compatible with interleave mode, NTP will
1202dynamically switch to interleave mode.  With sufficient knowledge, an
1203attacker can send a crafted forged packet to an NTP instance that
1204triggers only one side to enter interleaved mode.
1205
1206To prevent this attack until we can thoroughly document, describe,
1207fix, and test the dynamic interleave mode, we've added a new
1208'configure' option to the build process:
1209
1210 --enable-dynamic-interleave
1211
1212This option controls whether or not NTP will, if conditions are right,
1213engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1214default in ntp-4.2.8p7.
1215
1216---
1217NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1218
1219Focus: Security, Bug fixes, enhancements.
1220
1221Severity: MEDIUM
1222
1223In addition to bug fixes and enhancements, this release fixes the
1224following 1 low- and 8 medium-severity vulnerabilities:
1225
1226* Potential Infinite Loop in 'ntpq'
1227   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1228   References: Sec 2548 / CVE-2015-8158
1229   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1230	4.3.0 up to, but not including 4.3.90
1231   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1232   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1233   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1234	The loop's only stopping conditions are receiving a complete and
1235	correct response or hitting a small number of error conditions.
1236	If the packet contains incorrect values that don't trigger one of
1237	the error conditions, the loop continues to receive new packets.
1238	Note well, this is an attack against an instance of 'ntpq', not
1239	'ntpd', and this attack requires the attacker to do one of the
1240	following:
1241	* Own a malicious NTP server that the client trusts
1242	* Prevent a legitimate NTP server from sending packets to
1243	    the 'ntpq' client
1244	* MITM the 'ntpq' communications between the 'ntpq' client
1245	    and the NTP server
1246   Mitigation:
1247	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1248	or the NTP Public Services Project Download Page
1249   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1250
1251* 0rigin: Zero Origin Timestamp Bypass
1252   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1253   References: Sec 2945 / CVE-2015-8138
1254   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1255	4.3.0 up to, but not including 4.3.90
1256   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
1257   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1258	(3.7 - LOW if you score AC:L)
1259   Summary: To distinguish legitimate peer responses from forgeries, a
1260	client attempts to verify a response packet by ensuring that the
1261	origin timestamp in the packet matches the origin timestamp it
1262	transmitted in its last request.  A logic error exists that
1263	allows packets with an origin timestamp of zero to bypass this
1264	check whenever there is not an outstanding request to the server.
1265   Mitigation:
1266	Configure 'ntpd' to get time from multiple sources.
1267	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1268	    or the NTP Public Services Project Download Page.
1269	Monitor your 'ntpd= instances.
1270   Credit: This weakness was discovered by Matthey Van Gundy and
1271	Jonathan Gardner of Cisco ASIG.
1272
1273* Stack exhaustion in recursive traversal of restriction list
1274   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
1275   References: Sec 2940 / CVE-2015-7978
1276   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1277	4.3.0 up to, but not including 4.3.90
1278   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1279   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1280   	segmentation fault in ntpd by exhausting the call stack.
1281   Mitigation:
1282	Implement BCP-38.
1283	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1284	    or the NTP Public Services Project Download Page.
1285	If you are unable to upgrade:
1286            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1287	    If you must enable mode 7:
1288		configure the use of a 'requestkey' to control who can
1289		    issue mode 7 requests.
1290		configure 'restrict noquery' to further limit mode 7
1291		    requests to trusted sources.
1292		Monitor your ntpd instances.
1293   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
1294
1295* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
1296   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1297   References: Sec 2942 / CVE-2015-7979
1298   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1299	4.3.0 up to, but not including 4.3.90
1300   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
1301   Summary: An off-path attacker can send broadcast packets with bad
1302	authentication (wrong key, mismatched key, incorrect MAC, etc)
1303	to broadcast clients. It is observed that the broadcast client
1304	tears down the association with the broadcast server upon
1305	receiving just one bad packet.
1306   Mitigation:
1307	Implement BCP-38.
1308	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1309	or the NTP Public Services Project Download Page.
1310	Monitor your 'ntpd' instances.
1311	If this sort of attack is an active problem for you, you have
1312	    deeper problems to investigate.  In this case also consider
1313	    having smaller NTP broadcast domains.
1314   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1315   	University.
1316
1317* reslist NULL pointer dereference
1318   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1319   References: Sec 2939 / CVE-2015-7977
1320   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1321	4.3.0 up to, but not including 4.3.90
1322   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1323   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1324	segmentation fault in ntpd by causing a NULL pointer dereference.
1325   Mitigation:
1326	Implement BCP-38.
1327	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1328	the NTP Public Services Project Download Page.
1329	If you are unable to upgrade:
1330	    mode 7 is disabled by default.  Don't enable it.
1331	    If you must enable mode 7:
1332		configure the use of a 'requestkey' to control who can
1333		    issue mode 7 requests.
1334		configure 'restrict noquery' to further limit mode 7
1335		    requests to trusted sources.
1336	Monitor your ntpd instances.
1337   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1338
1339* 'ntpq saveconfig' command allows dangerous characters in filenames.
1340   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1341   References: Sec 2938 / CVE-2015-7976
1342   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1343	4.3.0 up to, but not including 4.3.90
1344   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1345   Summary: The ntpq saveconfig command does not do adequate filtering
1346   	of special characters from the supplied filename.
1347	Note well: The ability to use the saveconfig command is controlled
1348	by the 'restrict nomodify' directive, and the recommended default
1349	configuration is to disable this capability.  If the ability to
1350	execute a 'saveconfig' is required, it can easily (and should) be
1351	limited and restricted to a known small number of IP addresses.
1352   Mitigation:
1353	Implement BCP-38.
1354	use 'restrict default nomodify' in your 'ntp.conf' file.
1355	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1356	If you are unable to upgrade:
1357	    build NTP with 'configure --disable-saveconfig' if you will
1358	    	never need this capability, or
1359	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
1360		careful about what IPs have the ability to send 'modify'
1361		requests to 'ntpd'.
1362	Monitor your ntpd instances.
1363	'saveconfig' requests are logged to syslog - monitor your syslog files.
1364   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1365
1366* nextvar() missing length check in ntpq
1367   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1368   References: Sec 2937 / CVE-2015-7975
1369   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1370	4.3.0 up to, but not including 4.3.90
1371   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1372	If you score A:C, this becomes 4.0.
1373   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1374   Summary: ntpq may call nextvar() which executes a memcpy() into the
1375	name buffer without a proper length check against its maximum
1376	length of 256 bytes. Note well that we're taking about ntpq here.
1377	The usual worst-case effect of this vulnerability is that the
1378	specific instance of ntpq will crash and the person or process
1379	that did this will have stopped themselves.
1380   Mitigation:
1381	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1382	    or the NTP Public Services Project Download Page.
1383	If you are unable to upgrade:
1384	    If you have scripts that feed input to ntpq make sure there are
1385		some sanity checks on the input received from the "outside".
1386	    This is potentially more dangerous if ntpq is run as root.
1387   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1388
1389* Skeleton Key: Any trusted key system can serve time
1390   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1391   References: Sec 2936 / CVE-2015-7974
1392   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1393	4.3.0 up to, but not including 4.3.90
1394   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1395   Summary: Symmetric key encryption uses a shared trusted key. The
1396	reported title for this issue was "Missing key check allows
1397	impersonation between authenticated peers" and the report claimed
1398	"A key specified only for one server should only work to
1399	authenticate that server, other trusted keys should be refused."
1400	Except there has never been any correlation between this trusted
1401	key and server v. clients machines and there has never been any
1402	way to specify a key only for one server. We have treated this as
1403	an enhancement request, and ntp-4.2.8p6 includes other checks and
1404	tests to strengthen clients against attacks coming from broadcast
1405	servers.
1406   Mitigation:
1407	Implement BCP-38.
1408	If this scenario represents a real or a potential issue for you,
1409	    upgrade to 4.2.8p6, or later, from the NTP Project Download
1410	    Page or the NTP Public Services Project Download Page, and
1411	    use the new field in the ntp.keys file that specifies the list
1412	    of IPs that are allowed to serve time. Note that this alone
1413	    will not protect against time packets with forged source IP
1414	    addresses, however other changes in ntp-4.2.8p6 provide
1415	    significant mitigation against broadcast attacks. MITM attacks
1416	    are a different story.
1417	If you are unable to upgrade:
1418	    Don't use broadcast mode if you cannot monitor your client
1419	    	servers.
1420	    If you choose to use symmetric keys to authenticate time
1421	    	packets in a hostile environment where ephemeral time
1422		servers can be created, or if it is expected that malicious
1423		time servers will participate in an NTP broadcast domain,
1424		limit the number of participating systems that participate
1425		in the shared-key group.
1426	Monitor your ntpd instances.
1427   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
1428
1429* Deja Vu: Replay attack on authenticated broadcast mode
1430   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1431   References: Sec 2935 / CVE-2015-7973
1432   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1433   	4.3.0 up to, but not including 4.3.90
1434   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
1435   Summary: If an NTP network is configured for broadcast operations then
1436   	either a man-in-the-middle attacker or a malicious participant
1437	that has the same trusted keys as the victim can replay time packets.
1438   Mitigation:
1439	Implement BCP-38.
1440	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1441	    or the NTP Public Services Project Download Page.
1442	If you are unable to upgrade:
1443	    Don't use broadcast mode if you cannot monitor your client servers.
1444	Monitor your ntpd instances.
1445   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1446	University.
1447
1448Other fixes:
1449
1450* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
1451* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
1452  - applied patch by shenpeng11@huawei.com with minor adjustments
1453* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
1454* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1455* [Bug 2892] Several test cases assume IPv6 capabilities even when
1456             IPv6 is disabled in the build. perlinger@ntp.org
1457  - Found this already fixed, but validation led to cleanup actions.
1458* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1459  - added limits to stack consumption, fixed some return code handling
1460* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1461  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1462  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
1463* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1464  - integrated several patches from Havard Eidnes (he@uninett.no)
1465* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1466  - implement 'auth_log2()' using integer bithack instead of float calculation
1467* Make leapsec_query debug messages less verbose.  Harlan Stenn.
1468
1469---
1470NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1471
1472Focus: Security, Bug fixes, enhancements.
1473
1474Severity: MEDIUM
1475
1476In addition to bug fixes and enhancements, this release fixes the
1477following medium-severity vulnerability:
1478
1479* Small-step/big-step.  Close the panic gate earlier.
1480    References: Sec 2956, CVE-2015-5300
1481    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1482	4.3.0 up to, but not including 4.3.78
1483    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1484    Summary: If ntpd is always started with the -g option, which is
1485	common and against long-standing recommendation, and if at the
1486	moment ntpd is restarted an attacker can immediately respond to
1487	enough requests from enough sources trusted by the target, which
1488	is difficult and not common, there is a window of opportunity
1489	where the attacker can cause ntpd to set the time to an
1490	arbitrary value. Similarly, if an attacker is able to respond
1491	to enough requests from enough sources trusted by the target,
1492	the attacker can cause ntpd to abort and restart, at which
1493	point it can tell the target to set the time to an arbitrary
1494	value if and only if ntpd was re-started against long-standing
1495	recommendation with the -g flag, or if ntpd was not given the
1496	-g flag, the attacker can move the target system's time by at
1497	most 900 seconds' time per attack.
1498    Mitigation:
1499	Configure ntpd to get time from multiple sources.
1500	Upgrade to 4.2.8p5, or later, from the NTP Project Download
1501	    Page or the NTP Public Services Project Download Page
1502	As we've long documented, only use the -g option to ntpd in
1503	    cold-start situations.
1504	Monitor your ntpd instances.
1505    Credit: This weakness was discovered by Aanchal Malhotra,
1506	Isaac E. Cohen, and Sharon Goldberg at Boston University.
1507
1508    NOTE WELL: The -g flag disables the limit check on the panic_gate
1509	in ntpd, which is 900 seconds by default. The bug identified by
1510	the researchers at Boston University is that the panic_gate
1511	check was only re-enabled after the first change to the system
1512	clock that was greater than 128 milliseconds, by default. The
1513	correct behavior is that the panic_gate check should be
1514	re-enabled after any initial time correction.
1515
1516	If an attacker is able to inject consistent but erroneous time
1517	responses to your systems via the network or "over the air",
1518	perhaps by spoofing radio, cellphone, or navigation satellite
1519	transmissions, they are in a great position to affect your
1520	system's clock. There comes a point where your very best
1521	defenses include:
1522
1523	    Configure ntpd to get time from multiple sources.
1524	    Monitor your ntpd instances.
1525
1526Other fixes:
1527
1528* Coverity submission process updated from Coverity 5 to Coverity 7.
1529  The NTP codebase has been undergoing regular Coverity scans on an
1530  ongoing basis since 2006.  As part of our recent upgrade from
1531  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1532  the newly-written Unity test programs.  These were fixed.
1533* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
1534* [Bug 2887] stratum -1 config results as showing value 99
1535  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1536* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
1537* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
1538* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1539  - applied patch by Christos Zoulas.  perlinger@ntp.org
1540* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1541* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1542  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1543  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1544* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1545  - accept key file only if there are no parsing errors
1546  - fixed size_t/u_int format clash
1547  - fixed wrong use of 'strlcpy'
1548* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1549* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1550  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1551  - promote use of 'size_t' for values that express a size
1552  - use ptr-to-const for read-only arguments
1553  - make sure SOCKET values are not truncated (win32-specific)
1554  - format string fixes
1555* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
1556* [Bug 2967] ntpdate command suffers an assertion failure
1557  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1558* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
1559              lots of clients. perlinger@ntp.org
1560* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1561  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1562* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
1563* Unity test cleanup.  Harlan Stenn.
1564* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
1565* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
1566* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
1567* Quiet a warning from clang.  Harlan Stenn.
1568
1569---
1570NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1571
1572Focus: Security, Bug fixes, enhancements.
1573
1574Severity: MEDIUM
1575
1576In addition to bug fixes and enhancements, this release fixes the
1577following 13 low- and medium-severity vulnerabilities:
1578
1579* Incomplete vallen (value length) checks in ntp_crypto.c, leading
1580  to potential crashes or potential code injection/information leakage.
1581
1582    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1583    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1584    	and 4.3.0 up to, but not including 4.3.77
1585    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1586    Summary: The fix for CVE-2014-9750 was incomplete in that there were
1587    	certain code paths where a packet with particular autokey operations
1588	that contained malicious data was not always being completely
1589	validated. Receipt of these packets can cause ntpd to crash.
1590    Mitigation:
1591        Don't use autokey.
1592	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1593	    Page or the NTP Public Services Project Download Page
1594	Monitor your ntpd instances.
1595	Credit: This weakness was discovered by Tenable Network Security.
1596
1597* Clients that receive a KoD should validate the origin timestamp field.
1598
1599    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1600    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1601	and 4.3.0 up to, but not including 4.3.77
1602    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
1603    Summary: An ntpd client that honors Kiss-of-Death responses will honor
1604    	KoD messages that have been forged by an attacker, causing it to
1605	delay or stop querying its servers for time updates. Also, an
1606	attacker can forge packets that claim to be from the target and
1607	send them to servers often enough that a server that implements
1608	KoD rate limiting will send the target machine a KoD response to
1609	attempt to reduce the rate of incoming packets, or it may also
1610	trigger a firewall block at the server for packets from the target
1611	machine. For either of these attacks to succeed, the attacker must
1612	know what servers the target is communicating with. An attacker
1613	can be anywhere on the Internet and can frequently learn the
1614	identity of the target's time source by sending the target a
1615	time query.
1616    Mitigation:
1617        Implement BCP-38.
1618	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
1619	    or the NTP Public Services Project Download Page
1620	If you can't upgrade, restrict who can query ntpd to learn who
1621	    its servers are, and what IPs are allowed to ask your system
1622	    for the time. This mitigation is heavy-handed.
1623	Monitor your ntpd instances.
1624    Note:
1625    	4.2.8p4 protects against the first attack. For the second attack,
1626    	all we can do is warn when it is happening, which we do in 4.2.8p4.
1627    Credit: This weakness was discovered by Aanchal Malhotra,
1628    	Issac E. Cohen, and Sharon Goldberg of Boston University.
1629
1630* configuration directives to change "pidfile" and "driftfile" should
1631  only be allowed locally.
1632
1633  References: Sec 2902 / CVE-2015-5196
1634  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1635	and 4.3.0 up to, but not including 4.3.77
1636   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
1637   Summary: If ntpd is configured to allow for remote configuration,
1638	and if the (possibly spoofed) source IP address is allowed to
1639	send remote configuration requests, and if the attacker knows
1640	the remote configuration password, it's possible for an attacker
1641	to use the "pidfile" or "driftfile" directives to potentially
1642	overwrite other files.
1643   Mitigation:
1644	Implement BCP-38.
1645	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1646	    Page or the NTP Public Services Project Download Page
1647	If you cannot upgrade, don't enable remote configuration.
1648	If you must enable remote configuration and cannot upgrade,
1649	    remote configuration of NTF's ntpd requires:
1650	    - an explicitly configured trustedkey, and you should also
1651	    	configure a controlkey.
1652	    - access from a permitted IP. You choose the IPs.
1653	    - authentication. Don't disable it. Practice secure key safety.
1654	Monitor your ntpd instances.
1655   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1656
1657* Slow memory leak in CRYPTO_ASSOC
1658
1659  References: Sec 2909 / CVE-2015-7701
1660  Affects: All ntp-4 releases that use autokey up to, but not
1661    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1662  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
1663  	4.6 otherwise
1664  Summary: If ntpd is configured to use autokey, then an attacker can
1665	send packets to ntpd that will, after several days of ongoing
1666	attack, cause it to run out of memory.
1667  Mitigation:
1668	Don't use autokey.
1669	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1670	    Page or the NTP Public Services Project Download Page
1671	Monitor your ntpd instances.
1672  Credit: This weakness was discovered by Tenable Network Security.
1673
1674* mode 7 loop counter underrun
1675
1676  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
1677  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1678  	and 4.3.0 up to, but not including 4.3.77
1679  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1680  Summary: If ntpd is configured to enable mode 7 packets, and if the
1681	use of mode 7 packets is not properly protected thru the use of
1682	the available mode 7 authentication and restriction mechanisms,
1683	and if the (possibly spoofed) source IP address is allowed to
1684	send mode 7 queries, then an attacker can send a crafted packet
1685	to ntpd that will cause it to crash.
1686  Mitigation:
1687	Implement BCP-38.
1688	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1689	    Page or the NTP Public Services Project Download Page.
1690	      If you are unable to upgrade:
1691	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1692	If you must enable mode 7:
1693	    configure the use of a requestkey to control who can issue
1694		mode 7 requests.
1695	    configure restrict noquery to further limit mode 7 requests
1696		to trusted sources.
1697	Monitor your ntpd instances.
1698Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
1699
1700* memory corruption in password store
1701
1702  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
1703  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1704  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
1705  Summary: If ntpd is configured to allow remote configuration, and if
1706	the (possibly spoofed) source IP address is allowed to send
1707	remote configuration requests, and if the attacker knows the
1708	remote configuration password or if ntpd was configured to
1709	disable authentication, then an attacker can send a set of
1710	packets to ntpd that may cause a crash or theoretically
1711	perform a code injection attack.
1712  Mitigation:
1713	Implement BCP-38.
1714	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1715	    Page or the NTP Public Services Project Download Page.
1716	If you are unable to upgrade, remote configuration of NTF's
1717	    ntpd requires:
1718		an explicitly configured "trusted" key. Only configure
1719			this if you need it.
1720		access from a permitted IP address. You choose the IPs.
1721		authentication. Don't disable it. Practice secure key safety.
1722	Monitor your ntpd instances.
1723  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1724
1725* Infinite loop if extended logging enabled and the logfile and
1726  keyfile are the same.
1727
1728    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
1729    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1730	and 4.3.0 up to, but not including 4.3.77
1731    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1732    Summary: If ntpd is configured to allow remote configuration, and if
1733	the (possibly spoofed) source IP address is allowed to send
1734	remote configuration requests, and if the attacker knows the
1735	remote configuration password or if ntpd was configured to
1736	disable authentication, then an attacker can send a set of
1737	packets to ntpd that will cause it to crash and/or create a
1738	potentially huge log file. Specifically, the attacker could
1739	enable extended logging, point the key file at the log file,
1740	and cause what amounts to an infinite loop.
1741    Mitigation:
1742	Implement BCP-38.
1743	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1744	    Page or the NTP Public Services Project Download Page.
1745	If you are unable to upgrade, remote configuration of NTF's ntpd
1746	  requires:
1747            an explicitly configured "trusted" key. Only configure this
1748	    	if you need it.
1749            access from a permitted IP address. You choose the IPs.
1750            authentication. Don't disable it. Practice secure key safety.
1751        Monitor your ntpd instances.
1752    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1753
1754* Potential path traversal vulnerability in the config file saving of
1755  ntpd on VMS.
1756
1757  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
1758  Affects: All ntp-4 releases running under VMS up to, but not
1759	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1760  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
1761  Summary: If ntpd is configured to allow remote configuration, and if
1762	the (possibly spoofed) IP address is allowed to send remote
1763	configuration requests, and if the attacker knows the remote
1764	configuration password or if ntpd was configured to disable
1765	authentication, then an attacker can send a set of packets to
1766	ntpd that may cause ntpd to overwrite files.
1767  Mitigation:
1768	Implement BCP-38.
1769	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1770	    Page or the NTP Public Services Project Download Page.
1771	If you are unable to upgrade, remote configuration of NTF's ntpd
1772	    requires:
1773		an explicitly configured "trusted" key. Only configure
1774			this if you need it.
1775		access from permitted IP addresses. You choose the IPs.
1776		authentication. Don't disable it. Practice key security safety.
1777        Monitor your ntpd instances.
1778    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1779
1780* ntpq atoascii() potential memory corruption
1781
1782  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
1783  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
1784	and 4.3.0 up to, but not including 4.3.77
1785  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
1786  Summary: If an attacker can figure out the precise moment that ntpq
1787	is listening for data and the port number it is listening on or
1788	if the attacker can provide a malicious instance ntpd that
1789	victims will connect to then an attacker can send a set of
1790	crafted mode 6 response packets that, if received by ntpq,
1791	can cause ntpq to crash.
1792  Mitigation:
1793	Implement BCP-38.
1794	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1795	    Page or the NTP Public Services Project Download Page.
1796	If you are unable to upgrade and you run ntpq against a server
1797	    and ntpq crashes, try again using raw mode. Build or get a
1798	    patched ntpq and see if that fixes the problem. Report new
1799	    bugs in ntpq or abusive servers appropriately.
1800	If you use ntpq in scripts, make sure ntpq does what you expect
1801	    in your scripts.
1802  Credit: This weakness was discovered by Yves Younan and
1803  	Aleksander Nikolich of Cisco Talos.
1804
1805* Invalid length data provided by a custom refclock driver could cause
1806  a buffer overflow.
1807
1808  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
1809  Affects: Potentially all ntp-4 releases running up to, but not
1810	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1811	that have custom refclocks
1812  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
1813	5.9 unusual worst case
1814  Summary: A negative value for the datalen parameter will overflow a
1815	data buffer. NTF's ntpd driver implementations always set this
1816	value to 0 and are therefore not vulnerable to this weakness.
1817	If you are running a custom refclock driver in ntpd and that
1818	driver supplies a negative value for datalen (no custom driver
1819	of even minimal competence would do this) then ntpd would
1820	overflow a data buffer. It is even hypothetically possible
1821	in this case that instead of simply crashing ntpd the attacker
1822	could effect a code injection attack.
1823  Mitigation:
1824	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1825	    Page or the NTP Public Services Project Download Page.
1826	If you are unable to upgrade:
1827		If you are running custom refclock drivers, make sure
1828			the signed datalen value is either zero or positive.
1829	Monitor your ntpd instances.
1830  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1831
1832* Password Length Memory Corruption Vulnerability
1833
1834  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
1835  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1836  	4.3.0 up to, but not including 4.3.77
1837  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1838  	1.7 usual case, 6.8, worst case
1839  Summary: If ntpd is configured to allow remote configuration, and if
1840	the (possibly spoofed) source IP address is allowed to send
1841	remote configuration requests, and if the attacker knows the
1842	remote configuration password or if ntpd was (foolishly)
1843	configured to disable authentication, then an attacker can
1844	send a set of packets to ntpd that may cause it to crash,
1845	with the hypothetical possibility of a small code injection.
1846  Mitigation:
1847	Implement BCP-38.
1848	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1849	    Page or the NTP Public Services Project Download Page.
1850	If you are unable to upgrade, remote configuration of NTF's
1851	    ntpd requires:
1852		an explicitly configured "trusted" key. Only configure
1853			this if you need it.
1854		access from a permitted IP address. You choose the IPs.
1855		authentication. Don't disable it. Practice secure key safety.
1856	Monitor your ntpd instances.
1857  Credit: This weakness was discovered by Yves Younan and
1858  	Aleksander Nikolich of Cisco Talos.
1859
1860* decodenetnum() will ASSERT botch instead of returning FAIL on some
1861  bogus values.
1862
1863  References: Sec 2922 / CVE-2015-7855
1864  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1865	4.3.0 up to, but not including 4.3.77
1866  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1867  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
1868	an unusually long data value where a network address is expected,
1869	the decodenetnum() function will abort with an assertion failure
1870	instead of simply returning a failure condition.
1871  Mitigation:
1872	Implement BCP-38.
1873	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1874	    Page or the NTP Public Services Project Download Page.
1875	If you are unable to upgrade:
1876		mode 7 is disabled by default. Don't enable it.
1877		Use restrict noquery to limit who can send mode 6
1878			and mode 7 requests.
1879		Configure and use the controlkey and requestkey
1880			authentication directives to limit who can
1881			send mode 6 and mode 7 requests.
1882	Monitor your ntpd instances.
1883  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1884
1885* NAK to the Future: Symmetric association authentication bypass via
1886  crypto-NAK.
1887
1888  References: Sec 2941 / CVE-2015-7871
1889  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1890  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
1891  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1892  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1893	from unauthenticated ephemeral symmetric peers by bypassing the
1894	authentication required to mobilize peer associations. This
1895	vulnerability appears to have been introduced in ntp-4.2.5p186
1896	when the code handling mobilization of new passive symmetric
1897	associations (lines 1103-1165) was refactored.
1898  Mitigation:
1899	Implement BCP-38.
1900	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1901	    Page or the NTP Public Services Project Download Page.
1902	If you are unable to upgrade:
1903		Apply the patch to the bottom of the "authentic" check
1904			block around line 1136 of ntp_proto.c.
1905	Monitor your ntpd instances.
1906  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1907
1908Backward-Incompatible changes:
1909* [Bug 2817] Default on Linux is now "rlimit memlock -1".
1910  While the general default of 32M is still the case, under Linux
1911  the default value has been changed to -1 (do not lock ntpd into
1912  memory).  A value of 0 means "lock ntpd into memory with whatever
1913  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1914  value in it, that value will continue to be used.
1915
1916* [Bug 2886] Misspelling: "outlyer" should be "outlier".
1917  If you've written a script that looks for this case in, say, the
1918  output of ntpq, you probably want to change your regex matches
1919  from 'outlyer' to 'outl[iy]er'.
1920
1921New features in this release:
1922* 'rlimit memlock' now has finer-grained control.  A value of -1 means
1923  "don't lock ntpd into memore".  This is the default for Linux boxes.
1924  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
1925  the value is the number of megabytes of memory to lock.  The default
1926  is 32 megabytes.
1927
1928* The old Google Test framework has been replaced with a new framework,
1929  based on http://www.throwtheswitch.org/unity/ .
1930
1931Bug Fixes and Improvements:
1932* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1933  privileges and limiting resources in NTPD removes the need to link
1934  forcefully against 'libgcc_s' which does not always work. J.Perlinger
1935* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
1936* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
1937* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
1938* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
1939* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
1940* [Bug 2849] Systems with more than one default route may never
1941  synchronize.  Brian Utterback.  Note that this patch might need to
1942  be reverted once Bug 2043 has been fixed.
1943* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1944* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
1945* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1946* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
1947* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1948* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
1949  be configured for the distribution targets.  Harlan Stenn.
1950* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
1951* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
1952* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
1953* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
1954* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
1955* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
1956* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
1957* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
1958* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
1959* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
1960* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
1961* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
1962* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
1963* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
1964* sntp/tests/ function parameter list cleanup.  Damir Tomić.
1965* tests/libntp/ function parameter list cleanup.  Damir Tomić.
1966* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
1967* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
1968* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
1969* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
1970* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
1971* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1972  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1973  formatting; first declaration, then code (C90); deleted unnecessary comments;
1974  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1975* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1976  fix formatting, cleanup. Tomasz Flendrich
1977* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1978  Tomasz Flendrich
1979* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1980  fix formatting. Tomasz Flendrich
1981* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1982* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1983* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1984  Tomasz Flendrich
1985* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1986* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1987* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1988* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1989* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1990* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1991* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1992fixed formatting. Tomasz Flendrich
1993* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1994  removed unnecessary comments, cleanup. Tomasz Flendrich
1995* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1996  comments, cleanup. Tomasz Flendrich
1997* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1998  Tomasz Flendrich
1999* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2000* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2001* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2002  Tomasz Flendrich
2003* sntp/tests/kodDatabase.c added consts, deleted empty function,
2004  fixed formatting. Tomasz Flendrich
2005* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2006* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2007  fixed formatting, deleted unused variable. Tomasz Flendrich
2008* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2009  Tomasz Flendrich
2010* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2011  fixed formatting. Tomasz Flendrich
2012* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2013  the order of includes, fixed formatting, removed unnecessary comments.
2014  Tomasz Flendrich
2015* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2016* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2017  made one function do its job, deleted unnecessary prints, fixed formatting.
2018  Tomasz Flendrich
2019* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2020* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2021* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2022* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2023* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2024* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2025* Don't build sntp/libevent/sample/.  Harlan Stenn.
2026* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2027* br-flock: --enable-local-libevent.  Harlan Stenn.
2028* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2029* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2030* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2031* Code cleanup.  Harlan Stenn.
2032* libntp/icom.c: Typo fix.  Harlan Stenn.
2033* util/ntptime.c: initialization nit.  Harlan Stenn.
2034* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2035* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2036* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2037  Tomasz Flendrich
2038* Changed progname to be const in many files - now it's consistent. Tomasz
2039  Flendrich
2040* Typo fix for GCC warning suppression.  Harlan Stenn.
2041* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2042* Added declarations to all Unity tests, and did minor fixes to them.
2043  Reduced the number of warnings by half. Damir Tomić.
2044* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2045  with the latest Unity updates from Mark. Damir Tomić.
2046* Retire google test - phase I.  Harlan Stenn.
2047* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2048* Update the NEWS file.  Harlan Stenn.
2049* Autoconf cleanup.  Harlan Stenn.
2050* Unit test dist cleanup. Harlan Stenn.
2051* Cleanup various test Makefile.am files.  Harlan Stenn.
2052* Pthread autoconf macro cleanup.  Harlan Stenn.
2053* Fix progname definition in unity runner scripts.  Harlan Stenn.
2054* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2055* Update the patch for bug 2817.  Harlan Stenn.
2056* More updates for bug 2817.  Harlan Stenn.
2057* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2058* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2059* Adding missing MCAST protection.  Harlan Stenn.
2060* Disable certain test programs on certain platforms.  Harlan Stenn.
2061* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2062* build system tweaks.  Harlan Stenn.
2063
2064---
2065NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2066
2067Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2068
2069Severity: MEDIUM
2070
2071Security Fix:
2072
2073* [Sec 2853] Crafted remote config packet can crash some versions of
2074  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2075
2076Under specific circumstances an attacker can send a crafted packet to
2077cause a vulnerable ntpd instance to crash. This requires each of the
2078following to be true:
2079
20801) ntpd set up to allow remote configuration (not allowed by default), and
20812) knowledge of the configuration password, and
20823) access to a computer entrusted to perform remote configuration.
2083
2084This vulnerability is considered low-risk.
2085
2086New features in this release:
2087
2088Optional (disabled by default) support to have ntpd provide smeared
2089leap second time.  A specially built and configured ntpd will only
2090offer smeared time in response to client packets.  These response
2091packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2092of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2093format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2094information.
2095
2096   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2097   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2098
2099We've imported the Unity test framework, and have begun converting
2100the existing google-test items to this new framework.  If you want
2101to write new tests or change old ones, you'll need to have ruby
2102installed.  You don't need ruby to run the test suite.
2103
2104Bug Fixes and Improvements:
2105
2106* CID 739725: Fix a rare resource leak in libevent/listener.c.
2107* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2108* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2109* CID 1269537: Clean up a line of dead code in getShmTime().
2110* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2111* [Bug 2590] autogen-5.18.5.
2112* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2113  of 'limited'.
2114* [Bug 2650] fix includefile processing.
2115* [Bug 2745] ntpd -x steps clock on leap second
2116   Fixed an initial-value problem that caused misbehaviour in absence of
2117   any leapsecond information.
2118   Do leap second stepping only of the step adjustment is beyond the
2119   proper jump distance limit and step correction is allowed at all.
2120* [Bug 2750] build for Win64
2121  Building for 32bit of loopback ppsapi needs def file
2122* [Bug 2776] Improve ntpq's 'help keytype'.
2123* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2124* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2125* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2126  interface is ignored as long as this flag is not set since the
2127  interface is not usable (e.g., no link).
2128* [Bug 2794] Clean up kernel clock status reports.
2129* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2130  of incompatible open/fdopen parameters.
2131* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2132* [Bug 2805] ntpd fails to join multicast group.
2133* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2134* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2135  Fix crash during cleanup if GPS device not present and char device.
2136  Increase internal token buffer to parse all JSON data, even SKY.
2137  Defer logging of errors during driver init until the first unit is
2138  started, so the syslog is not cluttered when the driver is not used.
2139  Various improvements, see http://bugs.ntp.org/2808 for details.
2140  Changed libjsmn to a more recent version.
2141* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2142* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2143* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2144* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2145* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2146* [Bug 2824] Convert update-leap to perl. (also see 2769)
2147* [Bug 2825] Quiet file installation in html/ .
2148* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2149   NTPD transfers the current TAI (instead of an announcement) now.
2150   This might still needed improvement.
2151   Update autokey data ASAP when 'sys_tai' changes.
2152   Fix unit test that was broken by changes for autokey update.
2153   Avoid potential signature length issue and use DPRINTF where possible
2154     in ntp_crypto.c.
2155* [Bug 2832] refclock_jjy.c supports the TDC-300.
2156* [Bug 2834] Correct a broken html tag in html/refclock.html
2157* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2158  robust, and require 2 consecutive timestamps to be consistent.
2159* [Bug 2837] Allow a configurable DSCP value.
2160* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2161* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2162* [Bug 2842] Bug in mdoc2man.
2163* [Bug 2843] make check fails on 4.3.36
2164   Fixed compiler warnings about numeric range overflow
2165   (The original topic was fixed in a byplay to bug#2830)
2166* [Bug 2845] Harden memory allocation in ntpd.
2167* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2168* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2169* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2170* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2171* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2172* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2173* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2174* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2175* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2176* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2177* refidsmear test cleanup.  Tomasz Flendrich.
2178* refidsmear function support and tests.  Harlan Stenn.
2179* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2180  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2181* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2182  Damir Tomić
2183* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2184  Damir Tomić
2185* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2186  Damir Tomić
2187* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2188* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2189* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2190  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2191  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2192  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2193  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2194  Damir Tomić
2195* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2196  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2197  fileHandlingTest.h. Damir Tomić
2198* Initial support for experimental leap smear code.  Harlan Stenn.
2199* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2200* Report select() debug messages at debug level 3 now.
2201* sntp/scripts/genLocInfo: treat raspbian as debian.
2202* Unity test framework fixes.
2203  ** Requires ruby for changes to tests.
2204* Initial support for PACKAGE_VERSION tests.
2205* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2206* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2207* Add an assert to the ntpq ifstats code.
2208* Clean up the RLIMIT_STACK code.
2209* Improve the ntpq documentation around the controlkey keyid.
2210* ntpq.c cleanup.
2211* Windows port build cleanup.
2212
2213---
2214NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2215
2216Focus: Security and Bug fixes, enhancements.
2217
2218Severity: MEDIUM
2219
2220In addition to bug fixes and enhancements, this release fixes the
2221following medium-severity vulnerabilities involving private key
2222authentication:
2223
2224* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2225
2226    References: Sec 2779 / CVE-2015-1798 / VU#374268
2227    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2228	including ntp-4.2.8p2 where the installation uses symmetric keys
2229	to authenticate remote associations.
2230    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2231    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2232    Summary: When ntpd is configured to use a symmetric key to authenticate
2233	a remote NTP server/peer, it checks if the NTP message
2234	authentication code (MAC) in received packets is valid, but not if
2235	there actually is any MAC included. Packets without a MAC are
2236	accepted as if they had a valid MAC. This allows a MITM attacker to
2237	send false packets that are accepted by the client/peer without
2238	having to know the symmetric key. The attacker needs to know the
2239	transmit timestamp of the client to match it in the forged reply
2240	and the false reply needs to reach the client before the genuine
2241	reply from the server. The attacker doesn't necessarily need to be
2242	relaying the packets between the client and the server.
2243
2244	Authentication using autokey doesn't have this problem as there is
2245	a check that requires the key ID to be larger than NTP_MAXKEY,
2246	which fails for packets without a MAC.
2247    Mitigation:
2248        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2249	or the NTP Public Services Project Download Page
2250        Configure ntpd with enough time sources and monitor it properly.
2251    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2252
2253* [Sec 2781] Authentication doesn't protect symmetric associations against
2254  DoS attacks.
2255
2256    References: Sec 2781 / CVE-2015-1799 / VU#374268
2257    Affects: All NTP releases starting with at least xntp3.3wy up to but
2258	not including ntp-4.2.8p2 where the installation uses symmetric
2259	key authentication.
2260    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2261    Note: the CVSS base Score for this issue could be 4.3 or lower, and
2262	it could be higher than 5.4.
2263    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2264    Summary: An attacker knowing that NTP hosts A and B are peering with
2265	each other (symmetric association) can send a packet to host A
2266	with source address of B which will set the NTP state variables
2267	on A to the values sent by the attacker. Host A will then send
2268	on its next poll to B a packet with originate timestamp that
2269	doesn't match the transmit timestamp of B and the packet will
2270	be dropped. If the attacker does this periodically for both
2271	hosts, they won't be able to synchronize to each other. This is
2272	a known denial-of-service attack, described at
2273	https://www.eecis.udel.edu/~mills/onwire.html .
2274
2275	According to the document the NTP authentication is supposed to
2276	protect symmetric associations against this attack, but that
2277	doesn't seem to be the case. The state variables are updated even
2278	when authentication fails and the peers are sending packets with
2279	originate timestamps that don't match the transmit timestamps on
2280	the receiving side.
2281
2282	This seems to be a very old problem, dating back to at least
2283	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2284	specifications, so other NTP implementations with support for
2285	symmetric associations and authentication may be vulnerable too.
2286	An update to the NTP RFC to correct this error is in-process.
2287    Mitigation:
2288        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2289	or the NTP Public Services Project Download Page
2290        Note that for users of autokey, this specific style of MITM attack
2291	is simply a long-known potential problem.
2292        Configure ntpd with appropriate time sources and monitor ntpd.
2293	Alert your staff if problems are detected.
2294    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2295
2296* New script: update-leap
2297The update-leap script will verify and if necessary, update the
2298leap-second definition file.
2299It requires the following commands in order to work:
2300
2301	wget logger tr sed shasum
2302
2303Some may choose to run this from cron.  It needs more portability testing.
2304
2305Bug Fixes and Improvements:
2306
2307* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2308* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2309* [Bug 2346] "graceful termination" signals do not do peer cleanup.
2310* [Bug 2728] See if C99-style structure initialization works.
2311* [Bug 2747] Upgrade libevent to 2.1.5-beta.
2312* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2313* [Bug 2751] jitter.h has stale copies of l_fp macros.
2314* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2315* [Bug 2757] Quiet compiler warnings.
2316* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2317* [Bug 2763] Allow different thresholds for forward and backward steps.
2318* [Bug 2766] ntp-keygen output files should not be world-readable.
2319* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2320* [Bug 2771] nonvolatile value is documented in wrong units.
2321* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2322* [Bug 2774] Unreasonably verbose printout - leap pending/warning
2323* [Bug 2775] ntp-keygen.c fails to compile under Windows.
2324* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2325  Removed non-ASCII characters from some copyright comments.
2326  Removed trailing whitespace.
2327  Updated definitions for Meinberg clocks from current Meinberg header files.
2328  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2329  Account for updated definitions pulled from Meinberg header files.
2330  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2331  Replaced some constant numbers by defines from ntp_calendar.h
2332  Modified creation of parse-specific variables for Meinberg devices
2333  in gps16x_message().
2334  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2335  Modified mbg_tm_str() which now expexts an additional parameter controlling
2336  if the time status shall be printed.
2337* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2338* [Sec 2781] Authentication doesn't protect symmetric associations against
2339  DoS attacks.
2340* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2341* [Bug 2789] Quiet compiler warnings from libevent.
2342* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2343  pause briefly before measuring system clock precision to yield
2344  correct results.
2345* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2346* Use predefined function types for parse driver functions
2347  used to set up function pointers.
2348  Account for changed prototype of parse_inp_fnc_t functions.
2349  Cast parse conversion results to appropriate types to avoid
2350  compiler warnings.
2351  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2352  when called with pointers to different types.
2353
2354---
2355NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2356
2357Focus: Security and Bug fixes, enhancements.
2358
2359Severity: HIGH
2360
2361In addition to bug fixes and enhancements, this release fixes the
2362following high-severity vulnerabilities:
2363
2364* vallen is not validated in several places in ntp_crypto.c, leading
2365  to a potential information leak or possibly a crash
2366
2367    References: Sec 2671 / CVE-2014-9297 / VU#852879
2368    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2369    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2370    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2371    Summary: The vallen packet value is not validated in several code
2372             paths in ntp_crypto.c which can lead to information leakage
2373	     or perhaps a crash of the ntpd process.
2374    Mitigation - any of:
2375	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2376		or the NTP Public Services Project Download Page.
2377	Disable Autokey Authentication by removing, or commenting out,
2378		all configuration directives beginning with the "crypto"
2379		keyword in your ntp.conf file.
2380    Credit: This vulnerability was discovered by Stephen Roettger of the
2381    	Google Security Team, with additional cases found by Sebastian
2382	Krahmer of the SUSE Security Team and Harlan Stenn of Network
2383	Time Foundation.
2384
2385* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2386  can be bypassed.
2387
2388    References: Sec 2672 / CVE-2014-9298 / VU#852879
2389    Affects: All NTP4 releases before 4.2.8p1, under at least some
2390	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2391    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2392    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
2393    Summary: While available kernels will prevent 127.0.0.1 addresses
2394	from "appearing" on non-localhost IPv4 interfaces, some kernels
2395	do not offer the same protection for ::1 source addresses on
2396	IPv6 interfaces. Since NTP's access control is based on source
2397	address and localhost addresses generally have no restrictions,
2398	an attacker can send malicious control and configuration packets
2399	by spoofing ::1 addresses from the outside. Note Well: This is
2400	not really a bug in NTP, it's a problem with some OSes. If you
2401	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2402	ACL restrictions on any application can be bypassed!
2403    Mitigation:
2404        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2405	or the NTP Public Services Project Download Page
2406        Install firewall rules to block packets claiming to come from
2407	::1 from inappropriate network interfaces.
2408    Credit: This vulnerability was discovered by Stephen Roettger of
2409	the Google Security Team.
2410
2411Additionally, over 30 bugfixes and improvements were made to the codebase.
2412See the ChangeLog for more information.
2413
2414---
2415NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
2416
2417Focus: Security and Bug fixes, enhancements.
2418
2419Severity: HIGH
2420
2421In addition to bug fixes and enhancements, this release fixes the
2422following high-severity vulnerabilities:
2423
2424************************** vv NOTE WELL vv *****************************
2425
2426The vulnerabilities listed below can be significantly mitigated by
2427following the BCP of putting
2428
2429 restrict default ... noquery
2430
2431in the ntp.conf file.  With the exception of:
2432
2433   receive(): missing return on error
2434   References: Sec 2670 / CVE-2014-9296 / VU#852879
2435
2436below (which is a limited-risk vulnerability), none of the recent
2437vulnerabilities listed below can be exploited if the source IP is
2438restricted from sending a 'query'-class packet by your ntp.conf file.
2439
2440************************** ^^ NOTE WELL ^^ *****************************
2441
2442* Weak default key in config_auth().
2443
2444  References: [Sec 2665] / CVE-2014-9293 / VU#852879
2445  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2446  Vulnerable Versions: all releases prior to 4.2.7p11
2447  Date Resolved: 28 Jan 2010
2448
2449  Summary: If no 'auth' key is set in the configuration file, ntpd
2450	would generate a random key on the fly.  There were two
2451	problems with this: 1) the generated key was 31 bits in size,
2452	and 2) it used the (now weak) ntp_random() function, which was
2453	seeded with a 32-bit value and could only provide 32 bits of
2454	entropy.  This was sufficient back in the late 1990s when the
2455	code was written.  Not today.
2456
2457  Mitigation - any of:
2458	- Upgrade to 4.2.7p11 or later.
2459	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2460
2461  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2462  	of the Google Security Team.
2463
2464* Non-cryptographic random number generator with weak seed used by
2465  ntp-keygen to generate symmetric keys.
2466
2467  References: [Sec 2666] / CVE-2014-9294 / VU#852879
2468  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2469  Vulnerable Versions: All NTP4 releases before 4.2.7p230
2470  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2471
2472  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2473  	prepare a random number generator that was of good quality back
2474	in the late 1990s. The random numbers produced was then used to
2475	generate symmetric keys. In ntp-4.2.8 we use a current-technology
2476	cryptographic random number generator, either RAND_bytes from
2477	OpenSSL, or arc4random().
2478
2479  Mitigation - any of:
2480  	- Upgrade to 4.2.7p230 or later.
2481	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2482
2483  Credit:  This vulnerability was discovered in ntp-4.2.6 by
2484  	Stephen Roettger of the Google Security Team.
2485
2486* Buffer overflow in crypto_recv()
2487
2488  References: Sec 2667 / CVE-2014-9295 / VU#852879
2489  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2490  Versions: All releases before 4.2.8
2491  Date Resolved: Stable (4.2.8) 18 Dec 2014
2492
2493  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2494  	file contains a 'crypto pw ...' directive) a remote attacker
2495	can send a carefully crafted packet that can overflow a stack
2496	buffer and potentially allow malicious code to be executed
2497	with the privilege level of the ntpd process.
2498
2499  Mitigation - any of:
2500  	- Upgrade to 4.2.8, or later, or
2501	- Disable Autokey Authentication by removing, or commenting out,
2502	  all configuration directives beginning with the crypto keyword
2503	  in your ntp.conf file.
2504
2505  Credit: This vulnerability was discovered by Stephen Roettger of the
2506  	Google Security Team.
2507
2508* Buffer overflow in ctl_putdata()
2509
2510  References: Sec 2668 / CVE-2014-9295 / VU#852879
2511  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2512  Versions: All NTP4 releases before 4.2.8
2513  Date Resolved: Stable (4.2.8) 18 Dec 2014
2514
2515  Summary: A remote attacker can send a carefully crafted packet that
2516  	can overflow a stack buffer and potentially allow malicious
2517	code to be executed with the privilege level of the ntpd process.
2518
2519  Mitigation - any of:
2520  	- Upgrade to 4.2.8, or later.
2521	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2522
2523  Credit: This vulnerability was discovered by Stephen Roettger of the
2524  	Google Security Team.
2525
2526* Buffer overflow in configure()
2527
2528  References: Sec 2669 / CVE-2014-9295 / VU#852879
2529  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2530  Versions: All NTP4 releases before 4.2.8
2531  Date Resolved: Stable (4.2.8) 18 Dec 2014
2532
2533  Summary: A remote attacker can send a carefully crafted packet that
2534	can overflow a stack buffer and potentially allow malicious
2535	code to be executed with the privilege level of the ntpd process.
2536
2537  Mitigation - any of:
2538  	- Upgrade to 4.2.8, or later.
2539	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2540
2541  Credit: This vulnerability was discovered by Stephen Roettger of the
2542	Google Security Team.
2543
2544* receive(): missing return on error
2545
2546  References: Sec 2670 / CVE-2014-9296 / VU#852879
2547  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2548  Versions: All NTP4 releases before 4.2.8
2549  Date Resolved: Stable (4.2.8) 18 Dec 2014
2550
2551  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
2552  	the code path where an error was detected, which meant
2553	processing did not stop when a specific rare error occurred.
2554	We haven't found a way for this bug to affect system integrity.
2555	If there is no way to affect system integrity the base CVSS
2556	score for this bug is 0. If there is one avenue through which
2557	system integrity can be partially affected, the base score
2558	becomes a 5. If system integrity can be partially affected
2559	via all three integrity metrics, the CVSS base score become 7.5.
2560
2561  Mitigation - any of:
2562        - Upgrade to 4.2.8, or later,
2563        - Remove or comment out all configuration directives
2564	  beginning with the crypto keyword in your ntp.conf file.
2565
2566  Credit: This vulnerability was discovered by Stephen Roettger of the
2567  	Google Security Team.
2568
2569See http://support.ntp.org/security for more information.
2570
2571New features / changes in this release:
2572
2573Important Changes
2574
2575* Internal NTP Era counters
2576
2577The internal counters that track the "era" (range of years) we are in
2578rolls over every 136 years'.  The current "era" started at the stroke of
2579midnight on 1 Jan 1900, and ends just before the stroke of midnight on
25801 Jan 2036.
2581In the past, we have used the "midpoint" of the  range to decide which
2582era we were in.  Given the longevity of some products, it became clear
2583that it would be more functional to "look back" less, and "look forward"
2584more.  We now compile a timestamp into the ntpd executable and when we
2585get a timestamp we us the "built-on" to tell us what era we are in.
2586This check "looks back" 10 years, and "looks forward" 126 years.
2587
2588* ntpdc responses disabled by default
2589
2590Dave Hart writes:
2591
2592For a long time, ntpq and its mostly text-based mode 6 (control)
2593protocol have been preferred over ntpdc and its mode 7 (private
2594request) protocol for runtime queries and configuration.  There has
2595been a goal of deprecating ntpdc, previously held back by numerous
2596capabilities exposed by ntpdc with no ntpq equivalent.  I have been
2597adding commands to ntpq to cover these cases, and I believe I've
2598covered them all, though I've not compared command-by-command
2599recently.
2600
2601As I've said previously, the binary mode 7 protocol involves a lot of
2602hand-rolled structure layout and byte-swapping code in both ntpd and
2603ntpdc which is hard to get right.  As ntpd grows and changes, the
2604changes are difficult to expose via ntpdc while maintaining forward
2605and backward compatibility between ntpdc and ntpd.  In contrast,
2606ntpq's text-based, label=value approach involves more code reuse and
2607allows compatible changes without extra work in most cases.
2608
2609Mode 7 has always been defined as vendor/implementation-specific while
2610mode 6 is described in RFC 1305 and intended to be open to interoperate
2611with other implementations.  There is an early draft of an updated
2612mode 6 description that likely will join the other NTPv4 RFCs
2613eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
2614
2615For these reasons, ntpd 4.2.7p230 by default disables processing of
2616ntpdc queries, reducing ntpd's attack surface and functionally
2617deprecating ntpdc.  If you are in the habit of using ntpdc for certain
2618operations, please try the ntpq equivalent.  If there's no equivalent,
2619please open a bug report at http://bugs.ntp.org./
2620
2621In addition to the above, over 1100 issues have been resolved between
2622the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
2623lists these.
2624
2625---
2626NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
2627
2628Focus: Bug fixes
2629
2630Severity: Medium
2631
2632This is a recommended upgrade.
2633
2634This release updates sys_rootdisp and sys_jitter calculations to match the
2635RFC specification, fixes a potential IPv6 address matching error for the
2636"nic" and "interface" configuration directives, suppresses the creation of
2637extraneous ephemeral associations for certain broadcastclient and
2638multicastclient configurations, cleans up some ntpq display issues, and
2639includes improvements to orphan mode, minor bugs fixes and code clean-ups.
2640
2641New features / changes in this release:
2642
2643ntpd
2644
2645 * Updated "nic" and "interface" IPv6 address handling to prevent
2646   mismatches with localhost [::1] and wildcard [::] which resulted from
2647   using the address/prefix format (e.g. fe80::/64)
2648 * Fix orphan mode stratum incorrectly counting to infinity
2649 * Orphan parent selection metric updated to includes missing ntohl()
2650 * Non-printable stratum 16 refid no longer sent to ntp
2651 * Duplicate ephemeral associations suppressed for broadcastclient and
2652   multicastclient without broadcastdelay
2653 * Exclude undetermined sys_refid from use in loopback TEST12
2654 * Exclude MODE_SERVER responses from KoD rate limiting
2655 * Include root delay in clock_update() sys_rootdisp calculations
2656 * get_systime() updated to exclude sys_residual offset (which only
2657   affected bits "below" sys_tick, the precision threshold)
2658 * sys.peer jitter weighting corrected in sys_jitter calculation
2659
2660ntpq
2661
2662 * -n option extended to include the billboard "server" column
2663 * IPv6 addresses in the local column truncated to prevent overruns
2664
2665---
2666NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
2667
2668Focus: Bug fixes and portability improvements
2669
2670Severity: Medium
2671
2672This is a recommended upgrade.
2673
2674This release includes build infrastructure updates, code
2675clean-ups, minor bug fixes, fixes for a number of minor
2676ref-clock issues, and documentation revisions.
2677
2678Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
2679
2680New features / changes in this release:
2681
2682Build system
2683
2684* Fix checking for struct rtattr
2685* Update config.guess and config.sub for AIX
2686* Upgrade required version of autogen and libopts for building
2687  from our source code repository
2688
2689ntpd
2690
2691* Back-ported several fixes for Coverity warnings from ntp-dev
2692* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
2693* Allow "logconfig =allall" configuration directive
2694* Bind tentative IPv6 addresses on Linux
2695* Correct WWVB/Spectracom driver to timestamp CR instead of LF
2696* Improved tally bit handling to prevent incorrect ntpq peer status reports
2697* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
2698  candidate list unless they are designated a "prefer peer"
2699* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
2700  selection during the 'tos orphanwait' period
2701* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
2702  drivers
2703* Improved support of the Parse Refclock trusttime flag in Meinberg mode
2704* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
2705* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
2706  clock slew on Microsoft Windows
2707* Code cleanup in libntpq
2708
2709ntpdc
2710
2711* Fix timerstats reporting
2712
2713ntpdate
2714
2715* Reduce time required to set clock
2716* Allow a timeout greater than 2 seconds
2717
2718sntp
2719
2720* Backward incompatible command-line option change:
2721  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
2722
2723Documentation
2724
2725* Update html2man. Fix some tags in the .html files
2726* Distribute ntp-wait.html
2727
2728---
2729NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
2730
2731Focus: Bug fixes and portability improvements
2732
2733Severity: Medium
2734
2735This is a recommended upgrade.
2736
2737This release includes build infrastructure updates, code
2738clean-ups, minor bug fixes, fixes for a number of minor
2739ref-clock issues, and documentation revisions.
2740
2741Portability improvements in this release affect AIX, Atari FreeMiNT,
2742FreeBSD4, Linux and Microsoft Windows.
2743
2744New features / changes in this release:
2745
2746Build system
2747* Use lsb_release to get information about Linux distributions.
2748* 'test' is in /usr/bin (instead of /bin) on some systems.
2749* Basic sanity checks for the ChangeLog file.
2750* Source certain build files with ./filename for systems without . in PATH.
2751* IRIX portability fix.
2752* Use a single copy of the "libopts" code.
2753* autogen/libopts upgrade.
2754* configure.ac m4 quoting cleanup.
2755
2756ntpd
2757* Do not bind to IN6_IFF_ANYCAST addresses.
2758* Log the reason for exiting under Windows.
2759* Multicast fixes for Windows.
2760* Interpolation fixes for Windows.
2761* IPv4 and IPv6 Multicast fixes.
2762* Manycast solicitation fixes and general repairs.
2763* JJY refclock cleanup.
2764* NMEA refclock improvements.
2765* Oncore debug message cleanup.
2766* Palisade refclock now builds under Linux.
2767* Give RAWDCF more baud rates.
2768* Support Truetime Satellite clocks under Windows.
2769* Support Arbiter 1093C Satellite clocks under Windows.
2770* Make sure that the "filegen" configuration command defaults to "enable".
2771* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
2772* Prohibit 'includefile' directive in remote configuration command.
2773* Fix 'nic' interface bindings.
2774* Fix the way we link with openssl if openssl is installed in the base
2775  system.
2776
2777ntp-keygen
2778* Fix -V coredump.
2779* OpenSSL version display cleanup.
2780
2781ntpdc
2782* Many counters should be treated as unsigned.
2783
2784ntpdate
2785* Do not ignore replies with equal receive and transmit timestamps.
2786
2787ntpq
2788* libntpq warning cleanup.
2789
2790ntpsnmpd
2791* Correct SNMP type for "precision" and "resolution".
2792* Update the MIB from the draft version to RFC-5907.
2793
2794sntp
2795* Display timezone offset when showing time for sntp in the local
2796  timezone.
2797* Pay proper attention to RATE KoD packets.
2798* Fix a miscalculation of the offset.
2799* Properly parse empty lines in the key file.
2800* Logging cleanup.
2801* Use tv_usec correctly in set_time().
2802* Documentation cleanup.
2803
2804---
2805NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
2806
2807Focus: Bug fixes and portability improvements
2808
2809Severity: Medium
2810
2811This is a recommended upgrade.
2812
2813This release includes build infrastructure updates, code
2814clean-ups, minor bug fixes, fixes for a number of minor
2815ref-clock issues, improved KOD handling, OpenSSL related
2816updates and documentation revisions.
2817
2818Portability improvements in this release affect Irix, Linux,
2819Mac OS, Microsoft Windows, OpenBSD and QNX6
2820
2821New features / changes in this release:
2822
2823ntpd
2824* Range syntax for the trustedkey configuration directive
2825* Unified IPv4 and IPv6 restrict lists
2826
2827ntpdate
2828* Rate limiting and KOD handling
2829
2830ntpsnmpd
2831* default connection to net-snmpd via a unix-domain socket
2832* command-line 'socket name' option
2833
2834ntpq / ntpdc
2835* support for the "passwd ..." syntax
2836* key-type specific password prompts
2837
2838sntp
2839* MD5 authentication of an ntpd
2840* Broadcast and crypto
2841* OpenSSL support
2842
2843---
2844NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
2845
2846Focus: Bug fixes, portability fixes, and documentation improvements
2847
2848Severity: Medium
2849
2850This is a recommended upgrade.
2851
2852---
2853NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
2854
2855Focus: enhancements and bug fixes.
2856
2857---
2858NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
2859
2860Focus: Security Fixes
2861
2862Severity: HIGH
2863
2864This release fixes the following high-severity vulnerability:
2865
2866* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
2867
2868  See http://support.ntp.org/security for more information.
2869
2870  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
2871  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
2872  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
2873  request or a mode 7 error response from an address which is not listed
2874  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
2875  reply with a mode 7 error response (and log a message).  In this case:
2876
2877	* If an attacker spoofs the source address of ntpd host A in a
2878	  mode 7 response packet sent to ntpd host B, both A and B will
2879	  continuously send each other error responses, for as long as
2880	  those packets get through.
2881
2882	* If an attacker spoofs an address of ntpd host A in a mode 7
2883	  response packet sent to ntpd host A, A will respond to itself
2884	  endlessly, consuming CPU and logging excessively.
2885
2886  Credit for finding this vulnerability goes to Robin Park and Dmitri
2887  Vinokurov of Alcatel-Lucent.
2888
2889THIS IS A STRONGLY RECOMMENDED UPGRADE.
2890
2891---
2892ntpd now syncs to refclocks right away.
2893
2894Backward-Incompatible changes:
2895
2896ntpd no longer accepts '-v name' or '-V name' to define internal variables.
2897Use '--var name' or '--dvar name' instead. (Bug 817)
2898
2899---
2900NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
2901
2902Focus: Security and Bug Fixes
2903
2904Severity: HIGH
2905
2906This release fixes the following high-severity vulnerability:
2907
2908* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
2909
2910  See http://support.ntp.org/security for more information.
2911
2912  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
2913  line) then a carefully crafted packet sent to the machine will cause
2914  a buffer overflow and possible execution of injected code, running
2915  with the privileges of the ntpd process (often root).
2916
2917  Credit for finding this vulnerability goes to Chris Ries of CMU.
2918
2919This release fixes the following low-severity vulnerabilities:
2920
2921* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
2922  Credit for finding this vulnerability goes to Geoff Keating of Apple.
2923
2924* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
2925  Credit for finding this issue goes to Dave Hart.
2926
2927This release fixes a number of bugs and adds some improvements:
2928
2929* Improved logging
2930* Fix many compiler warnings
2931* Many fixes and improvements for Windows
2932* Adds support for AIX 6.1
2933* Resolves some issues under MacOS X and Solaris
2934
2935THIS IS A STRONGLY RECOMMENDED UPGRADE.
2936
2937---
2938NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
2939
2940Focus: Security Fix
2941
2942Severity: Low
2943
2944This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
2945the OpenSSL library relating to the incorrect checking of the return
2946value of EVP_VerifyFinal function.
2947
2948Credit for finding this issue goes to the Google Security Team for
2949finding the original issue with OpenSSL, and to ocert.org for finding
2950the problem in NTP and telling us about it.
2951
2952This is a recommended upgrade.
2953---
2954NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
2955
2956Focus: Minor Bugfixes
2957
2958This release fixes a number of Windows-specific ntpd bugs and
2959platform-independent ntpdate bugs. A logging bugfix has been applied
2960to the ONCORE driver.
2961
2962The "dynamic" keyword and is now obsolete and deferred binding to local
2963interfaces is the new default. The minimum time restriction for the
2964interface update interval has been dropped.
2965
2966A number of minor build system and documentation fixes are included.
2967
2968This is a recommended upgrade for Windows.
2969
2970---
2971NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
2972
2973Focus: Minor Bugfixes
2974
2975This release updates certain copyright information, fixes several display
2976bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
2977shutdown in the parse refclock driver, removes some lint from the code,
2978stops accessing certain buffers immediately after they were freed, fixes
2979a problem with non-command-line specification of -6, and allows the loopback
2980interface to share addresses with other interfaces.
2981
2982---
2983NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
2984
2985Focus: Minor Bugfixes
2986
2987This release fixes a bug in Windows that made it difficult to
2988terminate ntpd under windows.
2989This is a recommended upgrade for Windows.
2990
2991---
2992NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
2993
2994Focus: Minor Bugfixes
2995
2996This release fixes a multicast mode authentication problem,
2997an error in NTP packet handling on Windows that could lead to
2998ntpd crashing, and several other minor bugs. Handling of
2999multicast interfaces and logging configuration were improved.
3000The required versions of autogen and libopts were incremented.
3001This is a recommended upgrade for Windows and multicast users.
3002
3003---
3004NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3005
3006Focus: enhancements and bug fixes.
3007
3008Dynamic interface rescanning was added to simplify the use of ntpd in
3009conjunction with DHCP. GNU AutoGen is used for its command-line options
3010processing. Separate PPS devices are supported for PARSE refclocks, MD5
3011signatures are now provided for the release files. Drivers have been
3012added for some new ref-clocks and have been removed for some older
3013ref-clocks. This release also includes other improvements, documentation
3014and bug fixes.
3015
3016K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3017C support.
3018
3019---
3020NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3021
3022Focus: enhancements and bug fixes.
3023