xref: /freebsd/contrib/ntp/NEWS (revision 4f0a4502a1f33fef287ac558c98e5ef99a32216f)
1---
2
3NTP 4.2.8p6
4
5Focus: Security, Bug fixes, enhancements.
6
7Severity: MEDIUM
8
9In addition to bug fixes and enhancements, this release fixes the
10following X low- and Y medium-severity vulnerabilities:
11
12* Potential Infinite Loop in 'ntpq'
13   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
14   References: Sec 2548 / CVE-2015-8158
15   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
16	4.3.0 up to, but not including 4.3.90
17   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
18   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
19   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
20	The loop's only stopping conditions are receiving a complete and
21	correct response or hitting a small number of error conditions.
22	If the packet contains incorrect values that don't trigger one of
23	the error conditions, the loop continues to receive new packets.
24	Note well, this is an attack against an instance of 'ntpq', not
25	'ntpd', and this attack requires the attacker to do one of the
26	following:
27	* Own a malicious NTP server that the client trusts
28	* Prevent a legitimate NTP server from sending packets to
29	    the 'ntpq' client
30	* MITM the 'ntpq' communications between the 'ntpq' client
31	    and the NTP server
32   Mitigation:
33	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
34	or the NTP Public Services Project Download Page
35   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
36
37* 0rigin: Zero Origin Timestamp Bypass
38   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
39   References: Sec 2945 / CVE-2015-8138
40   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
41	4.3.0 up to, but not including 4.3.90
42   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
43   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
44	(3.7 - LOW if you score AC:L)
45   Summary: To distinguish legitimate peer responses from forgeries, a
46	client attempts to verify a response packet by ensuring that the
47	origin timestamp in the packet matches the origin timestamp it
48	transmitted in its last request.  A logic error exists that
49	allows packets with an origin timestamp of zero to bypass this
50	check whenever there is not an outstanding request to the server.
51   Mitigation:
52	Configure 'ntpd' to get time from multiple sources.
53	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
54	    or the NTP Public Services Project Download Page.
55	Monitor your 'ntpd= instances.
56   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
57
58* Stack exhaustion in recursive traversal of restriction list
59   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
60   References: Sec 2940 / CVE-2015-7978
61   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
62	4.3.0 up to, but not including 4.3.90
63   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
64   Summary: An unauthenticated 'ntpdc reslist' command can cause a
65   	segmentation fault in ntpd by exhausting the call stack.
66   Mitigation:
67	Implement BCP-38.
68	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
69	    or the NTP Public Services Project Download Page.
70	If you are unable to upgrade:
71            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
72	    If you must enable mode 7:
73		configure the use of a 'requestkey' to control who can
74		    issue mode 7 requests.
75		configure 'restrict noquery' to further limit mode 7
76		    requests to trusted sources.
77		Monitor your ntpd instances.
78   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
79
80* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
81   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
82   References: Sec 2942 / CVE-2015-7979
83   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
84	4.3.0 up to, but not including 4.3.90
85   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
86   Summary: An off-path attacker can send broadcast packets with bad
87	authentication (wrong key, mismatched key, incorrect MAC, etc)
88	to broadcast clients. It is observed that the broadcast client
89	tears down the association with the broadcast server upon
90	receiving just one bad packet.
91   Mitigation:
92	Implement BCP-38.
93	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
94	or the NTP Public Services Project Download Page.
95	Monitor your 'ntpd' instances.
96	If this sort of attack is an active problem for you, you have
97	    deeper problems to investigate.  In this case also consider
98	    having smaller NTP broadcast domains.
99   Credit: This weakness was discovered by Aanchal Malhotra of Boston
100   	University.
101
102* reslist NULL pointer dereference
103   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
104   References: Sec 2939 / CVE-2015-7977
105   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
106	4.3.0 up to, but not including 4.3.90
107   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
108   Summary: An unauthenticated 'ntpdc reslist' command can cause a
109	segmentation fault in ntpd by causing a NULL pointer dereference.
110   Mitigation:
111	Implement BCP-38.
112	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
113	the NTP Public Services Project Download Page.
114	If you are unable to upgrade:
115	    mode 7 is disabled by default.  Don't enable it.
116	    If you must enable mode 7:
117		configure the use of a 'requestkey' to control who can
118		    issue mode 7 requests.
119		configure 'restrict noquery' to further limit mode 7
120		    requests to trusted sources.
121	Monitor your ntpd instances.
122   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
123
124* 'ntpq saveconfig' command allows dangerous characters in filenames.
125   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
126   References: Sec 2938 / CVE-2015-7976
127   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
128	4.3.0 up to, but not including 4.3.90
129   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
130   Summary: The ntpq saveconfig command does not do adequate filtering
131   	of special characters from the supplied filename.
132	Note well: The ability to use the saveconfig command is controlled
133	by the 'restrict nomodify' directive, and the recommended default
134	configuration is to disable this capability.  If the ability to
135	execute a 'saveconfig' is required, it can easily (and should) be
136	limited and restricted to a known small number of IP addresses.
137   Mitigation:
138	Implement BCP-38.
139	use 'restrict default nomodify' in your 'ntp.conf' file.
140	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
141	If you are unable to upgrade:
142	    build NTP with 'configure --disable-saveconfig' if you will
143	    	never need this capability, or
144	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
145		careful about what IPs have the ability to send 'modify'
146		requests to 'ntpd'.
147	Monitor your ntpd instances.
148	'saveconfig' requests are logged to syslog - monitor your syslog files.
149   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
150
151* nextvar() missing length check in ntpq
152   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
153   References: Sec 2937 / CVE-2015-7975
154   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
155	4.3.0 up to, but not including 4.3.90
156   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
157	If you score A:C, this becomes 4.0.
158   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
159   Summary: ntpq may call nextvar() which executes a memcpy() into the
160	name buffer without a proper length check against its maximum
161	length of 256 bytes. Note well that we're taking about ntpq here.
162	The usual worst-case effect of this vulnerability is that the
163	specific instance of ntpq will crash and the person or process
164	that did this will have stopped themselves.
165   Mitigation:
166	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
167	    or the NTP Public Services Project Download Page.
168	If you are unable to upgrade:
169	    If you have scripts that feed input to ntpq make sure there are
170		some sanity checks on the input received from the "outside".
171	    This is potentially more dangerous if ntpq is run as root.
172   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
173
174* Skeleton Key: Any trusted key system can serve time
175   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
176   References: Sec 2936 / CVE-2015-7974
177   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
178	4.3.0 up to, but not including 4.3.90
179   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
180   Summary: Symmetric key encryption uses a shared trusted key. The
181	reported title for this issue was "Missing key check allows
182	impersonation between authenticated peers" and the report claimed
183	"A key specified only for one server should only work to
184	authenticate that server, other trusted keys should be refused."
185	Except there has never been any correlation between this trusted
186	key and server v. clients machines and there has never been any
187	way to specify a key only for one server. We have treated this as
188	an enhancement request, and ntp-4.2.8p6 includes other checks and
189	tests to strengthen clients against attacks coming from broadcast
190	servers.
191   Mitigation:
192	Implement BCP-38.
193	If this scenario represents a real or a potential issue for you,
194	    upgrade to 4.2.8p6, or later, from the NTP Project Download
195	    Page or the NTP Public Services Project Download Page, and
196	    use the new field in the ntp.keys file that specifies the list
197	    of IPs that are allowed to serve time. Note that this alone
198	    will not protect against time packets with forged source IP
199	    addresses, however other changes in ntp-4.2.8p6 provide
200	    significant mitigation against broadcast attacks. MITM attacks
201	    are a different story.
202	If you are unable to upgrade:
203	    Don't use broadcast mode if you cannot monitor your client
204	    	servers.
205	    If you choose to use symmetric keys to authenticate time
206	    	packets in a hostile environment where ephemeral time
207		servers can be created, or if it is expected that malicious
208		time servers will participate in an NTP broadcast domain,
209		limit the number of participating systems that participate
210		in the shared-key group.
211	Monitor your ntpd instances.
212   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
213
214* Deja Vu: Replay attack on authenticated broadcast mode
215   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
216   References: Sec 2935 / CVE-2015-7973
217   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
218   	4.3.0 up to, but not including 4.3.90
219   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
220   Summary: If an NTP network is configured for broadcast operations then
221   	either a man-in-the-middle attacker or a malicious participant
222	that has the same trusted keys as the victim can replay time packets.
223   Mitigation:
224	Implement BCP-38.
225	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
226	    or the NTP Public Services Project Download Page.
227	If you are unable to upgrade:
228	    Don't use broadcast mode if you cannot monitor your client servers.
229	Monitor your ntpd instances.
230   Credit: This weakness was discovered by Aanchal Malhotra of Boston
231	University.
232
233Other fixes:
234
235* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
236* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
237  - applied patch by shenpeng11@huawei.com with minor adjustments
238* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
239* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
240* [Bug 2892] Several test cases assume IPv6 capabilities even when
241             IPv6 is disabled in the build. perlinger@ntp.org
242  - Found this already fixed, but validation led to cleanup actions.
243* [Bug 2905] DNS lookups broken. perlinger@ntp.org
244  - added limits to stack consumption, fixed some return code handling
245* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
246  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
247  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
248* [Bug 2980] reduce number of warnings. perlinger@ntp.org
249  - integrated several patches from Havard Eidnes (he@uninett.no)
250* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
251  - implement 'auth_log2()' using integer bithack instead of float calculation
252* Make leapsec_query debug messages less verbose.  Harlan Stenn.
253
254---
255
256NTP 4.2.8p5
257
258Focus: Security, Bug fixes, enhancements.
259
260Severity: MEDIUM
261
262In addition to bug fixes and enhancements, this release fixes the
263following medium-severity vulnerability:
264
265* Small-step/big-step.  Close the panic gate earlier.
266    References: Sec 2956, CVE-2015-5300
267    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
268	4.3.0 up to, but not including 4.3.78
269    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
270    Summary: If ntpd is always started with the -g option, which is
271	common and against long-standing recommendation, and if at the
272	moment ntpd is restarted an attacker can immediately respond to
273	enough requests from enough sources trusted by the target, which
274	is difficult and not common, there is a window of opportunity
275	where the attacker can cause ntpd to set the time to an
276	arbitrary value. Similarly, if an attacker is able to respond
277	to enough requests from enough sources trusted by the target,
278	the attacker can cause ntpd to abort and restart, at which
279	point it can tell the target to set the time to an arbitrary
280	value if and only if ntpd was re-started against long-standing
281	recommendation with the -g flag, or if ntpd was not given the
282	-g flag, the attacker can move the target system's time by at
283	most 900 seconds' time per attack.
284    Mitigation:
285	Configure ntpd to get time from multiple sources.
286	Upgrade to 4.2.8p5, or later, from the NTP Project Download
287	    Page or the NTP Public Services Project Download Page
288	As we've long documented, only use the -g option to ntpd in
289	    cold-start situations.
290	Monitor your ntpd instances.
291    Credit: This weakness was discovered by Aanchal Malhotra,
292	Isaac E. Cohen, and Sharon Goldberg at Boston University.
293
294    NOTE WELL: The -g flag disables the limit check on the panic_gate
295	in ntpd, which is 900 seconds by default. The bug identified by
296	the researchers at Boston University is that the panic_gate
297	check was only re-enabled after the first change to the system
298	clock that was greater than 128 milliseconds, by default. The
299	correct behavior is that the panic_gate check should be
300	re-enabled after any initial time correction.
301
302	If an attacker is able to inject consistent but erroneous time
303	responses to your systems via the network or "over the air",
304	perhaps by spoofing radio, cellphone, or navigation satellite
305	transmissions, they are in a great position to affect your
306	system's clock. There comes a point where your very best
307	defenses include:
308
309	    Configure ntpd to get time from multiple sources.
310	    Monitor your ntpd instances.
311
312Other fixes:
313
314* Coverity submission process updated from Coverity 5 to Coverity 7.
315  The NTP codebase has been undergoing regular Coverity scans on an
316  ongoing basis since 2006.  As part of our recent upgrade from
317  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
318  the newly-written Unity test programs.  These were fixed.
319* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
320* [Bug 2887] stratum -1 config results as showing value 99
321  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
322* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
323* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
324* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
325  - applied patch by Christos Zoulas.  perlinger@ntp.org
326* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
327* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
328  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
329  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
330* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
331  - accept key file only if there are no parsing errors
332  - fixed size_t/u_int format clash
333  - fixed wrong use of 'strlcpy'
334* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
335* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
336  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
337  - promote use of 'size_t' for values that express a size
338  - use ptr-to-const for read-only arguments
339  - make sure SOCKET values are not truncated (win32-specific)
340  - format string fixes
341* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
342* [Bug 2967] ntpdate command suffers an assertion failure
343  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
344* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
345              lots of clients. perlinger@ntp.org
346* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
347  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
348* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
349* Unity test cleanup.  Harlan Stenn.
350* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
351* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
352* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
353* Quiet a warning from clang.  Harlan Stenn.
354
355---
356NTP 4.2.8p4
357
358Focus: Security, Bug fixes, enhancements.
359
360Severity: MEDIUM
361
362In addition to bug fixes and enhancements, this release fixes the
363following 13 low- and medium-severity vulnerabilities:
364
365* Incomplete vallen (value length) checks in ntp_crypto.c, leading
366  to potential crashes or potential code injection/information leakage.
367
368    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
369    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
370    	and 4.3.0 up to, but not including 4.3.77
371    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
372    Summary: The fix for CVE-2014-9750 was incomplete in that there were
373    	certain code paths where a packet with particular autokey operations
374	that contained malicious data was not always being completely
375	validated. Receipt of these packets can cause ntpd to crash.
376    Mitigation:
377        Don't use autokey.
378	Upgrade to 4.2.8p4, or later, from the NTP Project Download
379	    Page or the NTP Public Services Project Download Page
380	Monitor your ntpd instances.
381	Credit: This weakness was discovered by Tenable Network Security.
382
383* Clients that receive a KoD should validate the origin timestamp field.
384
385    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
386    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
387	and 4.3.0 up to, but not including 4.3.77
388    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
389    Summary: An ntpd client that honors Kiss-of-Death responses will honor
390    	KoD messages that have been forged by an attacker, causing it to
391	delay or stop querying its servers for time updates. Also, an
392	attacker can forge packets that claim to be from the target and
393	send them to servers often enough that a server that implements
394	KoD rate limiting will send the target machine a KoD response to
395	attempt to reduce the rate of incoming packets, or it may also
396	trigger a firewall block at the server for packets from the target
397	machine. For either of these attacks to succeed, the attacker must
398	know what servers the target is communicating with. An attacker
399	can be anywhere on the Internet and can frequently learn the
400	identity of the target's time source by sending the target a
401	time query.
402    Mitigation:
403        Implement BCP-38.
404	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
405	    or the NTP Public Services Project Download Page
406	If you can't upgrade, restrict who can query ntpd to learn who
407	    its servers are, and what IPs are allowed to ask your system
408	    for the time. This mitigation is heavy-handed.
409	Monitor your ntpd instances.
410    Note:
411    	4.2.8p4 protects against the first attack. For the second attack,
412    	all we can do is warn when it is happening, which we do in 4.2.8p4.
413    Credit: This weakness was discovered by Aanchal Malhotra,
414    	Issac E. Cohen, and Sharon Goldberg of Boston University.
415
416* configuration directives to change "pidfile" and "driftfile" should
417  only be allowed locally.
418
419  References: Sec 2902 / CVE-2015-5196
420  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
421	and 4.3.0 up to, but not including 4.3.77
422   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
423   Summary: If ntpd is configured to allow for remote configuration,
424	and if the (possibly spoofed) source IP address is allowed to
425	send remote configuration requests, and if the attacker knows
426	the remote configuration password, it's possible for an attacker
427	to use the "pidfile" or "driftfile" directives to potentially
428	overwrite other files.
429   Mitigation:
430	Implement BCP-38.
431	Upgrade to 4.2.8p4, or later, from the NTP Project Download
432	    Page or the NTP Public Services Project Download Page
433	If you cannot upgrade, don't enable remote configuration.
434	If you must enable remote configuration and cannot upgrade,
435	    remote configuration of NTF's ntpd requires:
436	    - an explicitly configured trustedkey, and you should also
437	    	configure a controlkey.
438	    - access from a permitted IP. You choose the IPs.
439	    - authentication. Don't disable it. Practice secure key safety.
440	Monitor your ntpd instances.
441   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
442
443* Slow memory leak in CRYPTO_ASSOC
444
445  References: Sec 2909 / CVE-2015-7701
446  Affects: All ntp-4 releases that use autokey up to, but not
447    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
448  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
449  	4.6 otherwise
450  Summary: If ntpd is configured to use autokey, then an attacker can
451	send packets to ntpd that will, after several days of ongoing
452	attack, cause it to run out of memory.
453  Mitigation:
454	Don't use autokey.
455	Upgrade to 4.2.8p4, or later, from the NTP Project Download
456	    Page or the NTP Public Services Project Download Page
457	Monitor your ntpd instances.
458  Credit: This weakness was discovered by Tenable Network Security.
459
460* mode 7 loop counter underrun
461
462  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
463  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
464  	and 4.3.0 up to, but not including 4.3.77
465  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
466  Summary: If ntpd is configured to enable mode 7 packets, and if the
467	use of mode 7 packets is not properly protected thru the use of
468	the available mode 7 authentication and restriction mechanisms,
469	and if the (possibly spoofed) source IP address is allowed to
470	send mode 7 queries, then an attacker can send a crafted packet
471	to ntpd that will cause it to crash.
472  Mitigation:
473	Implement BCP-38.
474	Upgrade to 4.2.8p4, or later, from the NTP Project Download
475	    Page or the NTP Public Services Project Download Page.
476	      If you are unable to upgrade:
477	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
478	If you must enable mode 7:
479	    configure the use of a requestkey to control who can issue
480		mode 7 requests.
481	    configure restrict noquery to further limit mode 7 requests
482		to trusted sources.
483	Monitor your ntpd instances.
484Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
485
486* memory corruption in password store
487
488  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
489  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
490  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
491  Summary: If ntpd is configured to allow remote configuration, and if
492	the (possibly spoofed) source IP address is allowed to send
493	remote configuration requests, and if the attacker knows the
494	remote configuration password or if ntpd was configured to
495	disable authentication, then an attacker can send a set of
496	packets to ntpd that may cause a crash or theoretically
497	perform a code injection attack.
498  Mitigation:
499	Implement BCP-38.
500	Upgrade to 4.2.8p4, or later, from the NTP Project Download
501	    Page or the NTP Public Services Project Download Page.
502	If you are unable to upgrade, remote configuration of NTF's
503	    ntpd requires:
504		an explicitly configured "trusted" key. Only configure
505			this if you need it.
506		access from a permitted IP address. You choose the IPs.
507		authentication. Don't disable it. Practice secure key safety.
508	Monitor your ntpd instances.
509  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
510
511* Infinite loop if extended logging enabled and the logfile and
512  keyfile are the same.
513
514    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
515    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
516	and 4.3.0 up to, but not including 4.3.77
517    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
518    Summary: If ntpd is configured to allow remote configuration, and if
519	the (possibly spoofed) source IP address is allowed to send
520	remote configuration requests, and if the attacker knows the
521	remote configuration password or if ntpd was configured to
522	disable authentication, then an attacker can send a set of
523	packets to ntpd that will cause it to crash and/or create a
524	potentially huge log file. Specifically, the attacker could
525	enable extended logging, point the key file at the log file,
526	and cause what amounts to an infinite loop.
527    Mitigation:
528	Implement BCP-38.
529	Upgrade to 4.2.8p4, or later, from the NTP Project Download
530	    Page or the NTP Public Services Project Download Page.
531	If you are unable to upgrade, remote configuration of NTF's ntpd
532	  requires:
533            an explicitly configured "trusted" key. Only configure this
534	    	if you need it.
535            access from a permitted IP address. You choose the IPs.
536            authentication. Don't disable it. Practice secure key safety.
537        Monitor your ntpd instances.
538    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
539
540* Potential path traversal vulnerability in the config file saving of
541  ntpd on VMS.
542
543  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
544  Affects: All ntp-4 releases running under VMS up to, but not
545	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
546  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
547  Summary: If ntpd is configured to allow remote configuration, and if
548	the (possibly spoofed) IP address is allowed to send remote
549	configuration requests, and if the attacker knows the remote
550	configuration password or if ntpd was configured to disable
551	authentication, then an attacker can send a set of packets to
552	ntpd that may cause ntpd to overwrite files.
553  Mitigation:
554	Implement BCP-38.
555	Upgrade to 4.2.8p4, or later, from the NTP Project Download
556	    Page or the NTP Public Services Project Download Page.
557	If you are unable to upgrade, remote configuration of NTF's ntpd
558	    requires:
559		an explicitly configured "trusted" key. Only configure
560			this if you need it.
561		access from permitted IP addresses. You choose the IPs.
562		authentication. Don't disable it. Practice key security safety.
563        Monitor your ntpd instances.
564    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
565
566* ntpq atoascii() potential memory corruption
567
568  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
569  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
570	and 4.3.0 up to, but not including 4.3.77
571  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
572  Summary: If an attacker can figure out the precise moment that ntpq
573	is listening for data and the port number it is listening on or
574	if the attacker can provide a malicious instance ntpd that
575	victims will connect to then an attacker can send a set of
576	crafted mode 6 response packets that, if received by ntpq,
577	can cause ntpq to crash.
578  Mitigation:
579	Implement BCP-38.
580	Upgrade to 4.2.8p4, or later, from the NTP Project Download
581	    Page or the NTP Public Services Project Download Page.
582	If you are unable to upgrade and you run ntpq against a server
583	    and ntpq crashes, try again using raw mode. Build or get a
584	    patched ntpq and see if that fixes the problem. Report new
585	    bugs in ntpq or abusive servers appropriately.
586	If you use ntpq in scripts, make sure ntpq does what you expect
587	    in your scripts.
588  Credit: This weakness was discovered by Yves Younan and
589  	Aleksander Nikolich of Cisco Talos.
590
591* Invalid length data provided by a custom refclock driver could cause
592  a buffer overflow.
593
594  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
595  Affects: Potentially all ntp-4 releases running up to, but not
596	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
597	that have custom refclocks
598  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
599	5.9 unusual worst case
600  Summary: A negative value for the datalen parameter will overflow a
601	data buffer. NTF's ntpd driver implementations always set this
602	value to 0 and are therefore not vulnerable to this weakness.
603	If you are running a custom refclock driver in ntpd and that
604	driver supplies a negative value for datalen (no custom driver
605	of even minimal competence would do this) then ntpd would
606	overflow a data buffer. It is even hypothetically possible
607	in this case that instead of simply crashing ntpd the attacker
608	could effect a code injection attack.
609  Mitigation:
610	Upgrade to 4.2.8p4, or later, from the NTP Project Download
611	    Page or the NTP Public Services Project Download Page.
612	If you are unable to upgrade:
613		If you are running custom refclock drivers, make sure
614			the signed datalen value is either zero or positive.
615	Monitor your ntpd instances.
616  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
617
618* Password Length Memory Corruption Vulnerability
619
620  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
621  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
622  	4.3.0 up to, but not including 4.3.77
623  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
624  	1.7 usual case, 6.8, worst case
625  Summary: If ntpd is configured to allow remote configuration, and if
626	the (possibly spoofed) source IP address is allowed to send
627	remote configuration requests, and if the attacker knows the
628	remote configuration password or if ntpd was (foolishly)
629	configured to disable authentication, then an attacker can
630	send a set of packets to ntpd that may cause it to crash,
631	with the hypothetical possibility of a small code injection.
632  Mitigation:
633	Implement BCP-38.
634	Upgrade to 4.2.8p4, or later, from the NTP Project Download
635	    Page or the NTP Public Services Project Download Page.
636	If you are unable to upgrade, remote configuration of NTF's
637	    ntpd requires:
638		an explicitly configured "trusted" key. Only configure
639			this if you need it.
640		access from a permitted IP address. You choose the IPs.
641		authentication. Don't disable it. Practice secure key safety.
642	Monitor your ntpd instances.
643  Credit: This weakness was discovered by Yves Younan and
644  	Aleksander Nikolich of Cisco Talos.
645
646* decodenetnum() will ASSERT botch instead of returning FAIL on some
647  bogus values.
648
649  References: Sec 2922 / CVE-2015-7855
650  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
651	4.3.0 up to, but not including 4.3.77
652  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
653  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
654	an unusually long data value where a network address is expected,
655	the decodenetnum() function will abort with an assertion failure
656	instead of simply returning a failure condition.
657  Mitigation:
658	Implement BCP-38.
659	Upgrade to 4.2.8p4, or later, from the NTP Project Download
660	    Page or the NTP Public Services Project Download Page.
661	If you are unable to upgrade:
662		mode 7 is disabled by default. Don't enable it.
663		Use restrict noquery to limit who can send mode 6
664			and mode 7 requests.
665		Configure and use the controlkey and requestkey
666			authentication directives to limit who can
667			send mode 6 and mode 7 requests.
668	Monitor your ntpd instances.
669  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
670
671* NAK to the Future: Symmetric association authentication bypass via
672  crypto-NAK.
673
674  References: Sec 2941 / CVE-2015-7871
675  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
676  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
677  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
678  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
679	from unauthenticated ephemeral symmetric peers by bypassing the
680	authentication required to mobilize peer associations. This
681	vulnerability appears to have been introduced in ntp-4.2.5p186
682	when the code handling mobilization of new passive symmetric
683	associations (lines 1103-1165) was refactored.
684  Mitigation:
685	Implement BCP-38.
686	Upgrade to 4.2.8p4, or later, from the NTP Project Download
687	    Page or the NTP Public Services Project Download Page.
688	If you are unable to upgrade:
689		Apply the patch to the bottom of the "authentic" check
690			block around line 1136 of ntp_proto.c.
691	Monitor your ntpd instances.
692  Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>.
693
694Backward-Incompatible changes:
695* [Bug 2817] Default on Linux is now "rlimit memlock -1".
696  While the general default of 32M is still the case, under Linux
697  the default value has been changed to -1 (do not lock ntpd into
698  memory).  A value of 0 means "lock ntpd into memory with whatever
699  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
700  value in it, that value will continue to be used.
701
702* [Bug 2886] Misspelling: "outlyer" should be "outlier".
703  If you've written a script that looks for this case in, say, the
704  output of ntpq, you probably want to change your regex matches
705  from 'outlyer' to 'outl[iy]er'.
706
707New features in this release:
708* 'rlimit memlock' now has finer-grained control.  A value of -1 means
709  "don't lock ntpd into memore".  This is the default for Linux boxes.
710  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
711  the value is the number of megabytes of memory to lock.  The default
712  is 32 megabytes.
713
714* The old Google Test framework has been replaced with a new framework,
715  based on http://www.throwtheswitch.org/unity/ .
716
717Bug Fixes and Improvements:
718* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
719  privileges and limiting resources in NTPD removes the need to link
720  forcefully against 'libgcc_s' which does not always work. J.Perlinger
721* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
722* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
723* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
724* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
725* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
726* [Bug 2849] Systems with more than one default route may never
727  synchronize.  Brian Utterback.  Note that this patch might need to
728  be reverted once Bug 2043 has been fixed.
729* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
730* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
731* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
732* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
733* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
734* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
735  be configured for the distribution targets.  Harlan Stenn.
736* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
737* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
738* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
739* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
740* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
741* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
742* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
743* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
744* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
745* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
746* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
747* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
748* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
749* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
750* sntp/tests/ function parameter list cleanup.  Damir Tomić.
751* tests/libntp/ function parameter list cleanup.  Damir Tomić.
752* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
753* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
754* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
755* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
756* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
757* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
758  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
759  formatting; first declaration, then code (C90); deleted unnecessary comments;
760  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
761* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
762  fix formatting, cleanup. Tomasz Flendrich
763* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
764  Tomasz Flendrich
765* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
766  fix formatting. Tomasz Flendrich
767* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
768* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
769* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
770  Tomasz Flendrich
771* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
772* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
773* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
774* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
775* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
776* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
777* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
778fixed formatting. Tomasz Flendrich
779* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
780  removed unnecessary comments, cleanup. Tomasz Flendrich
781* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
782  comments, cleanup. Tomasz Flendrich
783* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
784  Tomasz Flendrich
785* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
786* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
787* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
788  Tomasz Flendrich
789* sntp/tests/kodDatabase.c added consts, deleted empty function,
790  fixed formatting. Tomasz Flendrich
791* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
792* sntp/tests/packetHandling.c is now using proper Unity's assertions,
793  fixed formatting, deleted unused variable. Tomasz Flendrich
794* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
795  Tomasz Flendrich
796* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
797  fixed formatting. Tomasz Flendrich
798* sntp/tests/utilities.c is now using proper Unity's assertions, changed
799  the order of includes, fixed formatting, removed unnecessary comments.
800  Tomasz Flendrich
801* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
802* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
803  made one function do its job, deleted unnecessary prints, fixed formatting.
804  Tomasz Flendrich
805* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
806* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
807* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
808* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
809* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
810* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
811* Don't build sntp/libevent/sample/.  Harlan Stenn.
812* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
813* br-flock: --enable-local-libevent.  Harlan Stenn.
814* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
815* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
816* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
817* Code cleanup.  Harlan Stenn.
818* libntp/icom.c: Typo fix.  Harlan Stenn.
819* util/ntptime.c: initialization nit.  Harlan Stenn.
820* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
821* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
822* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
823  Tomasz Flendrich
824* Changed progname to be const in many files - now it's consistent. Tomasz
825  Flendrich
826* Typo fix for GCC warning suppression.  Harlan Stenn.
827* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
828* Added declarations to all Unity tests, and did minor fixes to them.
829  Reduced the number of warnings by half. Damir Tomić.
830* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
831  with the latest Unity updates from Mark. Damir Tomić.
832* Retire google test - phase I.  Harlan Stenn.
833* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
834* Update the NEWS file.  Harlan Stenn.
835* Autoconf cleanup.  Harlan Stenn.
836* Unit test dist cleanup. Harlan Stenn.
837* Cleanup various test Makefile.am files.  Harlan Stenn.
838* Pthread autoconf macro cleanup.  Harlan Stenn.
839* Fix progname definition in unity runner scripts.  Harlan Stenn.
840* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
841* Update the patch for bug 2817.  Harlan Stenn.
842* More updates for bug 2817.  Harlan Stenn.
843* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
844* gcc on older HPUX may need +allowdups.  Harlan Stenn.
845* Adding missing MCAST protection.  Harlan Stenn.
846* Disable certain test programs on certain platforms.  Harlan Stenn.
847* Implement --enable-problem-tests (on by default).  Harlan Stenn.
848* build system tweaks.  Harlan Stenn.
849
850---
851NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
852
853Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
854
855Severity: MEDIUM
856
857Security Fix:
858
859* [Sec 2853] Crafted remote config packet can crash some versions of
860  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
861
862Under specific circumstances an attacker can send a crafted packet to
863cause a vulnerable ntpd instance to crash. This requires each of the
864following to be true:
865
8661) ntpd set up to allow remote configuration (not allowed by default), and
8672) knowledge of the configuration password, and
8683) access to a computer entrusted to perform remote configuration.
869
870This vulnerability is considered low-risk.
871
872New features in this release:
873
874Optional (disabled by default) support to have ntpd provide smeared
875leap second time.  A specially built and configured ntpd will only
876offer smeared time in response to client packets.  These response
877packets will also contain a "refid" of 254.a.b.c, where the 24 bits
878of a, b, and c encode the amount of smear in a 2:22 integer:fraction
879format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
880information.
881
882   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
883   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
884
885We've imported the Unity test framework, and have begun converting
886the existing google-test items to this new framework.  If you want
887to write new tests or change old ones, you'll need to have ruby
888installed.  You don't need ruby to run the test suite.
889
890Bug Fixes and Improvements:
891
892* CID 739725: Fix a rare resource leak in libevent/listener.c.
893* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
894* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
895* CID 1269537: Clean up a line of dead code in getShmTime().
896* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
897* [Bug 2590] autogen-5.18.5.
898* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
899  of 'limited'.
900* [Bug 2650] fix includefile processing.
901* [Bug 2745] ntpd -x steps clock on leap second
902   Fixed an initial-value problem that caused misbehaviour in absence of
903   any leapsecond information.
904   Do leap second stepping only of the step adjustment is beyond the
905   proper jump distance limit and step correction is allowed at all.
906* [Bug 2750] build for Win64
907  Building for 32bit of loopback ppsapi needs def file
908* [Bug 2776] Improve ntpq's 'help keytype'.
909* [Bug 2778] Implement "apeers"  ntpq command to include associd.
910* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
911* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
912  interface is ignored as long as this flag is not set since the
913  interface is not usable (e.g., no link).
914* [Bug 2794] Clean up kernel clock status reports.
915* [Bug 2800] refclock_true.c true_debug() can't open debug log because
916  of incompatible open/fdopen parameters.
917* [Bug 2804] install-local-data assumes GNU 'find' semantics.
918* [Bug 2805] ntpd fails to join multicast group.
919* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
920* [Bug 2808] GPSD_JSON driver enhancements, step 1.
921  Fix crash during cleanup if GPS device not present and char device.
922  Increase internal token buffer to parse all JSON data, even SKY.
923  Defer logging of errors during driver init until the first unit is
924  started, so the syslog is not cluttered when the driver is not used.
925  Various improvements, see http://bugs.ntp.org/2808 for details.
926  Changed libjsmn to a more recent version.
927* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
928* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
929* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
930* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
931* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
932* [Bug 2824] Convert update-leap to perl. (also see 2769)
933* [Bug 2825] Quiet file installation in html/ .
934* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
935   NTPD transfers the current TAI (instead of an announcement) now.
936   This might still needed improvement.
937   Update autokey data ASAP when 'sys_tai' changes.
938   Fix unit test that was broken by changes for autokey update.
939   Avoid potential signature length issue and use DPRINTF where possible
940     in ntp_crypto.c.
941* [Bug 2832] refclock_jjy.c supports the TDC-300.
942* [Bug 2834] Correct a broken html tag in html/refclock.html
943* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
944  robust, and require 2 consecutive timestamps to be consistent.
945* [Bug 2837] Allow a configurable DSCP value.
946* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
947* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
948* [Bug 2842] Bug in mdoc2man.
949* [Bug 2843] make check fails on 4.3.36
950   Fixed compiler warnings about numeric range overflow
951   (The original topic was fixed in a byplay to bug#2830)
952* [Bug 2845] Harden memory allocation in ntpd.
953* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
954* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
955* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
956* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
957* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
958* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
959* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
960* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
961* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
962* html/drivers/driver22.html: typo fix.  Harlan Stenn.
963* refidsmear test cleanup.  Tomasz Flendrich.
964* refidsmear function support and tests.  Harlan Stenn.
965* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
966  something that was only in the 4.2.6 sntp.  Harlan Stenn.
967* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
968  Damir Tomić
969* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
970  Damir Tomić
971* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
972  Damir Tomić
973* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
974* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
975* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
976  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
977  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
978  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
979  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
980  Damir Tomić
981* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
982  networking.c, keyFile.c, utilities.cpp, sntptest.h,
983  fileHandlingTest.h. Damir Tomić
984* Initial support for experimental leap smear code.  Harlan Stenn.
985* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
986* Report select() debug messages at debug level 3 now.
987* sntp/scripts/genLocInfo: treat raspbian as debian.
988* Unity test framework fixes.
989  ** Requires ruby for changes to tests.
990* Initial support for PACKAGE_VERSION tests.
991* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
992* tests/bug-2803/Makefile.am must distribute bug-2803.h.
993* Add an assert to the ntpq ifstats code.
994* Clean up the RLIMIT_STACK code.
995* Improve the ntpq documentation around the controlkey keyid.
996* ntpq.c cleanup.
997* Windows port build cleanup.
998
999---
1000NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
1001
1002Focus: Security and Bug fixes, enhancements.
1003
1004Severity: MEDIUM
1005
1006In addition to bug fixes and enhancements, this release fixes the
1007following medium-severity vulnerabilities involving private key
1008authentication:
1009
1010* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1011
1012    References: Sec 2779 / CVE-2015-1798 / VU#374268
1013    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
1014	including ntp-4.2.8p2 where the installation uses symmetric keys
1015	to authenticate remote associations.
1016    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1017    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1018    Summary: When ntpd is configured to use a symmetric key to authenticate
1019	a remote NTP server/peer, it checks if the NTP message
1020	authentication code (MAC) in received packets is valid, but not if
1021	there actually is any MAC included. Packets without a MAC are
1022	accepted as if they had a valid MAC. This allows a MITM attacker to
1023	send false packets that are accepted by the client/peer without
1024	having to know the symmetric key. The attacker needs to know the
1025	transmit timestamp of the client to match it in the forged reply
1026	and the false reply needs to reach the client before the genuine
1027	reply from the server. The attacker doesn't necessarily need to be
1028	relaying the packets between the client and the server.
1029
1030	Authentication using autokey doesn't have this problem as there is
1031	a check that requires the key ID to be larger than NTP_MAXKEY,
1032	which fails for packets without a MAC.
1033    Mitigation:
1034        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1035	or the NTP Public Services Project Download Page
1036        Configure ntpd with enough time sources and monitor it properly.
1037    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1038
1039* [Sec 2781] Authentication doesn't protect symmetric associations against
1040  DoS attacks.
1041
1042    References: Sec 2781 / CVE-2015-1799 / VU#374268
1043    Affects: All NTP releases starting with at least xntp3.3wy up to but
1044	not including ntp-4.2.8p2 where the installation uses symmetric
1045	key authentication.
1046    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1047    Note: the CVSS base Score for this issue could be 4.3 or lower, and
1048	it could be higher than 5.4.
1049    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1050    Summary: An attacker knowing that NTP hosts A and B are peering with
1051	each other (symmetric association) can send a packet to host A
1052	with source address of B which will set the NTP state variables
1053	on A to the values sent by the attacker. Host A will then send
1054	on its next poll to B a packet with originate timestamp that
1055	doesn't match the transmit timestamp of B and the packet will
1056	be dropped. If the attacker does this periodically for both
1057	hosts, they won't be able to synchronize to each other. This is
1058	a known denial-of-service attack, described at
1059	https://www.eecis.udel.edu/~mills/onwire.html .
1060
1061	According to the document the NTP authentication is supposed to
1062	protect symmetric associations against this attack, but that
1063	doesn't seem to be the case. The state variables are updated even
1064	when authentication fails and the peers are sending packets with
1065	originate timestamps that don't match the transmit timestamps on
1066	the receiving side.
1067
1068	This seems to be a very old problem, dating back to at least
1069	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
1070	specifications, so other NTP implementations with support for
1071	symmetric associations and authentication may be vulnerable too.
1072	An update to the NTP RFC to correct this error is in-process.
1073    Mitigation:
1074        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1075	or the NTP Public Services Project Download Page
1076        Note that for users of autokey, this specific style of MITM attack
1077	is simply a long-known potential problem.
1078        Configure ntpd with appropriate time sources and monitor ntpd.
1079	Alert your staff if problems are detected.
1080    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1081
1082* New script: update-leap
1083The update-leap script will verify and if necessary, update the
1084leap-second definition file.
1085It requires the following commands in order to work:
1086
1087	wget logger tr sed shasum
1088
1089Some may choose to run this from cron.  It needs more portability testing.
1090
1091Bug Fixes and Improvements:
1092
1093* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
1094* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
1095* [Bug 2346] "graceful termination" signals do not do peer cleanup.
1096* [Bug 2728] See if C99-style structure initialization works.
1097* [Bug 2747] Upgrade libevent to 2.1.5-beta.
1098* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
1099* [Bug 2751] jitter.h has stale copies of l_fp macros.
1100* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
1101* [Bug 2757] Quiet compiler warnings.
1102* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
1103* [Bug 2763] Allow different thresholds for forward and backward steps.
1104* [Bug 2766] ntp-keygen output files should not be world-readable.
1105* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
1106* [Bug 2771] nonvolatile value is documented in wrong units.
1107* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
1108* [Bug 2774] Unreasonably verbose printout - leap pending/warning
1109* [Bug 2775] ntp-keygen.c fails to compile under Windows.
1110* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
1111  Removed non-ASCII characters from some copyright comments.
1112  Removed trailing whitespace.
1113  Updated definitions for Meinberg clocks from current Meinberg header files.
1114  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
1115  Account for updated definitions pulled from Meinberg header files.
1116  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
1117  Replaced some constant numbers by defines from ntp_calendar.h
1118  Modified creation of parse-specific variables for Meinberg devices
1119  in gps16x_message().
1120  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
1121  Modified mbg_tm_str() which now expexts an additional parameter controlling
1122  if the time status shall be printed.
1123* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1124* [Sec 2781] Authentication doesn't protect symmetric associations against
1125  DoS attacks.
1126* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
1127* [Bug 2789] Quiet compiler warnings from libevent.
1128* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
1129  pause briefly before measuring system clock precision to yield
1130  correct results.
1131* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
1132* Use predefined function types for parse driver functions
1133  used to set up function pointers.
1134  Account for changed prototype of parse_inp_fnc_t functions.
1135  Cast parse conversion results to appropriate types to avoid
1136  compiler warnings.
1137  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
1138  when called with pointers to different types.
1139
1140---
1141NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
1142
1143Focus: Security and Bug fixes, enhancements.
1144
1145Severity: HIGH
1146
1147In addition to bug fixes and enhancements, this release fixes the
1148following high-severity vulnerabilities:
1149
1150* vallen is not validated in several places in ntp_crypto.c, leading
1151  to a potential information leak or possibly a crash
1152
1153    References: Sec 2671 / CVE-2014-9297 / VU#852879
1154    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
1155    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1156    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
1157    Summary: The vallen packet value is not validated in several code
1158             paths in ntp_crypto.c which can lead to information leakage
1159	     or perhaps a crash of the ntpd process.
1160    Mitigation - any of:
1161	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1162		or the NTP Public Services Project Download Page.
1163	Disable Autokey Authentication by removing, or commenting out,
1164		all configuration directives beginning with the "crypto"
1165		keyword in your ntp.conf file.
1166    Credit: This vulnerability was discovered by Stephen Roettger of the
1167    	Google Security Team, with additional cases found by Sebastian
1168	Krahmer of the SUSE Security Team and Harlan Stenn of Network
1169	Time Foundation.
1170
1171* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
1172  can be bypassed.
1173
1174    References: Sec 2672 / CVE-2014-9298 / VU#852879
1175    Affects: All NTP4 releases before 4.2.8p1, under at least some
1176	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
1177    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
1178    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
1179    Summary: While available kernels will prevent 127.0.0.1 addresses
1180	from "appearing" on non-localhost IPv4 interfaces, some kernels
1181	do not offer the same protection for ::1 source addresses on
1182	IPv6 interfaces. Since NTP's access control is based on source
1183	address and localhost addresses generally have no restrictions,
1184	an attacker can send malicious control and configuration packets
1185	by spoofing ::1 addresses from the outside. Note Well: This is
1186	not really a bug in NTP, it's a problem with some OSes. If you
1187	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
1188	ACL restrictions on any application can be bypassed!
1189    Mitigation:
1190        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1191	or the NTP Public Services Project Download Page
1192        Install firewall rules to block packets claiming to come from
1193	::1 from inappropriate network interfaces.
1194    Credit: This vulnerability was discovered by Stephen Roettger of
1195	the Google Security Team.
1196
1197Additionally, over 30 bugfixes and improvements were made to the codebase.
1198See the ChangeLog for more information.
1199
1200---
1201NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
1202
1203Focus: Security and Bug fixes, enhancements.
1204
1205Severity: HIGH
1206
1207In addition to bug fixes and enhancements, this release fixes the
1208following high-severity vulnerabilities:
1209
1210************************** vv NOTE WELL vv *****************************
1211
1212The vulnerabilities listed below can be significantly mitigated by
1213following the BCP of putting
1214
1215 restrict default ... noquery
1216
1217in the ntp.conf file.  With the exception of:
1218
1219   receive(): missing return on error
1220   References: Sec 2670 / CVE-2014-9296 / VU#852879
1221
1222below (which is a limited-risk vulnerability), none of the recent
1223vulnerabilities listed below can be exploited if the source IP is
1224restricted from sending a 'query'-class packet by your ntp.conf file.
1225
1226************************** ^^ NOTE WELL ^^ *****************************
1227
1228* Weak default key in config_auth().
1229
1230  References: [Sec 2665] / CVE-2014-9293 / VU#852879
1231  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1232  Vulnerable Versions: all releases prior to 4.2.7p11
1233  Date Resolved: 28 Jan 2010
1234
1235  Summary: If no 'auth' key is set in the configuration file, ntpd
1236	would generate a random key on the fly.  There were two
1237	problems with this: 1) the generated key was 31 bits in size,
1238	and 2) it used the (now weak) ntp_random() function, which was
1239	seeded with a 32-bit value and could only provide 32 bits of
1240	entropy.  This was sufficient back in the late 1990s when the
1241	code was written.  Not today.
1242
1243  Mitigation - any of:
1244	- Upgrade to 4.2.7p11 or later.
1245	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1246
1247  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
1248  	of the Google Security Team.
1249
1250* Non-cryptographic random number generator with weak seed used by
1251  ntp-keygen to generate symmetric keys.
1252
1253  References: [Sec 2666] / CVE-2014-9294 / VU#852879
1254  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1255  Vulnerable Versions: All NTP4 releases before 4.2.7p230
1256  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
1257
1258  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
1259  	prepare a random number generator that was of good quality back
1260	in the late 1990s. The random numbers produced was then used to
1261	generate symmetric keys. In ntp-4.2.8 we use a current-technology
1262	cryptographic random number generator, either RAND_bytes from
1263	OpenSSL, or arc4random().
1264
1265  Mitigation - any of:
1266  	- Upgrade to 4.2.7p230 or later.
1267	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1268
1269  Credit:  This vulnerability was discovered in ntp-4.2.6 by
1270  	Stephen Roettger of the Google Security Team.
1271
1272* Buffer overflow in crypto_recv()
1273
1274  References: Sec 2667 / CVE-2014-9295 / VU#852879
1275  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1276  Versions: All releases before 4.2.8
1277  Date Resolved: Stable (4.2.8) 18 Dec 2014
1278
1279  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
1280  	file contains a 'crypto pw ...' directive) a remote attacker
1281	can send a carefully crafted packet that can overflow a stack
1282	buffer and potentially allow malicious code to be executed
1283	with the privilege level of the ntpd process.
1284
1285  Mitigation - any of:
1286  	- Upgrade to 4.2.8, or later, or
1287	- Disable Autokey Authentication by removing, or commenting out,
1288	  all configuration directives beginning with the crypto keyword
1289	  in your ntp.conf file.
1290
1291  Credit: This vulnerability was discovered by Stephen Roettger of the
1292  	Google Security Team.
1293
1294* Buffer overflow in ctl_putdata()
1295
1296  References: Sec 2668 / CVE-2014-9295 / VU#852879
1297  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1298  Versions: All NTP4 releases before 4.2.8
1299  Date Resolved: Stable (4.2.8) 18 Dec 2014
1300
1301  Summary: A remote attacker can send a carefully crafted packet that
1302  	can overflow a stack buffer and potentially allow malicious
1303	code to be executed with the privilege level of the ntpd process.
1304
1305  Mitigation - any of:
1306  	- Upgrade to 4.2.8, or later.
1307	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1308
1309  Credit: This vulnerability was discovered by Stephen Roettger of the
1310  	Google Security Team.
1311
1312* Buffer overflow in configure()
1313
1314  References: Sec 2669 / CVE-2014-9295 / VU#852879
1315  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1316  Versions: All NTP4 releases before 4.2.8
1317  Date Resolved: Stable (4.2.8) 18 Dec 2014
1318
1319  Summary: A remote attacker can send a carefully crafted packet that
1320	can overflow a stack buffer and potentially allow malicious
1321	code to be executed with the privilege level of the ntpd process.
1322
1323  Mitigation - any of:
1324  	- Upgrade to 4.2.8, or later.
1325	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1326
1327  Credit: This vulnerability was discovered by Stephen Roettger of the
1328	Google Security Team.
1329
1330* receive(): missing return on error
1331
1332  References: Sec 2670 / CVE-2014-9296 / VU#852879
1333  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
1334  Versions: All NTP4 releases before 4.2.8
1335  Date Resolved: Stable (4.2.8) 18 Dec 2014
1336
1337  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
1338  	the code path where an error was detected, which meant
1339	processing did not stop when a specific rare error occurred.
1340	We haven't found a way for this bug to affect system integrity.
1341	If there is no way to affect system integrity the base CVSS
1342	score for this bug is 0. If there is one avenue through which
1343	system integrity can be partially affected, the base score
1344	becomes a 5. If system integrity can be partially affected
1345	via all three integrity metrics, the CVSS base score become 7.5.
1346
1347  Mitigation - any of:
1348        - Upgrade to 4.2.8, or later,
1349        - Remove or comment out all configuration directives
1350	  beginning with the crypto keyword in your ntp.conf file.
1351
1352  Credit: This vulnerability was discovered by Stephen Roettger of the
1353  	Google Security Team.
1354
1355See http://support.ntp.org/security for more information.
1356
1357New features / changes in this release:
1358
1359Important Changes
1360
1361* Internal NTP Era counters
1362
1363The internal counters that track the "era" (range of years) we are in
1364rolls over every 136 years'.  The current "era" started at the stroke of
1365midnight on 1 Jan 1900, and ends just before the stroke of midnight on
13661 Jan 2036.
1367In the past, we have used the "midpoint" of the  range to decide which
1368era we were in.  Given the longevity of some products, it became clear
1369that it would be more functional to "look back" less, and "look forward"
1370more.  We now compile a timestamp into the ntpd executable and when we
1371get a timestamp we us the "built-on" to tell us what era we are in.
1372This check "looks back" 10 years, and "looks forward" 126 years.
1373
1374* ntpdc responses disabled by default
1375
1376Dave Hart writes:
1377
1378For a long time, ntpq and its mostly text-based mode 6 (control)
1379protocol have been preferred over ntpdc and its mode 7 (private
1380request) protocol for runtime queries and configuration.  There has
1381been a goal of deprecating ntpdc, previously held back by numerous
1382capabilities exposed by ntpdc with no ntpq equivalent.  I have been
1383adding commands to ntpq to cover these cases, and I believe I've
1384covered them all, though I've not compared command-by-command
1385recently.
1386
1387As I've said previously, the binary mode 7 protocol involves a lot of
1388hand-rolled structure layout and byte-swapping code in both ntpd and
1389ntpdc which is hard to get right.  As ntpd grows and changes, the
1390changes are difficult to expose via ntpdc while maintaining forward
1391and backward compatibility between ntpdc and ntpd.  In contrast,
1392ntpq's text-based, label=value approach involves more code reuse and
1393allows compatible changes without extra work in most cases.
1394
1395Mode 7 has always been defined as vendor/implementation-specific while
1396mode 6 is described in RFC 1305 and intended to be open to interoperate
1397with other implementations.  There is an early draft of an updated
1398mode 6 description that likely will join the other NTPv4 RFCs
1399eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
1400
1401For these reasons, ntpd 4.2.7p230 by default disables processing of
1402ntpdc queries, reducing ntpd's attack surface and functionally
1403deprecating ntpdc.  If you are in the habit of using ntpdc for certain
1404operations, please try the ntpq equivalent.  If there's no equivalent,
1405please open a bug report at http://bugs.ntp.org./
1406
1407In addition to the above, over 1100 issues have been resolved between
1408the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
1409lists these.
1410
1411---
1412NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
1413
1414Focus: Bug fixes
1415
1416Severity: Medium
1417
1418This is a recommended upgrade.
1419
1420This release updates sys_rootdisp and sys_jitter calculations to match the
1421RFC specification, fixes a potential IPv6 address matching error for the
1422"nic" and "interface" configuration directives, suppresses the creation of
1423extraneous ephemeral associations for certain broadcastclient and
1424multicastclient configurations, cleans up some ntpq display issues, and
1425includes improvements to orphan mode, minor bugs fixes and code clean-ups.
1426
1427New features / changes in this release:
1428
1429ntpd
1430
1431 * Updated "nic" and "interface" IPv6 address handling to prevent
1432   mismatches with localhost [::1] and wildcard [::] which resulted from
1433   using the address/prefix format (e.g. fe80::/64)
1434 * Fix orphan mode stratum incorrectly counting to infinity
1435 * Orphan parent selection metric updated to includes missing ntohl()
1436 * Non-printable stratum 16 refid no longer sent to ntp
1437 * Duplicate ephemeral associations suppressed for broadcastclient and
1438   multicastclient without broadcastdelay
1439 * Exclude undetermined sys_refid from use in loopback TEST12
1440 * Exclude MODE_SERVER responses from KoD rate limiting
1441 * Include root delay in clock_update() sys_rootdisp calculations
1442 * get_systime() updated to exclude sys_residual offset (which only
1443   affected bits "below" sys_tick, the precision threshold)
1444 * sys.peer jitter weighting corrected in sys_jitter calculation
1445
1446ntpq
1447
1448 * -n option extended to include the billboard "server" column
1449 * IPv6 addresses in the local column truncated to prevent overruns
1450
1451---
1452NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
1453
1454Focus: Bug fixes and portability improvements
1455
1456Severity: Medium
1457
1458This is a recommended upgrade.
1459
1460This release includes build infrastructure updates, code
1461clean-ups, minor bug fixes, fixes for a number of minor
1462ref-clock issues, and documentation revisions.
1463
1464Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
1465
1466New features / changes in this release:
1467
1468Build system
1469
1470* Fix checking for struct rtattr
1471* Update config.guess and config.sub for AIX
1472* Upgrade required version of autogen and libopts for building
1473  from our source code repository
1474
1475ntpd
1476
1477* Back-ported several fixes for Coverity warnings from ntp-dev
1478* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
1479* Allow "logconfig =allall" configuration directive
1480* Bind tentative IPv6 addresses on Linux
1481* Correct WWVB/Spectracom driver to timestamp CR instead of LF
1482* Improved tally bit handling to prevent incorrect ntpq peer status reports
1483* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
1484  candidate list unless they are designated a "prefer peer"
1485* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
1486  selection during the 'tos orphanwait' period
1487* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
1488  drivers
1489* Improved support of the Parse Refclock trusttime flag in Meinberg mode
1490* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
1491* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
1492  clock slew on Microsoft Windows
1493* Code cleanup in libntpq
1494
1495ntpdc
1496
1497* Fix timerstats reporting
1498
1499ntpdate
1500
1501* Reduce time required to set clock
1502* Allow a timeout greater than 2 seconds
1503
1504sntp
1505
1506* Backward incompatible command-line option change:
1507  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
1508
1509Documentation
1510
1511* Update html2man. Fix some tags in the .html files
1512* Distribute ntp-wait.html
1513
1514---
1515NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
1516
1517Focus: Bug fixes and portability improvements
1518
1519Severity: Medium
1520
1521This is a recommended upgrade.
1522
1523This release includes build infrastructure updates, code
1524clean-ups, minor bug fixes, fixes for a number of minor
1525ref-clock issues, and documentation revisions.
1526
1527Portability improvements in this release affect AIX, Atari FreeMiNT,
1528FreeBSD4, Linux and Microsoft Windows.
1529
1530New features / changes in this release:
1531
1532Build system
1533* Use lsb_release to get information about Linux distributions.
1534* 'test' is in /usr/bin (instead of /bin) on some systems.
1535* Basic sanity checks for the ChangeLog file.
1536* Source certain build files with ./filename for systems without . in PATH.
1537* IRIX portability fix.
1538* Use a single copy of the "libopts" code.
1539* autogen/libopts upgrade.
1540* configure.ac m4 quoting cleanup.
1541
1542ntpd
1543* Do not bind to IN6_IFF_ANYCAST addresses.
1544* Log the reason for exiting under Windows.
1545* Multicast fixes for Windows.
1546* Interpolation fixes for Windows.
1547* IPv4 and IPv6 Multicast fixes.
1548* Manycast solicitation fixes and general repairs.
1549* JJY refclock cleanup.
1550* NMEA refclock improvements.
1551* Oncore debug message cleanup.
1552* Palisade refclock now builds under Linux.
1553* Give RAWDCF more baud rates.
1554* Support Truetime Satellite clocks under Windows.
1555* Support Arbiter 1093C Satellite clocks under Windows.
1556* Make sure that the "filegen" configuration command defaults to "enable".
1557* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
1558* Prohibit 'includefile' directive in remote configuration command.
1559* Fix 'nic' interface bindings.
1560* Fix the way we link with openssl if openssl is installed in the base
1561  system.
1562
1563ntp-keygen
1564* Fix -V coredump.
1565* OpenSSL version display cleanup.
1566
1567ntpdc
1568* Many counters should be treated as unsigned.
1569
1570ntpdate
1571* Do not ignore replies with equal receive and transmit timestamps.
1572
1573ntpq
1574* libntpq warning cleanup.
1575
1576ntpsnmpd
1577* Correct SNMP type for "precision" and "resolution".
1578* Update the MIB from the draft version to RFC-5907.
1579
1580sntp
1581* Display timezone offset when showing time for sntp in the local
1582  timezone.
1583* Pay proper attention to RATE KoD packets.
1584* Fix a miscalculation of the offset.
1585* Properly parse empty lines in the key file.
1586* Logging cleanup.
1587* Use tv_usec correctly in set_time().
1588* Documentation cleanup.
1589
1590---
1591NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
1592
1593Focus: Bug fixes and portability improvements
1594
1595Severity: Medium
1596
1597This is a recommended upgrade.
1598
1599This release includes build infrastructure updates, code
1600clean-ups, minor bug fixes, fixes for a number of minor
1601ref-clock issues, improved KOD handling, OpenSSL related
1602updates and documentation revisions.
1603
1604Portability improvements in this release affect Irix, Linux,
1605Mac OS, Microsoft Windows, OpenBSD and QNX6
1606
1607New features / changes in this release:
1608
1609ntpd
1610* Range syntax for the trustedkey configuration directive
1611* Unified IPv4 and IPv6 restrict lists
1612
1613ntpdate
1614* Rate limiting and KOD handling
1615
1616ntpsnmpd
1617* default connection to net-snmpd via a unix-domain socket
1618* command-line 'socket name' option
1619
1620ntpq / ntpdc
1621* support for the "passwd ..." syntax
1622* key-type specific password prompts
1623
1624sntp
1625* MD5 authentication of an ntpd
1626* Broadcast and crypto
1627* OpenSSL support
1628
1629---
1630NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
1631
1632Focus: Bug fixes, portability fixes, and documentation improvements
1633
1634Severity: Medium
1635
1636This is a recommended upgrade.
1637
1638---
1639NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1640
1641Focus: enhancements and bug fixes.
1642
1643---
1644NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1645
1646Focus: Security Fixes
1647
1648Severity: HIGH
1649
1650This release fixes the following high-severity vulnerability:
1651
1652* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
1653
1654  See http://support.ntp.org/security for more information.
1655
1656  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
1657  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
1658  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
1659  request or a mode 7 error response from an address which is not listed
1660  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
1661  reply with a mode 7 error response (and log a message).  In this case:
1662
1663	* If an attacker spoofs the source address of ntpd host A in a
1664	  mode 7 response packet sent to ntpd host B, both A and B will
1665	  continuously send each other error responses, for as long as
1666	  those packets get through.
1667
1668	* If an attacker spoofs an address of ntpd host A in a mode 7
1669	  response packet sent to ntpd host A, A will respond to itself
1670	  endlessly, consuming CPU and logging excessively.
1671
1672  Credit for finding this vulnerability goes to Robin Park and Dmitri
1673  Vinokurov of Alcatel-Lucent.
1674
1675THIS IS A STRONGLY RECOMMENDED UPGRADE.
1676
1677---
1678ntpd now syncs to refclocks right away.
1679
1680Backward-Incompatible changes:
1681
1682ntpd no longer accepts '-v name' or '-V name' to define internal variables.
1683Use '--var name' or '--dvar name' instead. (Bug 817)
1684
1685---
1686NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
1687
1688Focus: Security and Bug Fixes
1689
1690Severity: HIGH
1691
1692This release fixes the following high-severity vulnerability:
1693
1694* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
1695
1696  See http://support.ntp.org/security for more information.
1697
1698  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
1699  line) then a carefully crafted packet sent to the machine will cause
1700  a buffer overflow and possible execution of injected code, running
1701  with the privileges of the ntpd process (often root).
1702
1703  Credit for finding this vulnerability goes to Chris Ries of CMU.
1704
1705This release fixes the following low-severity vulnerabilities:
1706
1707* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
1708  Credit for finding this vulnerability goes to Geoff Keating of Apple.
1709
1710* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
1711  Credit for finding this issue goes to Dave Hart.
1712
1713This release fixes a number of bugs and adds some improvements:
1714
1715* Improved logging
1716* Fix many compiler warnings
1717* Many fixes and improvements for Windows
1718* Adds support for AIX 6.1
1719* Resolves some issues under MacOS X and Solaris
1720
1721THIS IS A STRONGLY RECOMMENDED UPGRADE.
1722
1723---
1724NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
1725
1726Focus: Security Fix
1727
1728Severity: Low
1729
1730This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
1731the OpenSSL library relating to the incorrect checking of the return
1732value of EVP_VerifyFinal function.
1733
1734Credit for finding this issue goes to the Google Security Team for
1735finding the original issue with OpenSSL, and to ocert.org for finding
1736the problem in NTP and telling us about it.
1737
1738This is a recommended upgrade.
1739---
1740NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
1741
1742Focus: Minor Bugfixes
1743
1744This release fixes a number of Windows-specific ntpd bugs and
1745platform-independent ntpdate bugs. A logging bugfix has been applied
1746to the ONCORE driver.
1747
1748The "dynamic" keyword and is now obsolete and deferred binding to local
1749interfaces is the new default. The minimum time restriction for the
1750interface update interval has been dropped.
1751
1752A number of minor build system and documentation fixes are included.
1753
1754This is a recommended upgrade for Windows.
1755
1756---
1757NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
1758
1759Focus: Minor Bugfixes
1760
1761This release updates certain copyright information, fixes several display
1762bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
1763shutdown in the parse refclock driver, removes some lint from the code,
1764stops accessing certain buffers immediately after they were freed, fixes
1765a problem with non-command-line specification of -6, and allows the loopback
1766interface to share addresses with other interfaces.
1767
1768---
1769NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
1770
1771Focus: Minor Bugfixes
1772
1773This release fixes a bug in Windows that made it difficult to
1774terminate ntpd under windows.
1775This is a recommended upgrade for Windows.
1776
1777---
1778NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
1779
1780Focus: Minor Bugfixes
1781
1782This release fixes a multicast mode authentication problem,
1783an error in NTP packet handling on Windows that could lead to
1784ntpd crashing, and several other minor bugs. Handling of
1785multicast interfaces and logging configuration were improved.
1786The required versions of autogen and libopts were incremented.
1787This is a recommended upgrade for Windows and multicast users.
1788
1789---
1790NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
1791
1792Focus: enhancements and bug fixes.
1793
1794Dynamic interface rescanning was added to simplify the use of ntpd in
1795conjunction with DHCP. GNU AutoGen is used for its command-line options
1796processing. Separate PPS devices are supported for PARSE refclocks, MD5
1797signatures are now provided for the release files. Drivers have been
1798added for some new ref-clocks and have been removed for some older
1799ref-clocks. This release also includes other improvements, documentation
1800and bug fixes.
1801
1802K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
1803C support.
1804
1805---
1806NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
1807
1808Focus: enhancements and bug fixes.
1809