xref: /freebsd/contrib/ntp/NEWS (revision 63d1fd5970ec814904aa0f4580b10a0d302d08b2)
1---
2NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
3
4Focus: Security, Bug fixes, enhancements.
5
6Severity: HIGH
7
8In addition to bug fixes and enhancements, this release fixes the
9following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
105 low-severity vulnerabilities, and provides 28 other non-security
11fixes and improvements:
12
13* Trap crash
14   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
15   References: Sec 3119 / CVE-2016-9311 / VU#633847
16   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
17   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
18   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
19   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
20   Summary:
21	ntpd does not enable trap service by default. If trap service
22	has been explicitly enabled, an attacker can send a specially
23	crafted packet to cause a null pointer dereference that will
24	crash ntpd, resulting in a denial of service.
25   Mitigation:
26        Implement BCP-38.
27	Use "restrict default noquery ..." in your ntp.conf file. Only
28	    allow mode 6 queries from trusted networks and hosts.
29        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
30	    or the NTP Public Services Project Download Page
31        Properly monitor your ntpd instances, and auto-restart ntpd
32	    (without -g) if it stops running.
33   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
34
35* Mode 6 information disclosure and DDoS vector
36   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
37   References: Sec 3118 / CVE-2016-9310 / VU#633847
38   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
39	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
40   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
41   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
42   Summary:
43	An exploitable configuration modification vulnerability exists
44	in the control mode (mode 6) functionality of ntpd. If, against
45	long-standing BCP recommendations, "restrict default noquery ..."
46	is not specified, a specially crafted control mode packet can set
47	ntpd traps, providing information disclosure and DDoS
48	amplification, and unset ntpd traps, disabling legitimate
49	monitoring. A remote, unauthenticated, network attacker can
50	trigger this vulnerability.
51   Mitigation:
52        Implement BCP-38.
53	Use "restrict default noquery ..." in your ntp.conf file.
54        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
55	    or the NTP Public Services Project Download Page
56        Properly monitor your ntpd instances, and auto-restart ntpd
57	    (without -g) if it stops running.
58   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
59
60* Broadcast Mode Replay Prevention DoS
61   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
62   References: Sec 3114 / CVE-2016-7427 / VU#633847
63   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
64	ntp-4.3.90 up to, but not including ntp-4.3.94.
65   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
66   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
67   Summary:
68	The broadcast mode of NTP is expected to only be used in a
69	trusted network. If the broadcast network is accessible to an
70	attacker, a potentially exploitable denial of service
71	vulnerability in ntpd's broadcast mode replay prevention
72	functionality can be abused. An attacker with access to the NTP
73	broadcast domain can periodically inject specially crafted
74	broadcast mode NTP packets into the broadcast domain which,
75	while being logged by ntpd, can cause ntpd to reject broadcast
76	mode packets from legitimate NTP broadcast servers.
77   Mitigation:
78        Implement BCP-38.
79        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
80	    or the NTP Public Services Project Download Page
81        Properly monitor your ntpd instances, and auto-restart ntpd
82	    (without -g) if it stops running.
83   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
84
85* Broadcast Mode Poll Interval Enforcement DoS
86   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
87   References: Sec 3113 / CVE-2016-7428 / VU#633847
88   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
89	ntp-4.3.90 up to, but not including ntp-4.3.94
90   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
91   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
92   Summary:
93	The broadcast mode of NTP is expected to only be used in a
94	trusted network. If the broadcast network is accessible to an
95	attacker, a potentially exploitable denial of service
96	vulnerability in ntpd's broadcast mode poll interval enforcement
97	functionality can be abused. To limit abuse, ntpd restricts the
98	rate at which each broadcast association will process incoming
99	packets. ntpd will reject broadcast mode packets that arrive
100	before the poll interval specified in the preceding broadcast
101	packet expires. An attacker with access to the NTP broadcast
102	domain can send specially crafted broadcast mode NTP packets to
103	the broadcast domain which, while being logged by ntpd, will
104	cause ntpd to reject broadcast mode packets from legitimate NTP
105	broadcast servers.
106   Mitigation:
107        Implement BCP-38.
108        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
109	    or the NTP Public Services Project Download Page
110        Properly monitor your ntpd instances, and auto-restart ntpd
111	    (without -g) if it stops running.
112   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
113
114* Windows: ntpd DoS by oversized UDP packet
115   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
116   References: Sec 3110 / CVE-2016-9312 / VU#633847
117   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
118	and ntp-4.3.0 up to, but not including ntp-4.3.94.
119   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
120   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
121   Summary:
122	If a vulnerable instance of ntpd on Windows receives a crafted
123	malicious packet that is "too big", ntpd will stop working.
124   Mitigation:
125        Implement BCP-38.
126        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
127	    or the NTP Public Services Project Download Page
128        Properly monitor your ntpd instances, and auto-restart ntpd
129	    (without -g) if it stops running.
130   Credit: This weakness was discovered by Robert Pajak of ABB.
131
132* 0rigin (zero origin) issues
133   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
134   References: Sec 3102 / CVE-2016-7431 / VU#633847
135   Affects: ntp-4.2.8p8, and ntp-4.3.93.
136   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
137   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
138   Summary:
139	Zero Origin timestamp problems were fixed by Bug 2945 in
140	ntp-4.2.8p6. However, subsequent timestamp validation checks
141	introduced a regression in the handling of some Zero origin
142	timestamp checks.
143   Mitigation:
144        Implement BCP-38.
145        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
146	    or the NTP Public Services Project Download Page
147        Properly monitor your ntpd instances, and auto-restart ntpd
148	    (without -g) if it stops running.
149   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
150	Malhotra of Boston University.
151
152* read_mru_list() does inadequate incoming packet checks
153   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
154   References: Sec 3082 / CVE-2016-7434 / VU#633847
155   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
156	ntp-4.3.0 up to, but not including ntp-4.3.94.
157   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
158   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
159   Summary:
160	If ntpd is configured to allow mrulist query requests from a
161	server that sends a crafted malicious packet, ntpd will crash
162	on receipt of that crafted malicious mrulist query packet.
163   Mitigation:
164	Only allow mrulist query packets from trusted hosts.
165        Implement BCP-38.
166        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
167	    or the NTP Public Services Project Download Page
168        Properly monitor your ntpd instances, and auto-restart ntpd
169	    (without -g) if it stops running.
170   Credit: This weakness was discovered by Magnus Stubman.
171
172* Attack on interface selection
173   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
174   References: Sec 3072 / CVE-2016-7429 / VU#633847
175   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
176	ntp-4.3.0 up to, but not including ntp-4.3.94
177   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
178   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
179   Summary:
180	When ntpd receives a server response on a socket that corresponds
181	to a different interface than was used for the request, the peer
182	structure is updated to use the interface for new requests. If
183	ntpd is running on a host with multiple interfaces in separate
184	networks and the operating system doesn't check source address in
185	received packets (e.g. rp_filter on Linux is set to 0), an
186	attacker that knows the address of the source can send a packet
187	with spoofed source address which will cause ntpd to select wrong
188	interface for the source and prevent it from sending new requests
189	until the list of interfaces is refreshed, which happens on
190	routing changes or every 5 minutes by default. If the attack is
191	repeated often enough (once per second), ntpd will not be able to
192	synchronize with the source.
193   Mitigation:
194        Implement BCP-38.
195        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
196	    or the NTP Public Services Project Download Page
197	If you are going to configure your OS to disable source address
198	    checks, also configure your firewall configuration to control
199	    what interfaces can receive packets from what networks.
200        Properly monitor your ntpd instances, and auto-restart ntpd
201	    (without -g) if it stops running.
202   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
203
204* Client rate limiting and server responses
205   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
206   References: Sec 3071 / CVE-2016-7426 / VU#633847
207   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
208	ntp-4.3.0 up to, but not including ntp-4.3.94
209   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
210   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
211   Summary:
212	When ntpd is configured with rate limiting for all associations
213	(restrict default limited in ntp.conf), the limits are applied
214	also to responses received from its configured sources. An
215	attacker who knows the sources (e.g., from an IPv4 refid in
216	server response) and knows the system is (mis)configured in this
217	way can periodically send packets with spoofed source address to
218	keep the rate limiting activated and prevent ntpd from accepting
219	valid responses from its sources.
220
221	While this blanket rate limiting can be useful to prevent
222	brute-force attacks on the origin timestamp, it allows this DoS
223	attack. Similarly, it allows the attacker to prevent mobilization
224	of ephemeral associations.
225   Mitigation:
226        Implement BCP-38.
227        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
228	    or the NTP Public Services Project Download Page
229        Properly monitor your ntpd instances, and auto-restart ntpd
230	    (without -g) if it stops running.
231   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
232
233* Fix for bug 2085 broke initial sync calculations
234   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
235   References: Sec 3067 / CVE-2016-7433 / VU#633847
236   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
237	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
238	root-distance calculation in general is incorrect in all versions
239	of ntp-4 until this release.
240   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
241   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
242   Summary:
243	Bug 2085 described a condition where the root delay was included
244	twice, causing the jitter value to be higher than expected. Due
245	to a misinterpretation of a small-print variable in The Book, the
246	fix for this problem was incorrect, resulting in a root distance
247	that did not include the peer dispersion. The calculations and
248	formulae have been reviewed and reconciled, and the code has been
249	updated accordingly.
250   Mitigation:
251        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
252	    or the NTP Public Services Project Download Page
253        Properly monitor your ntpd instances, and auto-restart ntpd
254	    (without -g) if it stops running.
255   Credit: This weakness was discovered independently by Brian Utterback of
256	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
257
258Other fixes:
259
260* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
261* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
262* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
263  - moved retry decision where it belongs. <perlinger@ntp.org>
264* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
265  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
266* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
267* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
268  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
269* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
270  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
271  - added shim layer for SSL API calls with issues (both directions)
272* [Bug 3089] Serial Parser does not work anymore for hopfser like device
273  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
274* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
275* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
276  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
277* [Bug 3067] Root distance calculation needs improvement.  HStenn
278* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
279  - PPS-HACK works again.
280* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
281  - applied patch by Brian Utterback <brian.utterback@oracle.com>
282* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
283* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
284  <perlinger@ntp.org>
285  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
286* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
287  - Patch provided by Kuramatsu.
288* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
289  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
290* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
291* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
292* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
293* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
294  - fixed GPS week expansion to work based on build date. Special thanks
295    to Craig Leres for initial patch and testing.
296* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
297  - fixed Makefile.am <perlinger@ntp.org>
298* [Bug 2689] ATOM driver processes last PPS pulse at startup,
299             even if it is very old <perlinger@ntp.org>
300  - make sure PPS source is alive before processing samples
301  - improve stability close to the 500ms phase jump (phase gate)
302* Fix typos in include/ntp.h.
303* Shim X509_get_signature_nid() if needed
304* git author attribution cleanup
305* bk ignore file cleanup
306* remove locks in Windows IO, use rpc-like thread synchronisation instead
307
308---
309NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
310
311Focus: Security, Bug fixes, enhancements.
312
313Severity: HIGH
314
315In addition to bug fixes and enhancements, this release fixes the
316following 1 high- and 4 low-severity vulnerabilities:
317
318* CRYPTO_NAK crash
319   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
320   References: Sec 3046 / CVE-2016-4957 / VU#321640
321   Affects: ntp-4.2.8p7, and ntp-4.3.92.
322   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
323   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
324   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
325	could cause ntpd to crash.
326   Mitigation:
327        Implement BCP-38.
328        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
329	    or the NTP Public Services Project Download Page
330        If you cannot upgrade from 4.2.8p7, the only other alternatives
331	    are to patch your code or filter CRYPTO_NAK packets.
332        Properly monitor your ntpd instances, and auto-restart ntpd
333	    (without -g) if it stops running.
334   Credit: This weakness was discovered by Nicolas Edet of Cisco.
335
336* Bad authentication demobilizes ephemeral associations
337   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
338   References: Sec 3045 / CVE-2016-4953 / VU#321640
339   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
340	ntp-4.3.0 up to, but not including ntp-4.3.93.
341   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
342   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
343   Summary: An attacker who knows the origin timestamp and can send a
344	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
345	target before any other response is sent can demobilize that
346	association.
347   Mitigation:
348	Implement BCP-38.
349	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
350	    or the NTP Public Services Project Download Page
351	Properly monitor your ntpd instances.
352	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
353
354* Processing spoofed server packets
355   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
356   References: Sec 3044 / CVE-2016-4954 / VU#321640
357   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
358	ntp-4.3.0 up to, but not including ntp-4.3.93.
359   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
360   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
361   Summary: An attacker who is able to spoof packets with correct origin
362	timestamps from enough servers before the expected response
363	packets arrive at the target machine can affect some peer
364	variables and, for example, cause a false leap indication to be set.
365   Mitigation:
366	Implement BCP-38.
367	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
368	    or the NTP Public Services Project Download Page
369	Properly monitor your ntpd instances.
370   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
371
372* Autokey association reset
373   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
374   References: Sec 3043 / CVE-2016-4955 / VU#321640
375   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
376	ntp-4.3.0 up to, but not including ntp-4.3.93.
377   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
378   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
379   Summary: An attacker who is able to spoof a packet with a correct
380	origin timestamp before the expected response packet arrives at
381	the target machine can send a CRYPTO_NAK or a bad MAC and cause
382	the association's peer variables to be cleared. If this can be
383	done often enough, it will prevent that association from working.
384   Mitigation:
385	Implement BCP-38.
386	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
387	    or the NTP Public Services Project Download Page
388	Properly monitor your ntpd instances.
389   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
390
391* Broadcast interleave
392   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
393   References: Sec 3042 / CVE-2016-4956 / VU#321640
394   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
395   	ntp-4.3.0 up to, but not including ntp-4.3.93.
396   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
397   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
398   Summary: The fix for NtpBug2978 does not cover broadcast associations,
399   	so broadcast clients can be triggered to flip into interleave mode.
400   Mitigation:
401	Implement BCP-38.
402	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
403	    or the NTP Public Services Project Download Page
404	Properly monitor your ntpd instances.
405   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
406
407Other fixes:
408* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
409  - provide build environment
410  - 'wint_t' and 'struct timespec' defined by VS2015
411  - fixed print()/scanf() format issues
412* [Bug 3052] Add a .gitignore file.  Edmund Wong.
413* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
414* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
415  JPerlinger, HStenn.
416* Fix typo in ntp-wait and plot_summary.  HStenn.
417* Make sure we have an "author" file for git imports.  HStenn.
418* Update the sntp problem tests for MacOS.  HStenn.
419
420---
421NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
422
423Focus: Security, Bug fixes, enhancements.
424
425Severity: MEDIUM
426
427When building NTP from source, there is a new configure option
428available, --enable-dynamic-interleave.  More information on this below.
429
430Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
431versions of ntp.  These events have almost certainly happened in the
432past, it's just that they were silently counted and not logged.  With
433the increasing awareness around security, we feel it's better to clearly
434log these events to help detect abusive behavior.  This increased
435logging can also help detect other problems, too.
436
437In addition to bug fixes and enhancements, this release fixes the
438following 9 low- and medium-severity vulnerabilities:
439
440* Improve NTP security against buffer comparison timing attacks,
441  AKA: authdecrypt-timing
442   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
443   References: Sec 2879 / CVE-2016-1550
444   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
445	4.3.0 up to, but not including 4.3.92
446   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
447   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
448   Summary: Packet authentication tests have been performed using
449	memcmp() or possibly bcmp(), and it is potentially possible
450	for a local or perhaps LAN-based attacker to send a packet with
451	an authentication payload and indirectly observe how much of
452	the digest has matched.
453   Mitigation:
454	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
455	    or the NTP Public Services Project Download Page.
456	Properly monitor your ntpd instances.
457   Credit: This weakness was discovered independently by Loganaden
458   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
459
460* Zero origin timestamp bypass: Additional KoD checks.
461   References: Sec 2945 / Sec 2901 / CVE-2015-8138
462   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
463   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
464
465* peer associations were broken by the fix for NtpBug2899
466   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
467   References: Sec 2952 / CVE-2015-7704
468   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
469   	4.3.0 up to, but not including 4.3.92
470   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
471   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
472   	associations did not address all of the issues.
473   Mitigation:
474        Implement BCP-38.
475        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
476	    or the NTP Public Services Project Download Page
477        If you can't upgrade, use "server" associations instead of
478	    "peer" associations.
479        Monitor your ntpd instances.
480   Credit: This problem was discovered by Michael Tatarinov.
481
482* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
483   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
484   References: Sec 3007 / CVE-2016-1547 / VU#718152
485   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
486	4.3.0 up to, but not including 4.3.92
487   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
488   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
489   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
490	off-path attacker can cause a preemptable client association to
491	be demobilized by sending a crypto NAK packet to a victim client
492	with a spoofed source address of an existing associated peer.
493	This is true even if authentication is enabled.
494
495	Furthermore, if the attacker keeps sending crypto NAK packets,
496	for example one every second, the victim never has a chance to
497	reestablish the association and synchronize time with that
498	legitimate server.
499
500	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
501	stringent checks are performed on incoming packets, but there
502	are still ways to exploit this vulnerability in versions before
503	ntp-4.2.8p7.
504   Mitigation:
505	Implement BCP-38.
506	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
507	    or the NTP Public Services Project Download Page
508	Properly monitor your =ntpd= instances
509   Credit: This weakness was discovered by Stephen Gray and
510   	Matthew Van Gundy of Cisco ASIG.
511
512* ctl_getitem() return value not always checked
513   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
514   References: Sec 3008 / CVE-2016-2519
515   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
516	4.3.0 up to, but not including 4.3.92
517   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
518   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
519   Summary: ntpq and ntpdc can be used to store and retrieve information
520   	in ntpd. It is possible to store a data value that is larger
521	than the size of the buffer that the ctl_getitem() function of
522	ntpd uses to report the return value. If the length of the
523	requested data value returned by ctl_getitem() is too large,
524	the value NULL is returned instead. There are 2 cases where the
525	return value from ctl_getitem() was not directly checked to make
526	sure it's not NULL, but there are subsequent INSIST() checks
527	that make sure the return value is not NULL. There are no data
528	values ordinarily stored in ntpd that would exceed this buffer
529	length. But if one has permission to store values and one stores
530	a value that is "too large", then ntpd will abort if an attempt
531	is made to read that oversized value.
532    Mitigation:
533        Implement BCP-38.
534        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
535	    or the NTP Public Services Project Download Page
536        Properly monitor your ntpd instances.
537    Credit: This weakness was discovered by Yihan Lian of the Cloud
538    	Security Team, Qihoo 360.
539
540* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
541   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
542   References: Sec 3009 / CVE-2016-2518 / VU#718152
543   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
544	4.3.0 up to, but not including 4.3.92
545   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
546   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
547   Summary: Using a crafted packet to create a peer association with
548   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
549	out-of-bounds reference.
550   Mitigation:
551	Implement BCP-38.
552	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
553	    or the NTP Public Services Project Download Page
554	Properly monitor your ntpd instances
555   Credit: This weakness was discovered by Yihan Lian of the Cloud
556   	Security Team, Qihoo 360.
557
558* remote configuration trustedkey/requestkey/controlkey values are not
559	properly validated
560   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
561   References: Sec 3010 / CVE-2016-2517 / VU#718152
562   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
563	4.3.0 up to, but not including 4.3.92
564   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
565   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
566   Summary: If ntpd was expressly configured to allow for remote
567   	configuration, a malicious user who knows the controlkey for
568	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
569	can create a session with ntpd and then send a crafted packet to
570	ntpd that will change the value of the trustedkey, controlkey,
571	or requestkey to a value that will prevent any subsequent
572	authentication with ntpd until ntpd is restarted.
573   Mitigation:
574	Implement BCP-38.
575	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
576	    or the NTP Public Services Project Download Page
577	Properly monitor your =ntpd= instances
578   Credit: This weakness was discovered by Yihan Lian of the Cloud
579   	Security Team, Qihoo 360.
580
581* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
582   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
583   References: Sec 3011 / CVE-2016-2516 / VU#718152
584   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
585   	4.3.0 up to, but not including 4.3.92
586   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
587   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
588   Summary: If ntpd was expressly configured to allow for remote
589   	configuration, a malicious user who knows the controlkey for
590	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
591	can create a session with ntpd and if an existing association is
592	unconfigured using the same IP twice on the unconfig directive
593	line, ntpd will abort.
594   Mitigation:
595	Implement BCP-38.
596	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
597	    or the NTP Public Services Project Download Page
598	Properly monitor your ntpd instances
599   Credit: This weakness was discovered by Yihan Lian of the Cloud
600   	Security Team, Qihoo 360.
601
602* Refclock impersonation vulnerability
603   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
604   References: Sec 3020 / CVE-2016-1551
605   Affects: On a very limited number of OSes, all NTP releases up to but
606	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
607	By "very limited number of OSes" we mean no general-purpose OSes
608	have yet been identified that have this vulnerability.
609   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
610   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
611   Summary: While most OSes implement martian packet filtering in their
612   	network stack, at least regarding 127.0.0.0/8, some will allow
613	packets claiming to be from 127.0.0.0/8 that arrive over a
614	physical network. On these OSes, if ntpd is configured to use a
615	reference clock an attacker can inject packets over the network
616	that look like they are coming from that reference clock.
617   Mitigation:
618        Implement martian packet filtering and BCP-38.
619        Configure ntpd to use an adequate number of time sources.
620        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
621	    or the NTP Public Services Project Download Page
622        If you are unable to upgrade and if you are running an OS that
623	    has this vulnerability, implement martian packet filters and
624	    lobby your OS vendor to fix this problem, or run your
625	    refclocks on computers that use OSes that are not vulnerable
626	    to these attacks and have your vulnerable machines get their
627	    time from protected resources.
628        Properly monitor your ntpd instances.
629   Credit: This weakness was discovered by Matt Street and others of
630   	Cisco ASIG.
631
632The following issues were fixed in earlier releases and contain
633improvements in 4.2.8p7:
634
635* Clients that receive a KoD should validate the origin timestamp field.
636   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
637   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
638   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
639
640* Skeleton key: passive server with trusted key can serve time.
641   References: Sec 2936 / CVE-2015-7974
642   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
643   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
644
645Two other vulnerabilities have been reported, and the mitigations
646for these are as follows:
647
648* Interleave-pivot
649   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
650   References: Sec 2978 / CVE-2016-1548
651   Affects: All ntp-4 releases.
652   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
653   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
654   Summary: It is possible to change the time of an ntpd client or deny
655   	service to an ntpd client by forcing it to change from basic
656	client/server mode to interleaved symmetric mode. An attacker
657	can spoof a packet from a legitimate ntpd server with an origin
658	timestamp that matches the peer->dst timestamp recorded for that
659	server. After making this switch, the client will reject all
660	future legitimate server responses. It is possible to force the
661	victim client to move time after the mode has been changed.
662	ntpq gives no indication that the mode has been switched.
663   Mitigation:
664        Implement BCP-38.
665        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
666	    or the NTP Public Services Project Download Page.  These
667	    versions will not dynamically "flip" into interleave mode
668	    unless configured to do so.
669        Properly monitor your ntpd instances.
670   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
671   	and separately by Jonathan Gardner of Cisco ASIG.
672
673* Sybil vulnerability: ephemeral association attack
674   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
675   References: Sec 3012 / CVE-2016-1549
676   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
677   	4.3.0 up to, but not including 4.3.92
678   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
679   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
680   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
681   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
682	field in the ntp.keys file to specify which IPs can serve time,
683	a malicious authenticated peer can create arbitrarily-many
684	ephemeral associations in order to win the clock selection of
685	ntpd and modify a victim's clock.
686   Mitigation:
687        Implement BCP-38.
688        Use the 4th field in the ntp.keys file to specify which IPs
689	    can be time servers.
690        Properly monitor your ntpd instances.
691   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
692
693Other fixes:
694
695* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
696  - fixed yet another race condition in the threaded resolver code.
697* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
698* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
699  - integrated patches by Loganaden Velvidron <logan@ntp.org>
700    with some modifications & unit tests
701* [Bug 2960] async name resolution fixes for chroot() environments.
702  Reinhard Max.
703* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
704* [Bug 2995] Fixes to compile on Windows
705* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
706* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
707  - Patch provided by Ch. Weisgerber
708* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
709  - A change related to [Bug 2853] forbids trailing white space in
710    remote config commands. perlinger@ntp.org
711* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
712  - report and patch from Aleksandr Kostikov.
713  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
714* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
715  - fixed memory leak in access list (auth[read]keys.c)
716  - refactored handling of key access lists (auth[read]keys.c)
717  - reduced number of error branches (authreadkeys.c)
718* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
719* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
720* [Bug 3031] ntp broadcastclient unable to synchronize to an server
721             when the time of server changed. perlinger@ntp.org
722  - Check the initial delay calculation and reject/unpeer the broadcast
723    server if the delay exceeds 50ms. Retry again after the next
724    broadcast packet.
725* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
726* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
727* Update html/xleave.html documentation.  Harlan Stenn.
728* Update ntp.conf documentation.  Harlan Stenn.
729* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
730* Fix typo in html/monopt.html.  Harlan Stenn.
731* Add README.pullrequests.  Harlan Stenn.
732* Cleanup to include/ntp.h.  Harlan Stenn.
733
734New option to 'configure':
735
736While looking in to the issues around Bug 2978, the "interleave pivot"
737issue, it became clear that there are some intricate and unresolved
738issues with interleave operations.  We also realized that the interleave
739protocol was never added to the NTPv4 Standard, and it should have been.
740
741Interleave mode was first released in July of 2008, and can be engaged
742in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
743contain the 'xleave' option, which will expressly enable interlave mode
744for that association.  Additionally, if a time packet arrives and is
745found inconsistent with normal protocol behavior but has certain
746characteristics that are compatible with interleave mode, NTP will
747dynamically switch to interleave mode.  With sufficient knowledge, an
748attacker can send a crafted forged packet to an NTP instance that
749triggers only one side to enter interleaved mode.
750
751To prevent this attack until we can thoroughly document, describe,
752fix, and test the dynamic interleave mode, we've added a new
753'configure' option to the build process:
754
755 --enable-dynamic-interleave
756
757This option controls whether or not NTP will, if conditions are right,
758engage dynamic interleave mode.  Dynamic interleave mode is disabled by
759default in ntp-4.2.8p7.
760
761---
762NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
763
764Focus: Security, Bug fixes, enhancements.
765
766Severity: MEDIUM
767
768In addition to bug fixes and enhancements, this release fixes the
769following 1 low- and 8 medium-severity vulnerabilities:
770
771* Potential Infinite Loop in 'ntpq'
772   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
773   References: Sec 2548 / CVE-2015-8158
774   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
775	4.3.0 up to, but not including 4.3.90
776   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
777   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
778   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
779	The loop's only stopping conditions are receiving a complete and
780	correct response or hitting a small number of error conditions.
781	If the packet contains incorrect values that don't trigger one of
782	the error conditions, the loop continues to receive new packets.
783	Note well, this is an attack against an instance of 'ntpq', not
784	'ntpd', and this attack requires the attacker to do one of the
785	following:
786	* Own a malicious NTP server that the client trusts
787	* Prevent a legitimate NTP server from sending packets to
788	    the 'ntpq' client
789	* MITM the 'ntpq' communications between the 'ntpq' client
790	    and the NTP server
791   Mitigation:
792	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
793	or the NTP Public Services Project Download Page
794   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
795
796* 0rigin: Zero Origin Timestamp Bypass
797   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
798   References: Sec 2945 / CVE-2015-8138
799   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
800	4.3.0 up to, but not including 4.3.90
801   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
802   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
803	(3.7 - LOW if you score AC:L)
804   Summary: To distinguish legitimate peer responses from forgeries, a
805	client attempts to verify a response packet by ensuring that the
806	origin timestamp in the packet matches the origin timestamp it
807	transmitted in its last request.  A logic error exists that
808	allows packets with an origin timestamp of zero to bypass this
809	check whenever there is not an outstanding request to the server.
810   Mitigation:
811	Configure 'ntpd' to get time from multiple sources.
812	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
813	    or the NTP Public Services Project Download Page.
814	Monitor your 'ntpd= instances.
815   Credit: This weakness was discovered by Matthey Van Gundy and
816	Jonathan Gardner of Cisco ASIG.
817
818* Stack exhaustion in recursive traversal of restriction list
819   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
820   References: Sec 2940 / CVE-2015-7978
821   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
822	4.3.0 up to, but not including 4.3.90
823   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
824   Summary: An unauthenticated 'ntpdc reslist' command can cause a
825   	segmentation fault in ntpd by exhausting the call stack.
826   Mitigation:
827	Implement BCP-38.
828	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
829	    or the NTP Public Services Project Download Page.
830	If you are unable to upgrade:
831            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
832	    If you must enable mode 7:
833		configure the use of a 'requestkey' to control who can
834		    issue mode 7 requests.
835		configure 'restrict noquery' to further limit mode 7
836		    requests to trusted sources.
837		Monitor your ntpd instances.
838   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
839
840* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
841   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
842   References: Sec 2942 / CVE-2015-7979
843   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
844	4.3.0 up to, but not including 4.3.90
845   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
846   Summary: An off-path attacker can send broadcast packets with bad
847	authentication (wrong key, mismatched key, incorrect MAC, etc)
848	to broadcast clients. It is observed that the broadcast client
849	tears down the association with the broadcast server upon
850	receiving just one bad packet.
851   Mitigation:
852	Implement BCP-38.
853	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
854	or the NTP Public Services Project Download Page.
855	Monitor your 'ntpd' instances.
856	If this sort of attack is an active problem for you, you have
857	    deeper problems to investigate.  In this case also consider
858	    having smaller NTP broadcast domains.
859   Credit: This weakness was discovered by Aanchal Malhotra of Boston
860   	University.
861
862* reslist NULL pointer dereference
863   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
864   References: Sec 2939 / CVE-2015-7977
865   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
866	4.3.0 up to, but not including 4.3.90
867   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
868   Summary: An unauthenticated 'ntpdc reslist' command can cause a
869	segmentation fault in ntpd by causing a NULL pointer dereference.
870   Mitigation:
871	Implement BCP-38.
872	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
873	the NTP Public Services Project Download Page.
874	If you are unable to upgrade:
875	    mode 7 is disabled by default.  Don't enable it.
876	    If you must enable mode 7:
877		configure the use of a 'requestkey' to control who can
878		    issue mode 7 requests.
879		configure 'restrict noquery' to further limit mode 7
880		    requests to trusted sources.
881	Monitor your ntpd instances.
882   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
883
884* 'ntpq saveconfig' command allows dangerous characters in filenames.
885   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
886   References: Sec 2938 / CVE-2015-7976
887   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
888	4.3.0 up to, but not including 4.3.90
889   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
890   Summary: The ntpq saveconfig command does not do adequate filtering
891   	of special characters from the supplied filename.
892	Note well: The ability to use the saveconfig command is controlled
893	by the 'restrict nomodify' directive, and the recommended default
894	configuration is to disable this capability.  If the ability to
895	execute a 'saveconfig' is required, it can easily (and should) be
896	limited and restricted to a known small number of IP addresses.
897   Mitigation:
898	Implement BCP-38.
899	use 'restrict default nomodify' in your 'ntp.conf' file.
900	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
901	If you are unable to upgrade:
902	    build NTP with 'configure --disable-saveconfig' if you will
903	    	never need this capability, or
904	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
905		careful about what IPs have the ability to send 'modify'
906		requests to 'ntpd'.
907	Monitor your ntpd instances.
908	'saveconfig' requests are logged to syslog - monitor your syslog files.
909   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
910
911* nextvar() missing length check in ntpq
912   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
913   References: Sec 2937 / CVE-2015-7975
914   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
915	4.3.0 up to, but not including 4.3.90
916   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
917	If you score A:C, this becomes 4.0.
918   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
919   Summary: ntpq may call nextvar() which executes a memcpy() into the
920	name buffer without a proper length check against its maximum
921	length of 256 bytes. Note well that we're taking about ntpq here.
922	The usual worst-case effect of this vulnerability is that the
923	specific instance of ntpq will crash and the person or process
924	that did this will have stopped themselves.
925   Mitigation:
926	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
927	    or the NTP Public Services Project Download Page.
928	If you are unable to upgrade:
929	    If you have scripts that feed input to ntpq make sure there are
930		some sanity checks on the input received from the "outside".
931	    This is potentially more dangerous if ntpq is run as root.
932   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
933
934* Skeleton Key: Any trusted key system can serve time
935   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
936   References: Sec 2936 / CVE-2015-7974
937   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
938	4.3.0 up to, but not including 4.3.90
939   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
940   Summary: Symmetric key encryption uses a shared trusted key. The
941	reported title for this issue was "Missing key check allows
942	impersonation between authenticated peers" and the report claimed
943	"A key specified only for one server should only work to
944	authenticate that server, other trusted keys should be refused."
945	Except there has never been any correlation between this trusted
946	key and server v. clients machines and there has never been any
947	way to specify a key only for one server. We have treated this as
948	an enhancement request, and ntp-4.2.8p6 includes other checks and
949	tests to strengthen clients against attacks coming from broadcast
950	servers.
951   Mitigation:
952	Implement BCP-38.
953	If this scenario represents a real or a potential issue for you,
954	    upgrade to 4.2.8p6, or later, from the NTP Project Download
955	    Page or the NTP Public Services Project Download Page, and
956	    use the new field in the ntp.keys file that specifies the list
957	    of IPs that are allowed to serve time. Note that this alone
958	    will not protect against time packets with forged source IP
959	    addresses, however other changes in ntp-4.2.8p6 provide
960	    significant mitigation against broadcast attacks. MITM attacks
961	    are a different story.
962	If you are unable to upgrade:
963	    Don't use broadcast mode if you cannot monitor your client
964	    	servers.
965	    If you choose to use symmetric keys to authenticate time
966	    	packets in a hostile environment where ephemeral time
967		servers can be created, or if it is expected that malicious
968		time servers will participate in an NTP broadcast domain,
969		limit the number of participating systems that participate
970		in the shared-key group.
971	Monitor your ntpd instances.
972   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
973
974* Deja Vu: Replay attack on authenticated broadcast mode
975   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
976   References: Sec 2935 / CVE-2015-7973
977   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
978   	4.3.0 up to, but not including 4.3.90
979   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
980   Summary: If an NTP network is configured for broadcast operations then
981   	either a man-in-the-middle attacker or a malicious participant
982	that has the same trusted keys as the victim can replay time packets.
983   Mitigation:
984	Implement BCP-38.
985	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
986	    or the NTP Public Services Project Download Page.
987	If you are unable to upgrade:
988	    Don't use broadcast mode if you cannot monitor your client servers.
989	Monitor your ntpd instances.
990   Credit: This weakness was discovered by Aanchal Malhotra of Boston
991	University.
992
993Other fixes:
994
995* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
996* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
997  - applied patch by shenpeng11@huawei.com with minor adjustments
998* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
999* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1000* [Bug 2892] Several test cases assume IPv6 capabilities even when
1001             IPv6 is disabled in the build. perlinger@ntp.org
1002  - Found this already fixed, but validation led to cleanup actions.
1003* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1004  - added limits to stack consumption, fixed some return code handling
1005* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1006  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1007  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
1008* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1009  - integrated several patches from Havard Eidnes (he@uninett.no)
1010* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1011  - implement 'auth_log2()' using integer bithack instead of float calculation
1012* Make leapsec_query debug messages less verbose.  Harlan Stenn.
1013
1014---
1015NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1016
1017Focus: Security, Bug fixes, enhancements.
1018
1019Severity: MEDIUM
1020
1021In addition to bug fixes and enhancements, this release fixes the
1022following medium-severity vulnerability:
1023
1024* Small-step/big-step.  Close the panic gate earlier.
1025    References: Sec 2956, CVE-2015-5300
1026    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1027	4.3.0 up to, but not including 4.3.78
1028    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1029    Summary: If ntpd is always started with the -g option, which is
1030	common and against long-standing recommendation, and if at the
1031	moment ntpd is restarted an attacker can immediately respond to
1032	enough requests from enough sources trusted by the target, which
1033	is difficult and not common, there is a window of opportunity
1034	where the attacker can cause ntpd to set the time to an
1035	arbitrary value. Similarly, if an attacker is able to respond
1036	to enough requests from enough sources trusted by the target,
1037	the attacker can cause ntpd to abort and restart, at which
1038	point it can tell the target to set the time to an arbitrary
1039	value if and only if ntpd was re-started against long-standing
1040	recommendation with the -g flag, or if ntpd was not given the
1041	-g flag, the attacker can move the target system's time by at
1042	most 900 seconds' time per attack.
1043    Mitigation:
1044	Configure ntpd to get time from multiple sources.
1045	Upgrade to 4.2.8p5, or later, from the NTP Project Download
1046	    Page or the NTP Public Services Project Download Page
1047	As we've long documented, only use the -g option to ntpd in
1048	    cold-start situations.
1049	Monitor your ntpd instances.
1050    Credit: This weakness was discovered by Aanchal Malhotra,
1051	Isaac E. Cohen, and Sharon Goldberg at Boston University.
1052
1053    NOTE WELL: The -g flag disables the limit check on the panic_gate
1054	in ntpd, which is 900 seconds by default. The bug identified by
1055	the researchers at Boston University is that the panic_gate
1056	check was only re-enabled after the first change to the system
1057	clock that was greater than 128 milliseconds, by default. The
1058	correct behavior is that the panic_gate check should be
1059	re-enabled after any initial time correction.
1060
1061	If an attacker is able to inject consistent but erroneous time
1062	responses to your systems via the network or "over the air",
1063	perhaps by spoofing radio, cellphone, or navigation satellite
1064	transmissions, they are in a great position to affect your
1065	system's clock. There comes a point where your very best
1066	defenses include:
1067
1068	    Configure ntpd to get time from multiple sources.
1069	    Monitor your ntpd instances.
1070
1071Other fixes:
1072
1073* Coverity submission process updated from Coverity 5 to Coverity 7.
1074  The NTP codebase has been undergoing regular Coverity scans on an
1075  ongoing basis since 2006.  As part of our recent upgrade from
1076  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1077  the newly-written Unity test programs.  These were fixed.
1078* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
1079* [Bug 2887] stratum -1 config results as showing value 99
1080  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1081* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
1082* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
1083* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1084  - applied patch by Christos Zoulas.  perlinger@ntp.org
1085* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1086* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1087  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1088  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1089* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1090  - accept key file only if there are no parsing errors
1091  - fixed size_t/u_int format clash
1092  - fixed wrong use of 'strlcpy'
1093* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1094* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
1095  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
1096  - promote use of 'size_t' for values that express a size
1097  - use ptr-to-const for read-only arguments
1098  - make sure SOCKET values are not truncated (win32-specific)
1099  - format string fixes
1100* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
1101* [Bug 2967] ntpdate command suffers an assertion failure
1102  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
1103* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
1104              lots of clients. perlinger@ntp.org
1105* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1106  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1107* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
1108* Unity test cleanup.  Harlan Stenn.
1109* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
1110* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
1111* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
1112* Quiet a warning from clang.  Harlan Stenn.
1113
1114---
1115NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
1116
1117Focus: Security, Bug fixes, enhancements.
1118
1119Severity: MEDIUM
1120
1121In addition to bug fixes and enhancements, this release fixes the
1122following 13 low- and medium-severity vulnerabilities:
1123
1124* Incomplete vallen (value length) checks in ntp_crypto.c, leading
1125  to potential crashes or potential code injection/information leakage.
1126
1127    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
1128    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1129    	and 4.3.0 up to, but not including 4.3.77
1130    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1131    Summary: The fix for CVE-2014-9750 was incomplete in that there were
1132    	certain code paths where a packet with particular autokey operations
1133	that contained malicious data was not always being completely
1134	validated. Receipt of these packets can cause ntpd to crash.
1135    Mitigation:
1136        Don't use autokey.
1137	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1138	    Page or the NTP Public Services Project Download Page
1139	Monitor your ntpd instances.
1140	Credit: This weakness was discovered by Tenable Network Security.
1141
1142* Clients that receive a KoD should validate the origin timestamp field.
1143
1144    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1145    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1146	and 4.3.0 up to, but not including 4.3.77
1147    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
1148    Summary: An ntpd client that honors Kiss-of-Death responses will honor
1149    	KoD messages that have been forged by an attacker, causing it to
1150	delay or stop querying its servers for time updates. Also, an
1151	attacker can forge packets that claim to be from the target and
1152	send them to servers often enough that a server that implements
1153	KoD rate limiting will send the target machine a KoD response to
1154	attempt to reduce the rate of incoming packets, or it may also
1155	trigger a firewall block at the server for packets from the target
1156	machine. For either of these attacks to succeed, the attacker must
1157	know what servers the target is communicating with. An attacker
1158	can be anywhere on the Internet and can frequently learn the
1159	identity of the target's time source by sending the target a
1160	time query.
1161    Mitigation:
1162        Implement BCP-38.
1163	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
1164	    or the NTP Public Services Project Download Page
1165	If you can't upgrade, restrict who can query ntpd to learn who
1166	    its servers are, and what IPs are allowed to ask your system
1167	    for the time. This mitigation is heavy-handed.
1168	Monitor your ntpd instances.
1169    Note:
1170    	4.2.8p4 protects against the first attack. For the second attack,
1171    	all we can do is warn when it is happening, which we do in 4.2.8p4.
1172    Credit: This weakness was discovered by Aanchal Malhotra,
1173    	Issac E. Cohen, and Sharon Goldberg of Boston University.
1174
1175* configuration directives to change "pidfile" and "driftfile" should
1176  only be allowed locally.
1177
1178  References: Sec 2902 / CVE-2015-5196
1179  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1180	and 4.3.0 up to, but not including 4.3.77
1181   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
1182   Summary: If ntpd is configured to allow for remote configuration,
1183	and if the (possibly spoofed) source IP address is allowed to
1184	send remote configuration requests, and if the attacker knows
1185	the remote configuration password, it's possible for an attacker
1186	to use the "pidfile" or "driftfile" directives to potentially
1187	overwrite other files.
1188   Mitigation:
1189	Implement BCP-38.
1190	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1191	    Page or the NTP Public Services Project Download Page
1192	If you cannot upgrade, don't enable remote configuration.
1193	If you must enable remote configuration and cannot upgrade,
1194	    remote configuration of NTF's ntpd requires:
1195	    - an explicitly configured trustedkey, and you should also
1196	    	configure a controlkey.
1197	    - access from a permitted IP. You choose the IPs.
1198	    - authentication. Don't disable it. Practice secure key safety.
1199	Monitor your ntpd instances.
1200   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1201
1202* Slow memory leak in CRYPTO_ASSOC
1203
1204  References: Sec 2909 / CVE-2015-7701
1205  Affects: All ntp-4 releases that use autokey up to, but not
1206    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1207  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
1208  	4.6 otherwise
1209  Summary: If ntpd is configured to use autokey, then an attacker can
1210	send packets to ntpd that will, after several days of ongoing
1211	attack, cause it to run out of memory.
1212  Mitigation:
1213	Don't use autokey.
1214	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1215	    Page or the NTP Public Services Project Download Page
1216	Monitor your ntpd instances.
1217  Credit: This weakness was discovered by Tenable Network Security.
1218
1219* mode 7 loop counter underrun
1220
1221  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
1222  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1223  	and 4.3.0 up to, but not including 4.3.77
1224  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
1225  Summary: If ntpd is configured to enable mode 7 packets, and if the
1226	use of mode 7 packets is not properly protected thru the use of
1227	the available mode 7 authentication and restriction mechanisms,
1228	and if the (possibly spoofed) source IP address is allowed to
1229	send mode 7 queries, then an attacker can send a crafted packet
1230	to ntpd that will cause it to crash.
1231  Mitigation:
1232	Implement BCP-38.
1233	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1234	    Page or the NTP Public Services Project Download Page.
1235	      If you are unable to upgrade:
1236	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1237	If you must enable mode 7:
1238	    configure the use of a requestkey to control who can issue
1239		mode 7 requests.
1240	    configure restrict noquery to further limit mode 7 requests
1241		to trusted sources.
1242	Monitor your ntpd instances.
1243Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
1244
1245* memory corruption in password store
1246
1247  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
1248  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1249  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
1250  Summary: If ntpd is configured to allow remote configuration, and if
1251	the (possibly spoofed) source IP address is allowed to send
1252	remote configuration requests, and if the attacker knows the
1253	remote configuration password or if ntpd was configured to
1254	disable authentication, then an attacker can send a set of
1255	packets to ntpd that may cause a crash or theoretically
1256	perform a code injection attack.
1257  Mitigation:
1258	Implement BCP-38.
1259	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1260	    Page or the NTP Public Services Project Download Page.
1261	If you are unable to upgrade, remote configuration of NTF's
1262	    ntpd requires:
1263		an explicitly configured "trusted" key. Only configure
1264			this if you need it.
1265		access from a permitted IP address. You choose the IPs.
1266		authentication. Don't disable it. Practice secure key safety.
1267	Monitor your ntpd instances.
1268  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1269
1270* Infinite loop if extended logging enabled and the logfile and
1271  keyfile are the same.
1272
1273    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
1274    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
1275	and 4.3.0 up to, but not including 4.3.77
1276    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1277    Summary: If ntpd is configured to allow remote configuration, and if
1278	the (possibly spoofed) source IP address is allowed to send
1279	remote configuration requests, and if the attacker knows the
1280	remote configuration password or if ntpd was configured to
1281	disable authentication, then an attacker can send a set of
1282	packets to ntpd that will cause it to crash and/or create a
1283	potentially huge log file. Specifically, the attacker could
1284	enable extended logging, point the key file at the log file,
1285	and cause what amounts to an infinite loop.
1286    Mitigation:
1287	Implement BCP-38.
1288	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1289	    Page or the NTP Public Services Project Download Page.
1290	If you are unable to upgrade, remote configuration of NTF's ntpd
1291	  requires:
1292            an explicitly configured "trusted" key. Only configure this
1293	    	if you need it.
1294            access from a permitted IP address. You choose the IPs.
1295            authentication. Don't disable it. Practice secure key safety.
1296        Monitor your ntpd instances.
1297    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1298
1299* Potential path traversal vulnerability in the config file saving of
1300  ntpd on VMS.
1301
1302  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
1303  Affects: All ntp-4 releases running under VMS up to, but not
1304	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1305  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
1306  Summary: If ntpd is configured to allow remote configuration, and if
1307	the (possibly spoofed) IP address is allowed to send remote
1308	configuration requests, and if the attacker knows the remote
1309	configuration password or if ntpd was configured to disable
1310	authentication, then an attacker can send a set of packets to
1311	ntpd that may cause ntpd to overwrite files.
1312  Mitigation:
1313	Implement BCP-38.
1314	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1315	    Page or the NTP Public Services Project Download Page.
1316	If you are unable to upgrade, remote configuration of NTF's ntpd
1317	    requires:
1318		an explicitly configured "trusted" key. Only configure
1319			this if you need it.
1320		access from permitted IP addresses. You choose the IPs.
1321		authentication. Don't disable it. Practice key security safety.
1322        Monitor your ntpd instances.
1323    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1324
1325* ntpq atoascii() potential memory corruption
1326
1327  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
1328  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
1329	and 4.3.0 up to, but not including 4.3.77
1330  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
1331  Summary: If an attacker can figure out the precise moment that ntpq
1332	is listening for data and the port number it is listening on or
1333	if the attacker can provide a malicious instance ntpd that
1334	victims will connect to then an attacker can send a set of
1335	crafted mode 6 response packets that, if received by ntpq,
1336	can cause ntpq to crash.
1337  Mitigation:
1338	Implement BCP-38.
1339	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1340	    Page or the NTP Public Services Project Download Page.
1341	If you are unable to upgrade and you run ntpq against a server
1342	    and ntpq crashes, try again using raw mode. Build or get a
1343	    patched ntpq and see if that fixes the problem. Report new
1344	    bugs in ntpq or abusive servers appropriately.
1345	If you use ntpq in scripts, make sure ntpq does what you expect
1346	    in your scripts.
1347  Credit: This weakness was discovered by Yves Younan and
1348  	Aleksander Nikolich of Cisco Talos.
1349
1350* Invalid length data provided by a custom refclock driver could cause
1351  a buffer overflow.
1352
1353  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
1354  Affects: Potentially all ntp-4 releases running up to, but not
1355	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
1356	that have custom refclocks
1357  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
1358	5.9 unusual worst case
1359  Summary: A negative value for the datalen parameter will overflow a
1360	data buffer. NTF's ntpd driver implementations always set this
1361	value to 0 and are therefore not vulnerable to this weakness.
1362	If you are running a custom refclock driver in ntpd and that
1363	driver supplies a negative value for datalen (no custom driver
1364	of even minimal competence would do this) then ntpd would
1365	overflow a data buffer. It is even hypothetically possible
1366	in this case that instead of simply crashing ntpd the attacker
1367	could effect a code injection attack.
1368  Mitigation:
1369	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1370	    Page or the NTP Public Services Project Download Page.
1371	If you are unable to upgrade:
1372		If you are running custom refclock drivers, make sure
1373			the signed datalen value is either zero or positive.
1374	Monitor your ntpd instances.
1375  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
1376
1377* Password Length Memory Corruption Vulnerability
1378
1379  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
1380  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1381  	4.3.0 up to, but not including 4.3.77
1382  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1383  	1.7 usual case, 6.8, worst case
1384  Summary: If ntpd is configured to allow remote configuration, and if
1385	the (possibly spoofed) source IP address is allowed to send
1386	remote configuration requests, and if the attacker knows the
1387	remote configuration password or if ntpd was (foolishly)
1388	configured to disable authentication, then an attacker can
1389	send a set of packets to ntpd that may cause it to crash,
1390	with the hypothetical possibility of a small code injection.
1391  Mitigation:
1392	Implement BCP-38.
1393	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1394	    Page or the NTP Public Services Project Download Page.
1395	If you are unable to upgrade, remote configuration of NTF's
1396	    ntpd requires:
1397		an explicitly configured "trusted" key. Only configure
1398			this if you need it.
1399		access from a permitted IP address. You choose the IPs.
1400		authentication. Don't disable it. Practice secure key safety.
1401	Monitor your ntpd instances.
1402  Credit: This weakness was discovered by Yves Younan and
1403  	Aleksander Nikolich of Cisco Talos.
1404
1405* decodenetnum() will ASSERT botch instead of returning FAIL on some
1406  bogus values.
1407
1408  References: Sec 2922 / CVE-2015-7855
1409  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
1410	4.3.0 up to, but not including 4.3.77
1411  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
1412  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
1413	an unusually long data value where a network address is expected,
1414	the decodenetnum() function will abort with an assertion failure
1415	instead of simply returning a failure condition.
1416  Mitigation:
1417	Implement BCP-38.
1418	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1419	    Page or the NTP Public Services Project Download Page.
1420	If you are unable to upgrade:
1421		mode 7 is disabled by default. Don't enable it.
1422		Use restrict noquery to limit who can send mode 6
1423			and mode 7 requests.
1424		Configure and use the controlkey and requestkey
1425			authentication directives to limit who can
1426			send mode 6 and mode 7 requests.
1427	Monitor your ntpd instances.
1428  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1429
1430* NAK to the Future: Symmetric association authentication bypass via
1431  crypto-NAK.
1432
1433  References: Sec 2941 / CVE-2015-7871
1434  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1435  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
1436  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1437  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1438	from unauthenticated ephemeral symmetric peers by bypassing the
1439	authentication required to mobilize peer associations. This
1440	vulnerability appears to have been introduced in ntp-4.2.5p186
1441	when the code handling mobilization of new passive symmetric
1442	associations (lines 1103-1165) was refactored.
1443  Mitigation:
1444	Implement BCP-38.
1445	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1446	    Page or the NTP Public Services Project Download Page.
1447	If you are unable to upgrade:
1448		Apply the patch to the bottom of the "authentic" check
1449			block around line 1136 of ntp_proto.c.
1450	Monitor your ntpd instances.
1451  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1452
1453Backward-Incompatible changes:
1454* [Bug 2817] Default on Linux is now "rlimit memlock -1".
1455  While the general default of 32M is still the case, under Linux
1456  the default value has been changed to -1 (do not lock ntpd into
1457  memory).  A value of 0 means "lock ntpd into memory with whatever
1458  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1459  value in it, that value will continue to be used.
1460
1461* [Bug 2886] Misspelling: "outlyer" should be "outlier".
1462  If you've written a script that looks for this case in, say, the
1463  output of ntpq, you probably want to change your regex matches
1464  from 'outlyer' to 'outl[iy]er'.
1465
1466New features in this release:
1467* 'rlimit memlock' now has finer-grained control.  A value of -1 means
1468  "don't lock ntpd into memore".  This is the default for Linux boxes.
1469  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
1470  the value is the number of megabytes of memory to lock.  The default
1471  is 32 megabytes.
1472
1473* The old Google Test framework has been replaced with a new framework,
1474  based on http://www.throwtheswitch.org/unity/ .
1475
1476Bug Fixes and Improvements:
1477* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1478  privileges and limiting resources in NTPD removes the need to link
1479  forcefully against 'libgcc_s' which does not always work. J.Perlinger
1480* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
1481* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
1482* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
1483* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
1484* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
1485* [Bug 2849] Systems with more than one default route may never
1486  synchronize.  Brian Utterback.  Note that this patch might need to
1487  be reverted once Bug 2043 has been fixed.
1488* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1489* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
1490* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1491* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
1492* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1493* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
1494  be configured for the distribution targets.  Harlan Stenn.
1495* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
1496* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
1497* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
1498* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
1499* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
1500* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
1501* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
1502* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
1503* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
1504* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
1505* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
1506* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
1507* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
1508* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
1509* sntp/tests/ function parameter list cleanup.  Damir Tomić.
1510* tests/libntp/ function parameter list cleanup.  Damir Tomić.
1511* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
1512* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
1513* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
1514* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
1515* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
1516* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1517  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1518  formatting; first declaration, then code (C90); deleted unnecessary comments;
1519  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1520* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1521  fix formatting, cleanup. Tomasz Flendrich
1522* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1523  Tomasz Flendrich
1524* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1525  fix formatting. Tomasz Flendrich
1526* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1527* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1528* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1529  Tomasz Flendrich
1530* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1531* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1532* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1533* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1534* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1535* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1536* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1537fixed formatting. Tomasz Flendrich
1538* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1539  removed unnecessary comments, cleanup. Tomasz Flendrich
1540* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1541  comments, cleanup. Tomasz Flendrich
1542* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1543  Tomasz Flendrich
1544* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
1545* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
1546* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
1547  Tomasz Flendrich
1548* sntp/tests/kodDatabase.c added consts, deleted empty function,
1549  fixed formatting. Tomasz Flendrich
1550* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
1551* sntp/tests/packetHandling.c is now using proper Unity's assertions,
1552  fixed formatting, deleted unused variable. Tomasz Flendrich
1553* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
1554  Tomasz Flendrich
1555* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
1556  fixed formatting. Tomasz Flendrich
1557* sntp/tests/utilities.c is now using proper Unity's assertions, changed
1558  the order of includes, fixed formatting, removed unnecessary comments.
1559  Tomasz Flendrich
1560* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
1561* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
1562  made one function do its job, deleted unnecessary prints, fixed formatting.
1563  Tomasz Flendrich
1564* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
1565* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
1566* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
1567* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
1568* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
1569* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
1570* Don't build sntp/libevent/sample/.  Harlan Stenn.
1571* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
1572* br-flock: --enable-local-libevent.  Harlan Stenn.
1573* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
1574* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
1575* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
1576* Code cleanup.  Harlan Stenn.
1577* libntp/icom.c: Typo fix.  Harlan Stenn.
1578* util/ntptime.c: initialization nit.  Harlan Stenn.
1579* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
1580* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
1581* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
1582  Tomasz Flendrich
1583* Changed progname to be const in many files - now it's consistent. Tomasz
1584  Flendrich
1585* Typo fix for GCC warning suppression.  Harlan Stenn.
1586* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
1587* Added declarations to all Unity tests, and did minor fixes to them.
1588  Reduced the number of warnings by half. Damir Tomić.
1589* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
1590  with the latest Unity updates from Mark. Damir Tomić.
1591* Retire google test - phase I.  Harlan Stenn.
1592* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
1593* Update the NEWS file.  Harlan Stenn.
1594* Autoconf cleanup.  Harlan Stenn.
1595* Unit test dist cleanup. Harlan Stenn.
1596* Cleanup various test Makefile.am files.  Harlan Stenn.
1597* Pthread autoconf macro cleanup.  Harlan Stenn.
1598* Fix progname definition in unity runner scripts.  Harlan Stenn.
1599* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
1600* Update the patch for bug 2817.  Harlan Stenn.
1601* More updates for bug 2817.  Harlan Stenn.
1602* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
1603* gcc on older HPUX may need +allowdups.  Harlan Stenn.
1604* Adding missing MCAST protection.  Harlan Stenn.
1605* Disable certain test programs on certain platforms.  Harlan Stenn.
1606* Implement --enable-problem-tests (on by default).  Harlan Stenn.
1607* build system tweaks.  Harlan Stenn.
1608
1609---
1610NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
1611
1612Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
1613
1614Severity: MEDIUM
1615
1616Security Fix:
1617
1618* [Sec 2853] Crafted remote config packet can crash some versions of
1619  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
1620
1621Under specific circumstances an attacker can send a crafted packet to
1622cause a vulnerable ntpd instance to crash. This requires each of the
1623following to be true:
1624
16251) ntpd set up to allow remote configuration (not allowed by default), and
16262) knowledge of the configuration password, and
16273) access to a computer entrusted to perform remote configuration.
1628
1629This vulnerability is considered low-risk.
1630
1631New features in this release:
1632
1633Optional (disabled by default) support to have ntpd provide smeared
1634leap second time.  A specially built and configured ntpd will only
1635offer smeared time in response to client packets.  These response
1636packets will also contain a "refid" of 254.a.b.c, where the 24 bits
1637of a, b, and c encode the amount of smear in a 2:22 integer:fraction
1638format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
1639information.
1640
1641   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
1642   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
1643
1644We've imported the Unity test framework, and have begun converting
1645the existing google-test items to this new framework.  If you want
1646to write new tests or change old ones, you'll need to have ruby
1647installed.  You don't need ruby to run the test suite.
1648
1649Bug Fixes and Improvements:
1650
1651* CID 739725: Fix a rare resource leak in libevent/listener.c.
1652* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
1653* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
1654* CID 1269537: Clean up a line of dead code in getShmTime().
1655* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
1656* [Bug 2590] autogen-5.18.5.
1657* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
1658  of 'limited'.
1659* [Bug 2650] fix includefile processing.
1660* [Bug 2745] ntpd -x steps clock on leap second
1661   Fixed an initial-value problem that caused misbehaviour in absence of
1662   any leapsecond information.
1663   Do leap second stepping only of the step adjustment is beyond the
1664   proper jump distance limit and step correction is allowed at all.
1665* [Bug 2750] build for Win64
1666  Building for 32bit of loopback ppsapi needs def file
1667* [Bug 2776] Improve ntpq's 'help keytype'.
1668* [Bug 2778] Implement "apeers"  ntpq command to include associd.
1669* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
1670* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
1671  interface is ignored as long as this flag is not set since the
1672  interface is not usable (e.g., no link).
1673* [Bug 2794] Clean up kernel clock status reports.
1674* [Bug 2800] refclock_true.c true_debug() can't open debug log because
1675  of incompatible open/fdopen parameters.
1676* [Bug 2804] install-local-data assumes GNU 'find' semantics.
1677* [Bug 2805] ntpd fails to join multicast group.
1678* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
1679* [Bug 2808] GPSD_JSON driver enhancements, step 1.
1680  Fix crash during cleanup if GPS device not present and char device.
1681  Increase internal token buffer to parse all JSON data, even SKY.
1682  Defer logging of errors during driver init until the first unit is
1683  started, so the syslog is not cluttered when the driver is not used.
1684  Various improvements, see http://bugs.ntp.org/2808 for details.
1685  Changed libjsmn to a more recent version.
1686* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
1687* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
1688* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
1689* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
1690* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
1691* [Bug 2824] Convert update-leap to perl. (also see 2769)
1692* [Bug 2825] Quiet file installation in html/ .
1693* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
1694   NTPD transfers the current TAI (instead of an announcement) now.
1695   This might still needed improvement.
1696   Update autokey data ASAP when 'sys_tai' changes.
1697   Fix unit test that was broken by changes for autokey update.
1698   Avoid potential signature length issue and use DPRINTF where possible
1699     in ntp_crypto.c.
1700* [Bug 2832] refclock_jjy.c supports the TDC-300.
1701* [Bug 2834] Correct a broken html tag in html/refclock.html
1702* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
1703  robust, and require 2 consecutive timestamps to be consistent.
1704* [Bug 2837] Allow a configurable DSCP value.
1705* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
1706* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
1707* [Bug 2842] Bug in mdoc2man.
1708* [Bug 2843] make check fails on 4.3.36
1709   Fixed compiler warnings about numeric range overflow
1710   (The original topic was fixed in a byplay to bug#2830)
1711* [Bug 2845] Harden memory allocation in ntpd.
1712* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
1713* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
1714* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
1715* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
1716* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
1717* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
1718* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
1719* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
1720* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
1721* html/drivers/driver22.html: typo fix.  Harlan Stenn.
1722* refidsmear test cleanup.  Tomasz Flendrich.
1723* refidsmear function support and tests.  Harlan Stenn.
1724* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
1725  something that was only in the 4.2.6 sntp.  Harlan Stenn.
1726* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
1727  Damir Tomić
1728* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
1729  Damir Tomić
1730* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
1731  Damir Tomić
1732* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
1733* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
1734* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
1735  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1736  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
1737  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
1738  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
1739  Damir Tomić
1740* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
1741  networking.c, keyFile.c, utilities.cpp, sntptest.h,
1742  fileHandlingTest.h. Damir Tomić
1743* Initial support for experimental leap smear code.  Harlan Stenn.
1744* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
1745* Report select() debug messages at debug level 3 now.
1746* sntp/scripts/genLocInfo: treat raspbian as debian.
1747* Unity test framework fixes.
1748  ** Requires ruby for changes to tests.
1749* Initial support for PACKAGE_VERSION tests.
1750* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
1751* tests/bug-2803/Makefile.am must distribute bug-2803.h.
1752* Add an assert to the ntpq ifstats code.
1753* Clean up the RLIMIT_STACK code.
1754* Improve the ntpq documentation around the controlkey keyid.
1755* ntpq.c cleanup.
1756* Windows port build cleanup.
1757
1758---
1759NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
1760
1761Focus: Security and Bug fixes, enhancements.
1762
1763Severity: MEDIUM
1764
1765In addition to bug fixes and enhancements, this release fixes the
1766following medium-severity vulnerabilities involving private key
1767authentication:
1768
1769* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1770
1771    References: Sec 2779 / CVE-2015-1798 / VU#374268
1772    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
1773	including ntp-4.2.8p2 where the installation uses symmetric keys
1774	to authenticate remote associations.
1775    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1776    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1777    Summary: When ntpd is configured to use a symmetric key to authenticate
1778	a remote NTP server/peer, it checks if the NTP message
1779	authentication code (MAC) in received packets is valid, but not if
1780	there actually is any MAC included. Packets without a MAC are
1781	accepted as if they had a valid MAC. This allows a MITM attacker to
1782	send false packets that are accepted by the client/peer without
1783	having to know the symmetric key. The attacker needs to know the
1784	transmit timestamp of the client to match it in the forged reply
1785	and the false reply needs to reach the client before the genuine
1786	reply from the server. The attacker doesn't necessarily need to be
1787	relaying the packets between the client and the server.
1788
1789	Authentication using autokey doesn't have this problem as there is
1790	a check that requires the key ID to be larger than NTP_MAXKEY,
1791	which fails for packets without a MAC.
1792    Mitigation:
1793        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1794	or the NTP Public Services Project Download Page
1795        Configure ntpd with enough time sources and monitor it properly.
1796    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1797
1798* [Sec 2781] Authentication doesn't protect symmetric associations against
1799  DoS attacks.
1800
1801    References: Sec 2781 / CVE-2015-1799 / VU#374268
1802    Affects: All NTP releases starting with at least xntp3.3wy up to but
1803	not including ntp-4.2.8p2 where the installation uses symmetric
1804	key authentication.
1805    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1806    Note: the CVSS base Score for this issue could be 4.3 or lower, and
1807	it could be higher than 5.4.
1808    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1809    Summary: An attacker knowing that NTP hosts A and B are peering with
1810	each other (symmetric association) can send a packet to host A
1811	with source address of B which will set the NTP state variables
1812	on A to the values sent by the attacker. Host A will then send
1813	on its next poll to B a packet with originate timestamp that
1814	doesn't match the transmit timestamp of B and the packet will
1815	be dropped. If the attacker does this periodically for both
1816	hosts, they won't be able to synchronize to each other. This is
1817	a known denial-of-service attack, described at
1818	https://www.eecis.udel.edu/~mills/onwire.html .
1819
1820	According to the document the NTP authentication is supposed to
1821	protect symmetric associations against this attack, but that
1822	doesn't seem to be the case. The state variables are updated even
1823	when authentication fails and the peers are sending packets with
1824	originate timestamps that don't match the transmit timestamps on
1825	the receiving side.
1826
1827	This seems to be a very old problem, dating back to at least
1828	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
1829	specifications, so other NTP implementations with support for
1830	symmetric associations and authentication may be vulnerable too.
1831	An update to the NTP RFC to correct this error is in-process.
1832    Mitigation:
1833        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1834	or the NTP Public Services Project Download Page
1835        Note that for users of autokey, this specific style of MITM attack
1836	is simply a long-known potential problem.
1837        Configure ntpd with appropriate time sources and monitor ntpd.
1838	Alert your staff if problems are detected.
1839    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1840
1841* New script: update-leap
1842The update-leap script will verify and if necessary, update the
1843leap-second definition file.
1844It requires the following commands in order to work:
1845
1846	wget logger tr sed shasum
1847
1848Some may choose to run this from cron.  It needs more portability testing.
1849
1850Bug Fixes and Improvements:
1851
1852* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
1853* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
1854* [Bug 2346] "graceful termination" signals do not do peer cleanup.
1855* [Bug 2728] See if C99-style structure initialization works.
1856* [Bug 2747] Upgrade libevent to 2.1.5-beta.
1857* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
1858* [Bug 2751] jitter.h has stale copies of l_fp macros.
1859* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
1860* [Bug 2757] Quiet compiler warnings.
1861* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
1862* [Bug 2763] Allow different thresholds for forward and backward steps.
1863* [Bug 2766] ntp-keygen output files should not be world-readable.
1864* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
1865* [Bug 2771] nonvolatile value is documented in wrong units.
1866* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
1867* [Bug 2774] Unreasonably verbose printout - leap pending/warning
1868* [Bug 2775] ntp-keygen.c fails to compile under Windows.
1869* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
1870  Removed non-ASCII characters from some copyright comments.
1871  Removed trailing whitespace.
1872  Updated definitions for Meinberg clocks from current Meinberg header files.
1873  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
1874  Account for updated definitions pulled from Meinberg header files.
1875  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
1876  Replaced some constant numbers by defines from ntp_calendar.h
1877  Modified creation of parse-specific variables for Meinberg devices
1878  in gps16x_message().
1879  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
1880  Modified mbg_tm_str() which now expexts an additional parameter controlling
1881  if the time status shall be printed.
1882* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1883* [Sec 2781] Authentication doesn't protect symmetric associations against
1884  DoS attacks.
1885* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
1886* [Bug 2789] Quiet compiler warnings from libevent.
1887* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
1888  pause briefly before measuring system clock precision to yield
1889  correct results.
1890* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
1891* Use predefined function types for parse driver functions
1892  used to set up function pointers.
1893  Account for changed prototype of parse_inp_fnc_t functions.
1894  Cast parse conversion results to appropriate types to avoid
1895  compiler warnings.
1896  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
1897  when called with pointers to different types.
1898
1899---
1900NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
1901
1902Focus: Security and Bug fixes, enhancements.
1903
1904Severity: HIGH
1905
1906In addition to bug fixes and enhancements, this release fixes the
1907following high-severity vulnerabilities:
1908
1909* vallen is not validated in several places in ntp_crypto.c, leading
1910  to a potential information leak or possibly a crash
1911
1912    References: Sec 2671 / CVE-2014-9297 / VU#852879
1913    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
1914    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1915    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
1916    Summary: The vallen packet value is not validated in several code
1917             paths in ntp_crypto.c which can lead to information leakage
1918	     or perhaps a crash of the ntpd process.
1919    Mitigation - any of:
1920	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1921		or the NTP Public Services Project Download Page.
1922	Disable Autokey Authentication by removing, or commenting out,
1923		all configuration directives beginning with the "crypto"
1924		keyword in your ntp.conf file.
1925    Credit: This vulnerability was discovered by Stephen Roettger of the
1926    	Google Security Team, with additional cases found by Sebastian
1927	Krahmer of the SUSE Security Team and Harlan Stenn of Network
1928	Time Foundation.
1929
1930* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
1931  can be bypassed.
1932
1933    References: Sec 2672 / CVE-2014-9298 / VU#852879
1934    Affects: All NTP4 releases before 4.2.8p1, under at least some
1935	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
1936    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
1937    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
1938    Summary: While available kernels will prevent 127.0.0.1 addresses
1939	from "appearing" on non-localhost IPv4 interfaces, some kernels
1940	do not offer the same protection for ::1 source addresses on
1941	IPv6 interfaces. Since NTP's access control is based on source
1942	address and localhost addresses generally have no restrictions,
1943	an attacker can send malicious control and configuration packets
1944	by spoofing ::1 addresses from the outside. Note Well: This is
1945	not really a bug in NTP, it's a problem with some OSes. If you
1946	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
1947	ACL restrictions on any application can be bypassed!
1948    Mitigation:
1949        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1950	or the NTP Public Services Project Download Page
1951        Install firewall rules to block packets claiming to come from
1952	::1 from inappropriate network interfaces.
1953    Credit: This vulnerability was discovered by Stephen Roettger of
1954	the Google Security Team.
1955
1956Additionally, over 30 bugfixes and improvements were made to the codebase.
1957See the ChangeLog for more information.
1958
1959---
1960NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
1961
1962Focus: Security and Bug fixes, enhancements.
1963
1964Severity: HIGH
1965
1966In addition to bug fixes and enhancements, this release fixes the
1967following high-severity vulnerabilities:
1968
1969************************** vv NOTE WELL vv *****************************
1970
1971The vulnerabilities listed below can be significantly mitigated by
1972following the BCP of putting
1973
1974 restrict default ... noquery
1975
1976in the ntp.conf file.  With the exception of:
1977
1978   receive(): missing return on error
1979   References: Sec 2670 / CVE-2014-9296 / VU#852879
1980
1981below (which is a limited-risk vulnerability), none of the recent
1982vulnerabilities listed below can be exploited if the source IP is
1983restricted from sending a 'query'-class packet by your ntp.conf file.
1984
1985************************** ^^ NOTE WELL ^^ *****************************
1986
1987* Weak default key in config_auth().
1988
1989  References: [Sec 2665] / CVE-2014-9293 / VU#852879
1990  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1991  Vulnerable Versions: all releases prior to 4.2.7p11
1992  Date Resolved: 28 Jan 2010
1993
1994  Summary: If no 'auth' key is set in the configuration file, ntpd
1995	would generate a random key on the fly.  There were two
1996	problems with this: 1) the generated key was 31 bits in size,
1997	and 2) it used the (now weak) ntp_random() function, which was
1998	seeded with a 32-bit value and could only provide 32 bits of
1999	entropy.  This was sufficient back in the late 1990s when the
2000	code was written.  Not today.
2001
2002  Mitigation - any of:
2003	- Upgrade to 4.2.7p11 or later.
2004	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2005
2006  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2007  	of the Google Security Team.
2008
2009* Non-cryptographic random number generator with weak seed used by
2010  ntp-keygen to generate symmetric keys.
2011
2012  References: [Sec 2666] / CVE-2014-9294 / VU#852879
2013  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2014  Vulnerable Versions: All NTP4 releases before 4.2.7p230
2015  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2016
2017  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2018  	prepare a random number generator that was of good quality back
2019	in the late 1990s. The random numbers produced was then used to
2020	generate symmetric keys. In ntp-4.2.8 we use a current-technology
2021	cryptographic random number generator, either RAND_bytes from
2022	OpenSSL, or arc4random().
2023
2024  Mitigation - any of:
2025  	- Upgrade to 4.2.7p230 or later.
2026	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2027
2028  Credit:  This vulnerability was discovered in ntp-4.2.6 by
2029  	Stephen Roettger of the Google Security Team.
2030
2031* Buffer overflow in crypto_recv()
2032
2033  References: Sec 2667 / CVE-2014-9295 / VU#852879
2034  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2035  Versions: All releases before 4.2.8
2036  Date Resolved: Stable (4.2.8) 18 Dec 2014
2037
2038  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2039  	file contains a 'crypto pw ...' directive) a remote attacker
2040	can send a carefully crafted packet that can overflow a stack
2041	buffer and potentially allow malicious code to be executed
2042	with the privilege level of the ntpd process.
2043
2044  Mitigation - any of:
2045  	- Upgrade to 4.2.8, or later, or
2046	- Disable Autokey Authentication by removing, or commenting out,
2047	  all configuration directives beginning with the crypto keyword
2048	  in your ntp.conf file.
2049
2050  Credit: This vulnerability was discovered by Stephen Roettger of the
2051  	Google Security Team.
2052
2053* Buffer overflow in ctl_putdata()
2054
2055  References: Sec 2668 / CVE-2014-9295 / VU#852879
2056  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2057  Versions: All NTP4 releases before 4.2.8
2058  Date Resolved: Stable (4.2.8) 18 Dec 2014
2059
2060  Summary: A remote attacker can send a carefully crafted packet that
2061  	can overflow a stack buffer and potentially allow malicious
2062	code to be executed with the privilege level of the ntpd process.
2063
2064  Mitigation - any of:
2065  	- Upgrade to 4.2.8, or later.
2066	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2067
2068  Credit: This vulnerability was discovered by Stephen Roettger of the
2069  	Google Security Team.
2070
2071* Buffer overflow in configure()
2072
2073  References: Sec 2669 / CVE-2014-9295 / VU#852879
2074  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2075  Versions: All NTP4 releases before 4.2.8
2076  Date Resolved: Stable (4.2.8) 18 Dec 2014
2077
2078  Summary: A remote attacker can send a carefully crafted packet that
2079	can overflow a stack buffer and potentially allow malicious
2080	code to be executed with the privilege level of the ntpd process.
2081
2082  Mitigation - any of:
2083  	- Upgrade to 4.2.8, or later.
2084	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2085
2086  Credit: This vulnerability was discovered by Stephen Roettger of the
2087	Google Security Team.
2088
2089* receive(): missing return on error
2090
2091  References: Sec 2670 / CVE-2014-9296 / VU#852879
2092  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2093  Versions: All NTP4 releases before 4.2.8
2094  Date Resolved: Stable (4.2.8) 18 Dec 2014
2095
2096  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
2097  	the code path where an error was detected, which meant
2098	processing did not stop when a specific rare error occurred.
2099	We haven't found a way for this bug to affect system integrity.
2100	If there is no way to affect system integrity the base CVSS
2101	score for this bug is 0. If there is one avenue through which
2102	system integrity can be partially affected, the base score
2103	becomes a 5. If system integrity can be partially affected
2104	via all three integrity metrics, the CVSS base score become 7.5.
2105
2106  Mitigation - any of:
2107        - Upgrade to 4.2.8, or later,
2108        - Remove or comment out all configuration directives
2109	  beginning with the crypto keyword in your ntp.conf file.
2110
2111  Credit: This vulnerability was discovered by Stephen Roettger of the
2112  	Google Security Team.
2113
2114See http://support.ntp.org/security for more information.
2115
2116New features / changes in this release:
2117
2118Important Changes
2119
2120* Internal NTP Era counters
2121
2122The internal counters that track the "era" (range of years) we are in
2123rolls over every 136 years'.  The current "era" started at the stroke of
2124midnight on 1 Jan 1900, and ends just before the stroke of midnight on
21251 Jan 2036.
2126In the past, we have used the "midpoint" of the  range to decide which
2127era we were in.  Given the longevity of some products, it became clear
2128that it would be more functional to "look back" less, and "look forward"
2129more.  We now compile a timestamp into the ntpd executable and when we
2130get a timestamp we us the "built-on" to tell us what era we are in.
2131This check "looks back" 10 years, and "looks forward" 126 years.
2132
2133* ntpdc responses disabled by default
2134
2135Dave Hart writes:
2136
2137For a long time, ntpq and its mostly text-based mode 6 (control)
2138protocol have been preferred over ntpdc and its mode 7 (private
2139request) protocol for runtime queries and configuration.  There has
2140been a goal of deprecating ntpdc, previously held back by numerous
2141capabilities exposed by ntpdc with no ntpq equivalent.  I have been
2142adding commands to ntpq to cover these cases, and I believe I've
2143covered them all, though I've not compared command-by-command
2144recently.
2145
2146As I've said previously, the binary mode 7 protocol involves a lot of
2147hand-rolled structure layout and byte-swapping code in both ntpd and
2148ntpdc which is hard to get right.  As ntpd grows and changes, the
2149changes are difficult to expose via ntpdc while maintaining forward
2150and backward compatibility between ntpdc and ntpd.  In contrast,
2151ntpq's text-based, label=value approach involves more code reuse and
2152allows compatible changes without extra work in most cases.
2153
2154Mode 7 has always been defined as vendor/implementation-specific while
2155mode 6 is described in RFC 1305 and intended to be open to interoperate
2156with other implementations.  There is an early draft of an updated
2157mode 6 description that likely will join the other NTPv4 RFCs
2158eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
2159
2160For these reasons, ntpd 4.2.7p230 by default disables processing of
2161ntpdc queries, reducing ntpd's attack surface and functionally
2162deprecating ntpdc.  If you are in the habit of using ntpdc for certain
2163operations, please try the ntpq equivalent.  If there's no equivalent,
2164please open a bug report at http://bugs.ntp.org./
2165
2166In addition to the above, over 1100 issues have been resolved between
2167the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
2168lists these.
2169
2170---
2171NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
2172
2173Focus: Bug fixes
2174
2175Severity: Medium
2176
2177This is a recommended upgrade.
2178
2179This release updates sys_rootdisp and sys_jitter calculations to match the
2180RFC specification, fixes a potential IPv6 address matching error for the
2181"nic" and "interface" configuration directives, suppresses the creation of
2182extraneous ephemeral associations for certain broadcastclient and
2183multicastclient configurations, cleans up some ntpq display issues, and
2184includes improvements to orphan mode, minor bugs fixes and code clean-ups.
2185
2186New features / changes in this release:
2187
2188ntpd
2189
2190 * Updated "nic" and "interface" IPv6 address handling to prevent
2191   mismatches with localhost [::1] and wildcard [::] which resulted from
2192   using the address/prefix format (e.g. fe80::/64)
2193 * Fix orphan mode stratum incorrectly counting to infinity
2194 * Orphan parent selection metric updated to includes missing ntohl()
2195 * Non-printable stratum 16 refid no longer sent to ntp
2196 * Duplicate ephemeral associations suppressed for broadcastclient and
2197   multicastclient without broadcastdelay
2198 * Exclude undetermined sys_refid from use in loopback TEST12
2199 * Exclude MODE_SERVER responses from KoD rate limiting
2200 * Include root delay in clock_update() sys_rootdisp calculations
2201 * get_systime() updated to exclude sys_residual offset (which only
2202   affected bits "below" sys_tick, the precision threshold)
2203 * sys.peer jitter weighting corrected in sys_jitter calculation
2204
2205ntpq
2206
2207 * -n option extended to include the billboard "server" column
2208 * IPv6 addresses in the local column truncated to prevent overruns
2209
2210---
2211NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
2212
2213Focus: Bug fixes and portability improvements
2214
2215Severity: Medium
2216
2217This is a recommended upgrade.
2218
2219This release includes build infrastructure updates, code
2220clean-ups, minor bug fixes, fixes for a number of minor
2221ref-clock issues, and documentation revisions.
2222
2223Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
2224
2225New features / changes in this release:
2226
2227Build system
2228
2229* Fix checking for struct rtattr
2230* Update config.guess and config.sub for AIX
2231* Upgrade required version of autogen and libopts for building
2232  from our source code repository
2233
2234ntpd
2235
2236* Back-ported several fixes for Coverity warnings from ntp-dev
2237* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
2238* Allow "logconfig =allall" configuration directive
2239* Bind tentative IPv6 addresses on Linux
2240* Correct WWVB/Spectracom driver to timestamp CR instead of LF
2241* Improved tally bit handling to prevent incorrect ntpq peer status reports
2242* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
2243  candidate list unless they are designated a "prefer peer"
2244* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
2245  selection during the 'tos orphanwait' period
2246* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
2247  drivers
2248* Improved support of the Parse Refclock trusttime flag in Meinberg mode
2249* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
2250* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
2251  clock slew on Microsoft Windows
2252* Code cleanup in libntpq
2253
2254ntpdc
2255
2256* Fix timerstats reporting
2257
2258ntpdate
2259
2260* Reduce time required to set clock
2261* Allow a timeout greater than 2 seconds
2262
2263sntp
2264
2265* Backward incompatible command-line option change:
2266  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
2267
2268Documentation
2269
2270* Update html2man. Fix some tags in the .html files
2271* Distribute ntp-wait.html
2272
2273---
2274NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
2275
2276Focus: Bug fixes and portability improvements
2277
2278Severity: Medium
2279
2280This is a recommended upgrade.
2281
2282This release includes build infrastructure updates, code
2283clean-ups, minor bug fixes, fixes for a number of minor
2284ref-clock issues, and documentation revisions.
2285
2286Portability improvements in this release affect AIX, Atari FreeMiNT,
2287FreeBSD4, Linux and Microsoft Windows.
2288
2289New features / changes in this release:
2290
2291Build system
2292* Use lsb_release to get information about Linux distributions.
2293* 'test' is in /usr/bin (instead of /bin) on some systems.
2294* Basic sanity checks for the ChangeLog file.
2295* Source certain build files with ./filename for systems without . in PATH.
2296* IRIX portability fix.
2297* Use a single copy of the "libopts" code.
2298* autogen/libopts upgrade.
2299* configure.ac m4 quoting cleanup.
2300
2301ntpd
2302* Do not bind to IN6_IFF_ANYCAST addresses.
2303* Log the reason for exiting under Windows.
2304* Multicast fixes for Windows.
2305* Interpolation fixes for Windows.
2306* IPv4 and IPv6 Multicast fixes.
2307* Manycast solicitation fixes and general repairs.
2308* JJY refclock cleanup.
2309* NMEA refclock improvements.
2310* Oncore debug message cleanup.
2311* Palisade refclock now builds under Linux.
2312* Give RAWDCF more baud rates.
2313* Support Truetime Satellite clocks under Windows.
2314* Support Arbiter 1093C Satellite clocks under Windows.
2315* Make sure that the "filegen" configuration command defaults to "enable".
2316* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
2317* Prohibit 'includefile' directive in remote configuration command.
2318* Fix 'nic' interface bindings.
2319* Fix the way we link with openssl if openssl is installed in the base
2320  system.
2321
2322ntp-keygen
2323* Fix -V coredump.
2324* OpenSSL version display cleanup.
2325
2326ntpdc
2327* Many counters should be treated as unsigned.
2328
2329ntpdate
2330* Do not ignore replies with equal receive and transmit timestamps.
2331
2332ntpq
2333* libntpq warning cleanup.
2334
2335ntpsnmpd
2336* Correct SNMP type for "precision" and "resolution".
2337* Update the MIB from the draft version to RFC-5907.
2338
2339sntp
2340* Display timezone offset when showing time for sntp in the local
2341  timezone.
2342* Pay proper attention to RATE KoD packets.
2343* Fix a miscalculation of the offset.
2344* Properly parse empty lines in the key file.
2345* Logging cleanup.
2346* Use tv_usec correctly in set_time().
2347* Documentation cleanup.
2348
2349---
2350NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
2351
2352Focus: Bug fixes and portability improvements
2353
2354Severity: Medium
2355
2356This is a recommended upgrade.
2357
2358This release includes build infrastructure updates, code
2359clean-ups, minor bug fixes, fixes for a number of minor
2360ref-clock issues, improved KOD handling, OpenSSL related
2361updates and documentation revisions.
2362
2363Portability improvements in this release affect Irix, Linux,
2364Mac OS, Microsoft Windows, OpenBSD and QNX6
2365
2366New features / changes in this release:
2367
2368ntpd
2369* Range syntax for the trustedkey configuration directive
2370* Unified IPv4 and IPv6 restrict lists
2371
2372ntpdate
2373* Rate limiting and KOD handling
2374
2375ntpsnmpd
2376* default connection to net-snmpd via a unix-domain socket
2377* command-line 'socket name' option
2378
2379ntpq / ntpdc
2380* support for the "passwd ..." syntax
2381* key-type specific password prompts
2382
2383sntp
2384* MD5 authentication of an ntpd
2385* Broadcast and crypto
2386* OpenSSL support
2387
2388---
2389NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
2390
2391Focus: Bug fixes, portability fixes, and documentation improvements
2392
2393Severity: Medium
2394
2395This is a recommended upgrade.
2396
2397---
2398NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
2399
2400Focus: enhancements and bug fixes.
2401
2402---
2403NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
2404
2405Focus: Security Fixes
2406
2407Severity: HIGH
2408
2409This release fixes the following high-severity vulnerability:
2410
2411* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
2412
2413  See http://support.ntp.org/security for more information.
2414
2415  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
2416  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
2417  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
2418  request or a mode 7 error response from an address which is not listed
2419  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
2420  reply with a mode 7 error response (and log a message).  In this case:
2421
2422	* If an attacker spoofs the source address of ntpd host A in a
2423	  mode 7 response packet sent to ntpd host B, both A and B will
2424	  continuously send each other error responses, for as long as
2425	  those packets get through.
2426
2427	* If an attacker spoofs an address of ntpd host A in a mode 7
2428	  response packet sent to ntpd host A, A will respond to itself
2429	  endlessly, consuming CPU and logging excessively.
2430
2431  Credit for finding this vulnerability goes to Robin Park and Dmitri
2432  Vinokurov of Alcatel-Lucent.
2433
2434THIS IS A STRONGLY RECOMMENDED UPGRADE.
2435
2436---
2437ntpd now syncs to refclocks right away.
2438
2439Backward-Incompatible changes:
2440
2441ntpd no longer accepts '-v name' or '-V name' to define internal variables.
2442Use '--var name' or '--dvar name' instead. (Bug 817)
2443
2444---
2445NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
2446
2447Focus: Security and Bug Fixes
2448
2449Severity: HIGH
2450
2451This release fixes the following high-severity vulnerability:
2452
2453* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
2454
2455  See http://support.ntp.org/security for more information.
2456
2457  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
2458  line) then a carefully crafted packet sent to the machine will cause
2459  a buffer overflow and possible execution of injected code, running
2460  with the privileges of the ntpd process (often root).
2461
2462  Credit for finding this vulnerability goes to Chris Ries of CMU.
2463
2464This release fixes the following low-severity vulnerabilities:
2465
2466* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
2467  Credit for finding this vulnerability goes to Geoff Keating of Apple.
2468
2469* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
2470  Credit for finding this issue goes to Dave Hart.
2471
2472This release fixes a number of bugs and adds some improvements:
2473
2474* Improved logging
2475* Fix many compiler warnings
2476* Many fixes and improvements for Windows
2477* Adds support for AIX 6.1
2478* Resolves some issues under MacOS X and Solaris
2479
2480THIS IS A STRONGLY RECOMMENDED UPGRADE.
2481
2482---
2483NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
2484
2485Focus: Security Fix
2486
2487Severity: Low
2488
2489This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
2490the OpenSSL library relating to the incorrect checking of the return
2491value of EVP_VerifyFinal function.
2492
2493Credit for finding this issue goes to the Google Security Team for
2494finding the original issue with OpenSSL, and to ocert.org for finding
2495the problem in NTP and telling us about it.
2496
2497This is a recommended upgrade.
2498---
2499NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
2500
2501Focus: Minor Bugfixes
2502
2503This release fixes a number of Windows-specific ntpd bugs and
2504platform-independent ntpdate bugs. A logging bugfix has been applied
2505to the ONCORE driver.
2506
2507The "dynamic" keyword and is now obsolete and deferred binding to local
2508interfaces is the new default. The minimum time restriction for the
2509interface update interval has been dropped.
2510
2511A number of minor build system and documentation fixes are included.
2512
2513This is a recommended upgrade for Windows.
2514
2515---
2516NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
2517
2518Focus: Minor Bugfixes
2519
2520This release updates certain copyright information, fixes several display
2521bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
2522shutdown in the parse refclock driver, removes some lint from the code,
2523stops accessing certain buffers immediately after they were freed, fixes
2524a problem with non-command-line specification of -6, and allows the loopback
2525interface to share addresses with other interfaces.
2526
2527---
2528NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
2529
2530Focus: Minor Bugfixes
2531
2532This release fixes a bug in Windows that made it difficult to
2533terminate ntpd under windows.
2534This is a recommended upgrade for Windows.
2535
2536---
2537NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
2538
2539Focus: Minor Bugfixes
2540
2541This release fixes a multicast mode authentication problem,
2542an error in NTP packet handling on Windows that could lead to
2543ntpd crashing, and several other minor bugs. Handling of
2544multicast interfaces and logging configuration were improved.
2545The required versions of autogen and libopts were incremented.
2546This is a recommended upgrade for Windows and multicast users.
2547
2548---
2549NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
2550
2551Focus: enhancements and bug fixes.
2552
2553Dynamic interface rescanning was added to simplify the use of ntpd in
2554conjunction with DHCP. GNU AutoGen is used for its command-line options
2555processing. Separate PPS devices are supported for PARSE refclocks, MD5
2556signatures are now provided for the release files. Drivers have been
2557added for some new ref-clocks and have been removed for some older
2558ref-clocks. This release also includes other improvements, documentation
2559and bug fixes.
2560
2561K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
2562C support.
2563
2564---
2565NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
2566
2567Focus: enhancements and bug fixes.
2568