xref: /freebsd/contrib/ntp/NEWS (revision 7899f917b1c0ea178f1d2be0cfb452086d079d23)
---
NTP 4.2.8p18 (Harlan Stenn <stenn@ntp.org>, 2024 May 24)

Focus: Bug fixes

Severity: Recommended

This release:

- changes crypto (OpenSSL or compatible) detection and default build behavior.
  Previously, crypto was supported if available unless the --without-crypto
  option was given to configure.  With this release, configure no longer falls
  back to a crypto-free build when no usable libcrypto is found; it fails with
  an error instead.  The --without-crypto option must be given explicitly if
  you want a build that does not use libcrypto functionality.
- Fixes 40 bugs
- Includes 40 other improvements

Details below:

* [Bug 3918] Tweak openssl header/library handling. <stenn@ntp.org>
* [Bug 3914] Spurious "Unexpected origin timestamp" logged after time
             stepped. <hart@ntp.org>
* [Bug 3913] Avoid duplicate IPv6 link-local manycast associations.
             <hart@ntp.org>
* [Bug 3912] Avoid rare math errors in ntptrace.  <brian.utterback@oracle.com>
* [Bug 3910] Memory leak using openssl-3 <hart@ntp.org>
* [Bug 3909] Do not select multicast local address for unicast peer.
             <hart@ntp.org>
* [Bug 3903] lib/isc/win32/strerror.c NTstrerror() is not thread-safe.
             <hart@ntp.org>
* [Bug 3901] LIB_GETBUF isn't thread-safe. <hart@ntp.org>
* [Bug 3900] fast_xmit() selects wrong local addr responding to mcast on
             Windows. <hart@ntp.org>
* [Bug 3888] ntpd with multiple same-subnet IPs using manycastclient creates
             duplicate associations. <hart@ntp.org>
* [Bug 3872] Ignore restrict mask for hostname. <hart@ntp.org>
* [Bug 3871] 4.2.8p17 build without hopf6021 refclock enabled fails.
             Reported by Hans Mayer.  Moved NONEMPTY_TRANSLATION_UNIT
             declaration from ntp_types.h to config.h.  <hart@ntp.org>
* [Bug 3870] Server drops client packets with ppoll < 4.  <stenn@ntp.org>
* [Bug 3869] Remove long-gone "calldelay" & "crypto sign" from docs.
             Reported by PoolMUC@web.de. <hart@ntp.org>
* [Bug 3868] Cannot restrict a pool peer. <hart@ntp.org>  Thanks to
             Edward McGuire for tracking down the deficiency.
* [Bug 3864] ntpd IPv6 refid different for big-endian and little-endian.
             <hart@ntp.org>
* [Bug 3859] Use NotifyIpInterfaceChange on Windows ntpd. <hart@ntp.org>
* [Bug 3856] Enable Edit & Continue debugging with Visual Studio.
             <hart@ntp.org>
* [Bug 3855] ntpq lacks an equivalent to ntpdc's delrestrict. <hart@ntp.org>
* [Bug 3854] ntpd 4.2.8p17 corrupts rawstats file with space in refid.
             <hart@ntp.org>
* [Bug 3853] Clean up warnings with modern compilers. <hart@ntp.org>
* [Bug 3852] check-libntp.mf and friends are not triggering rebuilds as
             intended. <hart@ntp.org>
* [Bug 3851] Drop pool server when no local address can reach it.
             <hart@ntp.org>
* [Bug 3850] ntpq -c apeers breaks column formatting s2 w/refclock refid.
             <hart@ntp.org>
* [Bug 3849] ntpd --wait-sync times out. <hart@ntp.org>
* [Bug 3847] SSL detection in configure should run-test if runpath is needed.
             <hart@ntp.org>
* [Bug 3846] Use -Wno-format-truncation by default. <hart@ntp.org>
* [Bug 3845] accelerate pool clock_sync when IPv6 has only link-local access.
             <hart@ntp.org>
* [Bug 3842] Windows ntpd PPSAPI DLL load failure crashes. <hart@ntp.org>
* [Bug 3841] 4.2.8p17 build break w/ gcc 12 -Wformat-security without -Wformat.
             Need to remove -Wformat-security when removing -Wformat to
             silence numerous libopts warnings.  <hart@ntp.org>
* [Bug 3837] NULL pointer deref crash when ntpd deletes last interface.
             Reported by renmingshuai.  Correct UNLINK_EXPR_SLIST() when the
             list is empty. <hart@ntp.org>
* [Bug 3835] NTP_HARD_*FLAGS not used by libevent tearoff. <hart@ntp.org>
* [Bug 3831] pollskewlist zeroed on runtime configuration. <hart@ntp.org>
* [Bug 3830] configure libevent check intersperses output with answer. <stenn@>
* [Bug 3828] BK should ignore a git repo in the same directory.
             <burnicki@ntp.org>
* [Bug 3827] Fix build in case CLOCK_HOPF6021 or CLOCK_WHARTON_400A
             is disabled.  <burnicki@ntp.org>
* [Bug 3825] Don't touch HTML files unless building inside a BK repo.
             Fix the script checkHtmlFileDates.  <burnicki@ntp.org>
* [Bug 3756] Improve OpenSSL library/header detection.
* [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. <hart@ntp.org>
* [Bug 2734] TEST3 prevents initial interleave sync.  Fix from <PoolMUC@web.de>
* Log failures to allocate receive buffers.  <hart@ntp.org>
* Remove extraneous */ from libparse/ieee754io.c
* Fix .datecheck target line in Makefile.am.  <stenn@ntp.org>
* Update the copyright year.  <stenn@ntp.org>
* Update ntp.conf documentation to add "delrestrict" and correct information
  about KoD rate limiting.  <hart@ntp.org>
* html/clockopt.html cleanup.  <stenn@ntp.org>
* util/lsf-times - added.  <stenn@ntp.org>
* Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c. <hart@ntp.org>
* Provide ntpd thread names to debugger on Windows. <hart@ntp.org>
* Remove dead code libntp/numtohost.c and its unit tests. <hart@ntp.org>
* Remove class A, B, C IPv4 distinctions in netof(). <hart@ntp.org>
* Use @configure_input@ in various *.in files to include a comment that
  the file is generated from another, pointing to the *.in. <hart@ntp.org>
* Correct underquoting, indents in ntp_facilitynames.m4. <hart@ntp.org>
* Clean up a few warnings seen building with older gcc. <hart@ntp.org>
* Fix build on older FreeBSD lacking sys/procctl.h. <hart@ntp.org>
* Disable [Bug 3627] workaround on newer FreeBSD which has the kernel fix
  that makes it unnecessary, re-enabling ASLR stack gap. <hart@ntp.org>
* Use NONEMPTY_COMPILATION_UNIT in more conditionally-compiled files.
* Remove useless pointer to Windows Help from system error messages.
* Avoid newlines within Windows error messages. <hart@ntp.org>
* Ensure unique association IDs if wrapped. <hart@ntp.org>
* Simplify calc_addr_distance(). <hart@ntp.org>
* Clamp min/maxpoll in edge cases in newpeer(). <hart@ntp.org>
* Quiet local addr change logging when unpeering. <hart@ntp.org>
* Correct missing arg for %s printf specifier in
  send_blocking_resp_internal(). <hart@ntp.org>
* Suppress OpenSSL 3 deprecation warning clutter. <hart@ntp.org>
* Correct OpenSSL usage in Autokey code to avoid warnings about
  discarding const qualifiers with OpenSSL 3. <hart@ntp.org>
* Display KoD refid as text in recently added message. <hart@ntp.org>
* Avoid running checkHtmlFileDates script repeatedly when no html/*.html
  files have changed. <hart@ntp.org>
* Abort configure if --enable-crypto-rand given & unavailable. <hart@ntp.org>
* Add configure --enable-verbose-ssl to trace SSL detection. <hart@ntp.org>
* Add build test coverage for --disable-saveconfig to flock-build script.
  <hart@ntp.org>
* Remove deprecated configure --with-arlib option. <hart@ntp.org>
* Remove configure support for ISC UNIX ca. 1998. <hart@ntp.org>
* Move NTP_OPENSSL and NTP_CRYPTO_RAND invocations from configure.ac files
  to NTP_LIBNTP. <hart@ntp.org>
* Remove dead code: HAVE_U_INT32_ONLY_WITH_DNS. <hart@ntp.org>
* Eliminate [v]snprintf redefinition warnings on macOS. <hart@ntp.org>
* Fix clang 14 cast increases alignment warning on Linux. <hart@ntp.org>
* Move ENABLE_CMAC to ntp_openssl.m4, reviving sntp/tests CMAC unit tests.
  <hart@ntp.org>
* Use NTP_HARD_CPPFLAGS in libopts tearoff. <hart@ntp.org>
* wire in --enable-build-framework-help

---
NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)

Focus: Bug fixes

Severity: HIGH (for people running 4.2.8p16)

This release:

- fixes 3 bugs, including a regression
- adds new unit tests

Details below:

* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
             Miroslav Lichvar and Matt for rapid testing and identifying the
             problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
  symmetric authentication digest output.

---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0

Details below:

* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
             hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
  - solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
             <stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
             <hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
             <hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
             Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
  - openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
  - command line options override config statements where applicable
  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
  - misleading title; essentially a request to ignore the receiver status.
    Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
  - original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
  - implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
  - original patch by matt <ntpbr@mattcorallo.com>
  - increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
  - patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
  - ntp{q,dc} now use the same password processing as ntpd does in the key
    file, so having a binary secret >= 11 bytes is possible for all keys.
    (This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
  - original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
  - applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
  - idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
  - backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
             Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
             Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32.  <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs.  <stenn@ntp.org>
* Rename a poorly-named variable.  <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
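
The [Sec 3806] entry above says mstolfp() was made safe by solving the
conversion numerically instead of manipulating the string, and a later entry
in this release fixes its rounding.  The Python below is an added illustration
of that approach, not libntp's mstolfp() code: a millisecond string is matched
once by a strict pattern, converted exactly as a rational number, rounded once
to the 2^-32 grain of the NTP l_fp, and range-checked, so malformed or oversized
input is rejected rather than copied anywhere.  The round-half-away-from-zero
rule and the signed 64-bit range are choices made for this example; they are not
a statement about libntp's exact behavior.

```python
"""Numeric millisecond-string -> NTP l_fp conversion.

Illustrative Python model of the approach described for [Sec 3806]; this is
not the libntp mstolfp() code.  The l_fp is returned as a pair of unsigned
32-bit words (integer seconds, fraction in 2^-32 units); negative intervals
wrap in two's complement the way the 64-bit C type does.
"""
import re
from fractions import Fraction

# Strict shape: optional sign, optional integer digits, optional ".digits".
# ASCII digits only, so int() never sees a numeral the pattern did not check.
_MS_RE = re.compile(r"^\s*([+-]?)([0-9]*)(?:\.([0-9]*))?\s*$")

LFP_BITS = 64
LFP_MASK = (1 << LFP_BITS) - 1
MIN_LFP = -(1 << (LFP_BITS - 1))
MAX_LFP = (1 << (LFP_BITS - 1)) - 1


def round_half_away(x: Fraction) -> int:
    """Round a rational to the nearest integer, ties away from zero.

    Python's round() uses banker's rounding, so the rule is spelled out here.
    """
    q, r = divmod(abs(x.numerator), x.denominator)
    if 2 * r >= x.denominator:
        q += 1
    return q if x >= 0 else -q


def mstolfp(text: str):
    """Convert a decimal millisecond string to an l_fp.

    Returns (int_word, frac_word), or None if the text is malformed or the
    value does not fit a signed 64-bit 32.32 fixed-point number.  No
    character is copied into a buffer: the regular expression and int()
    consume the digits, and all arithmetic is exact.
    """
    m = _MS_RE.match(text)
    if m is None:
        return None
    sign, whole, frac = m.group(1), m.group(2), m.group(3) or ""
    if whole == "" and frac == "":
        return None                      # "", ".", "+", "-." carry no digits
    # Exact rational value in seconds: whole.frac milliseconds / 1000.
    ms = Fraction(int(whole or "0"))
    if frac:
        ms += Fraction(int(frac), 10 ** len(frac))
    seconds = -ms / 1000 if sign == "-" else ms / 1000
    # One rounding step, at the l_fp grain of 2^-32 s.
    units = round_half_away(seconds * (1 << 32))
    if units < MIN_LFP or units > MAX_LFP:
        return None                      # out of range for the 64-bit type
    units &= LFP_MASK                    # two's-complement wrap for negatives
    return units >> 32, units & 0xFFFFFFFF


if __name__ == "__main__":
    for s in ("1000", "500", "1.5", "-500", "abc", "9" * 40):
        print(repr(s), "->", mstolfp(s))
```

Because the value is carried as an exact Fraction until the single rounding
step, there is no intermediate overflow to guard against and the only range
check needed is on the final 64-bit result; inputs such as "1e3", "1.2.3" or a
40-digit millisecond count are refused up front instead of being partially
consumed.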

---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)

Focus: Security, Bug fixes

Severity: MEDIUM

This release fixes one vulnerability: associations that use CMAC
authentication in ntpd versions 4.2.8p11/4.3.97 through 4.2.8p14/4.3.100
leak a small amount of memory for each packet.  Eventually, ntpd will run
out of memory and abort.

It also fixes 13 other bugs.

* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
  - Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
  - rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
  - limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
  - integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
  ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
  - thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
  - patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
  - applied patch by Takao Abe

---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes three vulnerabilities: a bug that lets an ntpd instance
that is explicitly configured to override the default and accept ntpdc
(mode 7) connections be made to read some uninitialized memory; a case where
an unmonitored ntpd using an unauthenticated association to its servers may
be susceptible to a forged-packet DoS attack; and an attack against a client
instance that uses a single unauthenticated time source.  It also fixes 46
other bugs and addresses 4 other issues.

* [Sec 3610] process_control() should bail earlier on short packets. stenn@
  - Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
  - Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
  - Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
  - integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
  - integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
  - Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
  - Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
  - officially document new "trust date" mode bit for NMEA driver
  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
  - removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
             ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
  - added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd silently discards nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
  - stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
  - set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
  - Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
  - also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
  - sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
  - applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
  - fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
  - patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
  - partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
  - applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
  <perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
             is specified with -u <perlinger@ntp.org>
  - monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.

---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:

* [Sec 3565] Crafted null dereference attack in authenticated
             mode 6 packet <perlinger@ntp.org>
  - reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
  - applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
  - isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
  - provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
  - original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
  - finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
  - applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
  - applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
  - applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
  - refactored handling of GPS era based on 'tos basedate' for
    parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
  - patch by Daniel J. Luke; this does not fix a potential linker
    regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
  anomaly <perlinger@ntp.org>, reported by GGarvey.
  - --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
  - this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'

---
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:

* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
* [Sec 3012] Fix a hole in the new "noepeer" processing.
* [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
             other TrustedBSD platforms
  - applied patch by Ian Lepore <perlinger@ntp.org>
* [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
  - changed interaction with SCM to signal pending startup
* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
  - rework of ntpq 'nextvar()' key/value parsing
* [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods)
* [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods)
* [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
* [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
  - add #define ENABLE_CMAC support in configure.  HStenn.
* [Bug 3470] ntpd 4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
* [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
  - patch by Stephen Friedl
* [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
  - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
* [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
* [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
  - initial patch by Hal Murray; also fixed refclock_report() trouble
* [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
* [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
  - According to Brooks Davis, there was only one location <perlinger@ntp.org>
* [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
             with modifications
  - New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
* [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
* [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
  - integrated patch by Reinhard Max
* [Bug 2821] minor build issues <perlinger@ntp.org>
  - applied patches by Christos Zoulas, including real bug fixes
* html/authopt.html: cleanup, from <stenn@ntp.org>
* ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
* Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>

556--
557NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
558
559Focus: Security, Bug fixes, enhancements.
560
561Severity: MEDIUM
562
563This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
564vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
565provides 65 other non-security fixes and improvements:
566
567* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
568	association (LOW/MED)
569   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
570   References: Sec 3454 / CVE-2018-7185 / VU#961909
571   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
572   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
573	2.9 and 6.8.
574   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
575	score between 2.6 and 3.1
576   Summary:
577	The NTP Protocol allows for both non-authenticated and
578	authenticated associations, in client/server, symmetric (peer),
579	and several broadcast modes. In addition to the basic NTP
580	operational modes, symmetric mode and broadcast servers can
581	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
582	was inadvertently introduced into the protocol engine that
583	allows a non-authenticated zero-origin (reset) packet to reset
584	an authenticated interleaved peer association. If an attacker
585	can send a packet with a zero-origin timestamp and the source
586	IP address of the "other side" of an interleaved association,
587	the 'victim' ntpd will reset its association. The attacker must
588	continue sending these packets in order to maintain the
589	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
590	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
591	interleaved mode must be explicitly configured/enabled.
592   Mitigation:
593	Implement BCP-38.
594	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
595	    or the NTP Public Services Project Download Page.
596	If you are unable to upgrade to 4.2.8p11 or later and have
597	    'peer HOST xleave' lines in your ntp.conf file, remove the
598	    'xleave' option.
599	Have enough sources of time.
600	Properly monitor your ntpd instances.
601	If ntpd stops running, auto-restart it without -g .
602   Credit:
603   	This weakness was discovered by Miroslav Lichvar of Red Hat.
604
605* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
606	state (LOW/MED)
607   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
608   References: Sec 3453 / CVE-2018-7184 / VU#961909
609   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
610   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
611	Could score between 2.9 and 6.8.
612   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
613	Could score between 2.6 and 6.0.
614   Summary:
615   	The fix for NtpBug2952 was incomplete, and while it fixed one
616	problem it created another.  Specifically, it drops bad packets
617	before updating the "received" timestamp.  This means a
618	third-party can inject a packet with a zero-origin timestamp,
619	meaning the sender wants to reset the association, and the
620	transmit timestamp in this bogus packet will be saved as the
621	most recent "received" timestamp.  The real remote peer does
622	not know this value and this will disrupt the association until
623	the association resets.
624   Mitigation:
625	Implement BCP-38.
626	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
627	    or the NTP Public Services Project Download Page.
628	Use authentication with 'peer' mode.
629	Have enough sources of time.
630	Properly monitor your ntpd instances.
631	If ntpd stops running, auto-restart it without -g .
632   Credit:
633   	This weakness was discovered by Miroslav Lichvar of Red Hat.
634
635* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
636	peering (LOW)
637   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
638   References: Sec 3415 / CVE-2018-7170 / VU#961909
639   	       Sec 3012 / CVE-2016-1549 / VU#718152
640   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
641   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
642   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
643   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
644   Summary:
645	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
646	use a trustedkey and if one is not using the feature introduced in
647	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
648	specify which IPs can serve time, a malicious authenticated peer
649	-- i.e. one where the attacker knows the private symmetric key --
650	can create arbitrarily-many ephemeral associations in order to win
651	the clock selection of ntpd and modify a victim's clock.  Three
652	additional protections are offered in ntp-4.2.8p11.  One is the
653	new 'noepeer' directive, which disables symmetric passive
654	ephemeral peering. Another is the new 'ippeerlimit' directive,
655	which limits the number of peers that can be created from an IP.
656	The third extends the functionality of the 4th field in the
657	ntp.keys file to include specifying a subnet range.
658   Mitigation:
659	Implement BCP-38.
660	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
661	    or the NTP Public Services Project Download Page.
662	Use the 'noepeer' directive to prohibit symmetric passive
663	    ephemeral associations.
664	Use the 'ippeerlimit' directive to limit the number of peers
665	    that can be created from an IP.
666	Use the 4th argument in the ntp.keys file to limit the IPs and
667	    subnets that can be time servers.
668	Have enough sources of time.
669	Properly monitor your ntpd instances.
670	If ntpd stops running, auto-restart it without -g .
671   Credit:
672	This weakness was reported as Bug 3012 by Matthew Van Gundy of
673	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
674
675* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
676   Date Resolved: 27 Feb 2018
677   References: Sec 3414 / CVE-2018-7183 / VU#961909
678   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
679   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
680   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
681   Summary:
682   	ntpq is a monitoring and control program for ntpd.  decodearr()
683	is an internal function of ntpq that is used to -- wait for it --
684	decode an array in a response string when formatted data is being
685	displayed.  This is a problem in affected versions of ntpq if a
686	maliciously-altered ntpd returns an array result that will trip this
687	bug, or if a bad actor is able to read an ntpq request on its way to
688	a remote ntpd server and forge and send a response before the remote
689	ntpd sends its response.  It's potentially possible that the
690	malicious data could become injectable/executable code.
691   Mitigation:
692	Implement BCP-38.
693	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
694	    or the NTP Public Services Project Download Page.
695   Credit:
696	This weakness was discovered by Michael Macnair of Thales e-Security.
697
698* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
699	behavior and information leak (Info/Medium)
700   Date Resolved: 27 Feb 2018
701   References: Sec 3412 / CVE-2018-7182 / VU#961909
702   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
703   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
704   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
705	0.0 if C:N
706   Summary:
707	ctl_getitem() is used by ntpd to process incoming mode 6 packets.
708	A malicious mode 6 packet can be sent to an ntpd instance, and
709	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
710	cause ctl_getitem() to read past the end of its buffer.
711   Mitigation:
712	Implement BCP-38.
713	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
714	    or the NTP Public Services Project Download Page.
715	Have enough sources of time.
716	Properly monitor your ntpd instances.
717	If ntpd stops running, auto-restart it without -g .
718   Credit:
719   	This weakness was discovered by Yihan Lian of Qihoo 360.
720
721* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
722   Also see Bug 3415, above.
723   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
724   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
725   References: Sec 3012 / CVE-2016-1549 / VU#718152
726   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
727	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
728   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
729   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
730   Summary:
731	ntpd can be vulnerable to Sybil attacks.  If a system is set up
732	to use a trustedkey and if one is not using the feature
733	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
734	ntp.keys file to specify which IPs can serve time, a malicious
735	authenticated peer -- i.e. one where the attacker knows the
736	private symmetric key -- can create arbitrarily-many ephemeral
737	associations in order to win the clock selection of ntpd and
738	modify a victim's clock.  Two additional protections are
739	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
740	disables symmetric passive ephemeral peering. The other extends
741	the functionality of the 4th field in the ntp.keys file to
742	include specifying a subnet range.
743   Mitigation:
744	Implement BCP-38.
745	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
746	    the NTP Public Services Project Download Page.
747	Use the 'noepeer' directive to prohibit symmetric passive
748	    ephemeral associations.
749	Use the 'ippeerlimit' directive to limit the number of peer
750	    associations from an IP.
751	Use the 4th argument in the ntp.keys file to limit the IPs
752	    and subnets that can be time servers.
753	Properly monitor your ntpd instances.
754   Credit:
755   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
756
757* Bug fixes:
758 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
759 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
760 - applied patch by Sean Haugh
761 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
762 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
763 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
764 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
765 - refactoring the MAC code, too
766 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
767 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
768 - applied patch by ggarvey
769 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
770 - applied patch by ggarvey (with minor mods)
771 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
772 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
773 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
774 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
775 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
776 - fixed several issues with hash algos in ntpd, sntp, ntpq,
777   ntpdc and the test suites <perlinger@ntp.org>
778 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
779 - initial patch by Daniel Pouzzner
780 [Bug 3423] QNX adjtime() implementation error checking is
781 wrong <perlinger@ntp.org>
782 [Bug 3417] ntpq ifstats packet counters can be negative
783 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
784 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
785 - raised receive buffer size to 1200 <perlinger@ntp.org>
786 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
787 analysis tool. <abe@ntp.org>
788 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
789 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
790 - fix/drop assumptions on OpenSSL libs directory layout
791 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
792 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
793 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
794 - patch contributed by Alexander Bluhm
795 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
796 rework of formatting & data transfer stuff in 'ntp_control.c'
797 avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
798 [Bug 3394] Leap second deletion does not work on ntpd clients
799 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
800 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
801 - increased minimum stack size to 32kB <perlinger@ntp.org>
802 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
803 - reverted handling of PPS kernel consumer to 4.2.6 behavior
804 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
805 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
806 [Bug 3016] wrong error position reported for bad ":config pool"
807 - fixed location counter & ntpq output <perlinger@ntp.org>
808 [Bug 2900] libntp build order problem.  HStenn.
809 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
810 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
811 perlinger@ntp.org
812 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
813 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
814 Use strlcpy() to copy strings, not memcpy().  HStenn.
815 Typos.  HStenn.
816 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
817 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
818 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
819 Fix trivial warnings from 'make check'. perlinger@ntp.org
820 Fix bug in the override portion of the compiler hardening macro. HStenn.
821 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
822 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
823 sntp: tweak key file logging.  HStenn.
824 sntp: pkt_output(): Improve debug output.  HStenn.
825 update-leap: updates from Paul McMath.
826 When using pkg-config, report --modversion.  HStenn.
827 Clean up libevent configure checks.  HStenn.
828 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
829 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
830 authistrustedip() - use it in more places.  HStenn, JPerlinger.
831 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
832 Update ntp.keys .../N documentation.  HStenn.
833 Distribute testconf.yml.  HStenn.
834 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
835 Rename the configuration flag fifo variables.  HStenn.
836 Improve saveconfig output.  HStenn.
837 Decode restrict flags on receive() debug output.  HStenn.
838 Decode interface flags on receive() debug output.  HStenn.
839 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
840 Update the documentation in ntp.conf.def .  HStenn.
841 restrictions() must return restrict flags and ippeerlimit.  HStenn.
842 Update ntpq peer documentation to describe the 'p' type.  HStenn.
843 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
844 Provide dump_restricts() for debugging.  HStenn.
845 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
846
847* Other items:
848
849* update-leap needs the following perl modules:
850	Net::SSLeay
851	IO::Socket::SSL
852
853* New sysstats variables: sys_lamport, sys_tsrounding
854See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
855sys_lamport counts the number of observed Lamport violations, while
856sys_tsrounding counts observed timestamp rounding events.
857
858* New ntp.conf items:
859
860- restrict ... noepeer
861- restrict ... ippeerlimit N
862
863The 'noepeer' directive will disallow all ephemeral/passive peer
864requests.
865
866The 'ippeerlimit' directive limits the number of time associations
867for each IP in the designated set of addresses.  This limit does not
868apply to explicitly-configured associations.  A value of -1, the current
869default, means an unlimited number of associations may connect from a
870single IP.  0 means "none", etc.  Ordinarily the only way multiple
871associations would come from the same IP would be if the remote side
872was using a proxy.  But a trusted machine might become compromised,
873in which case an attacker might spin up multiple authenticated sessions
874from different ports.  This directive should be helpful in this case.
875
876* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
877field may contain a /subnetbits specification, which identifies the
878scope of IPs that may use this key.  This IP/subnet restriction can be
879used to limit the IPs that may use the key in almost all situations where
880a key is used.
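
The following is an added example written for this page, not code from the
NTP distribution: a small Python model of how the ntp.keys 4th field and the
'ippeerlimit' / 'noepeer' restrictions cut off the Sybil attack described
under Bug 3415 and Bug 3012 above.  The ntp.keys text, the ntp.conf fragment
in the comment and all addresses are constructed sample input; the keys-file
layout (keyno, type, key, optional comma-separated IP list with /bits) follows
ntp.keys(5).  parse_ntp_keys(), key_trusted_for() and PassivePeerPolicy are
this example's own names and stand in for, but are not, ntpd's
authistrustedip() and restrictions() logic.

```python
"""Model of the 4.2.8p11 Sybil defences described above: the optional
4th field of ntp.keys (ip[/subnetbits] lists) and the 'ippeerlimit N'
and 'noepeer' restrict options.  Added example for this page; not
ntpd's authistrustedip() or restrictions().  All input is constructed."""
import ipaddress
from collections import Counter

# Constructed ntp.keys; layout per ntp.keys(5): keyno type key [ip[/bits],...]
#   key 1: no 4th field, so anyone holding the secret may use it from anywhere
#   key 2: usable only from 192.0.2.0/24 or from the single host 2001:db8::1
#   key 3: a bare address restricts the key to that one host
SAMPLE_NTP_KEYS = """\
# keyno type key                                      allowed sources
1       MD5  SharedWithEveryone
2       SHA1 0123456789abcdef0123456789abcdef01234567 192.0.2.0/24,2001:db8::1
3       MD5  OnlyForOneHost                           198.51.100.7
"""

# Constructed ntp.conf fragment that the policy objects below stand in for:
#   restrict default ippeerlimit 1 kod nomodify noquery
#   restrict 203.0.113.0 mask 255.255.255.0 noepeer


def parse_ntp_keys(text):
    """Return {keyno: (type, secret, networks)}; networks is None when the
    line has no 4th field."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed ntp.keys line: {raw!r}")
        keyno = int(fields[0])
        if not 1 <= keyno <= 65535:          # symmetric key id range
            raise ValueError(f"key id out of range: {keyno}")
        nets = None
        if len(fields) >= 4:
            nets = [ipaddress.ip_network(spec, strict=False)
                    for spec in fields[3].split(",")]
        keys[keyno] = (fields[1], fields[2], nets)
    return keys


def key_trusted_for(keys, keyno, source_ip):
    """4th-field rule: a key without a list may be used from any address; a
    key with a list only from inside one of its entries.  An IPv4 address
    never matches an IPv6 entry and vice versa."""
    if keyno not in keys:
        return False
    nets = keys[keyno][2]
    if nets is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in nets)


class PassivePeerPolicy:
    """Admission control for symmetric passive (ephemeral) associations.
    ippeerlimit: -1 = unlimited (the default), 0 = none, N = at most N per
    source IP; associations configured in ntp.conf are never counted.
    noepeer: refuse every ephemeral passive association."""

    def __init__(self, ippeerlimit=-1, noepeer=False):
        self.ippeerlimit = ippeerlimit
        self.noepeer = noepeer
        self.ephemeral = Counter()           # live ephemeral peers per IP

    def admit(self, keys, keyno, source_ip, configured=False):
        """Return (accepted, reason) for one authenticated symmetric-active
        packet that would create a new association."""
        if configured:
            return True, "configured association"
        if self.noepeer:
            return False, "noepeer"
        if not key_trusted_for(keys, keyno, source_ip):
            return False, "key not trusted for this source"
        if 0 <= self.ippeerlimit <= self.ephemeral[source_ip]:
            return False, "ippeerlimit reached"
        self.ephemeral[source_ip] += 1
        return True, "ephemeral association created"


def sybil_attempt(policy, keys, keyno, source_ip, attempts):
    """How many ephemeral associations one IP can open with 'attempts'
    authenticated packets sent from different source ports."""
    return sum(policy.admit(keys, keyno, source_ip)[0] for _ in range(attempts))


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    attacker = "203.0.113.9"
    # unrestricted key, default ippeerlimit -1: every attempt succeeds (50)
    print(sybil_attempt(PassivePeerPolicy(), keys, 1, attacker, 50))
    # same key under 'ippeerlimit 1': a single association (1)
    print(sybil_attempt(PassivePeerPolicy(ippeerlimit=1), keys, 1, attacker, 50))
    # key 2 is scoped to 192.0.2.0/24, so the attacker is refused outright (0)
    print(sybil_attempt(PassivePeerPolicy(), keys, 2, attacker, 50))
    # 'noepeer' shuts the door regardless of key (0)
    print(sybil_attempt(PassivePeerPolicy(noepeer=True), keys, 1, attacker, 50))
```

Run as a script it prints 50, 1, 0, 0: with the pre-p11 defaults a holder
of an unscoped key can open as many ephemeral associations as it wants and
outvote the real sources, while either the per-IP limit, the /bits scope on
the key, or 'noepeer' reduces that to one or none.  The three controls are
independent, which is why the mitigation lists above recommend all of them.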
881--
882NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
883
884Focus: Security, Bug fixes, enhancements.
885
886Severity: MEDIUM
887
888This release fixes 5 medium-, 6 low-, and 4 informational-severity
889vulnerabilities, and provides 15 other non-security fixes and improvements:
890
891* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
892   Date Resolved: 21 Mar 2017
893   References: Sec 3389 / CVE-2017-6464 / VU#325339
894   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
895	ntp-4.3.0 up to, but not including ntp-4.3.94.
896   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
897   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
898   Summary:
899	A vulnerability found in the NTP server makes it possible for an
900	authenticated remote user to crash ntpd via a malformed mode
901	configuration directive.
902   Mitigation:
903	Implement BCP-38.
904	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
905	    the NTP Public Services Project Download Page
906	Properly monitor your ntpd instances, and auto-restart
907	    ntpd (without -g) if it stops running.
908   Credit:
909	This weakness was discovered by Cure53.
910
911* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
912    Date Resolved: 21 Mar 2017
913    References: Sec 3388 / CVE-2017-6462 / VU#325339
914    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
915    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
916    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
917    Summary:
918	There is a potential for a buffer overflow in the legacy Datum
919	Programmable Time Server refclock driver.  Here the packets are
920	processed from the /dev/datum device and handled in
921	datum_pts_receive().  Since an attacker would be required to
922	somehow control a malicious /dev/datum device, this does not
923	appear to be a practical attack and renders this issue "Low" in
924	terms of severity.
925   Mitigation:
926	If you have a Datum reference clock installed and think somebody
927	    may maliciously change the device, upgrade to 4.2.8p10, or
928	    later, from the NTP Project Download Page or the NTP Public
929	    Services Project Download Page
930	Properly monitor your ntpd instances, and auto-restart
931	    ntpd (without -g) if it stops running.
932   Credit:
933	This weakness was discovered by Cure53.
934
935* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
936   Date Resolved: 21 Mar 2017
937   References: Sec 3387 / CVE-2017-6463 / VU#325339
938   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
939	ntp-4.3.0 up to, but not including ntp-4.3.94.
940   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
941   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
942   Summary:
943	A vulnerability found in the NTP server allows an authenticated
944	remote attacker to crash the daemon by sending an invalid setting
945	via the :config directive.  The unpeer option expects a number or
946	an address as an argument.  In case the value is "0", a
947	segmentation fault occurs.
948   Mitigation:
949	Implement BCP-38.
950	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
951	    or the NTP Public Services Project Download Page
952	Properly monitor your ntpd instances, and auto-restart
953	    ntpd (without -g) if it stops running.
954   Credit:
955	This weakness was discovered by Cure53.
956
957* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
958   Date Resolved: 21 Mar 2017
959   References: Sec 3386
960   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
961	ntp-4.3.0 up to, but not including ntp-4.3.94.
962   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
963   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
964   Summary:
965	The NTP Mode 6 monitoring and control client, ntpq, uses the
966	function ntpq_stripquotes() to remove quotes and escape characters
967	from a given string.  According to the documentation, the function
968	is supposed to return the number of copied bytes but due to
969	incorrect pointer usage this value is always zero.  Although the
970	return value of this function is never used in the code, this
971	flaw could lead to a vulnerability in the future.  Since relying
972	on wrong return values when performing memory operations is a
973	dangerous practice, it is recommended to return the correct value
974	in accordance with the documentation pertinent to the code.
975   Mitigation:
976	Implement BCP-38.
977	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
978	    or the NTP Public Services Project Download Page
979	Properly monitor your ntpd instances, and auto-restart
980	    ntpd (without -g) if it stops running.
981   Credit:
982	This weakness was discovered by Cure53.
983
984* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
985   Date Resolved: 21 Mar 2017
986   References: Sec 3385
987   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
988	ntp-4.3.0 up to, but not including ntp-4.3.94.
989   Summary:
990	NTP makes use of several wrappers around the standard heap memory
991	allocation functions that are provided by libc.  This is mainly
992	done to introduce additional safety checks concentrated on
993	several goals.  First, they seek to ensure that memory is not
994	accidentally freed, secondly they verify that a correct amount
995	is always allocated and, thirdly, that allocation failures are
996	correctly handled.  There is an additional implementation for
997	scenarios where memory for a specific amount of items of the
998	same size needs to be allocated.  The handling can be found in
999	the oreallocarray() function for which a further number-of-elements
1000	parameter needs to be provided.  Although no considerable threat
1001	was identified as tied to a lack of use of this function, it is
1002	recommended to correctly apply oreallocarray() as a preferred
1003	option across all of the locations where it is possible.
1004   Mitigation:
1005	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1006	    or the NTP Public Services Project Download Page
1007   Credit:
1008	This weakness was discovered by Cure53.
1009
1010* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
1011	PPSAPI ONLY) (Low)
1012   Date Resolved: 21 Mar 2017
1013   References: Sec 3384 / CVE-2017-6455 / VU#325339
1014   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
1015	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
1016	including ntp-4.3.94.
1017   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1018   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1019   Summary:
1020	The Windows NT port has the added capability to preload DLLs
1021	defined in the inherited global local environment variable
1022	PPSAPI_DLLS.  The code contained within those libraries is then
1023	called from the NTPD service, usually running with elevated
1024	privileges. Depending on how securely the machine is set up and
1025	configured, if ntpd is configured to use the PPSAPI under Windows
1026	this can easily lead to a code injection.
1027   Mitigation:
1028	Implement BCP-38.
1029	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1030	    or the NTP Public Services Project Download Page
1031   Credit:
1032	This weakness was discovered by Cure53.
1033
1034* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
1035	installer ONLY) (Low)
1036   Date Resolved: 21 Mar 2017
1037   References: Sec 3383 / CVE-2017-6452 / VU#325339
1038   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
1039	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
1040	to, but not including ntp-4.3.94.
1041   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1042   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1043   Summary:
1044	The Windows installer for NTP calls strcat(), blindly appending
1045	the string passed to the stack buffer in the addSourceToRegistry()
1046	function.  The stack buffer is 70 bytes smaller than the buffer
1047	in the calling main() function.  Together with the initially
1048	copied Registry path, the combination causes a stack buffer
1049	overflow and effectively overwrites the stack frame.  The
1050	passed application path is actually limited to 256 bytes by the
1051	operating system, but this is not sufficient to assure that the
1052	affected stack buffer is consistently protected against
1053	overflowing at all times.
1054   Mitigation:
1055	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1056	or the NTP Public Services Project Download Page
1057   Credit:
1058	This weakness was discovered by Cure53.
1059
1060* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
1061	installer ONLY) (Low)
1062   Date Resolved: 21 Mar 2017
1063   References: Sec 3382 / CVE-2017-6459 / VU#325339
1064   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
1065	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
1066	up to, but not including ntp-4.3.94.
1067   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1068   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1069   Summary:
1070	The Windows installer for NTP calls strcpy() with an argument
1071	that specifically contains multiple null bytes.  strcpy() only
1072	copies a single terminating null character into the target
1073	buffer instead of copying the required double null bytes in the
1074	addKeysToRegistry() function.  As a consequence, a garbage
1075	registry entry can be created.  The additional arsize parameter
1076	is erroneously set to contain two null bytes and the following
1077	call to RegSetValueEx() claims to be passing in a multi-string
1078	value, though this may not be true.
1079   Mitigation:
1080	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1081	    or the NTP Public Services Project Download Page
1082   Credit:
1083	This weakness was discovered by Cure53.
1084
1085* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
1086   References: Sec 3381
1087   Summary:
1088	The report says: Statically included external projects
1089	potentially introduce several problems and the issue of having
1090	extensive amounts of code that is "dead" in the resulting binary
1091	must clearly be pointed out.  The unnecessary unused code may or
1092	may not contain bugs and, quite possibly, might be leveraged for
1093	code-gadget-based branch-flow redirection exploits.  Analogically,
1094	having source trees statically included as well means a failure
1095	in taking advantage of the free feature for periodical updates.
1096	This solution is offered by the system's Package Manager. The
1097	three libraries identified are libisc, libevent, and libopts.
1098   Resolution:
1099	For libisc, we already only use a portion of the original library.
1100	We've found and fixed bugs in the original implementation (and
1101	offered the patches to ISC), and plan to see what has changed
1102	since we last upgraded the code.  libisc is generally not
1103	installed, and when it is, we usually only see the static libisc.a
1104	file installed.  Until we know for sure that the bugs we've found
1105	and fixed are fixed upstream, we're better off with the copy we
1106	are using.
1107
1108        Version 1 of libevent was the only production version available
1109	until recently, and we've been requiring version 2 for a long time.
1110	But if the build system has at least version 2 of libevent
1111	installed, we'll use the version that is installed on the system.
1112	Otherwise, we provide a copy of libevent that we know works.
1113
1114        libopts is provided by GNU AutoGen, and that library and package
1115	undergoes frequent API version updates.  The version of autogen
1116	used to generate the tables for the code must match the API
1117	version in libopts.  AutoGen can be ... difficult to build and
1118	install, and very few developers really need it.  So we have it
1119	on our build and development machines, and we provide the
1120	specific version of the libopts code in the distribution to make
1121	sure that the proper API version of libopts is available.
1122
1123        As for the point about there being code in these libraries that
1124	NTP doesn't use, OK.  But other packages used these libraries as
1125	well, and it is reasonable to assume that other people are paying
1126	attention to security and code quality issues for the overall
1127	libraries.  It takes significant resources to analyze and
1128	customize these libraries to only include what we need, and to
1129	date we believe the cost of this effort does not justify the benefit.
1130   Credit:
1131	This issue was discovered by Cure53.
1132
1133* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
1134   Date Resolved: 21 Mar 2017
1135   References: Sec 3380
1136   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1137   	ntp-4.3.0 up to, but not including ntp-4.3.94.
1138   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
1139   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
1140   Summary:
1141	There is a fencepost error in a "recovery branch" of the code for
1142	the Oncore GPS receiver if the communication link to the ONCORE
1143	is weak / distorted and the decoding doesn't work.
1144   Mitigation:
1145        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
1146	    the NTP Public Services Project Download Page
1147        Properly monitor your ntpd instances, and auto-restart
1148	    ntpd (without -g) if it stops running.
1149   Credit:
1150	This weakness was discovered by Cure53.
1151
1152* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
1153   Date Resolved: 21 Mar 2017
1154   References: Sec 3379 / CVE-2017-6458 / VU#325339
1155   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1156	ntp-4.3.0 up to, but not including ntp-4.3.94.
1157   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
1158   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1159   Summary:
1160	ntpd makes use of different wrappers around ctl_putdata() to
1161	create name/value ntpq (mode 6) response strings.  For example,
1162	ctl_putstr() is usually used to send string data (variable names
1163	or string data).  The formatting code was missing a length check
1164	for variable names.  If somebody explicitly created any unusually
1165	long variable names in ntpd (longer than 200-512 bytes, depending
1166	on the type of variable), then if any of these variables are
1167	added to the response list it would overflow a buffer.
1168   Mitigation:
1169	Implement BCP-38.
1170	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1171	    or the NTP Public Services Project Download Page
1172	If you don't want to upgrade, then don't setvar variable names
1173	    longer than 200-512 bytes in your ntp.conf file.
1174	Properly monitor your ntpd instances, and auto-restart
1175	    ntpd (without -g) if it stops running.
1176   Credit:
1177	This weakness was discovered by Cure53.
1178
1179* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
1180   Date Resolved: 21 Mar 2017
1181   References: Sec 3378 / CVE-2017-6451 / VU#325339
1182   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1183	ntp-4.3.0 up to, but not including ntp-4.3.94.
1184   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
1185   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1186   Summary:
1187	The legacy MX4200 refclock is only built if it is specifically
1188	enabled, and additional code changes are required to
1189	compile and use it.  But it uses the libc functions snprintf()
1190	and vsnprintf() incorrectly, which can lead to an out-of-bounds
1191	memory write due to an improper handling of the return value of
1192	snprintf()/vsnprintf().  Since the return value is used as an
1193	iterator and it can be larger than the buffer's size, it is
1194	possible for the iterator to point somewhere outside of the
1195	allocated buffer space.  This results in an out-of-bound memory
1196	write.  This behavior can be leveraged to overwrite a saved
1197	instruction pointer on the stack and gain control over the
1198	execution flow.  During testing it was not possible to identify
1199	any malicious usage for this vulnerability.  Specifically, no
1200	way for an attacker to exploit this vulnerability was ultimately
1201	unveiled.  However, it has the potential to be exploited, so the
1202	code should be fixed.
1203   Mitigation, if you have a Magnavox MX4200 refclock:
1204	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1205	    or the NTP Public Services Project Download Page.
1206	Properly monitor your ntpd instances, and auto-restart
1207	    ntpd (without -g) if it stops running.
1208   Credit:
1209	This weakness was discovered by Cure53.
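
   The bug class above (a write cursor advanced by the value snprintf()
   returns) next to the hardened form, as an added illustration that is not
   code from the NTP sources or from the MX4200 driver; the record format
   "A=...;B=..." and the 16-byte buffer are constructed for the example:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative code (not from the NTP sources) for the bug class in
 * NTP-01-003: snprintf()/vsnprintf() return the length the output WOULD
 * have had, not the number of bytes stored.  Code that adds that value to
 * a write cursor lets the cursor run past the end of the buffer.
 */

#define DEMO_BUF 16	/* constructed small buffer so the overrun is easy to reach */

/*
 * Model of the buggy cursor arithmetic with the memory write removed:
 * snprintf(NULL, 0, ...) is legal and returns the length the call wanted,
 * so this shows where the cursor would end up without touching a buffer.
 * A result greater than 'size' means the next write in the real pattern,
 * snprintf(buf + n, size - n, ...), would start outside 'buf' (and
 * size - n would wrap to a huge size_t).
 */
size_t buggy_cursor(size_t size, const char *a, const char *b)
{
	size_t n = 0;

	(void)size;	/* the buggy pattern never consults it */
	n += (size_t)snprintf(NULL, 0, "A=%s", a);
	n += (size_t)snprintf(NULL, 0, ";B=%s", b);
	return n;
}

/*
 * Hardened form: treat the return value as a request, check it against the
 * space that remains, and pin the cursor at the terminating NUL on
 * truncation.  Returns 0 on success, -1 if the output did not fit.
 */
int bounded_append(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0 || *off >= size)	/* nothing can be written */
		return -1;
	va_start(ap, fmt);
	n = vsnprintf(buf + *off, size - *off, fmt, ap);
	va_end(ap);
	if (n < 0)			/* encoding error */
		return -1;
	if ((size_t)n >= size - *off) {	/* truncated: keep cursor on the NUL */
		*off = size - 1;
		return -1;
	}
	*off += (size_t)n;
	return 0;
}

/* Builds "A=<a>;B=<b>" into buf; returns its length, or -1 on truncation. */
int build_record(char *buf, size_t size, const char *a, const char *b)
{
	size_t off = 0;

	if (bounded_append(buf, size, &off, "A=%s", a) != 0 ||
	    bounded_append(buf, size, &off, ";B=%s", b) != 0)
		return -1;
	return (int)off;
}

/* Runs build_record() into a DEMO_BUF-byte buffer; returns its status. */
int demo_status(const char *a, const char *b)
{
	char buf[DEMO_BUF];

	return build_record(buf, sizeof buf, a, b);
}

/* Same, but returns how many bytes actually landed in the buffer. */
size_t demo_stored(const char *a, const char *b)
{
	char buf[DEMO_BUF];

	(void)build_record(buf, sizeof buf, a, b);
	return strlen(buf);	/* always NUL-terminated: size > 0 */
}

int main(void)
{
	const char *big = "0123456789abcdef";

	printf("short record: status %d, %zu bytes stored\n",
	       demo_status("x", "y"), demo_stored("x", "y"));
	printf("buggy cursor would reach %zu in a %d-byte buffer\n",
	       buggy_cursor(DEMO_BUF, big, "y"), DEMO_BUF);
	printf("hardened: status %d, %zu bytes stored\n",
	       demo_status(big, "y"), demo_stored(big, "y"));
	return 0;
}
```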
1210
1211* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
1212	malicious ntpd (Medium)
1213   Date Resolved: 21 Mar 2017
1214   References: Sec 3377 / CVE-2017-6460 / VU#325339
1215   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
1216	ntp-4.3.0 up to, but not including ntp-4.3.94.
1217   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1218   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1219   Summary:
1220	A stack buffer overflow in ntpq can be triggered by a malicious
1221	ntpd server when ntpq requests the restriction list from the server.
1222	This is due to a missing length check in the reslist() function.
1223	It occurs whenever the function parses the server's response and
1224	encounters a flagstr variable of an excessive length.  The string
1225	will be copied into a fixed-size buffer, leading to an overflow on
1226	the function's stack-frame.  Note well that this problem requires
1227	a malicious server, and affects ntpq, not ntpd.
1228   Mitigation:
1229	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1230	    or the NTP Public Services Project Download Page
1231	If you can't upgrade your version of ntpq and you want to query
1232	    the reslist of an instance of ntpd that you do not control,
1233	    be aware that a malicious ntpd can send back a response
1234	    intended to crash your ntpq process.
1235   Credit:
1236	This weakness was discovered by Cure53.
1237
1238* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
1239   Date Resolved: 21 Mar 2017
1240   References: Sec 3376
1241   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1242	ntp-4.3.0 up to, but not including ntp-4.3.94.
1243   CVSS2: N/A
1244   CVSS3: N/A
1245   Summary:
1246	The build process for NTP has not, by default, provided compile
1247	or link flags to offer "hardened" security options.  Package
1248	maintainers have always been able to provide hardening security
1249	flags for their builds.  As of ntp-4.2.8p10, the NTP build
1250	system has a way to provide OS-specific hardening flags.  Please
1251	note that this is still not a really great solution because it
1252	is specific to NTP builds.  It's inefficient to have every
1253	package supply, track and maintain this information for every
1254	target build.  It would be much better if there was a common way
1255	for OSes to provide this information in a way that arbitrary
1256	packages could benefit from it.
1257   Mitigation:
1258	Implement BCP-38.
1259	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1260	    or the NTP Public Services Project Download Page
1261	Properly monitor your ntpd instances, and auto-restart
1262	    ntpd (without -g) if it stops running.
1263   Credit:
1264	This weakness was reported by Cure53.
1265
1266* 0rigin DoS (Medium)
1267   Date Resolved: 21 Mar 2017
1268   References: Sec 3361 / CVE-2016-9042 / VU#325339
1269   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
1270   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
1271   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
1272   Summary:
1273	An exploitable denial of service vulnerability exists in the
1274	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
1275	crafted unauthenticated network packet can be used to reset the
1276	expected origin timestamp for target peers.  Legitimate replies
1277	from targeted peers will fail the origin timestamp check (TEST2)
1278	causing the reply to be dropped and creating a denial of service
1279	condition.  This vulnerability can only be exploited if the
1280	attacker can spoof all of the servers.
1281   Mitigation:
1282	Implement BCP-38.
1283	Configure enough servers/peers that an attacker cannot target
1284	    all of your time sources.
1285	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1286	    or the NTP Public Services Project Download Page
1287	Properly monitor your ntpd instances, and auto-restart
1288	    ntpd (without -g) if it stops running.
1289   Credit:
1290	This weakness was discovered by Matthew Van Gundy of Cisco.
1291
1292Other fixes:
1293
1294* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
1295* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
1296  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
1297* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
1298* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
1299  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
1300  - original patch by Majdi S. Abbas
1301* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
1302* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
1303  - initial patch by Christos Zoulas
1304* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
1305  - move loader API from 'inline' to proper source
1306  - augment pathless dlls with absolute path to NTPD
1307  - use 'msyslog()' instead of 'printf()' for reporting trouble
1308* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
1309  - applied patch by Matthew Van Gundy
1310* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
1311  - applied some of the patches provided by Havard. Not all of them
1312    still match the current code base, and I did not touch libopt.
1313* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
1314  - applied patch by Reinhard Max. See bugzilla for limitations.
1315* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
1316  - fixed dependency inversion from [Bug 2837]
1317* [Bug 2896] Nothing happens if minsane < maxclock < minclock
1318  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
1319* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
1320  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
1321* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
1322  - Fixed these and some more locations of this pattern.
1323    Probably didn't get them all, though. <perlinger@ntp.org>
1324* Update copyright year.
1325
1326--
1327(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
1328
1329* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
1330  - added missed changeset for automatic openssl lib detection
1331  - fixed some minor warning issues
1332* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
1333* configure.ac cleanup.  stenn@ntp.org
1334* openssl configure cleanup.  stenn@ntp.org
1335
1336--
1337NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
1338
1339Focus: Security, Bug fixes, enhancements.
1340
1341Severity: HIGH
1342
1343In addition to bug fixes and enhancements, this release fixes the
1344following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
13455 low-severity vulnerabilities, and provides 28 other non-security
1346fixes and improvements:
1347
1348* Trap crash
1349   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1350   References: Sec 3119 / CVE-2016-9311 / VU#633847
1351   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1352   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1353   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
1354   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
1355   Summary:
1356	ntpd does not enable trap service by default. If trap service
1357	has been explicitly enabled, an attacker can send a specially
1358	crafted packet to cause a null pointer dereference that will
1359	crash ntpd, resulting in a denial of service.
1360   Mitigation:
1361        Implement BCP-38.
1362	Use "restrict default noquery ..." in your ntp.conf file. Only
1363	    allow mode 6 queries from trusted networks and hosts.
1364        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1365	    or the NTP Public Services Project Download Page
1366        Properly monitor your ntpd instances, and auto-restart ntpd
1367	    (without -g) if it stops running.
1368   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1369
1370* Mode 6 information disclosure and DDoS vector
1371   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1372   References: Sec 3118 / CVE-2016-9310 / VU#633847
1373   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1374	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1375   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1376   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1377   Summary:
1378	An exploitable configuration modification vulnerability exists
1379	in the control mode (mode 6) functionality of ntpd. If, against
1380	long-standing BCP recommendations, "restrict default noquery ..."
1381	is not specified, a specially crafted control mode packet can set
1382	ntpd traps, providing information disclosure and DDoS
1383	amplification, and unset ntpd traps, disabling legitimate
1384	monitoring. A remote, unauthenticated, network attacker can
1385	trigger this vulnerability.
1386   Mitigation:
1387        Implement BCP-38.
1388	Use "restrict default noquery ..." in your ntp.conf file.
1389        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1390	    or the NTP Public Services Project Download Page
1391        Properly monitor your ntpd instances, and auto-restart ntpd
1392	    (without -g) if it stops running.
1393   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1394
1395* Broadcast Mode Replay Prevention DoS
1396   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1397   References: Sec 3114 / CVE-2016-7427 / VU#633847
1398   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1399	ntp-4.3.90 up to, but not including ntp-4.3.94.
1400   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1401   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1402   Summary:
1403	The broadcast mode of NTP is expected to only be used in a
1404	trusted network. If the broadcast network is accessible to an
1405	attacker, a potentially exploitable denial of service
1406	vulnerability in ntpd's broadcast mode replay prevention
1407	functionality can be abused. An attacker with access to the NTP
1408	broadcast domain can periodically inject specially crafted
1409	broadcast mode NTP packets into the broadcast domain which,
1410	while being logged by ntpd, can cause ntpd to reject broadcast
1411	mode packets from legitimate NTP broadcast servers.
1412   Mitigation:
1413        Implement BCP-38.
1414        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1415	    or the NTP Public Services Project Download Page
1416        Properly monitor your ntpd instances, and auto-restart ntpd
1417	    (without -g) if it stops running.
1418   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1419
1420* Broadcast Mode Poll Interval Enforcement DoS
1421   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1422   References: Sec 3113 / CVE-2016-7428 / VU#633847
1423   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1424	ntp-4.3.90 up to, but not including ntp-4.3.94
1425   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1426   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1427   Summary:
1428	The broadcast mode of NTP is expected to only be used in a
1429	trusted network. If the broadcast network is accessible to an
1430	attacker, a potentially exploitable denial of service
1431	vulnerability in ntpd's broadcast mode poll interval enforcement
1432	functionality can be abused. To limit abuse, ntpd restricts the
1433	rate at which each broadcast association will process incoming
1434	packets. ntpd will reject broadcast mode packets that arrive
1435	before the poll interval specified in the preceding broadcast
1436	packet expires. An attacker with access to the NTP broadcast
1437	domain can send specially crafted broadcast mode NTP packets to
1438	the broadcast domain which, while being logged by ntpd, will
1439	cause ntpd to reject broadcast mode packets from legitimate NTP
1440	broadcast servers.
1441   Mitigation:
1442        Implement BCP-38.
1443        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1444	    or the NTP Public Services Project Download Page
1445        Properly monitor your ntpd instances, and auto-restart ntpd
1446	    (without -g) if it stops running.
1447   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1448
1449* Windows: ntpd DoS by oversized UDP packet
1450   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1451   References: Sec 3110 / CVE-2016-9312 / VU#633847
1452   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1453	and ntp-4.3.0 up to, but not including ntp-4.3.94.
1454   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1455   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1456   Summary:
1457	If a vulnerable instance of ntpd on Windows receives a crafted
1458	malicious packet that is "too big", ntpd will stop working.
1459   Mitigation:
1460        Implement BCP-38.
1461        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1462	    or the NTP Public Services Project Download Page
1463        Properly monitor your ntpd instances, and auto-restart ntpd
1464	    (without -g) if it stops running.
1465   Credit: This weakness was discovered by Robert Pajak of ABB.
1466
1467* 0rigin (zero origin) issues
1468   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1469   References: Sec 3102 / CVE-2016-7431 / VU#633847
1470   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1471   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1472   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1473   Summary:
1474	Zero Origin timestamp problems were fixed by Bug 2945 in
1475	ntp-4.2.8p6. However, subsequent timestamp validation checks
1476	introduced a regression in the handling of some Zero origin
1477	timestamp checks.
1478   Mitigation:
1479        Implement BCP-38.
1480        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1481	    or the NTP Public Services Project Download Page
1482        Properly monitor your ntpd instances, and auto-restart ntpd
1483	    (without -g) if it stops running.
1484   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1485	Malhotra of Boston University.
1486
1487* read_mru_list() does inadequate incoming packet checks
1488   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1489   References: Sec 3082 / CVE-2016-7434 / VU#633847
1490   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1491	ntp-4.3.0 up to, but not including ntp-4.3.94.
1492   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1493   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1494   Summary:
1495	If ntpd is configured to allow mrulist query requests from a
1496	server that sends a crafted malicious packet, ntpd will crash
1497	on receipt of that crafted malicious mrulist query packet.
1498   Mitigation:
1499	Only allow mrulist query packets from trusted hosts.
1500        Implement BCP-38.
1501        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1502	    or the NTP Public Services Project Download Page
1503        Properly monitor your ntpd instances, and auto-restart ntpd
1504	    (without -g) if it stops running.
1505   Credit: This weakness was discovered by Magnus Stubman.
1506
1507* Attack on interface selection
1508   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1509   References: Sec 3072 / CVE-2016-7429 / VU#633847
1510   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1511	ntp-4.3.0 up to, but not including ntp-4.3.94
1512   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1513   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1514   Summary:
1515	When ntpd receives a server response on a socket that corresponds
1516	to a different interface than was used for the request, the peer
1517	structure is updated to use the interface for new requests. If
1518	ntpd is running on a host with multiple interfaces in separate
1519	networks and the operating system doesn't check source address in
1520	received packets (e.g. rp_filter on Linux is set to 0), an
1521	attacker that knows the address of the source can send a packet
1522	with a spoofed source address which will cause ntpd to select the wrong
1523	interface for the source and prevent it from sending new requests
1524	until the list of interfaces is refreshed, which happens on
1525	routing changes or every 5 minutes by default. If the attack is
1526	repeated often enough (once per second), ntpd will not be able to
1527	synchronize with the source.
1528   Mitigation:
1529        Implement BCP-38.
1530        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1531	    or the NTP Public Services Project Download Page
1532	If you are going to configure your OS to disable source address
1533	    checks, also configure your firewall configuration to control
1534	    what interfaces can receive packets from what networks.
1535        Properly monitor your ntpd instances, and auto-restart ntpd
1536	    (without -g) if it stops running.
1537   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1538
1539* Client rate limiting and server responses
1540   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1541   References: Sec 3071 / CVE-2016-7426 / VU#633847
1542   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1543	ntp-4.3.0 up to, but not including ntp-4.3.94
1544   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1545   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1546   Summary:
1547	When ntpd is configured with rate limiting for all associations
1548	(restrict default limited in ntp.conf), the limits are applied
1549	also to responses received from its configured sources. An
1550	attacker who knows the sources (e.g., from an IPv4 refid in
1551	server response) and knows the system is (mis)configured in this
1552	way can periodically send packets with spoofed source address to
1553	keep the rate limiting activated and prevent ntpd from accepting
1554	valid responses from its sources.
1555
1556	While this blanket rate limiting can be useful to prevent
1557	brute-force attacks on the origin timestamp, it allows this DoS
1558	attack. Similarly, it allows the attacker to prevent mobilization
1559	of ephemeral associations.
1560   Mitigation:
1561        Implement BCP-38.
1562        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1563	    or the NTP Public Services Project Download Page
1564        Properly monitor your ntpd instances, and auto-restart ntpd
1565	    (without -g) if it stops running.
1566   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1567
1568* Fix for bug 2085 broke initial sync calculations
1569   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1570   References: Sec 3067 / CVE-2016-7433 / VU#633847
1571   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1572	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1573	root-distance calculation in general is incorrect in all versions
1574	of ntp-4 until this release.
1575   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1576   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1577   Summary:
1578	Bug 2085 described a condition where the root delay was included
1579	twice, causing the jitter value to be higher than expected. Due
1580	to a misinterpretation of a small-print variable in The Book, the
1581	fix for this problem was incorrect, resulting in a root distance
1582	that did not include the peer dispersion. The calculations and
1583	formulae have been reviewed and reconciled, and the code has been
1584	updated accordingly.
1585   Mitigation:
1586        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1587	    or the NTP Public Services Project Download Page
1588        Properly monitor your ntpd instances, and auto-restart ntpd
1589	    (without -g) if it stops running.
1590   Credit: This weakness was discovered independently by Brian Utterback of
1591	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1592
1593Other fixes:
1594
1595* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1596* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1597* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1598  - moved retry decision where it belongs. <perlinger@ntp.org>
1599* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1600  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1601* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1602* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1603  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1604* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1605  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1606  - added shim layer for SSL API calls with issues (both directions)
1607* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1608  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1609* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1610* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1611  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1612* [Bug 3067] Root distance calculation needs improvement.  HStenn
1613* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1614  - PPS-HACK works again.
1615* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1616  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1617* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1618* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1619  <perlinger@ntp.org>
1620  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1621* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1622  - Patch provided by Kuramatsu.
1623* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1624  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1625* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1626* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1627* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1628* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1629  - fixed GPS week expansion to work based on build date. Special thanks
1630    to Craig Leres for initial patch and testing.
1631* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1632  - fixed Makefile.am <perlinger@ntp.org>
1633* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1634             even if it is very old <perlinger@ntp.org>
1635  - make sure PPS source is alive before processing samples
1636  - improve stability close to the 500ms phase jump (phase gate)
1637* Fix typos in include/ntp.h.
1638* Shim X509_get_signature_nid() if needed
1639* git author attribution cleanup
1640* bk ignore file cleanup
1641* remove locks in Windows IO, use rpc-like thread synchronisation instead
1642
1643---
1644NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1645
1646Focus: Security, Bug fixes, enhancements.
1647
1648Severity: HIGH
1649
1650In addition to bug fixes and enhancements, this release fixes the
1651following 1 high- and 4 low-severity vulnerabilities:
1652
1653* CRYPTO_NAK crash
1654   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1655   References: Sec 3046 / CVE-2016-4957 / VU#321640
1656   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1657   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1658   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1659   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1660	could cause ntpd to crash.
1661   Mitigation:
1662        Implement BCP-38.
1663        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1664	    or the NTP Public Services Project Download Page
1665        If you cannot upgrade from 4.2.8p7, the only other alternatives
1666	    are to patch your code or filter CRYPTO_NAK packets.
1667        Properly monitor your ntpd instances, and auto-restart ntpd
1668	    (without -g) if it stops running.
1669   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1670
1671* Bad authentication demobilizes ephemeral associations
1672   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1673   References: Sec 3045 / CVE-2016-4953 / VU#321640
1674   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1675	ntp-4.3.0 up to, but not including ntp-4.3.93.
1676   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1677   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1678   Summary: An attacker who knows the origin timestamp and can send a
1679	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1680	target before any other response is sent can demobilize that
1681	association.
1682   Mitigation:
1683	Implement BCP-38.
1684	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1685	    or the NTP Public Services Project Download Page
1686	Properly monitor your ntpd instances.
1687   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1688
1689* Processing spoofed server packets
1690   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1691   References: Sec 3044 / CVE-2016-4954 / VU#321640
1692   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1693	ntp-4.3.0 up to, but not including ntp-4.3.93.
1694   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1695   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1696   Summary: An attacker who is able to spoof packets with correct origin
1697	timestamps from enough servers before the expected response
1698	packets arrive at the target machine can affect some peer
1699	variables and, for example, cause a false leap indication to be set.
1700   Mitigation:
1701	Implement BCP-38.
1702	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1703	    or the NTP Public Services Project Download Page
1704	Properly monitor your ntpd instances.
1705   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1706
1707* Autokey association reset
1708   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1709   References: Sec 3043 / CVE-2016-4955 / VU#321640
1710   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1711	ntp-4.3.0 up to, but not including ntp-4.3.93.
1712   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1713   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1714   Summary: An attacker who is able to spoof a packet with a correct
1715	origin timestamp before the expected response packet arrives at
1716	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1717	the association's peer variables to be cleared. If this can be
1718	done often enough, it will prevent that association from working.
1719   Mitigation:
1720	Implement BCP-38.
1721	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1722	    or the NTP Public Services Project Download Page
1723	Properly monitor your ntpd instances.
1724   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1725
1726* Broadcast interleave
1727   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1728   References: Sec 3042 / CVE-2016-4956 / VU#321640
1729   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1730   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1731   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1732   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1733   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1734   	so broadcast clients can be triggered to flip into interleave mode.
1735   Mitigation:
1736	Implement BCP-38.
1737	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1738	    or the NTP Public Services Project Download Page
1739	Properly monitor your ntpd instances.
1740   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1741
1742Other fixes:
1743* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1744  - provide build environment
1745  - 'wint_t' and 'struct timespec' defined by VS2015
1746  - fixed print()/scanf() format issues
1747* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1748* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1749* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1750  JPerlinger, HStenn.
1751* Fix typo in ntp-wait and plot_summary.  HStenn.
1752* Make sure we have an "author" file for git imports.  HStenn.
1753* Update the sntp problem tests for MacOS.  HStenn.
1754
---
NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

When building NTP from source, there is a new configure option
available, --enable-dynamic-interleave.  More information on this below.

Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past; it's just that they were silently counted and not logged.  With
the increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  This increased
logging can also help detect other problems.

In addition to bug fixes and enhancements, this release fixes the
following 9 low- and medium-severity vulnerabilities:

* Improve NTP security against buffer comparison timing attacks,
  AKA: authdecrypt-timing
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2879 / CVE-2016-1550
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
   Summary: Packet authentication tests have been performed using
	memcmp() or possibly bcmp(), and it is potentially possible
	for a local or perhaps LAN-based attacker to send a packet with
	an authentication payload and indirectly observe how much of
	the digest has matched.
   Mitigation:
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered independently by Loganaden
	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
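
   The following is an added example (not code from the NTP Project) that
   contrasts the early-exit digest comparison described above with a
   constant-time one. It assumes an NTPv4 packet with no extension fields
   (48-byte header, then a 4-byte key id, then the digest) and uses
   constructed digest bytes rather than real MD5/SHA1 output.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NTP_HDR_LEN   48   /* fixed NTPv4 header (assumed: no extension fields) */
#define NTP_KEYID_LEN  4   /* key id that precedes the digest in the MAC */
#define MAX_DIGEST    20   /* 16 bytes for MD5, 20 for SHA1 */

/* Early-exit comparison, instrumented. It behaves like memcmp() == 0 but also
 * reports how many bytes it examined before deciding; that count tracks the
 * response latency a timing attacker measures, one byte at a time. */
int digest_eq_leaky(const uint8_t *a, const uint8_t *b, size_t len, size_t *inspected)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *inspected = i + 1;
            return 0;
        }
    }
    *inspected = len;
    return 1;
}

/* Constant-time comparison: no early exit and no data-dependent branch. Every
 * byte is read, differences are OR-folded, and only the final fold turns the
 * accumulator into a verdict. */
int digest_eq_ct(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    /* diff is in 0..255; (diff - 1) >> 8 has its low bit set only when diff == 0 */
    return (int)(((diff - 1u) >> 8) & 1u);
}

/* Verify the MAC of a packet against the locally computed digest (assumed to
 * have been derived already from the shared key). Returns 1 if it matches. */
int ntp_mac_valid(const uint8_t *pkt, size_t pktlen, const uint8_t *expected, size_t diglen)
{
    if (diglen > MAX_DIGEST || pktlen != NTP_HDR_LEN + NTP_KEYID_LEN + diglen)
        return 0;   /* no MAC of this size present: reject without comparing */
    return digest_eq_ct(pkt + NTP_HDR_LEN + NTP_KEYID_LEN, expected, diglen);
}

/* Constructed test data: a "real" digest and a guess that agrees with it in
 * the first `good` bytes and differs everywhere after that. */
static void make_pair(size_t good, size_t diglen, uint8_t *real, uint8_t *guess)
{
    size_t i;
    for (i = 0; i < diglen; i++) {
        real[i] = (uint8_t)(0xA5 ^ (i * 7));
        guess[i] = (i < good) ? real[i] : (uint8_t)~real[i];
    }
}

/* How many bytes the leaky compare inspects for a guess with `good` correct
 * leading bytes: good + 1 on a partial match, diglen on a full match. */
size_t leaked_prefix_len(size_t good, size_t diglen)
{
    uint8_t real[MAX_DIGEST], guess[MAX_DIGEST];
    size_t inspected;
    make_pair(good, diglen, real, guess);
    digest_eq_leaky(real, guess, diglen, &inspected);
    return inspected;
}

/* Verdict of the constant-time compare on the same guess: 1 only on a full match. */
int ct_verdict(size_t good, size_t diglen)
{
    uint8_t real[MAX_DIGEST], guess[MAX_DIGEST];
    make_pair(good, diglen, real, guess);
    return digest_eq_ct(real, guess, diglen);
}

/* End to end: a constructed 68-byte packet (48 header + 4 key id + 16-byte
 * digest) carrying the guess, checked against the real digest. */
int mac_valid_demo(size_t good)
{
    uint8_t pkt[NTP_HDR_LEN + NTP_KEYID_LEN + 16];
    uint8_t real[MAX_DIGEST];
    memset(pkt, 0, sizeof pkt);
    pkt[0] = (4 << 3) | 3;   /* LI=0, VN=4, mode=3 (client) */
    make_pair(good, 16, real, pkt + NTP_HDR_LEN + NTP_KEYID_LEN);
    return ntp_mac_valid(pkt, sizeof pkt, real, 16);
}
```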

* Zero origin timestamp bypass: Additional KoD checks.
   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.

* peer associations were broken by the fix for NtpBug2899
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2952 / CVE-2015-7704
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
	associations did not address all of the issues.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you can't upgrade, use "server" associations instead of
	    "peer" associations.
	Monitor your ntpd instances.
   Credit: This problem was discovered by Michael Tatarinov.

* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3007 / CVE-2016-1547 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
	off-path attacker can cause a preemptable client association to
	be demobilized by sending a crypto NAK packet to a victim client
	with a spoofed source address of an existing associated peer.
	This is true even if authentication is enabled.

	Furthermore, if the attacker keeps sending crypto NAK packets,
	for example one every second, the victim never has a chance to
	reestablish the association and synchronize time with that
	legitimate server.

	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
	stringent checks are performed on incoming packets, but there
	are still ways to exploit this vulnerability in versions before
	ntp-4.2.8p7.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances
   Credit: This weakness was discovered by Stephen Gray and
	Matthew Van Gundy of Cisco ASIG.

* ctl_getitem() return value not always checked
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3008 / CVE-2016-2519
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: ntpq and ntpdc can be used to store and retrieve information
	in ntpd. It is possible to store a data value that is larger
	than the size of the buffer that the ctl_getitem() function of
	ntpd uses to report the return value. If the length of the
	requested data value returned by ctl_getitem() is too large,
	the value NULL is returned instead. There are 2 cases where the
	return value from ctl_getitem() was not directly checked to make
	sure it's not NULL, but there are subsequent INSIST() checks
	that make sure the return value is not NULL. There are no data
	values ordinarily stored in ntpd that would exceed this buffer
	length. But if one has permission to store values and one stores
	a value that is "too large", then ntpd will abort if an attempt
	is made to read that oversized value.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3009 / CVE-2016-2518 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary: Using a crafted packet to create a peer association with
	hmode > 7 causes the MATCH_ASSOC() lookup to make an
	out-of-bounds reference.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* remote configuration trustedkey/requestkey/controlkey values are not
	properly validated
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3010 / CVE-2016-2517 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
	configuration, a malicious user who knows the controlkey for
	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
	can create a session with ntpd and then send a crafted packet to
	ntpd that will change the value of the trustedkey, controlkey,
	or requestkey to a value that will prevent any subsequent
	authentication with ntpd until ntpd is restarted.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3011 / CVE-2016-2516 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary: If ntpd was expressly configured to allow for remote
	configuration, a malicious user who knows the controlkey for
	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
	can create a session with ntpd and if an existing association is
	unconfigured using the same IP twice on the unconfig directive
	line, ntpd will abort.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances
   Credit: This weakness was discovered by Yihan Lian of the Cloud
	Security Team, Qihoo 360.

* Refclock impersonation vulnerability
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3020 / CVE-2016-1551
   Affects: On a very limited number of OSes, all NTP releases up to but
	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
	By "very limited number of OSes" we mean no general-purpose OSes
	have yet been identified that have this vulnerability.
   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
   Summary: While most OSes implement martian packet filtering in their
	network stack, at least regarding 127.0.0.0/8, some will allow
	packets claiming to be from 127.0.0.0/8 that arrive over a
	physical network. On these OSes, if ntpd is configured to use a
	reference clock an attacker can inject packets over the network
	that look like they are coming from that reference clock.
   Mitigation:
	Implement martian packet filtering and BCP-38.
	Configure ntpd to use an adequate number of time sources.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	If you are unable to upgrade and if you are running an OS that
	    has this vulnerability, implement martian packet filters and
	    lobby your OS vendor to fix this problem, or run your
	    refclocks on computers that use OSes that are not vulnerable
	    to these attacks and have your vulnerable machines get their
	    time from protected resources.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Matt Street and others of
	Cisco ASIG.

The following issues were fixed in earlier releases and contain
improvements in 4.2.8p7:

* Clients that receive a KoD should validate the origin timestamp field.
   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.

* Skeleton key: passive server with trusted key can serve time.
   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.

Two other vulnerabilities have been reported, and the mitigations
for these are as follows:

* Interleave-pivot
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 2978 / CVE-2016-1548
   Affects: All ntp-4 releases.
   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
   Summary: It is possible to change the time of an ntpd client or deny
	service to an ntpd client by forcing it to change from basic
	client/server mode to interleaved symmetric mode. An attacker
	can spoof a packet from a legitimate ntpd server with an origin
	timestamp that matches the peer->dst timestamp recorded for that
	server. After making this switch, the client will reject all
	future legitimate server responses. It is possible to force the
	victim client to move time after the mode has been changed.
	ntpq gives no indication that the mode has been switched.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.  These
	    versions will not dynamically "flip" into interleave mode
	    unless configured to do so.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
	and separately by Jonathan Gardner of Cisco ASIG.

* Sybil vulnerability: ephemeral association attack
   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   References: Sec 3012 / CVE-2016-1549
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
	4.3.0 up to, but not including 4.3.92
   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
	field in the ntp.keys file to specify which IPs can serve time,
	a malicious authenticated peer can create arbitrarily-many
	ephemeral associations in order to win the clock selection of
	ntpd and modify a victim's clock.
   Mitigation:
	Implement BCP-38.
	Use the 4th field in the ntp.keys file to specify which IPs
	    can be time servers.
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Other fixes:

* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
  - fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
    with some modifications & unit tests
* [Bug 2960] async name resolution fixes for chroot() environments.
  Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in
    remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
             when the time of the server changed. perlinger@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast
    server if the delay exceeds 50ms. Retry again after the next
    broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
* Document the ntp.keys optional IP list in authentic.html.  Harlan Stenn.
* Update html/xleave.html documentation.  Harlan Stenn.
* Update ntp.conf documentation.  Harlan Stenn.
* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
* Fix typo in html/monopt.html.  Harlan Stenn.
* Add README.pullrequests.  Harlan Stenn.
* Cleanup to include/ntp.h.  Harlan Stenn.

New option to 'configure':

While looking in to the issues around Bug 2978, the "interleave pivot"
issue, it became clear that there are some intricate and unresolved
issues with interleave operations.  We also realized that the interleave
protocol was never added to the NTPv4 Standard, and it should have been.

Interleave mode was first released in July of 2008, and can be engaged
in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
for that association.  Additionally, if a time packet arrives and is
found inconsistent with normal protocol behavior but has certain
characteristics that are compatible with interleave mode, NTP will
dynamically switch to interleave mode.  With sufficient knowledge, an
attacker can send a crafted forged packet to an NTP instance that
triggers only one side to enter interleaved mode.

To prevent this attack until we can thoroughly document, describe,
fix, and test the dynamic interleave mode, we've added a new
'configure' option to the build process:

 --enable-dynamic-interleave

This option controls whether or not NTP will, if conditions are right,
engage dynamic interleave mode.  Dynamic interleave mode is disabled by
default in ntp-4.2.8p7.

---
NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 1 low- and 8 medium-severity vulnerabilities:

* Potential Infinite Loop in 'ntpq'
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2548 / CVE-2015-8158
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
	The loop's only stopping conditions are receiving a complete and
	correct response or hitting a small number of error conditions.
	If the packet contains incorrect values that don't trigger one of
	the error conditions, the loop continues to receive new packets.
	Note well, this is an attack against an instance of 'ntpq', not
	'ntpd', and this attack requires the attacker to do one of the
	following:
	* Own a malicious NTP server that the client trusts
	* Prevent a legitimate NTP server from sending packets to
	    the 'ntpq' client
	* MITM the 'ntpq' communications between the 'ntpq' client
	    and the NTP server
   Mitigation:
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	or the NTP Public Services Project Download Page
   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* 0rigin: Zero Origin Timestamp Bypass
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2945 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
	(3.7 - LOW if you score AC:L)
   Summary: To distinguish legitimate peer responses from forgeries, a
	client attempts to verify a response packet by ensuring that the
	origin timestamp in the packet matches the origin timestamp it
	transmitted in its last request.  A logic error exists that
	allows packets with an origin timestamp of zero to bypass this
	check whenever there is not an outstanding request to the server.
   Mitigation:
	Configure 'ntpd' to get time from multiple sources.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	Monitor your 'ntpd' instances.
   Credit: This weakness was discovered by Matthew Van Gundy and
	Jonathan Gardner of Cisco ASIG.
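
   An added example (not ntpd's own code) for the origin-timestamp check
   described above and for the KoD origin validation noted under 4.2.8p7:
   the bare equality test beside the fixed one, applied to constructed
   48-byte replies. The client state field aorg, the header offsets and
   the sample timestamps are assumptions of this example, not ntpd's.

```c
#include <stdint.h>
#include <string.h>

#define NTP_HDR_LEN 48

typedef struct { uint32_t sec; uint32_t frac; } l_fp;   /* NTP 64-bit timestamp */

static int lfp_is_zero(const l_fp *t) { return t->sec == 0 && t->frac == 0; }
static int lfp_eq(const l_fp *a, const l_fp *b) { return a->sec == b->sec && a->frac == b->frac; }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }

/* The origin timestamp occupies bytes 24..31 of the NTPv4 header. */
l_fp pkt_origin(const uint8_t *pkt)
{
    l_fp t;
    t.sec = rd32(pkt + 24);
    t.frac = rd32(pkt + 28);
    return t;
}

/* Per-server client state (assumed layout): aorg is the transmit timestamp of
 * the request still awaiting a reply, and is all-zero when none is outstanding. */
typedef struct { l_fp aorg; } ntp_client;

/* The pre-4.2.8p6 logic as the Summary describes it: a bare equality test.
 * With nothing outstanding aorg is zero, so a forged packet whose origin is
 * also zero compares equal and is accepted. */
int origin_check_vulnerable(const ntp_client *c, const l_fp *org)
{
    return lfp_eq(org, &c->aorg);
}

/* Fixed logic: a zero origin, or an idle client, is rejected before any
 * comparison takes place. */
int origin_check_fixed(const ntp_client *c, const l_fp *org)
{
    if (lfp_is_zero(org) || lfp_is_zero(&c->aorg))
        return 0;
    return lfp_eq(org, &c->aorg);
}

enum { REPLY_ACCEPT = 0, REPLY_KOD = 1, REPLY_BAD_ORIGIN = 2 };

/* Run a reply through the fixed check. Kiss-o'-death packets (stratum 0) get
 * the same treatment, so a forged KoD cannot act on the association. A
 * matched request is cleared, so the same reply is not accepted twice. */
int process_reply(ntp_client *c, const uint8_t *pkt)
{
    l_fp org = pkt_origin(pkt);
    if (!origin_check_fixed(c, &org))
        return REPLY_BAD_ORIGIN;
    memset(&c->aorg, 0, sizeof c->aorg);
    return pkt[1] == 0 ? REPLY_KOD : REPLY_ACCEPT;   /* byte 1 is the stratum */
}

/* Constructed 48-byte server reply (mode 4) with the given stratum and origin. */
void make_reply(uint8_t *pkt, uint8_t stratum, l_fp org)
{
    memset(pkt, 0, NTP_HDR_LEN);
    pkt[0] = (4 << 3) | 4;   /* LI=0, VN=4, mode=4 (server) */
    pkt[1] = stratum;
    wr32(pkt + 24, org.sec);
    wr32(pkt + 28, org.frac);
}

/* Idle client receives a zero-origin reply: returns 1 when the old check
 * accepts it and the fixed check rejects it. */
int zero_origin_bypass_demo(void)
{
    ntp_client idle = { { 0, 0 } };
    l_fp zero = { 0, 0 }, org;
    uint8_t pkt[NTP_HDR_LEN];
    make_reply(pkt, 2, zero);
    org = pkt_origin(pkt);
    return origin_check_vulnerable(&idle, &org) == 1 && origin_check_fixed(&idle, &org) == 0;
}

/* A genuine exchange followed by a replay of the same reply: returns the
 * verdict on the replay. */
int replay_demo(void)
{
    ntp_client c = { { 0xE3000000u, 0x12345678u } };   /* constructed request timestamp */
    uint8_t pkt[NTP_HDR_LEN];
    make_reply(pkt, 2, c.aorg);
    if (process_reply(&c, pkt) != REPLY_ACCEPT)
        return -1;
    return process_reply(&c, pkt);
}

/* A KoD with (1) or without (0) the origin timestamp of the outstanding request. */
int kod_demo(int matching_origin)
{
    ntp_client c = { { 0xE3000000u, 0x9ABCDEF0u } };   /* constructed request timestamp */
    l_fp org = { 0, 0 };
    uint8_t pkt[NTP_HDR_LEN];
    if (matching_origin)
        org = c.aorg;
    make_reply(pkt, 0, org);   /* stratum 0 marks a kiss-o'-death packet */
    return process_reply(&c, pkt);
}
```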

* Stack exhaustion in recursive traversal of restriction list
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
   References: Sec 2940 / CVE-2015-7978
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   Summary: An unauthenticated 'ntpdc reslist' command can cause a
	segmentation fault in ntpd by exhausting the call stack.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
	    If you must enable mode 7:
		configure the use of a 'requestkey' to control who can
		    issue mode 7 requests.
		configure 'restrict noquery' to further limit mode 7
		    requests to trusted sources.
		Monitor your ntpd instances.
   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.

* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2942 / CVE-2015-7979
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
   Summary: An off-path attacker can send broadcast packets with bad
	authentication (wrong key, mismatched key, incorrect MAC, etc)
	to broadcast clients. It is observed that the broadcast client
	tears down the association with the broadcast server upon
	receiving just one bad packet.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	or the NTP Public Services Project Download Page.
	Monitor your 'ntpd' instances.
	If this sort of attack is an active problem for you, you have
	    deeper problems to investigate.  In this case also consider
	    having smaller NTP broadcast domains.
   Credit: This weakness was discovered by Aanchal Malhotra of Boston
	University.

* reslist NULL pointer dereference
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2939 / CVE-2015-7977
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
   Summary: An unauthenticated 'ntpdc reslist' command can cause a
	segmentation fault in ntpd by causing a NULL pointer dereference.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
	the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    mode 7 is disabled by default.  Don't enable it.
	    If you must enable mode 7:
		configure the use of a 'requestkey' to control who can
		    issue mode 7 requests.
		configure 'restrict noquery' to further limit mode 7
		    requests to trusted sources.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.

* 'ntpq saveconfig' command allows dangerous characters in filenames.
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2938 / CVE-2015-7976
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
   Summary: The ntpq saveconfig command does not do adequate filtering
	of special characters from the supplied filename.
	Note well: The ability to use the saveconfig command is controlled
	by the 'restrict nomodify' directive, and the recommended default
	configuration is to disable this capability.  If the ability to
	execute a 'saveconfig' is required, it can easily (and should) be
	limited and restricted to a known small number of IP addresses.
   Mitigation:
	Implement BCP-38.
	use 'restrict default nomodify' in your 'ntp.conf' file.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
	If you are unable to upgrade:
	    build NTP with 'configure --disable-saveconfig' if you will
		never need this capability, or
	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
		careful about what IPs have the ability to send 'modify'
		requests to 'ntpd'.
	Monitor your ntpd instances.
	'saveconfig' requests are logged to syslog - monitor your syslog files.
   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.

* nextvar() missing length check in ntpq
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2937 / CVE-2015-7975
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
	If you score A:C, this becomes 4.0.
   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
   Summary: ntpq may call nextvar() which executes a memcpy() into the
	name buffer without a proper length check against its maximum
	length of 256 bytes. Note well that we're talking about ntpq here.
	The usual worst-case effect of this vulnerability is that the
	specific instance of ntpq will crash and the person or process
	that did this will have stopped themselves.
   Mitigation:
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    If you have scripts that feed input to ntpq make sure there are
		some sanity checks on the input received from the "outside".
	    This is potentially more dangerous if ntpq is run as root.
   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.

* Skeleton Key: Any trusted key system can serve time
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
   Summary: Symmetric key encryption uses a shared trusted key. The
	reported title for this issue was "Missing key check allows
	impersonation between authenticated peers" and the report claimed
	"A key specified only for one server should only work to
	authenticate that server, other trusted keys should be refused."
	Except there has never been any correlation between this trusted
	key and server v. clients machines and there has never been any
	way to specify a key only for one server. We have treated this as
	an enhancement request, and ntp-4.2.8p6 includes other checks and
	tests to strengthen clients against attacks coming from broadcast
	servers.
   Mitigation:
	Implement BCP-38.
	If this scenario represents a real or a potential issue for you,
	    upgrade to 4.2.8p6, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page, and
	    use the new field in the ntp.keys file that specifies the list
	    of IPs that are allowed to serve time. Note that this alone
	    will not protect against time packets with forged source IP
	    addresses, however other changes in ntp-4.2.8p6 provide
	    significant mitigation against broadcast attacks. MITM attacks
	    are a different story.
	If you are unable to upgrade:
	    Don't use broadcast mode if you cannot monitor your client
		servers.
	    If you choose to use symmetric keys to authenticate time
		packets in a hostile environment where ephemeral time
		servers can be created, or if it is expected that malicious
		time servers will participate in an NTP broadcast domain,
		limit the number of participating systems that participate
		in the shared-key group.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Matt Street of Cisco ASIG.

* Deja Vu: Replay attack on authenticated broadcast mode
   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
   References: Sec 2935 / CVE-2015-7973
   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
	4.3.0 up to, but not including 4.3.90
   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
   Summary: If an NTP network is configured for broadcast operations then
	either a man-in-the-middle attacker or a malicious participant
	that has the same trusted keys as the victim can replay time packets.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page.
	If you are unable to upgrade:
	    Don't use broadcast mode if you cannot monitor your client servers.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Aanchal Malhotra of Boston
	University.

Other fixes:

* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
  - applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
             IPv6 is disabled in the build. perlinger@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
  - integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose.  Harlan Stenn.

---
NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:

* Small-step/big-step.  Close the panic gate earlier.
   References: Sec 2956, CVE-2015-5300
   Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
	4.3.0 up to, but not including 4.3.78
   CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
   Summary: If ntpd is always started with the -g option, which is
	common and against long-standing recommendation, and if at the
	moment ntpd is restarted an attacker can immediately respond to
	enough requests from enough sources trusted by the target, which
	is difficult and not common, there is a window of opportunity
	where the attacker can cause ntpd to set the time to an
	arbitrary value. Similarly, if an attacker is able to respond
	to enough requests from enough sources trusted by the target,
	the attacker can cause ntpd to abort and restart, at which
	point it can tell the target to set the time to an arbitrary
	value if and only if ntpd was re-started against long-standing
	recommendation with the -g flag, or if ntpd was not given the
	-g flag, the attacker can move the target system's time by at
	most 900 seconds' time per attack.
   Mitigation:
	Configure ntpd to get time from multiple sources.
	Upgrade to 4.2.8p5, or later, from the NTP Project Download
	    Page or the NTP Public Services Project Download Page
	As we've long documented, only use the -g option to ntpd in
	    cold-start situations.
	Monitor your ntpd instances.
   Credit: This weakness was discovered by Aanchal Malhotra,
	Isaac E. Cohen, and Sharon Goldberg at Boston University.

   NOTE WELL: The -g flag disables the limit check on the panic_gate
	in ntpd, which is 900 seconds by default. The bug identified by
	the researchers at Boston University is that the panic_gate
	check was only re-enabled after the first change to the system
	clock that was greater than 128 milliseconds, by default. The
2393	correct behavior is that the panic_gate check should be
2394	re-enabled after any initial time correction.
2395
2396	If an attacker is able to inject consistent but erroneous time
2397	responses to your systems via the network or "over the air",
2398	perhaps by spoofing radio, cellphone, or navigation satellite
2399	transmissions, they are in a great position to affect your
2400	system's clock. There comes a point where your very best
2401	defenses include:
2402
2403	    Configure ntpd to get time from multiple sources.
2404	    Monitor your ntpd instances.
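
The panic_gate behaviour described in the NOTE WELL above, modelled as an added example (illustrative code written for this entry, not ntpd's own clock update logic): the buggy variant only disarms the -g allowance after a correction larger than the 128 ms step threshold, the fixed variant disarms it after any initial correction. PANIC_GATE and STEP_THRESH are the defaults quoted above; the offset sequence is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

#define PANIC_GATE  900.0   /* seconds; ntpd's default panic threshold */
#define STEP_THRESH 0.128   /* seconds; ntpd's default step threshold */

enum verdict { ACCEPT_SLEW, ACCEPT_STEP, REJECT_PANIC };

/* allow_panic is true while the -g allowance is still armed, i.e. while
 * the panic gate limit check is disabled. */
struct gate_state {
    bool allow_panic;
};

static double magnitude(double x)
{
    return x < 0 ? -x : x;
}

/* Model of the pre-4.2.8p5 behaviour: the -g allowance is only disarmed
 * after a correction larger than the step threshold, so a run of small
 * slews leaves the gate open indefinitely. */
static enum verdict apply_buggy(struct gate_state *s, double offset)
{
    double mag = magnitude(offset);

    if (mag > PANIC_GATE && !s->allow_panic)
        return REJECT_PANIC;
    if (mag > STEP_THRESH) {
        s->allow_panic = false;     /* gate re-enabled only here */
        return ACCEPT_STEP;
    }
    return ACCEPT_SLEW;             /* gate left disabled */
}

/* Model of the 4.2.8p5 behaviour: any initial correction, however small,
 * disarms the -g allowance and re-enables the panic gate. */
static enum verdict apply_fixed(struct gate_state *s, double offset)
{
    double mag = magnitude(offset);

    if (mag > PANIC_GATE && !s->allow_panic)
        return REJECT_PANIC;
    s->allow_panic = false;         /* gate re-enabled on first correction */
    return mag > STEP_THRESH ? ACCEPT_STEP : ACCEPT_SLEW;
}

typedef enum verdict (*model_fn)(struct gate_state *, double);

/* Feed a sequence of measured offsets through one model and count how many
 * corrections larger than the panic gate were accepted. Anything above zero
 * after the first correction means the clock could be set arbitrarily. */
static int panic_sized_accepts(model_fn model, const double *offs, int n,
                               bool started_with_g)
{
    struct gate_state s = { .allow_panic = started_with_g };
    int accepted = 0;

    for (int i = 0; i < n; i++) {
        enum verdict v = model(&s, offs[i]);
        if (magnitude(offs[i]) > PANIC_GATE && v != REJECT_PANIC)
            accepted++;
    }
    return accepted;
}

/* Constructed scenario: two small, legitimate corrections after a restart
 * with -g, followed by one bogus offset far beyond the 900 s gate. */
static const double demo_seq[] = { 0.050, 0.020, 3600.0 };
#define DEMO_LEN ((int)(sizeof demo_seq / sizeof demo_seq[0]))

int main(void)
{
    printf("buggy, started with -g: %d panic-sized correction(s) accepted\n",
           panic_sized_accepts(apply_buggy, demo_seq, DEMO_LEN, true));
    printf("fixed, started with -g: %d panic-sized correction(s) accepted\n",
           panic_sized_accepts(apply_fixed, demo_seq, DEMO_LEN, true));
    printf("buggy, started without -g: %d panic-sized correction(s) accepted\n",
           panic_sized_accepts(apply_buggy, demo_seq, DEMO_LEN, false));
    return 0;
}
```

Without -g both models cap a single correction at the gate, which is the "at most 900 seconds per attack" case in the Summary; with -g only the fixed model closes the window after the first small correction.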
2405
2406Other fixes:
2407
2408* Coverity submission process updated from Coverity 5 to Coverity 7.
2409  The NTP codebase has been undergoing regular Coverity scans on an
2410  ongoing basis since 2006.  As part of our recent upgrade from
2411  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
2412  the newly-written Unity test programs.  These were fixed.
2413* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
2414* [Bug 2887] stratum -1 config results as showing value 99
2415  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
2416* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
2417* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
2418* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
2419  - applied patch by Christos Zoulas.  perlinger@ntp.org
2420* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
2421* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
2422  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
2423  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
2424* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
2425  - accept key file only if there are no parsing errors
2426  - fixed size_t/u_int format clash
2427  - fixed wrong use of 'strlcpy'
2428* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
2429* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
2430  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
2431  - promote use of 'size_t' for values that express a size
2432  - use ptr-to-const for read-only arguments
2433  - make sure SOCKET values are not truncated (win32-specific)
2434  - format string fixes
2435* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
2436* [Bug 2967] ntpdate command suffers an assertion failure
2437  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
2438* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
2439             lots of clients. perlinger@ntp.org
2440* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2441  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2442* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
2443* Unity test cleanup.  Harlan Stenn.
2444* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
2445* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
2446* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
2447* Quiet a warning from clang.  Harlan Stenn.
2448
2449---
2450NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
2451
2452Focus: Security, Bug fixes, enhancements.
2453
2454Severity: MEDIUM
2455
2456In addition to bug fixes and enhancements, this release fixes the
2457following 13 low- and medium-severity vulnerabilities:
2458
2459* Incomplete vallen (value length) checks in ntp_crypto.c, leading
2460  to potential crashes or potential code injection/information leakage.
2461
2462    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
2463    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2464    	and 4.3.0 up to, but not including 4.3.77
2465    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2466    Summary: The fix for CVE-2014-9750 was incomplete in that there were
2467    	certain code paths where a packet with particular autokey operations
2468	that contained malicious data was not always being completely
2469	validated. Receipt of these packets can cause ntpd to crash.
2470    Mitigation:
2471        Don't use autokey.
2472	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2473	    Page or the NTP Public Services Project Download Page
2474	Monitor your ntpd instances.
2475	Credit: This weakness was discovered by Tenable Network Security.
2476
2477* Clients that receive a KoD should validate the origin timestamp field.
2478
2479    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
2480    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2481	and 4.3.0 up to, but not including 4.3.77
2482    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2483    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2484    	KoD messages that have been forged by an attacker, causing it to
2485	delay or stop querying its servers for time updates. Also, an
2486	attacker can forge packets that claim to be from the target and
2487	send them to servers often enough that a server that implements
2488	KoD rate limiting will send the target machine a KoD response to
2489	attempt to reduce the rate of incoming packets, or it may also
2490	trigger a firewall block at the server for packets from the target
2491	machine. For either of these attacks to succeed, the attacker must
2492	know what servers the target is communicating with. An attacker
2493	can be anywhere on the Internet and can frequently learn the
2494	identity of the target's time source by sending the target a
2495	time query.
2496    Mitigation:
2497        Implement BCP-38.
2498	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
2499	    or the NTP Public Services Project Download Page
2500	If you can't upgrade, restrict who can query ntpd to learn who
2501	    its servers are, and what IPs are allowed to ask your system
2502	    for the time. This mitigation is heavy-handed.
2503	Monitor your ntpd instances.
2504    Note:
2505    	4.2.8p4 protects against the first attack. For the second attack,
2506    	all we can do is warn when it is happening, which we do in 4.2.8p4.
2507    Credit: This weakness was discovered by Aanchal Malhotra,
2508    	Isaac E. Cohen, and Sharon Goldberg of Boston University.
2509
2510* configuration directives to change "pidfile" and "driftfile" should
2511  only be allowed locally.
2512
2513  References: Sec 2902 / CVE-2015-5196
2514  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2515	and 4.3.0 up to, but not including 4.3.77
2516  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
2517  Summary: If ntpd is configured to allow for remote configuration,
2518	and if the (possibly spoofed) source IP address is allowed to
2519	send remote configuration requests, and if the attacker knows
2520	the remote configuration password, it's possible for an attacker
2521	to use the "pidfile" or "driftfile" directives to potentially
2522	overwrite other files.
2523  Mitigation:
2524	Implement BCP-38.
2525	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2526	    Page or the NTP Public Services Project Download Page
2527	If you cannot upgrade, don't enable remote configuration.
2528	If you must enable remote configuration and cannot upgrade,
2529	    remote configuration of NTF's ntpd requires:
2530	    - an explicitly configured trustedkey, and you should also
2531	    	configure a controlkey.
2532	    - access from a permitted IP. You choose the IPs.
2533	    - authentication. Don't disable it. Practice secure key safety.
2534	Monitor your ntpd instances.
2535  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2536
2537* Slow memory leak in CRYPTO_ASSOC
2538
2539  References: Sec 2909 / CVE-2015-7701
2540  Affects: All ntp-4 releases that use autokey up to, but not
2541    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2542  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2543  	4.6 otherwise
2544  Summary: If ntpd is configured to use autokey, then an attacker can
2545	send packets to ntpd that will, after several days of ongoing
2546	attack, cause it to run out of memory.
2547  Mitigation:
2548	Don't use autokey.
2549	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2550	    Page or the NTP Public Services Project Download Page
2551	Monitor your ntpd instances.
2552  Credit: This weakness was discovered by Tenable Network Security.
2553
2554* mode 7 loop counter underrun
2555
2556  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2557  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2558  	and 4.3.0 up to, but not including 4.3.77
2559  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2560  Summary: If ntpd is configured to enable mode 7 packets, and if the
2561	use of mode 7 packets is not properly protected through the use of
2562	the available mode 7 authentication and restriction mechanisms,
2563	and if the (possibly spoofed) source IP address is allowed to
2564	send mode 7 queries, then an attacker can send a crafted packet
2565	to ntpd that will cause it to crash.
2566  Mitigation:
2567	Implement BCP-38.
2568	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2569	    Page or the NTP Public Services Project Download Page.
2570	If you are unable to upgrade:
2571	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2572	If you must enable mode 7:
2573	    configure the use of a requestkey to control who can issue
2574		mode 7 requests.
2575	    configure restrict noquery to further limit mode 7 requests
2576		to trusted sources.
2577	Monitor your ntpd instances.
2578  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2579
2580* memory corruption in password store
2581
2582  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2583  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2584  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2585  Summary: If ntpd is configured to allow remote configuration, and if
2586	the (possibly spoofed) source IP address is allowed to send
2587	remote configuration requests, and if the attacker knows the
2588	remote configuration password or if ntpd was configured to
2589	disable authentication, then an attacker can send a set of
2590	packets to ntpd that may cause a crash or theoretically
2591	perform a code injection attack.
2592  Mitigation:
2593	Implement BCP-38.
2594	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2595	    Page or the NTP Public Services Project Download Page.
2596	If you are unable to upgrade, remote configuration of NTF's
2597	    ntpd requires:
2598		an explicitly configured "trusted" key. Only configure
2599			this if you need it.
2600		access from a permitted IP address. You choose the IPs.
2601		authentication. Don't disable it. Practice secure key safety.
2602	Monitor your ntpd instances.
2603  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2604
2605* Infinite loop if extended logging enabled and the logfile and
2606  keyfile are the same.
2607
2608    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2609    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2610	and 4.3.0 up to, but not including 4.3.77
2611    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2612    Summary: If ntpd is configured to allow remote configuration, and if
2613	the (possibly spoofed) source IP address is allowed to send
2614	remote configuration requests, and if the attacker knows the
2615	remote configuration password or if ntpd was configured to
2616	disable authentication, then an attacker can send a set of
2617	packets to ntpd that will cause it to crash and/or create a
2618	potentially huge log file. Specifically, the attacker could
2619	enable extended logging, point the key file at the log file,
2620	and cause what amounts to an infinite loop.
2621    Mitigation:
2622	Implement BCP-38.
2623	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2624	    Page or the NTP Public Services Project Download Page.
2625	If you are unable to upgrade, remote configuration of NTF's ntpd
2626	  requires:
2627            an explicitly configured "trusted" key. Only configure this
2628	    	if you need it.
2629            access from a permitted IP address. You choose the IPs.
2630            authentication. Don't disable it. Practice secure key safety.
2631        Monitor your ntpd instances.
2632    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2633
2634* Potential path traversal vulnerability in the config file saving of
2635  ntpd on VMS.
2636
2637  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2638  Affects: All ntp-4 releases running under VMS up to, but not
2639	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2640  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2641  Summary: If ntpd is configured to allow remote configuration, and if
2642	the (possibly spoofed) IP address is allowed to send remote
2643	configuration requests, and if the attacker knows the remote
2644	configuration password or if ntpd was configured to disable
2645	authentication, then an attacker can send a set of packets to
2646	ntpd that may cause ntpd to overwrite files.
2647  Mitigation:
2648	Implement BCP-38.
2649	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2650	    Page or the NTP Public Services Project Download Page.
2651	If you are unable to upgrade, remote configuration of NTF's ntpd
2652	    requires:
2653		an explicitly configured "trusted" key. Only configure
2654			this if you need it.
2655		access from permitted IP addresses. You choose the IPs.
2656		authentication. Don't disable it. Practice secure key safety.
2657        Monitor your ntpd instances.
2658    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2659
2660* ntpq atoascii() potential memory corruption
2661
2662  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2663  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2664	and 4.3.0 up to, but not including 4.3.77
2665  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2666  Summary: If an attacker can figure out the precise moment that ntpq
2667	is listening for data and the port number it is listening on or
2668	if the attacker can provide a malicious ntpd instance that
2669	victims will connect to, then an attacker can send a set of
2670	crafted mode 6 response packets that, if received by ntpq,
2671	can cause ntpq to crash.
2672  Mitigation:
2673	Implement BCP-38.
2674	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2675	    Page or the NTP Public Services Project Download Page.
2676	If you are unable to upgrade and you run ntpq against a server
2677	    and ntpq crashes, try again using raw mode. Build or get a
2678	    patched ntpq and see if that fixes the problem. Report new
2679	    bugs in ntpq or abusive servers appropriately.
2680	If you use ntpq in scripts, make sure ntpq does what you expect
2681	    in your scripts.
2682  Credit: This weakness was discovered by Yves Younan and
2683  	Aleksandar Nikolic of Cisco Talos.
2684
2685* Invalid length data provided by a custom refclock driver could cause
2686  a buffer overflow.
2687
2688  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2689  Affects: Potentially all ntp-4 releases running up to, but not
2690	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2691	that have custom refclocks
2692  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2693	5.9 unusual worst case
2694  Summary: A negative value for the datalen parameter will overflow a
2695	data buffer. NTF's ntpd driver implementations always set this
2696	value to 0 and are therefore not vulnerable to this weakness.
2697	If you are running a custom refclock driver in ntpd and that
2698	driver supplies a negative value for datalen (no custom driver
2699	of even minimal competence would do this) then ntpd would
2700	overflow a data buffer. It is even hypothetically possible
2701	in this case that instead of simply crashing ntpd the attacker
2702	could effect a code injection attack.
2703  Mitigation:
2704	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2705	    Page or the NTP Public Services Project Download Page.
2706	If you are unable to upgrade:
2707		If you are running custom refclock drivers, make sure
2708			the signed datalen value is either zero or positive.
2709	Monitor your ntpd instances.
2710  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2711
2712* Password Length Memory Corruption Vulnerability
2713
2714  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2715  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2716  	4.3.0 up to, but not including 4.3.77
2717  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2718  	1.7 usual case, 6.8, worst case
2719  Summary: If ntpd is configured to allow remote configuration, and if
2720	the (possibly spoofed) source IP address is allowed to send
2721	remote configuration requests, and if the attacker knows the
2722	remote configuration password or if ntpd was (foolishly)
2723	configured to disable authentication, then an attacker can
2724	send a set of packets to ntpd that may cause it to crash,
2725	with the hypothetical possibility of a small code injection.
2726  Mitigation:
2727	Implement BCP-38.
2728	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2729	    Page or the NTP Public Services Project Download Page.
2730	If you are unable to upgrade, remote configuration of NTF's
2731	    ntpd requires:
2732		an explicitly configured "trusted" key. Only configure
2733			this if you need it.
2734		access from a permitted IP address. You choose the IPs.
2735		authentication. Don't disable it. Practice secure key safety.
2736	Monitor your ntpd instances.
2737  Credit: This weakness was discovered by Yves Younan and
2738  	Aleksandar Nikolic of Cisco Talos.
2739
2740* decodenetnum() will ASSERT botch instead of returning FAIL on some
2741  bogus values.
2742
2743  References: Sec 2922 / CVE-2015-7855
2744  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2745	4.3.0 up to, but not including 4.3.77
2746  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2747  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2748	an unusually long data value where a network address is expected,
2749	the decodenetnum() function will abort with an assertion failure
2750	instead of simply returning a failure condition.
2751  Mitigation:
2752	Implement BCP-38.
2753	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2754	    Page or the NTP Public Services Project Download Page.
2755	If you are unable to upgrade:
2756		mode 7 is disabled by default. Don't enable it.
2757		Use restrict noquery to limit who can send mode 6
2758			and mode 7 requests.
2759		Configure and use the controlkey and requestkey
2760			authentication directives to limit who can
2761			send mode 6 and mode 7 requests.
2762	Monitor your ntpd instances.
2763  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2764
2765* NAK to the Future: Symmetric association authentication bypass via
2766  crypto-NAK.
2767
2768  References: Sec 2941 / CVE-2015-7871
2769  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2770  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2771  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2772  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2773	from unauthenticated ephemeral symmetric peers by bypassing the
2774	authentication required to mobilize peer associations. This
2775	vulnerability appears to have been introduced in ntp-4.2.5p186
2776	when the code handling mobilization of new passive symmetric
2777	associations (lines 1103-1165) was refactored.
2778  Mitigation:
2779	Implement BCP-38.
2780	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2781	    Page or the NTP Public Services Project Download Page.
2782	If you are unable to upgrade:
2783		Apply the patch to the bottom of the "authentic" check
2784			block around line 1136 of ntp_proto.c.
2785	Monitor your ntpd instances.
2786  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2787
2788Backward-Incompatible changes:
2789* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2790  While the general default of 32M is still the case, under Linux
2791  the default value has been changed to -1 (do not lock ntpd into
2792  memory).  A value of 0 means "lock ntpd into memory with whatever
2793  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2794  value in it, that value will continue to be used.
2795
2796* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2797  If you've written a script that looks for this case in, say, the
2798  output of ntpq, you probably want to change your regex matches
2799  from 'outlyer' to 'outl[iy]er'.
2800
2801New features in this release:
2802* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2803  "don't lock ntpd into memory".  This is the default for Linux boxes.
2804  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2805  the value is the number of megabytes of memory to lock.  The default
2806  is 32 megabytes.
2807
2808* The old Google Test framework has been replaced with a new framework,
2809  based on http://www.throwtheswitch.org/unity/ .
2810
2811Bug Fixes and Improvements:
2812* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2813  privileges and limiting resources in NTPD removes the need to link
2814  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2815* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2816* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2817* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2818* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2819* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2820* [Bug 2849] Systems with more than one default route may never
2821  synchronize.  Brian Utterback.  Note that this patch might need to
2822  be reverted once Bug 2043 has been fixed.
2823* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2824* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2825* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2826* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2827* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2828* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2829  be configured for the distribution targets.  Harlan Stenn.
2830* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2831* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2832* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2833* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2834* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2835* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2836* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2837* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2838* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2839* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2840* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2841* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2842* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2843* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2844* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2845* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2846* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2847* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2848* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2849* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2850* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2851* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2852  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2853  formatting; first declaration, then code (C90); deleted unnecessary comments;
2854  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2855* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2856  fix formatting, cleanup. Tomasz Flendrich
2857* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2858  Tomasz Flendrich
2859* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2860  fix formatting. Tomasz Flendrich
2861* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2862* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2863* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2864  Tomasz Flendrich
2865* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2866* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2867* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2868* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2869* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2870* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2871* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2872  fixed formatting. Tomasz Flendrich
2873* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2874  removed unnecessary comments, cleanup. Tomasz Flendrich
2875* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2876  comments, cleanup. Tomasz Flendrich
2877* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2878  Tomasz Flendrich
2879* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2880* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2881* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2882  Tomasz Flendrich
2883* sntp/tests/kodDatabase.c added consts, deleted empty function,
2884  fixed formatting. Tomasz Flendrich
2885* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2886* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2887  fixed formatting, deleted unused variable. Tomasz Flendrich
2888* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2889  Tomasz Flendrich
2890* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2891  fixed formatting. Tomasz Flendrich
2892* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2893  the order of includes, fixed formatting, removed unnecessary comments.
2894  Tomasz Flendrich
2895* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2896* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2897  made one function do its job, deleted unnecessary prints, fixed formatting.
2898  Tomasz Flendrich
2899* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2900* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2901* sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
2902* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2903* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2904* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2905* Don't build sntp/libevent/sample/.  Harlan Stenn.
2906* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2907* br-flock: --enable-local-libevent.  Harlan Stenn.
2908* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2909* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2910* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2911* Code cleanup.  Harlan Stenn.
2912* libntp/icom.c: Typo fix.  Harlan Stenn.
2913* util/ntptime.c: initialization nit.  Harlan Stenn.
2914* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2915* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2916* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2917  Tomasz Flendrich
2918* Changed progname to be const in many files - now it's consistent. Tomasz
2919  Flendrich
2920* Typo fix for GCC warning suppression.  Harlan Stenn.
2921* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2922* Added declarations to all Unity tests, and did minor fixes to them.
2923  Reduced the number of warnings by half. Damir Tomić.
2924* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2925  with the latest Unity updates from Mark. Damir Tomić.
2926* Retire google test - phase I.  Harlan Stenn.
2927* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2928* Update the NEWS file.  Harlan Stenn.
2929* Autoconf cleanup.  Harlan Stenn.
2930* Unit test dist cleanup. Harlan Stenn.
2931* Cleanup various test Makefile.am files.  Harlan Stenn.
2932* Pthread autoconf macro cleanup.  Harlan Stenn.
2933* Fix progname definition in unity runner scripts.  Harlan Stenn.
2934* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2935* Update the patch for bug 2817.  Harlan Stenn.
2936* More updates for bug 2817.  Harlan Stenn.
2937* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2938* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2939* Adding missing MCAST protection.  Harlan Stenn.
2940* Disable certain test programs on certain platforms.  Harlan Stenn.
2941* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2942* build system tweaks.  Harlan Stenn.
2943
2944---
2945NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2946
2947Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2948
2949Severity: MEDIUM
2950
2951Security Fix:
2952
2953* [Sec 2853] Crafted remote config packet can crash some versions of
2954  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2955
2956Under specific circumstances an attacker can send a crafted packet to
2957cause a vulnerable ntpd instance to crash. This requires each of the
2958following to be true:
2959
29601) ntpd set up to allow remote configuration (not allowed by default), and
29612) knowledge of the configuration password, and
29623) access to a computer entrusted to perform remote configuration.
2963
2964This vulnerability is considered low-risk.
2965
2966New features in this release:
2967
2968Optional (disabled by default) support to have ntpd provide smeared
2969leap second time.  A specially built and configured ntpd will only
2970offer smeared time in response to client packets.  These response
2971packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2972of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2973format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2974information.
2975
2976   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2977   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
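
The REFID encoding above, worked through in an added example (Python, not part of the ntp distribution): it decodes and encodes 254.a.b.c REFIDs and scans constructed "ntpq -p" output for peers that announce a smear. The example assumes the 2-bit integer part is two's complement (so negative smears are representable); README.leapsmear is the authoritative description of the layout.

```python
"""Decode/encode the leap-smear REFID 254.a.b.c (24 bits, 2:22 fixed point).

Added example, not ntp code. Assumption: the 2-bit integer part is
two's complement, giving a smear range of [-2, 2) seconds.
"""
import ipaddress

SMEAR_PREFIX = 254            # first octet marking a smeared-time REFID
FRAC_BITS = 22                # 2:22 format: 2 integer bits, 22 fraction bits
FIELD_BITS = 24               # a.b.c together
FIELD_MASK = (1 << FIELD_BITS) - 1


def decode_smear_refid(refid):
    """Smear in seconds for a '254.a.b.c' REFID, or None if the REFID is
    not a leap-smear REFID (a stratum-1 tag like .GPS. or a peer address)."""
    try:
        packed = int(ipaddress.IPv4Address(refid))
    except (ipaddress.AddressValueError, ValueError):
        return None
    if packed >> FIELD_BITS != SMEAR_PREFIX:
        return None
    raw = packed & FIELD_MASK
    if raw & (1 << (FIELD_BITS - 1)):     # sign bit of the 2-bit integer part
        raw -= 1 << FIELD_BITS            # two's-complement wrap (assumption)
    return raw / (1 << FRAC_BITS)


def encode_smear_refid(seconds):
    """Inverse of decode_smear_refid(); rejects values outside [-2, 2)."""
    if not -2.0 <= seconds < 2.0:
        raise ValueError("smear does not fit a 2:22 field")
    raw = round(seconds * (1 << FRAC_BITS)) & FIELD_MASK
    return str(ipaddress.IPv4Address((SMEAR_PREFIX << FIELD_BITS) | raw))


def smearing_peers(ntpq_billboard):
    """Scan 'ntpq -p' style output; return {remote: smear_seconds} for peers
    whose REFID announces a smear, so an upstream quietly handing out
    smeared time can be spotted."""
    found = {}
    for line in ntpq_billboard.splitlines():
        cols = line[1:].split()          # column 0 is the one-char tally code
        if len(cols) < 2:
            continue
        smear = decode_smear_refid(cols[1])
        if smear is not None:
            found[cols[0]] = smear
    return found


# Constructed sample billboard (addresses are documentation ranges, not real servers).
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    254.32.0.0       2 u   12   64  377    1.234   -0.500   0.100
+203.0.113.11    .GPS.            1 u   20   64  377    2.345    0.010   0.050
-203.0.113.12    254.224.0.0      2 u   30   64  377    3.456    0.500   0.200
"""
```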
2978
2979We've imported the Unity test framework, and have begun converting
2980the existing google-test items to this new framework.  If you want
2981to write new tests or change old ones, you'll need to have ruby
2982installed.  You don't need ruby to run the test suite.
2983
2984Bug Fixes and Improvements:
2985
2986* CID 739725: Fix a rare resource leak in libevent/listener.c.
2987* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2988* CID 1296235: Fix refclock_jjy.c and correct a type in driver40-ja.html.
2989* CID 1269537: Clean up a line of dead code in getShmTime().
2990* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2991* [Bug 2590] autogen-5.18.5.
2992* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2993  of 'limited'.
2994* [Bug 2650] fix includefile processing.
2995* [Bug 2745] ntpd -x steps clock on leap second.
2996   Fixed an initial-value problem that caused misbehaviour in the absence of
2997   any leap second information.
2998   Do leap second stepping only if the step adjustment is beyond the
2999   proper jump distance limit and step correction is allowed at all.
3000* [Bug 2750] build for Win64.
3001  Building the loopback ppsapi for 32-bit needs a def file.
3002* [Bug 2776] Improve ntpq's 'help keytype'.
3003* [Bug 2778] Implement "apeers"  ntpq command to include associd.
3004* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
3005* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
3006  interface is ignored as long as this flag is not set since the
3007  interface is not usable (e.g., no link).
3008* [Bug 2794] Clean up kernel clock status reports.
3009* [Bug 2800] refclock_true.c true_debug() can't open debug log because
3010  of incompatible open/fdopen parameters.
3011* [Bug 2804] install-local-data assumes GNU 'find' semantics.
3012* [Bug 2805] ntpd fails to join multicast group.
3013* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
3014* [Bug 2808] GPSD_JSON driver enhancements, step 1.
3015  Fix crash during cleanup if GPS device not present and char device.
3016  Increase internal token buffer to parse all JSON data, even SKY.
3017  Defer logging of errors during driver init until the first unit is
3018  started, so the syslog is not cluttered when the driver is not used.
3019  Various improvements, see http://bugs.ntp.org/2808 for details.
3020  Changed libjsmn to a more recent version.
3021* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
3022* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
3023* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
3024* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
3025* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
3026* [Bug 2824] Convert update-leap to perl. (also see 2769)
3027* [Bug 2825] Quiet file installation in html/ .
3028* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
3029   NTPD now transfers the current TAI (instead of an announcement).
3030   This might still need improvement.
3031   Update autokey data ASAP when 'sys_tai' changes.
3032   Fix unit test that was broken by changes for autokey update.
3033   Avoid potential signature length issue and use DPRINTF where possible
3034     in ntp_crypto.c.
3035* [Bug 2832] refclock_jjy.c supports the TDC-300.
3036* [Bug 2834] Correct a broken html tag in html/refclock.html
3037* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
3038  robust, and require 2 consecutive timestamps to be consistent.
3039* [Bug 2837] Allow a configurable DSCP value.
3040* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
3041* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
3042* [Bug 2842] Bug in mdoc2man.
3043* [Bug 2843] make check fails on 4.3.36
3044   Fixed compiler warnings about numeric range overflow
3045   (The original topic was fixed in a byplay to bug#2830)
3046* [Bug 2845] Harden memory allocation in ntpd.
3047* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
3048* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
3049* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
3050* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
3051* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
3052* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
3053* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
3054* [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
3055* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
3056* html/drivers/driver22.html: typo fix.  Harlan Stenn.
3057* refidsmear test cleanup.  Tomasz Flendrich.
3058* refidsmear function support and tests.  Harlan Stenn.
3059* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
3060  something that was only in the 4.2.6 sntp.  Harlan Stenn.
3061* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
3062  Damir Tomić
3063* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
3064  Damir Tomić
3065* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
3066  Damir Tomić
3067* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
3068* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
3069* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
3070  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
3071  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
3072  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
3073  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
3074  Damir Tomić
3075* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
3076  networking.c, keyFile.c, utilities.cpp, sntptest.h,
3077  fileHandlingTest.h. Damir Tomić
3078* Initial support for experimental leap smear code.  Harlan Stenn.
3079* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
3080* Report select() debug messages at debug level 3 now.
3081* sntp/scripts/genLocInfo: treat raspbian as debian.
3082* Unity test framework fixes.
3083  ** Requires ruby for changes to tests.
3084* Initial support for PACKAGE_VERSION tests.
3085* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
3086* tests/bug-2803/Makefile.am must distribute bug-2803.h.
3087* Add an assert to the ntpq ifstats code.
3088* Clean up the RLIMIT_STACK code.
3089* Improve the ntpq documentation around the controlkey keyid.
3090* ntpq.c cleanup.
3091* Windows port build cleanup.
3092
3093---
3094NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
3095
3096Focus: Security and Bug fixes, enhancements.
3097
3098Severity: MEDIUM
3099
3100In addition to bug fixes and enhancements, this release fixes the
3101following medium-severity vulnerabilities involving private key
3102authentication:
3103
3104* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3105
3106    References: Sec 2779 / CVE-2015-1798 / VU#374268
3107    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
3108	including ntp-4.2.8p2 where the installation uses symmetric keys
3109	to authenticate remote associations.
3110    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3111    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3112    Summary: When ntpd is configured to use a symmetric key to authenticate
3113	a remote NTP server/peer, it checks if the NTP message
3114	authentication code (MAC) in received packets is valid, but not if
3115	there actually is any MAC included. Packets without a MAC are
3116	accepted as if they had a valid MAC. This allows a MITM attacker to
3117	send false packets that are accepted by the client/peer without
3118	having to know the symmetric key. The attacker needs to know the
3119	transmit timestamp of the client to match it in the forged reply
3120	and the false reply needs to reach the client before the genuine
3121	reply from the server. The attacker doesn't necessarily need to be
3122	relaying the packets between the client and the server.
3123
3124	Authentication using autokey doesn't have this problem as there is
3125	a check that requires the key ID to be larger than NTP_MAXKEY,
3126	which fails for packets without a MAC.
3127    Mitigation:
3128        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3129	or the NTP Public Services Project Download Page
3130        Configure ntpd with enough time sources and monitor it properly.
3131    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
3132
3133* [Sec 2781] Authentication doesn't protect symmetric associations against
3134  DoS attacks.
3135
3136    References: Sec 2781 / CVE-2015-1799 / VU#374268
3137    Affects: All NTP releases starting with at least xntp3.3wy up to but
3138	not including ntp-4.2.8p2 where the installation uses symmetric
3139	key authentication.
3140    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3141    Note: the CVSS Base Score for this issue could be 4.3 or lower, and
3142	it could be higher than 5.4.
3143    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3144    Summary: An attacker knowing that NTP hosts A and B are peering with
3145	each other (symmetric association) can send a packet to host A
3146	with source address of B which will set the NTP state variables
3147	on A to the values sent by the attacker. Host A will then send
3148	on its next poll to B a packet with originate timestamp that
3149	doesn't match the transmit timestamp of B and the packet will
3150	be dropped. If the attacker does this periodically for both
3151	hosts, they won't be able to synchronize to each other. This is
3152	a known denial-of-service attack, described at
3153	https://www.eecis.udel.edu/~mills/onwire.html .
3154
3155	According to the document the NTP authentication is supposed to
3156	protect symmetric associations against this attack, but that
3157	doesn't seem to be the case. The state variables are updated even
3158	when authentication fails and the peers are sending packets with
3159	originate timestamps that don't match the transmit timestamps on
3160	the receiving side.
3161
3162	This seems to be a very old problem, dating back to at least
3163	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
3164	specifications, so other NTP implementations with support for
3165	symmetric associations and authentication may be vulnerable too.
3166	An update to the NTP RFC to correct this error is in progress.
3167    Mitigation:
3168        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3169	or the NTP Public Services Project Download Page
3170        Note that for users of autokey, this specific style of MITM attack
3171	is simply a long-known potential problem.
3172        Configure ntpd with appropriate time sources and monitor ntpd.
3173	Alert your staff if problems are detected.
3174    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
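
The two defects above (Sec 2779: a missing MAC is not noticed; Sec 2781: association state is changed before authentication has succeeded), modelled side by side with the corrected order in an added example. This is not ntpd's code: it uses the RFC 5905 48-byte header and the MD5 MAC form (keyid followed by MD5(key || header)), while the Association class, the KEYS table and receive() are constructed stand-ins reduced to the originate-timestamp bookkeeping the advisories describe.

```python
"""Keyed-association packet acceptance: the vulnerable order next to the fix.

Added example, not ntpd code. Header layout and MD5 MAC form follow
RFC 5905; Association, KEYS and receive() are constructed stand-ins.
"""
import hashlib
import hmac
import struct

HEADER_FMT = "!BBbbIIIQQQQ"    # li/vn/mode, stratum, poll, precision, rootdelay,
HEADER_LEN = struct.calcsize(HEADER_FMT)   # rootdisp, refid, ref, org, rec, xmt
MAC_LEN = 4 + 16               # key identifier + MD5 digest

KEYS = {1: b"constructed-demo-secret"}   # ntp.keys stand-in; not a real key


def build_header(org, xmt, mode=1):
    """48-byte NTPv4 header (mode 1 = symmetric active); only org/xmt matter here."""
    return struct.pack(HEADER_FMT, (4 << 3) | mode, 2, 6, -20, 0, 0, 0, 0, org, 0, xmt)


def append_mac(header, keyid):
    """Append the symmetric-key MAC: keyid followed by MD5(key || header)."""
    digest = hashlib.md5(KEYS[keyid] + header).digest()
    return header + struct.pack("!I", keyid) + digest


def append_bad_mac(header, keyid):
    """Append a MAC of the right shape but a wrong digest, which is what a
    packet from a sender without the key looks like."""
    return header + struct.pack("!I", keyid) + bytes(16)


class Association:
    """Per-peer state touched by receive(); a tiny subset of ntpd's."""
    def __init__(self, keyid=None):
        self.keyid = keyid   # None: this association is not authenticated
        self.org = 0         # xmt of the last packet accepted from the peer;
                             # echoed back as our originate timestamp next poll


def mac_is_valid(assoc, packet):
    """True only if the packet ends in a correct MAC under the association's key."""
    header, mac = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if len(mac) != MAC_LEN:
        return False
    (keyid,) = struct.unpack("!I", mac[:4])
    if keyid != assoc.keyid or keyid not in KEYS:
        return False
    expected = hashlib.md5(KEYS[keyid] + header).digest()
    return hmac.compare_digest(mac[4:], expected)   # constant-time comparison


def receive(assoc, packet, hardened=True):
    """Process one packet for assoc; return True if it was accepted.

    hardened=False reproduces the defects the advisories describe:
      Sec 2779: a packet carrying no MAC at all skips the MAC check entirely.
      Sec 2781: assoc.org is overwritten before the MAC result is known, so a
                spoofed packet leaves us echoing an originate stamp the real
                peer never sent, and the peer drops our next poll.
    hardened=True is the corrected order: require and verify the MAC first,
    and only then let the packet modify association state.
    """
    if len(packet) < HEADER_LEN:
        return False
    xmt = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])[-1]

    if not hardened:
        assoc.org = xmt                                   # state changed too early
        has_mac = len(packet) > HEADER_LEN
        if assoc.keyid is not None and has_mac and not mac_is_valid(assoc, packet):
            return False                                  # never reached with no MAC
        return True

    if assoc.keyid is not None and not mac_is_valid(assoc, packet):
        return False                                      # rejected, state untouched
    assoc.org = xmt
    return True
```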
3175
3176* New script: update-leap
3177The update-leap script will verify and, if necessary, update the
3178leap-second definition file.
3179It requires the following commands in order to work:
3180
3181	wget logger tr sed shasum
3182
3183Some may choose to run this from cron.  It needs more portability testing.
3184
3185Bug Fixes and Improvements:
3186
3187* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
3188* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
3189* [Bug 2346] "graceful termination" signals do not do peer cleanup.
3190* [Bug 2728] See if C99-style structure initialization works.
3191* [Bug 2747] Upgrade libevent to 2.1.5-beta.
3192* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
3193* [Bug 2751] jitter.h has stale copies of l_fp macros.
3194* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
3195* [Bug 2757] Quiet compiler warnings.
3196* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
3197* [Bug 2763] Allow different thresholds for forward and backward steps.
3198* [Bug 2766] ntp-keygen output files should not be world-readable.
3199* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
3200* [Bug 2771] nonvolatile value is documented in wrong units.
3201* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
3202* [Bug 2774] Unreasonably verbose printout - leap pending/warning
3203* [Bug 2775] ntp-keygen.c fails to compile under Windows.
3204* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
3205  Removed non-ASCII characters from some copyright comments.
3206  Removed trailing whitespace.
3207  Updated definitions for Meinberg clocks from current Meinberg header files.
3208  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
3209  Account for updated definitions pulled from Meinberg header files.
3210  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
3211  Replaced some constant numbers by defines from ntp_calendar.h
3212  Modified creation of parse-specific variables for Meinberg devices
3213  in gps16x_message().
3214  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
3215  Modified mbg_tm_str() which now expects an additional parameter controlling
3216  whether the time status shall be printed.
3217* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3218* [Sec 2781] Authentication doesn't protect symmetric associations against
3219  DoS attacks.
3220* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
3221* [Bug 2789] Quiet compiler warnings from libevent.
3222* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
3223  pause briefly before measuring system clock precision to yield
3224  correct results.
3225* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
3226* Use predefined function types for parse driver functions
3227  used to set up function pointers.
3228  Account for changed prototype of parse_inp_fnc_t functions.
3229  Cast parse conversion results to appropriate types to avoid
3230  compiler warnings.
3231  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
3232  when called with pointers to different types.
3233
3234---
3235NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
3236
3237Focus: Security and Bug fixes, enhancements.
3238
3239Severity: HIGH
3240
3241In addition to bug fixes and enhancements, this release fixes the
3242following high-severity vulnerabilities:
3243
3244* vallen is not validated in several places in ntp_crypto.c, leading
3245  to a potential information leak or possibly a crash
3246
3247    References: Sec 2671 / CVE-2014-9297 / VU#852879
3248    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
3249    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3250    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
3251    Summary: The vallen packet value is not validated in several code
3252             paths in ntp_crypto.c which can lead to information leakage
3253	     or perhaps a crash of the ntpd process.
3254    Mitigation - any of:
3255	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3256		or the NTP Public Services Project Download Page.
3257	Disable Autokey Authentication by removing, or commenting out,
3258		all configuration directives beginning with the "crypto"
3259		keyword in your ntp.conf file.
3260    Credit: This vulnerability was discovered by Stephen Roettger of the
3261    	Google Security Team, with additional cases found by Sebastian
3262	Krahmer of the SUSE Security Team and Harlan Stenn of Network
3263	Time Foundation.
3264
3265* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
3266  can be bypassed.
3267
3268    References: Sec 2672 / CVE-2014-9298 / VU#852879
3269    Affects: All NTP4 releases before 4.2.8p1, under at least some
3270	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
3271    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
3272    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
3273    Summary: While available kernels will prevent 127.0.0.1 addresses
3274	from "appearing" on non-localhost IPv4 interfaces, some kernels
3275	do not offer the same protection for ::1 source addresses on
3276	IPv6 interfaces. Since NTP's access control is based on source
3277	address and localhost addresses generally have no restrictions,
3278	an attacker can send malicious control and configuration packets
3279	by spoofing ::1 addresses from the outside. Note Well: This is
3280	not really a bug in NTP, it's a problem with some OSes. If you
3281	have one of these OSes where ::1 can be spoofed, ALL ::1-based
3282	ACL restrictions on any application can be bypassed!
3283    Mitigation:
3284        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3285	or the NTP Public Services Project Download Page
3286        Install firewall rules to block packets claiming to come from
3287	::1 from inappropriate network interfaces.
3288    Credit: This vulnerability was discovered by Stephen Roettger of
3289	the Google Security Team.
3290
3291Additionally, over 30 bugfixes and improvements were made to the codebase.
3292See the ChangeLog for more information.
3293
3294---
3295NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
3296
3297Focus: Security and Bug fixes, enhancements.
3298
3299Severity: HIGH
3300
3301In addition to bug fixes and enhancements, this release fixes the
3302following high-severity vulnerabilities:
3303
3304************************** vv NOTE WELL vv *****************************
3305
3306The vulnerabilities listed below can be significantly mitigated by
3307following the BCP of putting
3308
3309 restrict default ... noquery
3310
3311in the ntp.conf file.  With the exception of:
3312
3313   receive(): missing return on error
3314   References: Sec 2670 / CVE-2014-9296 / VU#852879
3315
3316below (which is a limited-risk vulnerability), none of the recent
3317vulnerabilities listed below can be exploited if the source IP is
3318restricted from sending a 'query'-class packet by your ntp.conf file.
3319
3320************************** ^^ NOTE WELL ^^ *****************************
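
An added example (Python, not part of ntp) that checks an ntp.conf for this BCP: it parses restrict lines using the documented syntax restrict [-4|-6] default|<addr> [mask <mask>] [flag ...] (assumed here) and reports any default restriction that does not carry noquery; the ignore flag, which drops everything, is treated as stricter than noquery. The two configurations at the end are constructed.

```python
"""Audit ntp.conf restrict lines: does 'restrict default' deny query-class packets?

Added example, not ntp code. Assumes the restrict syntax
  restrict [-4|-6] (default|source|<addr>) [mask <mask>] [flag ...]
and that a plain 'restrict default' applies to both address families.
"""

QUERY_DENYING = {"noquery", "ignore"}   # either flag blocks mode 6/7 queries


def parse_restrict_lines(conf_text):
    """Yield (family, target, flags) per restrict statement, comments stripped.
    family is '-4', '-6' or 'any'."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        family = "any"
        if tokens and tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)
        if not tokens:
            continue
        target = tokens.pop(0)
        if tokens[:1] == ["mask"]:
            tokens = tokens[2:]            # drop 'mask <mask>'
        yield family, target, set(tokens)


def audit_default_restrict(conf_text):
    """Return a list of findings; an empty list means the default restriction
    denies queries for both IPv4 and IPv6."""
    findings = []
    seen = {"-4": False, "-6": False}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target != "default":
            continue
        for fam in (["-4", "-6"] if family == "any" else [family]):
            seen[fam] = True
            if not flags & QUERY_DENYING:
                shown = " ".join(sorted(flags)) or "none"
                findings.append(f"restrict {fam} default lacks noquery (flags: {shown})")
    for fam, present in seen.items():
        if not present:
            findings.append(f"no 'restrict {fam} default' line: queries accepted from any source")
    return findings


# Constructed configurations (not from any real host).
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 203.0.113.10 iburst
restrict default kod nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 203.0.113.10 iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
```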
3321
3322* Weak default key in config_auth().
3323
3324  References: [Sec 2665] / CVE-2014-9293 / VU#852879
3325  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3326  Vulnerable Versions: all releases prior to 4.2.7p11
3327  Date Resolved: 28 Jan 2010
3328
3329  Summary: If no 'auth' key is set in the configuration file, ntpd
3330	would generate a random key on the fly.  There were two
3331	problems with this: 1) the generated key was 31 bits in size,
3332	and 2) it used the (now weak) ntp_random() function, which was
3333	seeded with a 32-bit value and could only provide 32 bits of
3334	entropy.  This was sufficient back in the late 1990s when the
3335	code was written.  Not today.
3336
3337  Mitigation - any of:
3338	- Upgrade to 4.2.7p11 or later.
3339	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3340
3341  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
3342  	of the Google Security Team.
3343
3344* Non-cryptographic random number generator with weak seed used by
3345  ntp-keygen to generate symmetric keys.
3346
3347  References: [Sec 2666] / CVE-2014-9294 / VU#852879
3348  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3349  Vulnerable Versions: All NTP4 releases before 4.2.7p230
3350  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
3351
3352  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
3353  	prepare a random number generator that was of good quality back
3354	in the late 1990s. The random numbers produced were then used to
3355	generate symmetric keys. In ntp-4.2.8 we use a current-technology
3356	cryptographic random number generator, either RAND_bytes from
3357	OpenSSL, or arc4random().
3358
3359  Mitigation - any of:
3360  	- Upgrade to 4.2.7p230 or later.
3361	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3362
3363  Credit:  This vulnerability was discovered in ntp-4.2.6 by
3364  	Stephen Roettger of the Google Security Team.
3365
3366* Buffer overflow in crypto_recv()
3367
3368  References: Sec 2667 / CVE-2014-9295 / VU#852879
3369  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3370  Versions: All releases before 4.2.8
3371  Date Resolved: Stable (4.2.8) 18 Dec 2014
3372
3373  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
3374  	file contains a 'crypto pw ...' directive) a remote attacker
3375	can send a carefully crafted packet that can overflow a stack
3376	buffer and potentially allow malicious code to be executed
3377	with the privilege level of the ntpd process.
3378
3379  Mitigation - any of:
3380  	- Upgrade to 4.2.8, or later, or
3381	- Disable Autokey Authentication by removing, or commenting out,
3382	  all configuration directives beginning with the crypto keyword
3383	  in your ntp.conf file.
3384
3385  Credit: This vulnerability was discovered by Stephen Roettger of the
3386  	Google Security Team.
3387
3388* Buffer overflow in ctl_putdata()
3389
3390  References: Sec 2668 / CVE-2014-9295 / VU#852879
3391  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3392  Versions: All NTP4 releases before 4.2.8
3393  Date Resolved: Stable (4.2.8) 18 Dec 2014
3394
3395  Summary: A remote attacker can send a carefully crafted packet that
3396  	can overflow a stack buffer and potentially allow malicious
3397	code to be executed with the privilege level of the ntpd process.
3398
3399  Mitigation - any of:
3400  	- Upgrade to 4.2.8, or later.
3401	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3402
3403  Credit: This vulnerability was discovered by Stephen Roettger of the
3404  	Google Security Team.
3405
3406* Buffer overflow in configure()
3407
3408  References: Sec 2669 / CVE-2014-9295 / VU#852879
3409  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3410  Versions: All NTP4 releases before 4.2.8
3411  Date Resolved: Stable (4.2.8) 18 Dec 2014
3412
3413  Summary: A remote attacker can send a carefully crafted packet that
3414	can overflow a stack buffer and potentially allow malicious
3415	code to be executed with the privilege level of the ntpd process.
3416
3417  Mitigation - any of:
3418  	- Upgrade to 4.2.8, or later.
3419	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3420
3421  Credit: This vulnerability was discovered by Stephen Roettger of the
3422	Google Security Team.
3423
3424* receive(): missing return on error
3425
3426  References: Sec 2670 / CVE-2014-9296 / VU#852879
3427  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
3428  Versions: All NTP4 releases before 4.2.8
3429  Date Resolved: Stable (4.2.8) 18 Dec 2014
3430
3431  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
3432  	the code path where an error was detected, which meant
3433	processing did not stop when a specific rare error occurred.
3434	We haven't found a way for this bug to affect system integrity.
3435	If there is no way to affect system integrity the base CVSS
3436	score for this bug is 0. If there is one avenue through which
3437	system integrity can be partially affected, the base score
3438	becomes a 5. If system integrity can be partially affected
3439	via all three integrity metrics, the CVSS base score becomes 7.5.
3440
3441  Mitigation - any of:
3442        - Upgrade to 4.2.8, or later,
3443        - Remove or comment out all configuration directives
3444	  beginning with the crypto keyword in your ntp.conf file.
3445
3446  Credit: This vulnerability was discovered by Stephen Roettger of the
3447  	Google Security Team.
3448
3449See http://support.ntp.org/security for more information.
3450
3451New features / changes in this release:
3452
3453Important Changes
3454
3455* Internal NTP Era counters
3456
3457The internal counters that track the "era" (range of years) we are in
3458roll over every 136 years.  The current "era" started at the stroke of
3459midnight on 1 Jan 1900, and ends just before the stroke of midnight on
34601 Jan 2036.
3461In the past, we have used the "midpoint" of the range to decide which
3462era we were in.  Given the longevity of some products, it became clear
3463that it would be more functional to "look back" less, and "look forward"
3464more.  We now compile a timestamp into the ntpd executable and when we
3465get a timestamp we use the "built-on" time to tell us what era we are in.
3466This check "looks back" 10 years, and "looks forward" 126 years.
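
The pivot rule above, carried through in an added example (Python, not ntpd's code): a 32-bit seconds field is mapped onto the unbounded NTP timeline using a window that starts 10 years before the build time and spans one era, so everything older is read as belonging to the next era. BUILD_TIME is a constructed build date (this release's date) standing in for the timestamp compiled into ntpd.

```python
"""Unfold a 32-bit NTP seconds field using a "built-on" pivot.

Added example, not ntpd code. BUILD_TIME is a constructed stand-in for
the timestamp compiled into the executable.
"""
import datetime as dt

NTP_EPOCH = dt.datetime(1900, 1, 1, tzinfo=dt.timezone.utc)
ERA_LENGTH = 1 << 32          # seconds per NTP era, about 136 years
LOOKBACK = 10 * 365 * 86400   # "look back" 10 years (leap days ignored; pivot precision is irrelevant)


def ntp_seconds_at(year, month, day):
    """Unbounded (era-aware) NTP seconds for a UTC calendar date."""
    when = dt.datetime(year, month, day, tzinfo=dt.timezone.utc)
    return int((when - NTP_EPOCH).total_seconds())


def era_and_field(ntp_seconds):
    """Split an unbounded second count into (era number, 32-bit field value)."""
    return divmod(ntp_seconds, ERA_LENGTH)


BUILD_TIME = ntp_seconds_at(2014, 12, 18)   # constructed "built-on" stamp


def unfold(field32, build_time=BUILD_TIME):
    """Map a 32-bit seconds field onto the unbounded timeline.

    Every instant in [pivot, pivot + 2**32) is reachable exactly once, with
    pivot = build_time - 10 years. Dates before the pivot are read as the
    next era (1994 becomes 2130 for a 2014 build): that is the "look back
    less, look forward more" trade-off.
    """
    pivot = build_time - LOOKBACK
    return pivot + ((field32 - pivot) % ERA_LENGTH)


def unfold_to_date(field32, build_time=BUILD_TIME):
    """Same as unfold(), returned as a UTC datetime."""
    return NTP_EPOCH + dt.timedelta(seconds=unfold(field32, build_time))


def describe_window(build_time=BUILD_TIME):
    """(first year, last year) that this build interprets without ambiguity."""
    pivot = build_time - LOOKBACK
    first = NTP_EPOCH + dt.timedelta(seconds=pivot)
    last = NTP_EPOCH + dt.timedelta(seconds=pivot + ERA_LENGTH - 1)
    return first.year, last.year
```

For a 2014 build the window runs from late 2004 into early 2141; a field value that reads as 1903 on the raw 32-bit scale is correctly placed in 2040.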
3467
3468* ntpdc responses disabled by default
3469
3470Dave Hart writes:
3471
3472For a long time, ntpq and its mostly text-based mode 6 (control)
3473protocol have been preferred over ntpdc and its mode 7 (private
3474request) protocol for runtime queries and configuration.  There has
3475been a goal of deprecating ntpdc, previously held back by numerous
3476capabilities exposed by ntpdc with no ntpq equivalent.  I have been
3477adding commands to ntpq to cover these cases, and I believe I've
3478covered them all, though I've not compared command-by-command
3479recently.
3480
3481As I've said previously, the binary mode 7 protocol involves a lot of
3482hand-rolled structure layout and byte-swapping code in both ntpd and
3483ntpdc which is hard to get right.  As ntpd grows and changes, the
3484changes are difficult to expose via ntpdc while maintaining forward
3485and backward compatibility between ntpdc and ntpd.  In contrast,
3486ntpq's text-based, label=value approach involves more code reuse and
3487allows compatible changes without extra work in most cases.
3488
3489Mode 7 has always been defined as vendor/implementation-specific while
3490mode 6 is described in RFC 1305 and intended to be open to interoperate
3491with other implementations.  There is an early draft of an updated
3492mode 6 description that likely will join the other NTPv4 RFCs
3493eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3494
3495For these reasons, ntpd 4.2.7p230 by default disables processing of
3496ntpdc queries, reducing ntpd's attack surface and functionally
3497deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3498operations, please try the ntpq equivalent.  If there's no equivalent,
3499please open a bug report at http://bugs.ntp.org/.
3500
3501In addition to the above, over 1100 issues have been resolved between
3502the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3503lists these.
3504
3505---
3506NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3507
3508Focus: Bug fixes
3509
3510Severity: Medium
3511
3512This is a recommended upgrade.
3513
3514This release updates sys_rootdisp and sys_jitter calculations to match the
3515RFC specification, fixes a potential IPv6 address matching error for the
3516"nic" and "interface" configuration directives, suppresses the creation of
3517extraneous ephemeral associations for certain broadcastclient and
3518multicastclient configurations, cleans up some ntpq display issues, and
3519includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3520
3521New features / changes in this release:
3522
3523ntpd
3524
3525 * Updated "nic" and "interface" IPv6 address handling to prevent
3526   mismatches with localhost [::1] and wildcard [::] which resulted from
3527   using the address/prefix format (e.g. fe80::/64)
3528 * Fix orphan mode stratum incorrectly counting to infinity
3529 * Orphan parent selection metric updated to include missing ntohl()
3530 * Non-printable stratum 16 refid no longer sent to ntp
3531 * Duplicate ephemeral associations suppressed for broadcastclient and
3532   multicastclient without broadcastdelay
3533 * Exclude undetermined sys_refid from use in loopback TEST12
3534 * Exclude MODE_SERVER responses from KoD rate limiting
3535 * Include root delay in clock_update() sys_rootdisp calculations
3536 * get_systime() updated to exclude sys_residual offset (which only
3537   affected bits "below" sys_tick, the precision threshold)
3538 * sys.peer jitter weighting corrected in sys_jitter calculation
3539
3540ntpq
3541
3542 * -n option extended to include the billboard "server" column
3543 * IPv6 addresses in the local column truncated to prevent overruns
3544
3545---
3546NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3547
3548Focus: Bug fixes and portability improvements
3549
3550Severity: Medium
3551
3552This is a recommended upgrade.
3553
3554This release includes build infrastructure updates, code
3555clean-ups, minor bug fixes, fixes for a number of minor
3556ref-clock issues, and documentation revisions.
3557
3558Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3559
3560New features / changes in this release:
3561
3562Build system
3563
3564* Fix checking for struct rtattr
3565* Update config.guess and config.sub for AIX
3566* Upgrade required version of autogen and libopts for building
3567  from our source code repository
3568
3569ntpd
3570
3571* Back-ported several fixes for Coverity warnings from ntp-dev
3572* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3573* Allow "logconfig =allall" configuration directive
3574* Bind tentative IPv6 addresses on Linux
3575* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3576* Improved tally bit handling to prevent incorrect ntpq peer status reports
3577* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3578  candidate list unless they are designated a "prefer peer"
3579* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3580  selection during the 'tos orphanwait' period
3581* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3582  drivers
3583* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3584* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3585* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3586  clock slew on Microsoft Windows
3587* Code cleanup in libntpq
3588
3589ntpdc
3590
3591* Fix timerstats reporting
3592
3593ntpdate
3594
3595* Reduce time required to set clock
3596* Allow a timeout greater than 2 seconds
3597
3598sntp
3599
3600* Backward incompatible command-line option change:
3601  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3602
3603Documentation
3604
3605* Update html2man. Fix some tags in the .html files
3606* Distribute ntp-wait.html
3607
3608---
3609NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3610
3611Focus: Bug fixes and portability improvements
3612
3613Severity: Medium
3614
3615This is a recommended upgrade.
3616
3617This release includes build infrastructure updates, code
3618clean-ups, minor bug fixes, fixes for a number of minor
3619ref-clock issues, and documentation revisions.
3620
3621Portability improvements in this release affect AIX, Atari FreeMiNT,
3622FreeBSD4, Linux and Microsoft Windows.
3623
3624New features / changes in this release:
3625
3626Build system
3627* Use lsb_release to get information about Linux distributions.
3628* 'test' is in /usr/bin (instead of /bin) on some systems.
3629* Basic sanity checks for the ChangeLog file.
3630* Source certain build files with ./filename for systems without . in PATH.
3631* IRIX portability fix.
3632* Use a single copy of the "libopts" code.
3633* autogen/libopts upgrade.
3634* configure.ac m4 quoting cleanup.
3635
3636ntpd
3637* Do not bind to IN6_IFF_ANYCAST addresses.
3638* Log the reason for exiting under Windows.
3639* Multicast fixes for Windows.
3640* Interpolation fixes for Windows.
3641* IPv4 and IPv6 Multicast fixes.
3642* Manycast solicitation fixes and general repairs.
3643* JJY refclock cleanup.
3644* NMEA refclock improvements.
3645* Oncore debug message cleanup.
3646* Palisade refclock now builds under Linux.
3647* Give RAWDCF more baud rates.
3648* Support Truetime Satellite clocks under Windows.
3649* Support Arbiter 1093C Satellite clocks under Windows.
3650* Make sure that the "filegen" configuration command defaults to "enable".
3651* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3652* Prohibit 'includefile' directive in remote configuration command.
3653* Fix 'nic' interface bindings.
3654* Fix the way we link with openssl if openssl is installed in the base
3655  system.
3656
3657ntp-keygen
3658* Fix -V coredump.
3659* OpenSSL version display cleanup.
3660
3661ntpdc
3662* Many counters should be treated as unsigned.
3663
3664ntpdate
3665* Do not ignore replies with equal receive and transmit timestamps.
3666
3667ntpq
3668* libntpq warning cleanup.
3669
3670ntpsnmpd
3671* Correct SNMP type for "precision" and "resolution".
3672* Update the MIB from the draft version to RFC-5907.
3673
3674sntp
3675* Display timezone offset when showing time for sntp in the local
3676  timezone.
3677* Pay proper attention to RATE KoD packets.
3678* Fix a miscalculation of the offset.
3679* Properly parse empty lines in the key file.
3680* Logging cleanup.
3681* Use tv_usec correctly in set_time().
3682* Documentation cleanup.
3683
3684---
3685NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3686
3687Focus: Bug fixes and portability improvements
3688
3689Severity: Medium
3690
3691This is a recommended upgrade.
3692
3693This release includes build infrastructure updates, code
3694clean-ups, minor bug fixes, fixes for a number of minor
3695ref-clock issues, improved KOD handling, OpenSSL related
3696updates and documentation revisions.
3697
3698Portability improvements in this release affect Irix, Linux,
3699Mac OS, Microsoft Windows, OpenBSD and QNX6
3700
3701New features / changes in this release:
3702
3703ntpd
3704* Range syntax for the trustedkey configuration directive
3705* Unified IPv4 and IPv6 restrict lists
3706
3707ntpdate
3708* Rate limiting and KOD handling
3709
3710ntpsnmpd
3711* default connection to net-snmpd via a unix-domain socket
3712* command-line 'socket name' option
3713
3714ntpq / ntpdc
3715* support for the "passwd ..." syntax
3716* key-type specific password prompts
3717
3718sntp
3719* MD5 authentication of an ntpd
3720* Broadcast and crypto
3721* OpenSSL support
3722
3723---
3724NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3725
3726Focus: Bug fixes, portability fixes, and documentation improvements
3727
3728Severity: Medium
3729
3730This is a recommended upgrade.
3731
3732---
3733NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3734
3735Focus: enhancements and bug fixes.
3736
3737---
3738NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3739
3740Focus: Security Fixes
3741
3742Severity: HIGH
3743
3744This release fixes the following high-severity vulnerability:
3745
3746* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3747
3748  See http://support.ntp.org/security for more information.
3749
3750  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3751  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3752  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3753  request or a mode 7 error response from an address which is not listed
3754  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3755  reply with a mode 7 error response (and log a message).  In this case:
3756
3757	* If an attacker spoofs the source address of ntpd host A in a
3758	  mode 7 response packet sent to ntpd host B, both A and B will
3759	  continuously send each other error responses, for as long as
3760	  those packets get through.
3761
3762	* If an attacker spoofs an address of ntpd host A in a mode 7
3763	  response packet sent to ntpd host A, A will respond to itself
3764	  endlessly, consuming CPU and logging excessively.
3765
3766  Credit for finding this vulnerability goes to Robin Park and Dmitri
3767  Vinokurov of Alcatel-Lucent.
3768
3769THIS IS A STRONGLY RECOMMENDED UPGRADE.
3770
3771---
3772ntpd now syncs to refclocks right away.
3773
3774Backward-Incompatible changes:
3775
3776ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3777Use '--var name' or '--dvar name' instead. (Bug 817)
3778
3779---
3780NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3781
3782Focus: Security and Bug Fixes
3783
3784Severity: HIGH
3785
3786This release fixes the following high-severity vulnerability:
3787
3788* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3789
3790  See http://support.ntp.org/security for more information.
3791
3792  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3793  line) then a carefully crafted packet sent to the machine will cause
3794  a buffer overflow and possible execution of injected code, running
3795  with the privileges of the ntpd process (often root).
3796
3797  Credit for finding this vulnerability goes to Chris Ries of CMU.
3798
3799This release fixes the following low-severity vulnerabilities:
3800
3801* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3802  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3803
3804* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3805  Credit for finding this issue goes to Dave Hart.
3806
3807This release fixes a number of bugs and adds some improvements:
3808
3809* Improved logging
3810* Fix many compiler warnings
3811* Many fixes and improvements for Windows
3812* Adds support for AIX 6.1
3813* Resolves some issues under MacOS X and Solaris
3814
3815THIS IS A STRONGLY RECOMMENDED UPGRADE.
3816
3817---
3818NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3819
3820Focus: Security Fix
3821
3822Severity: Low
3823
3824This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3825the OpenSSL library relating to the incorrect checking of the return
3826value of EVP_VerifyFinal function.
3827
3828Credit for finding this issue goes to the Google Security Team for
3829finding the original issue with OpenSSL, and to ocert.org for finding
3830the problem in NTP and telling us about it.
3831
3832This is a recommended upgrade.
3833---
3834NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3835
3836Focus: Minor Bugfixes
3837
3838This release fixes a number of Windows-specific ntpd bugs and
3839platform-independent ntpdate bugs. A logging bugfix has been applied
3840to the ONCORE driver.
3841
3842The "dynamic" keyword and is now obsolete and deferred binding to local
3843interfaces is the new default. The minimum time restriction for the
3844interface update interval has been dropped.
3845
3846A number of minor build system and documentation fixes are included.
3847
3848This is a recommended upgrade for Windows.
3849
3850---
3851NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3852
3853Focus: Minor Bugfixes
3854
3855This release updates certain copyright information, fixes several display
3856bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3857shutdown in the parse refclock driver, removes some lint from the code,
3858stops accessing certain buffers immediately after they were freed, fixes
3859a problem with non-command-line specification of -6, and allows the loopback
3860interface to share addresses with other interfaces.
3861
3862---
3863NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3864
3865Focus: Minor Bugfixes
3866
3867This release fixes a bug in Windows that made it difficult to
3868terminate ntpd under windows.
3869This is a recommended upgrade for Windows.
3870
3871---
3872NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3873
3874Focus: Minor Bugfixes
3875
3876This release fixes a multicast mode authentication problem,
3877an error in NTP packet handling on Windows that could lead to
3878ntpd crashing, and several other minor bugs. Handling of
3879multicast interfaces and logging configuration were improved.
3880The required versions of autogen and libopts were incremented.
3881This is a recommended upgrade for Windows and multicast users.
3882
3883---
3884NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3885
3886Focus: enhancements and bug fixes.
3887
3888Dynamic interface rescanning was added to simplify the use of ntpd in
3889conjunction with DHCP. GNU AutoGen is used for its command-line options
3890processing. Separate PPS devices are supported for PARSE refclocks, MD5
3891signatures are now provided for the release files. Drivers have been
3892added for some new ref-clocks and have been removed for some older
3893ref-clocks. This release also includes other improvements, documentation
3894and bug fixes.
3895
3896K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3897C support.
3898
3899---
3900NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3901
3902Focus: enhancements and bug fixes.
3903---
3904NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)
3905
3906Focus: Bug fixes
3907
3908Severity: HIGH (for people running 4.2.8p16)
3909
3910This release:
3911
3912- fixes 3 bugs, including a regression
3913- adds new unit tests
3914
3915Details below:
3916
3917* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
3918             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
3919* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
3920             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
3921* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
3922             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
3923	     Miroslav Lichvar and Matt for rapid testing and identifying the
3924	     problem. <hart@ntp.org>
3925* Add tests/libntp/digests.c to catch regressions reading keys file or with
3926  symmetric authentication digest output.
3927
3928---
3929NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)
3930
3931Focus: Security, Bug fixes
3932
3933Severity: LOW
3934
3935This release:
3936
3937- fixes 4 vulnerabilities (3 LOW and 1 None severity),
3938- fixes 46 bugs
3939- includes 15 general improvements
3940- adds support for OpenSSL-3.0
3941
3942Details below:
3943
3944* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
3945* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
3946             hypothetical input buffer overflow. Reported by ... stenn@
3947* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
3948  - solved numerically instead of using string manipulation
3949* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
3950             <stenn@ntp.org>
3951* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
3952* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
3953* [Bug 3814] First poll delay of new or cleared associations miscalculated.
3954             <hart@ntp.org>
3955* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
3956             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
3957* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
3958* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
3959* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
3960* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
3961             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
3962* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
3963  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
3964* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
3965  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
3966* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
3967* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
3968             <hart@ntp.org>
3969* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
3970* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
3971  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
3972* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
3973* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
3974* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
3975* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
3976             Philippe De Muyter <phdm@macqel.be>
3977* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
3978  - openssl applink needed again for openSSL-1.1.1
3979* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
3980             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
3981* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
3982  - command line options override config statements where applicable
3983  - make initial frequency settings idempotent and reversible
3984  - make sure kernel PLL gets a recovered drift componsation
3985* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
3986* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
3987  - misleading title; essentially a request to ignore the receiver status.
3988    Added a mode bit for this. <perlinger@ntp.org>
3989* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
3990  - original patch by Richard Schmidt, with mods & unit test fixes
3991* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
3992  - implement/wrap 'realpath()' to resolve symlinks in device names
3993* [Bug 3691] Buffer Overflow reading GPSD output
3994  - original patch by matt<ntpbr@mattcorallo.com>
3995  - increased max PDU size to 4k to avoid truncation
3996* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
3997  - patch by Frank Kardel
3998* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
3999  - ntp{q,dc} now use the same password processing as ntpd does in the key
4000    file, so having a binary secret >= 11 bytes is possible for all keys.
4001    (This is a different approach to the problem than suggested)
4002* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
4003* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
4004  - patch by Gerry Garvey
4005* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
4006  - original patch by Gerry Garvey
4007* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
4008  - original patch by Gerry Garvey
4009* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
4010  - applied patches by Gerry Garvey
4011* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
4012* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
4013  - idea+patch by Gerry Garvey
4014* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
4015* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
4016  - follow-up: fix inverted sense in check, reset shortfall counter
4017* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
4018* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
4019  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
4020* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
4021  - applied patch by Gerry Garvey
4022* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
4023  - backport from -dev, plus some more work on warnings for unchecked results
4024* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
4025             Reported by Israel G. Lugo. <hart@ntp.org>
4026* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
4027* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
4028             Integrated patch from Brian Utterback. <hart@ntp.org>
4029* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
4030* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
4031* Use correct rounding in mstolfp(). perlinger/hart
4032* M_ADDF should use u_int32.  <hart@ntp.org>
4033* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
4034* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
4035* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
4036* If DEBUG is enabled, the startup banner now says that debug assertions
4037  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
4038* syslog valid incoming KoDs.  <stenn@ntp.org>
4039* Rename a poorly-named variable.  <stenn@ntp.org>
4040* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
4041* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
4042* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
4043* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
4044* upgrade to: autogen-5.18.16
4045* upgrade to: libopts-42.1.17
4046* upgrade to: autoconf-2.71
4047* upgrade to: automake-1.16.15
4048* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
4049* Support OpenSSL-3.0
4050
4051---
4052NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
4053
4054Focus: Security, Bug fixes
4055
4056Severity: MEDIUM
4057
4058This release fixes one vulnerability: Associations that use CMAC
4059authentication between ntpd from versions 4.2.8p11/4.3.97 and
40604.2.8p14/4.3.100 will leak a small amount of memory for each packet.
4061Eventually, ntpd will run out of memory and abort.
4062
4063It also fixes 13 other bugs.
4064
4065* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
4066* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
4067  - Thanks to Sylar Tao
4068* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
4069  - rewrite 'decodenetnum()' in terms of inet_pton
4070* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
4071  - limit number of receive buffers, with an iron reserve for refclocks
4072* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
4073* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
4074* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
4075  - integrated patch from Charles Claggett
4076* [Bug 3659] Move definition of psl[] from ntp_config.h to
4077  ntp_config.h <perlinger@ntp.org>
4078* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
4079* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
4080  - fix by Gerry garvey
4081* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
4082  - thanks to Gerry Garvey
4083* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
4084  - patch by Gerry Garvey
4085* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
4086* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
4087  - applied patch by Takao Abe
4088
4089---
4090NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
4091
4092Focus: Security, Bug fixes, enhancements.
4093
4094Severity: MEDIUM
4095
4096This release fixes three vulnerabilities: a bug that causes causes an ntpd
4097instance that is explicitly configured to override the default and allow
4098ntpdc (mode 7) connections to be made to a server to read some uninitialized
4099memory; fixes the case where an unmonitored ntpd using an unauthenticated
4100association to its servers may be susceptible to a forged packet DoS attack;
4101and fixes an attack against a client instance that uses a single
4102unauthenticated time source.  It also fixes 46 other bugs and addresses
41034 other issues.
4104
4105* [Sec 3610] process_control() should bail earlier on short packets. stenn@
4106  - Reported by Philippe Antoine
4107* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
4108  - Reported by Miroslav Lichvar
4109* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
4110  - Reported by Miroslav Lichvar
4111* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
4112* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
4113* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
4114* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
4115* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
4116  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
4117* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
4118  - integrated patch by Cy Schubert
4119* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
4120  - applied patch by Gerry Garvey
4121* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
4122  - applied patch by Gerry Garvey
4123* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
4124  - integrated patch by Richard Steedman
4125* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
4126* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
4127  - Reported by Martin Burnicki
4128* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
4129  - Reported by Philippe Antoine
4130* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
4131  - officially document new "trust date" mode bit for NMEA driver
4132  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
4133* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
4134  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
4135* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
4136  - removed ffs() and fls() prototypes as per Brian Utterback
4137* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
4138	ntp_io.c <perlinger@ntp.org>
4139  - fixed byte and paramter order as suggested by wei6410@sina.com
4140* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
4141* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
4142  - added padding as suggested by John Paul Adrian Glaubitz
4143* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
4144* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
4145* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
4146* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
4147  - stdout+stderr are set to line buffered during test setup now
4148* [Bug 3583] synchronization error <perlinger@ntp.org>
4149  - set clock to base date if system time is before that limit
4150* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
4151* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
4152  - Reported by Paulo Neves
4153* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
4154  - also updates for refclock_nmea.c and refclock_jupiter.c
4155* [Bug 3576] New GPS date function API <perlinger@ntp.org>
4156* [Bug 3573] nptdate: missleading error message <perlinger@ntp.org>
4157* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
4158* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
4159  - sidekick: service port resolution in 'ntpdate'
4160* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
4161  - applied patch by Douglas Royds
4162* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
4163* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
4164  - applied patch by Gerry Garvey
4165* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
4166  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
4167  - fix wrong cond-compile tests in unit tests
4168* [Bug 3517] Reducing build noise <perlinger@ntp.org>
4169* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
4170  - patch by Philipp Prindeville
4171* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
4172  - patch by Philipp Prindeville
4173* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
4174  - patch by Philipp Prindeville
4175* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
4176  - partial application of patch by Philipp Prindeville
4177* [Bug 3491] Signed values of LFP datatypes should always display a sign
4178  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
4179* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
4180  - applied (modified) patch by Richard Steedman
4181* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
4182  - applied patch by Gerry Garvey (with minor formatting changes)
4183* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
4184  - applied patch by Miroslav Lichvar
4185* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
4186  <perlinger@ntp.org>
4187* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
4188             is specified with -u <perlinger@ntp.org>
4189  - monitor daemon child startup & propagate exit codes
4190* [Bug 1433] runtime check whether the kernel really supports capabilities
4191  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
4192* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
4193* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
4194* Startup log improvements. <stenn@ntp.org>
4195* Update the copyright year.
4196
4197---
4198NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
4199
4200Focus: Security, Bug fixes, enhancements.
4201
4202Severity: MEDIUM
4203
4204This release fixes a bug that allows an attacker with access to an
4205explicitly trusted source to send a crafted malicious mode 6 (ntpq)
4206packet that can trigger a NULL pointer dereference, crashing ntpd.
4207It also provides 17 other bugfixes and 1 other improvement:
4208
4209* [Sec 3565] Crafted null dereference attack in authenticated
4210	     mode 6 packet <perlinger@ntp.org>
4211  - reported by Magnus Stubman
4212* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
4213  - applied patch by Ian Lepore
4214* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
4215  - isolate and fix linux/windows specific code issue
4216* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
4217  - provide better function for incremental string formatting
4218* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
4219  - applied patch by Gerry Garvey
4220* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
4221  - original finding by Gerry Garvey, additional cleanup needed
4222* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
4223  - patch by Christous Zoulas
4224* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
4225  - finding by Chen Jiabin, plus another one by me
4226* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
4227  - applied patch by Maciej Szmigiero
4228* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
4229  - applied patch by Andre Charbonneau
4230* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
4231  - applied patch by Baruch Siach
4232* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
4233  - applied patch by Baruch Siach
4234* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
4235  - refactored handling of GPS era based on 'tos basedate' for
4236    parse (TSIP) and JUPITER clocks
4237* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
4238  - patch by Daniel J. Luke; this does not fix a potential linker
4239    regression issue on MacOS.
4240* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
4241  anomaly <perlinger@ntp.org>, reported by GGarvey.
4242  - --enable-bug3527-fix support by HStenn
4243* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
4244  - applied patch by Gerry Garvey
4245* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
4246  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
4247* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
4248  - this is a variant of [bug 3558] and should be fixed with it
4249* Implement 'configure --disable-signalled-io'
4250
4251--
4252NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
4253
4254Focus: Security, Bug fixes, enhancements.
4255
4256Severity: MEDIUM
4257
4258This release fixes a "hole" in the noepeer capability introduced to ntpd
4259in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
4260ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
4261
4262* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
4263
4264* [Sec 3012] Fix a hole in the new "noepeer" processing.
4265
4266* Bug Fixes:
4267 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
4268 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
4269            other TrustedBSD platforms
4270 - applied patch by Ian Lepore <perlinger@ntp.org>
4271 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
4272 - changed interaction with SCM to signal pending startup
4273 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
4274 - applied patch by Gerry Garvey
4275 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
4276 - applied patch by Gerry Garvey
4277 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
4278 - rework of ntpq 'nextvar()' key/value parsing
4279 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
4280 - applied patch by Gerry Garvey (with mods)
4281 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
4282 - applied patch by Gerry Garvey
4283 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
4284 - applied patch by Gerry Garvey (with mods)
4285 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
4286 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
4287 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
4288 - applied patch by Gerry Garvey
4289 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
4290 - applied patch by Gerry Garvey
4291 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
4292 - add #define ENABLE_CMAC support in configure.  HStenn.
4293 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
4294 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
4295 - patch by Stephen Friedl
4296 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
4297 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
4298 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
4299 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
4300 - initial patch by Hal Murray; also fixed refclock_report() trouble
4301 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
4302 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
4303 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
4304 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
4305 - applied patch by Gerry Garvey
4306 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
4307 - applied patch by Gerry Garvey
4308 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
4309 with modifications
4310 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
4311 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
4312 - applied patch by Miroslav Lichvar
4313 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
4314 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
4315 - integrated patch by  Reinhard Max
4316 [Bug 2821] minor build issues <perlinger@ntp.org>
4317 - applied patches by Christos Zoulas, including real bug fixes
4318 html/authopt.html: cleanup, from <stenn@ntp.org>
4319 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
4320 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
4321
4322--
4323NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
4324
4325Focus: Security, Bug fixes, enhancements.
4326
4327Severity: MEDIUM
4328
4329This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
4330vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
4331provides 65 other non-security fixes and improvements:
4332
4333* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
4334	association (LOW/MED)
4335   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4336   References: Sec 3454 / CVE-2018-7185 / VU#961909
4337   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
4338   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
4339	2.9 and 6.8.
4340   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
4341	score between 2.6 and 3.1
4342   Summary:
4343	The NTP Protocol allows for both non-authenticated and
4344	authenticated associations, in client/server, symmetric (peer),
4345	and several broadcast modes. In addition to the basic NTP
4346	operational modes, symmetric mode and broadcast servers can
4347	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
4348	was inadvertently introduced into the protocol engine that
4349	allows a non-authenticated zero-origin (reset) packet to reset
4350	an authenticated interleaved peer association. If an attacker
4351	can send a packet with a zero-origin timestamp and the source
4352	IP address of the "other side" of an interleaved association,
4353	the 'victim' ntpd will reset its association. The attacker must
4354	continue sending these packets in order to maintain the
4355	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
4356	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
4357	interleaved mode must be explicitly configured/enabled.
4358   Mitigation:
4359	Implement BCP-38.
4360	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
4361	    or the NTP Public Services Project Download Page.
4362	If you are unable to upgrade to 4.2.8p11 or later and have
4363	    'peer HOST xleave' lines in your ntp.conf file, remove the
4364	    'xleave' option.
4365	Have enough sources of time.
4366	Properly monitor your ntpd instances.
4367	If ntpd stops running, auto-restart it without -g .
4368   Credit:
4369   	This weakness was discovered by Miroslav Lichvar of Red Hat.
4370
4371* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
4372	state (LOW/MED)
4373   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4374   References: Sec 3453 / CVE-2018-7184 / VU#961909
4375   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
4376   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
4377	Could score between 2.9 and 6.8.
4378   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4379	Could score between 2.6 and 6.0.
4380   Summary:
4381   	The fix for NtpBug2952 was incomplete, and while it fixed one
4382	problem it created another.  Specifically, it drops bad packets
4383	before updating the "received" timestamp.  This means a
4384	third-party can inject a packet with a zero-origin timestamp,
4385	meaning the sender wants to reset the association, and the
4386	transmit timestamp in this bogus packet will be saved as the
4387	most recent "received" timestamp.  The real remote peer does
4388	not know this value and this will disrupt the association until
4389	the association resets.
4390   Mitigation:
4391	Implement BCP-38.
4392	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4393	    or the NTP Public Services Project Download Page.
4394	Use authentication with 'peer' mode.
4395	Have enough sources of time.
4396	Properly monitor your ntpd instances.
4397	If ntpd stops running, auto-restart it without -g .
4398   Credit:
4399   	This weakness was discovered by Miroslav Lichvar of Red Hat.
4400
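The two entries above (Bug 3454 and Bug 3453) share one trigger: an unauthenticated symmetric-mode packet with a zero origin timestamp arriving on an association that is supposed to be authenticated. The following is an added example, not code from the NTP project: a small Python check that parses the fixed 48-byte NTP header and flags exactly that pattern, the kind of rule one would run over a packet capture while investigating a peer that keeps resetting. It assumes that any bytes past the fixed header are a MAC (ntpd itself also distinguishes extension fields and 4-byte crypto-NAKs, which this simplified check ignores). The sample packets and the peer address 192.0.2.10 are constructed for the example.

```python
import struct
from ipaddress import ip_address

NTP_HEADER_LEN = 48           # fixed header; a MAC (or extension fields) follows it
MODE_SYMMETRIC_ACTIVE = 1
MODE_SYMMETRIC_PASSIVE = 2
ORIGIN_TS_OFFSET = 24         # origin timestamp: 32-bit seconds + 32-bit fraction


def parse_ntp(raw):
    """Return (mode, origin_timestamp, has_mac) for a raw NTP packet, or None
    if it is shorter than the fixed header."""
    if len(raw) < NTP_HEADER_LEN:
        return None
    mode = raw[0] & 0x07
    origin = struct.unpack_from("!Q", raw, ORIGIN_TS_OFFSET)[0]
    # Assumption for this example: anything past the fixed header is a MAC.
    # ntpd itself also distinguishes extension fields and 4-byte crypto-NAKs.
    has_mac = len(raw) > NTP_HEADER_LEN
    return mode, origin, has_mac


def find_unauth_zero_origin(packets, authenticated_peers):
    """Return the source addresses of symmetric-mode packets that carry a
    zero origin timestamp (a reset request) but no MAC, while claiming to
    come from a peer we only talk to with authentication.  A fixed ntpd
    drops such packets; 4.2.8p4 through 4.2.8p10 reset the interleaved
    association on them, so they are worth alerting on either way."""
    hits = []
    for src, raw in packets:
        parsed = parse_ntp(raw)
        if parsed is None:
            continue
        mode, origin, has_mac = parsed
        if (mode in (MODE_SYMMETRIC_ACTIVE, MODE_SYMMETRIC_PASSIVE)
                and origin == 0
                and not has_mac
                and ip_address(src) in authenticated_peers):
            hits.append(src)
    return hits


def make_packet(mode, origin, mac_len=0):
    """Build a constructed NTPv4 packet for the example (not a real capture)."""
    pkt = bytearray(NTP_HEADER_LEN)
    pkt[0] = (0 << 6) | (4 << 3) | mode      # LI=0, VN=4, mode
    struct.pack_into("!Q", pkt, ORIGIN_TS_OFFSET, origin)
    return bytes(pkt) + b"\x00" * mac_len    # zero bytes stand in for a real digest


# Constructed sample traffic: the victim peers with 192.0.2.10 using a key.
AUTHENTICATED_PEERS = {ip_address("192.0.2.10")}
REAL_ORIGIN = 0xE0000000_00000000            # an arbitrary non-zero origin timestamp
SAMPLE_PACKETS = [
    ("192.0.2.10", make_packet(MODE_SYMMETRIC_ACTIVE, 0)),              # spoofed unauthenticated reset
    ("192.0.2.10", make_packet(MODE_SYMMETRIC_ACTIVE, 0, mac_len=20)),  # genuine reset, carries a MAC
    ("192.0.2.10", make_packet(MODE_SYMMETRIC_ACTIVE, REAL_ORIGIN)),    # non-zero origin: not a reset
    ("198.51.100.7", make_packet(MODE_SYMMETRIC_ACTIVE, 0)),            # not a configured peer
    ("192.0.2.10", make_packet(3, 0)),                                  # client mode, not symmetric
]


def demo():
    return find_unauth_zero_origin(SAMPLE_PACKETS, AUTHENTICATED_PEERS)


if __name__ == "__main__":
    print(demo())   # ['192.0.2.10']
```

Only the first sample packet is reported: it is the one an attacker with a spoofed source address can send without knowing the key, which is why the Mitigation lists above lead with BCP-38.
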
4401* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
4402	peering (LOW)
4403   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4404   References: Sec 3415 / CVE-2018-7170 / VU#961909
4405   	       Sec 3012 / CVE-2016-1549 / VU#718152
4406   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4407   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
4408   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
4409   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4410   Summary:
4411	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
4412	use a trustedkey and if one is not using the feature introduced in
4413	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
4414	specify which IPs can serve time, a malicious authenticated peer
4415	-- i.e. one where the attacker knows the private symmetric key --
4416	can create arbitrarily-many ephemeral associations in order to win
4417	the clock selection of ntpd and modify a victim's clock.  Three
4418	additional protections are offered in ntp-4.2.8p11.  One is the
4419	new 'noepeer' directive, which disables symmetric passive
4420	ephemeral peering. Another is the new 'ippeerlimit' directive,
4421	which limits the number of peers that can be created from an IP.
4422	The third extends the functionality of the 4th field in the
4423	ntp.keys file to include specifying a subnet range.
4424   Mitigation:
4425	Implement BCP-38.
4426	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4427	    or the NTP Public Services Project Download Page.
4428	Use the 'noepeer' directive to prohibit symmetric passive
4429	    ephemeral associations.
4430	Use the 'ippeerlimit' directive to limit the number of peers
4431	    that can be created from an IP.
4432	Use the 4th argument in the ntp.keys file to limit the IPs and
4433	    subnets that can be time servers.
4434	Have enough sources of time.
4435	Properly monitor your ntpd instances.
4436	If ntpd stops running, auto-restart it without -g .
4437   Credit:
4438	This weakness was reported as Bug 3012 by Matthew Van Gundy of
4439	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
4440
4441* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
4442   Date Resolved: 27 Feb 2018
4443   References: Sec 3414 / CVE-2018-7183 / VU#961909
4444   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
4445   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
4446   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
4447   Summary:
4448   	ntpq is a monitoring and control program for ntpd.  decodearr()
4449	is an internal function of ntpq that is used to -- wait for it --
4450	decode an array in a response string when formatted data is being
4451	displayed.  This is a problem in affected versions of ntpq if a
4452	maliciously-altered ntpd returns an array result that will trip this
4453	bug, or if a bad actor is able to read an ntpq request on its way to
4454	a remote ntpd server and forge and send a response before the remote
4455	ntpd sends its response.  It's potentially possible that the
4456	malicious data could become injectable/executable code.
4457   Mitigation:
4458	Implement BCP-38.
4459	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4460	    or the NTP Public Services Project Download Page.
4461   Credit:
4462	This weakness was discovered by Michael Macnair of Thales e-Security.
4463
4464* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
4465	behavior and information leak (Info/Medium)
4466   Date Resolved: 27 Feb 2018
4467   References: Sec 3412 / CVE-2018-7182 / VU#961909
4468   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
4469   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
4470   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4471	0.0 if C:N
4472   Summary:
4473	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
4474	A malicious mode 6 packet can be sent to an ntpd instance, and
4475	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
4476	cause ctl_getitem() to read past the end of its buffer.
4477   Mitigation:
4478	Implement BCP-38.
4479	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4480	    or the NTP Public Services Project Download Page.
4481	Have enough sources of time.
4482	Properly monitor your ntpd instances.
4483	If ntpd stops running, auto-restart it without -g .
4484   Credit:
4485   	This weakness was discovered by Yihan Lian of Qihoo 360.
4486
4487* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
4488   Also see Bug 3415, above.
4489   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
4490   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4491   References: Sec 3012 / CVE-2016-1549 / VU#718152
4492   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4493	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
4494   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
4495   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
4496   Summary:
4497	ntpd can be vulnerable to Sybil attacks.  If a system is set up
4498	to use a trustedkey and if one is not using the feature
4499	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
4500	ntp.keys file to specify which IPs can serve time, a malicious
4501	authenticated peer -- i.e. one where the attacker knows the
4502	private symmetric key -- can create arbitrarily-many ephemeral
4503	associations in order to win the clock selection of ntpd and
4504	modify a victim's clock.  Two additional protections are
4505	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
4506	disables symmetric passive ephemeral peering. The other extends
4507	the functionality of the 4th field in the ntp.keys file to
4508	include specifying a subnet range.
4509   Mitigation:
4510	Implement BCP-38.
4511	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
4512	    the NTP Public Services Project Download Page.
4513	Use the 'noepeer' directive to prohibit symmetric passive
4514	    ephemeral associations.
4515	Use the 'ippeerlimit' directive to limit the number of peer
4516	    associations from an IP.
4517	Use the 4th argument in the ntp.keys file to limit the IPs
4518	    and subnets that can be time servers.
4519	Properly monitor your ntpd instances.
4520   Credit:
4521   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
4522
4523* Bug fixes:
4524 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
4525 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
4526 - applied patch by Sean Haugh
4527 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
4528 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
4529 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
4530 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
4531 - refactoring the MAC code, too
4532 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
4533 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
4534 - applied patch by ggarvey
4535 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
4536 - applied patch by ggarvey (with minor mods)
4537 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
4538 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
4539 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
4540 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
4541 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
4542 - fixed several issues with hash algos in ntpd, sntp, ntpq,
4543   ntpdc and the test suites <perlinger@ntp.org>
4544 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
4545 - initial patch by Daniel Pouzzner
4546 [Bug 3423] QNX adjtime() implementation error checking is
4547 wrong <perlinger@ntp.org>
4548 [Bug 3417] ntpq ifstats packet counters can be negative
4549 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
4550 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
4551 - raised receive buffer size to 1200 <perlinger@ntp.org>
4552 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
4553 analysis tool. <abe@ntp.org>
4554 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
4555 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
4556 - fix/drop assumptions on OpenSSL libs directory layout
4557 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
4558 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
4559 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
4560 - patch contributed by Alexander Bluhm
4561 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
4562 rework of formatting & data transfer stuff in 'ntp_control.c'
4563 avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
4564 [Bug 3394] Leap second deletion does not work on ntpd clients
4565 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
4566 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
4567 - increased minimum stack size to 32kB <perlinger@ntp.org>
4568 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
4569 - reverted handling of PPS kernel consumer to 4.2.6 behavior
4570 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
4571 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
4572 [Bug 3016] wrong error position reported for bad ":config pool"
4573 - fixed location counter & ntpq output <perlinger@ntp.org>
4574 [Bug 2900] libntp build order problem.  HStenn.
4575 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
4576 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
4577 perlinger@ntp.org
4578 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
4579 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
4580 Use strlcpy() to copy strings, not memcpy().  HStenn.
4581 Typos.  HStenn.
4582 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
4583 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
4584 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
4585 Fix trivial warnings from 'make check'. perlinger@ntp.org
4586 Fix bug in the override portion of the compiler hardening macro. HStenn.
4587 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
4588 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
4589 sntp: tweak key file logging.  HStenn.
4590 sntp: pkt_output(): Improve debug output.  HStenn.
4591 update-leap: updates from Paul McMath.
4592 When using pkg-config, report --modversion.  HStenn.
4593 Clean up libevent configure checks.  HStenn.
4594 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
4595 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
4596 authistrustedip() - use it in more places.  HStenn, JPerlinger.
4597 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
4598 Update ntp.keys .../N documentation.  HStenn.
4599 Distribute testconf.yml.  HStenn.
4600 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
4601 Rename the configuration flag fifo variables.  HStenn.
4602 Improve saveconfig output.  HStenn.
4603 Decode restrict flags on receive() debug output.  HStenn.
4604 Decode interface flags on receive() debug output.  HStenn.
4605 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
4606 Update the documentation in ntp.conf.def .  HStenn.
4607 restrictions() must return restrict flags and ippeerlimit.  HStenn.
4608 Update ntpq peer documentation to describe the 'p' type.  HStenn.
4609 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
4610 Provide dump_restricts() for debugging.  HStenn.
4611 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
4612
4613* Other items:
4614
4615* update-leap needs the following perl modules:
4616	Net::SSLeay
4617	IO::Socket::SSL
4618
4619* New sysstats variables: sys_lamport, sys_tsrounding
4620See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
4621sys_lamport counts the number of observed Lamport violations, while
4622sys_tsrounding counts observed timestamp rounding events.
4623
4624* New ntp.conf items:
4625
4626- restrict ... noepeer
4627- restrict ... ippeerlimit N
4628
4629The 'noepeer' directive will disallow all ephemeral/passive peer
4630requests.
4631
4632The 'ippeerlimit' directive limits the number of time associations
4633for each IP in the designated set of addresses.  This limit does not
4634apply to explicitly-configured associations.  A value of -1, the current
4635default, means an unlimited number of associations may connect from a
4636single IP.  0 means "none", etc.  Ordinarily the only way multiple
4637associations would come from the same IP would be if the remote side
4638was using a proxy.  But a trusted machine might become compromised,
4639in which case an attacker might spin up multiple authenticated sessions
4640from different ports.  This directive should be helpful in this case.
4641
4642* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
4643field may contain a /subnetbits specification, which identifies the
4644scope of IPs that may use this key.  This IP/subnet restriction can be
4645used to limit the IPs that may use the key in almost all situations where
4646a key is used.
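
As an added example (not code from the NTP project) of how the 'ippeerlimit' rule and the ntp.keys 4th-field IP/subnet restriction described above combine, the Python below parses a constructed ntp.keys file, applies a 'trustedkey' set, and decides whether an ephemeral association from a given source may be accepted. Two assumptions are not stated on this page: that the 4th field is a comma-separated list, and that an association count is tracked per source IP the way the 'ippeerlimit' text implies. The key IDs, secrets and addresses are made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed ntp.keys file (not a real one).  Fields: keyno type secret [iplist]
# where the optional 4th field lists the IPs and IP/subnetbits that may use
# the key.  Assumption: list entries are separated by commas.
SAMPLE_NTP_KEYS = """\
# keyno type secret                       allowed sources
1   MD5  legacysecret                                   # no list: any source
10  SHA1 6e6f7420612073656372657421  192.0.2.10          # one host
20  SHA1 c0ffee0badf00d  10.0.0.0/24,2001:db8::/64       # subnets (4.2.8p11 form)
"""

TRUSTED_KEYS = {10, 20}   # what a 'trustedkey 10 20' directive would select


def parse_ntp_keys(text):
    """Return {keyno: (type, secret, networks)}; networks is None when the
    line has no 4th field, meaning the key may be used from any address."""
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("ntp.keys line %d: expected keyno, type, secret" % lineno)
        keyno = int(fields[0])
        if not 1 <= keyno <= 65535:                  # symmetric key range 1-65535
            raise ValueError("ntp.keys line %d: key id out of range" % lineno)
        networks = None
        if len(fields) >= 4:
            # strict=False so a bare host address becomes a /32 or /128
            networks = [ip_network(item, strict=False) for item in fields[3].split(",")]
        keys[keyno] = (fields[1], fields[2], networks)
    return keys


def key_usable_from(keys, trusted, keyno, src_ip):
    """True if keyno is configured, trusted, and (when restricted) lists src_ip."""
    entry = keys.get(keyno)
    if entry is None or keyno not in trusted:
        return False
    networks = entry[2]
    if networks is None:
        return True
    src = ip_address(src_ip)
    # an IPv4 address never matches an IPv6 network and vice versa
    return any(src in net for net in networks)


def ephemeral_allowed(keys, trusted, keyno, src_ip, ippeerlimit, existing, noepeer=False):
    """Decide whether an authenticated ephemeral (passive) association from
    src_ip may be created.  'existing' is the number of non-configured
    associations that IP already holds; ippeerlimit -1 means unlimited."""
    if noepeer:                                        # restrict ... noepeer
        return False
    if not key_usable_from(keys, trusted, keyno, src_ip):
        return False
    if ippeerlimit >= 0 and existing >= ippeerlimit:   # restrict ... ippeerlimit N
        return False
    return True


if __name__ == "__main__":
    keys = parse_ntp_keys(SAMPLE_NTP_KEYS)
    print(key_usable_from(keys, TRUSTED_KEYS, 20, "10.0.0.77"))           # True
    print(ephemeral_allowed(keys, TRUSTED_KEYS, 20, "10.0.0.77", 2, 2))   # False: limit reached
```

Note the layering: key 1 is unrestricted by address but is not in the trusted set, so it cannot authenticate anything; key 20 is trusted but only from the two listed subnets; and even a source that passes both checks is capped by 'ippeerlimit', which is what stops a compromised but legitimately keyed host from spinning up many associations from different ports.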
4647--
4648NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
4649
4650Focus: Security, Bug fixes, enhancements.
4651
4652Severity: MEDIUM
4653
4654This release fixes 5 medium-, 6 low-, and 4 informational-severity
4655vulnerabilities, and provides 15 other non-security fixes and improvements:
4656
4657* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
4658   Date Resolved: 21 Mar 2017
4659   References: Sec 3389 / CVE-2017-6464 / VU#325339
4660   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
4661	ntp-4.3.0 up to, but not including ntp-4.3.94.
4662   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4663   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4664   Summary:
4665	A vulnerability found in the NTP server makes it possible for an
4666	authenticated remote user to crash ntpd via a malformed mode
4667	configuration directive.
4668   Mitigation:
4669	Implement BCP-38.
4670	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
4671	    the NTP Public Services Project Download Page
4672	Properly monitor your ntpd instances, and auto-restart
4673	    ntpd (without -g) if it stops running.
4674   Credit:
4675	This weakness was discovered by Cure53.
4676
4677* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
4678    Date Resolved: 21 Mar 2017
4679    References: Sec 3388 / CVE-2017-6462 / VU#325339
4680    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
4681    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
4682    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4683    Summary:
4684	There is a potential for a buffer overflow in the legacy Datum
4685	Programmable Time Server refclock driver.  Here the packets are
4686	processed from the /dev/datum device and handled in
4687	datum_pts_receive().  Since an attacker would be required to
4688	somehow control a malicious /dev/datum device, this does not
4689	appear to be a practical attack and renders this issue "Low" in
4690	terms of severity.
4691   Mitigation:
4692	If you have a Datum reference clock installed and think somebody
4693	    may maliciously change the device, upgrade to 4.2.8p10, or
4694	    later, from the NTP Project Download Page or the NTP Public
4695	    Services Project Download Page
4696	Properly monitor your ntpd instances, and auto-restart
4697	    ntpd (without -g) if it stops running.
4698   Credit:
4699	This weakness was discovered by Cure53.
4700
4701* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
4702   Date Resolved: 21 Mar 2017
4703   References: Sec 3387 / CVE-2017-6463 / VU#325339
4704   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
4705	ntp-4.3.0 up to, but not including ntp-4.3.94.
4706   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4707   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4708   Summary:
4709	A vulnerability found in the NTP server allows an authenticated
4710	remote attacker to crash the daemon by sending an invalid setting
4711	via the :config directive.  The unpeer option expects a number or
4712	an address as an argument.  In case the value is "0", a
4713	segmentation fault occurs.
4714   Mitigation:
4715	Implement BCP-38.
4716	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4717	    or the NTP Public Services Project Download Page
4718	Properly monitor your ntpd instances, and auto-restart
4719	    ntpd (without -g) if it stops running.
4720   Credit:
4721	This weakness was discovered by Cure53.
4722
4723* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
4724   Date Resolved: 21 Mar 2017
4725   References: Sec 3386
4726   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4727	ntp-4.3.0 up to, but not including ntp-4.3.94.
4728   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
4729   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
4730   Summary:
4731	The NTP Mode 6 monitoring and control client, ntpq, uses the
4732	function ntpq_stripquotes() to remove quotes and escape characters
4733	from a given string.  According to the documentation, the function
4734	is supposed to return the number of copied bytes but due to
4735	incorrect pointer usage this value is always zero.  Although the
4736	return value of this function is never used in the code, this
4737	flaw could lead to a vulnerability in the future.  Since relying
4738	on wrong return values when performing memory operations is a
4739	dangerous practice, it is recommended to return the correct value
4740	in accordance with the documentation pertinent to the code.
4741   Mitigation:
4742	Implement BCP-38.
4743	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4744	    or the NTP Public Services Project Download Page
4745	Properly monitor your ntpd instances, and auto-restart
4746	    ntpd (without -g) if it stops running.
4747   Credit:
4748	This weakness was discovered by Cure53.
4749
4750* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
4751   Date Resolved: 21 Mar 2017
4752   References: Sec 3385
4753   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4754	ntp-4.3.0 up to, but not including ntp-4.3.94.
4755   Summary:
4756	NTP makes use of several wrappers around the standard heap memory
4757	allocation functions that are provided by libc.  This is mainly
4758	done to introduce additional safety checks concentrated on
4759	several goals.  First, they seek to ensure that memory is not
4760	accidentally freed, secondly they verify that a correct amount
4761	is always allocated and, thirdly, that allocation failures are
4762	correctly handled.  There is an additional implementation for
4763	scenarios where memory for a specific amount of items of the
4764	same size needs to be allocated.  The handling can be found in
4765	the oreallocarray() function for which a further number-of-elements
4766	parameter needs to be provided.  Although no considerable threat
4767	was identified as tied to a lack of use of this function, it is
4768	recommended to correctly apply oreallocarray() as a preferred
4769	option across all of the locations where it is possible.
4770   Mitigation:
4771	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4772	    or the NTP Public Services Project Download Page
4773   Credit:
4774	This weakness was discovered by Cure53.
4775
4776* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
4777	PPSAPI ONLY) (Low)
4778   Date Resolved: 21 Mar 2017
4779   References: Sec 3384 / CVE-2017-6455 / VU#325339
4780   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
4781	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
4782	including ntp-4.3.94.
4783   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
4784   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4785   Summary:
4786	The Windows NT port has the added capability to preload DLLs
4787	defined in the inherited environment variable
4788	PPSAPI_DLLS.  The code contained within those libraries is then
4789	called from the NTPD service, usually running with elevated
4790	privileges. Depending on how securely the machine is setup and
4791	configured, if ntpd is configured to use the PPSAPI under Windows
4792	this can easily lead to a code injection.
4793   Mitigation:
4794	Implement BCP-38.
4795	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4796	    or the NTP Public Services Project Download Page
4797   Credit:
4798   This weakness was discovered by Cure53.
4799
4800* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
4801	installer ONLY) (Low)
4802   Date Resolved: 21 Mar 2017
4803   References: Sec 3383 / CVE-2017-6452 / VU#325339
4804   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
4805	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
4806	to, but not including ntp-4.3.94.
4807   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
4808   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4809   Summary:
4810	The Windows installer for NTP calls strcat(), blindly appending
4811	the string passed to the stack buffer in the addSourceToRegistry()
4812	function.  The stack buffer is 70 bytes smaller than the buffer
4813	in the calling main() function.  Together with the initially
4814	copied Registry path, the combination causes a stack buffer
4815	overflow and effectively overwrites the stack frame.  The
4816	passed application path is actually limited to 256 bytes by the
4817	operating system, but this is not sufficient to assure that the
4818	affected stack buffer is consistently protected against
4819	overflowing at all times.
4820   Mitigation:
4821	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4822	or the NTP Public Services Project Download Page
4823   Credit:
4824	This weakness was discovered by Cure53.
4825
4826* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
4827	installer ONLY) (Low)
4828   Date Resolved: 21 Mar 2017
4829   References: Sec 3382 / CVE-2017-6459 / VU#325339
4830   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
4831	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
4832	up to, but not including ntp-4.3.94.
4833   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
4834   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4835   Summary:
4836	The Windows installer for NTP calls strcpy() with an argument
4837	that specifically contains multiple null bytes.  strcpy() only
4838	copies a single terminating null character into the target
4839	buffer instead of copying the required double null bytes in the
4840	addKeysToRegistry() function.  As a consequence, a garbage
4841	registry entry can be created.  The additional arsize parameter
4842	is erroneously set to contain two null bytes and the following
4843	call to RegSetValueEx() claims to be passing in a multi-string
4844	value, though this may not be true.
4845   Mitigation:
4846	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4847	    or the NTP Public Services Project Download Page
4848   Credit:
4849	This weakness was discovered by Cure53.
4850
4851* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
4852   References: Sec 3381
4853   Summary:
4854	The report says: Statically included external projects
4855	potentially introduce several problems and the issue of having
4856	extensive amounts of code that is "dead" in the resulting binary
4857	must clearly be pointed out.  The unnecessary unused code may or
4858	may not contain bugs and, quite possibly, might be leveraged for
4859	code-gadget-based branch-flow redirection exploits.  Analogously,
4860	having source trees statically included as well means a failure
4861	in taking advantage of the free feature for periodical updates.
4862	This solution is offered by the system's Package Manager. The
4863	three libraries identified are libisc, libevent, and libopts.
4864   Resolution:
4865	For libisc, we already only use a portion of the original library.
4866	We've found and fixed bugs in the original implementation (and
4867	offered the patches to ISC), and plan to see what has changed
4868	since we last upgraded the code.  libisc is generally not
4869	installed, and when it is we usually only see the static libisc.a
4870	file installed.  Until we know for sure that the bugs we've found
4871	and fixed are fixed upstream, we're better off with the copy we
4872	are using.
4873
4874        Version 1 of libevent was the only production version available
4875	until recently, and we've been requiring version 2 for a long time.
4876	But if the build system has at least version 2 of libevent
4877	installed, we'll use the version that is installed on the system.
4878	Otherwise, we provide a copy of libevent that we know works.
4879
4880        libopts is provided by GNU AutoGen, and that library and package
4881	undergoes frequent API version updates.  The version of autogen
4882	used to generate the tables for the code must match the API
4883	version in libopts.  AutoGen can be ... difficult to build and
4884	install, and very few developers really need it.  So we have it
4885	on our build and development machines, and we provide the
4886	specific version of the libopts code in the distribution to make
4887	sure that the proper API version of libopts is available.
4888
4889        As for the point about there being code in these libraries that
4890	NTP doesn't use, OK.  But other packages used these libraries as
4891	well, and it is reasonable to assume that other people are paying
4892	attention to security and code quality issues for the overall
4893	libraries.  It takes significant resources to analyze and
4894	customize these libraries to only include what we need, and to
4895	date we believe the cost of this effort does not justify the benefit.
4896   Credit:
4897	This issue was discovered by Cure53.
4898
4899* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
4900   Date Resolved: 21 Mar 2017
4901   References: Sec 3380
4902   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4903   	ntp-4.3.0 up to, but not including ntp-4.3.94.
4904   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
4905   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
4906   Summary:
4907	There is a fencepost error in a "recovery branch" of the code for
4908	the Oncore GPS receiver if the communication link to the ONCORE
4909	is weak / distorted and the decoding doesn't work.
4910   Mitigation:
4911        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
4912	    the NTP Public Services Project Download Page
4913        Properly monitor your ntpd instances, and auto-restart
4914	    ntpd (without -g) if it stops running.
4915   Credit:
4916	This weakness was discovered by Cure53.
4917
4918* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
4919   Date Resolved: 21 Mar 2017
4920   References: Sec 3379 / CVE-2017-6458 / VU#325339
4921   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4922	ntp-4.3.0 up to, but not including ntp-4.3.94.
4923   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4924   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4925   Summary:
4926	ntpd makes use of different wrappers around ctl_putdata() to
4927	create name/value ntpq (mode 6) response strings.  For example,
4928	ctl_putstr() is usually used to send string data (variable names
4929	or string data).  The formatting code was missing a length check
4930	for variable names.  If somebody explicitly created any unusually
4931	long variable names in ntpd (longer than 200-512 bytes, depending
4932	on the type of variable), then if any of these variables are
4933	added to the response list it would overflow a buffer.
4934   Mitigation:
4935	Implement BCP-38.
4936	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4937	    or the NTP Public Services Project Download Page
4938	If you don't want to upgrade, then don't setvar variable names
4939	    longer than 200-512 bytes in your ntp.conf file.
4940	Properly monitor your ntpd instances, and auto-restart
4941	    ntpd (without -g) if it stops running.
4942   Credit:
4943	This weakness was discovered by Cure53.
4944
4945* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
4946   Date Resolved: 21 Mar 2017
4947   References: Sec 3378 / CVE-2017-6451 / VU#325339
4948   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4949	ntp-4.3.0 up to, but not including ntp-4.3.94.
4950   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
4951   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
4952   Summary:
4953	The legacy MX4200 refclock is only built if it is specifically
4954	enabled, and additional code changes are required to
4955	compile and use it.  But it uses the libc functions snprintf()
4956	and vsnprintf() incorrectly, which can lead to an out-of-bounds
4957	memory write due to an improper handling of the return value of
4958	snprintf()/vsnprintf().  Since the return value is used as an
4959	iterator and it can be larger than the buffer's size, it is
4960	possible for the iterator to point somewhere outside of the
4961	allocated buffer space.  This results in an out-of-bound memory
4962	write.  This behavior can be leveraged to overwrite a saved
4963	instruction pointer on the stack and gain control over the
4964	execution flow.  During testing it was not possible to identify
4965	any malicious usage for this vulnerability.  Specifically, no
4966	way for an attacker to exploit this vulnerability was ultimately
4967	unveiled.  However, it has the potential to be exploited, so the
4968	code should be fixed.
4969   Mitigation, if you have a Magnavox MX4200 refclock:
4970	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4971	    or the NTP Public Services Project Download Page.
4972	Properly monitor your ntpd instances, and auto-restart
4973	    ntpd (without -g) if it stops running.
4974   Credit:
4975	This weakness was discovered by Cure53.
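The snprintf() return-value pitfall described above, as an added example that is not the refclock driver's code: naive_cursor_after() computes where the `cursor += snprintf(...)` pattern would leave its cursor, and build_message() is the clamped form that checks each return value against the space actually left. MSG_SIZE and the name=value field strings are constructed for the demonstration.

```c
/* Added example (not NTP refclock code): the snprintf() return-value
 * pitfall described for mx4200_send().  snprintf() returns the length
 * the output WOULD have had, not the bytes it wrote, so a cursor
 * advanced by that value leaves the buffer as soon as one piece is
 * truncated.  Buffer size and field strings are constructed for the demo. */
#include <stdio.h>
#include <string.h>

#define MSG_SIZE 32                     /* deliberately small */

/* Where the naive pattern  cursor += snprintf(buf + cursor,
 * sizeof buf - cursor, ...)  would leave the cursor.  Computed with
 * snprintf(NULL, 0, ...) so nothing is written: once the result exceeds
 * MSG_SIZE, the next real call would start past the end of the buffer
 * with a size argument that has wrapped around to a huge value. */
size_t naive_cursor_after(const char *const *fields, size_t nfields)
{
    size_t cursor = 0;

    for (size_t i = 0; i < nfields; i++) {
        int n = snprintf(NULL, 0, "%s,", fields[i]);
        if (n > 0)
            cursor += (size_t)n;
    }
    return cursor;
}

/* Hardened builder: checks each return value against the space that is
 * really left, stops at the first piece that does not fit, and reports
 * truncation instead of running on.  Returns strlen(buf). */
size_t build_message(char *buf, size_t cap, const char *const *fields,
                     size_t nfields, int *truncated)
{
    size_t cursor = 0;

    *truncated = 0;
    if (cap == 0) {
        *truncated = 1;
        return 0;
    }
    buf[0] = '\0';
    for (size_t i = 0; i < nfields; i++) {
        int n = snprintf(buf + cursor, cap - cursor, "%s,", fields[i]);
        if (n < 0) {                            /* encoding error */
            *truncated = 1;
            break;
        }
        if ((size_t)n >= cap - cursor) {        /* did not fit: clamp */
            *truncated = 1;
            cursor = cap - 1;                   /* NUL now sits at buf[cap-1] */
            break;
        }
        cursor += (size_t)n;
    }
    return cursor;
}

int main(void)
{
    /* constructed name=value fields, not real refclock traffic */
    const char *fields[] = { "version=4.2.8p10", "stratum=2", "refid=GPS" };
    char buf[MSG_SIZE];
    int truncated;
    size_t len = build_message(buf, sizeof buf, fields, 3, &truncated);

    printf("naive cursor would end at %zu in a %d-byte buffer\n",
           naive_cursor_after(fields, 3), MSG_SIZE);
    printf("hardened: \"%s\" (%zu bytes, truncated=%d)\n",
           buf, len, truncated);
    return 0;
}
```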
4976
4977* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
4978	malicious ntpd (Medium)
4979   Date Resolved: 21 Mar 2017
4980   References: Sec 3377 / CVE-2017-6460 / VU#325339
4981   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
4982	ntp-4.3.0 up to, but not including ntp-4.3.94.
4983   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
4984   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4985   Summary:
4986	A stack buffer overflow in ntpq can be triggered by a malicious
4987	ntpd server when ntpq requests the restriction list from the server.
4988	This is due to a missing length check in the reslist() function.
4989	It occurs whenever the function parses the server's response and
4990	encounters a flagstr variable of an excessive length.  The string
4991	will be copied into a fixed-size buffer, leading to an overflow on
4992	the function's stack-frame.  Note well that this problem requires
4993	a malicious server, and affects ntpq, not ntpd.
4994   Mitigation:
4995	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4996	    or the NTP Public Services Project Download Page
4997	If you can't upgrade your version of ntpq and you want to know
4998	    the reslist of an instance of ntpd that you do not control,
4999	    be aware that a malicious ntpd can send back a response
5000	    that is intended to crash your ntpq process.
5001   Credit:
5002	This weakness was discovered by Cure53.
5003
5004* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
5005   Date Resolved: 21 Mar 2017
5006   References: Sec 3376
5007   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
5008	ntp-4.3.0 up to, but not including ntp-4.3.94.
5009   CVSS2: N/A
5010   CVSS3: N/A
5011   Summary:
5012	The build process for NTP has not, by default, provided compile
5013	or link flags to offer "hardened" security options.  Package
5014	maintainers have always been able to provide hardening security
5015	flags for their builds.  As of ntp-4.2.8p10, the NTP build
5016	system has a way to provide OS-specific hardening flags.  Please
5017	note that this is still not a really great solution because it
5018	is specific to NTP builds.  It's inefficient to have every
5019	package supply, track and maintain this information for every
5020	target build.  It would be much better if there was a common way
5021	for OSes to provide this information in a way that arbitrary
5022	packages could benefit from it.
5023   Mitigation:
5024	Implement BCP-38.
5025	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
5026	    or the NTP Public Services Project Download Page
5027	Properly monitor your ntpd instances, and auto-restart
5028	    ntpd (without -g) if it stops running.
5029   Credit:
5030	This weakness was reported by Cure53.
5031
5032* 0rigin DoS (Medium)
5033   Date Resolved: 21 Mar 2017
5034   References: Sec 3361 / CVE-2016-9042 / VU#325339
5035   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
5036   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
5037   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
5038   Summary:
5039	An exploitable denial of service vulnerability exists in the
5040	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
5041	crafted unauthenticated network packet can be used to reset the
5042	expected origin timestamp for target peers.  Legitimate replies
5043	from targeted peers will fail the origin timestamp check (TEST2)
5044	causing the reply to be dropped and creating a denial of service
5045	condition.  This vulnerability can only be exploited if the
5046	attacker can spoof all of the servers.
5047   Mitigation:
5048	Implement BCP-38.
5049	Configure enough servers/peers that an attacker cannot target
5050	    all of your time sources.
5051	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
5052	    or the NTP Public Services Project Download Page
5053	Properly monitor your ntpd instances, and auto-restart
5054	    ntpd (without -g) if it stops running.
5055   Credit:
5056	This weakness was discovered by Matthew Van Gundy of Cisco.
5057
5058Other fixes:
5059
5060* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
5061* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
5062  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
5063* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
5064* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
5065  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
5066  - original patch by Majdi S. Abbas
5067* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
5068* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
5069  - initial patch by Christos Zoulas
5070* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
5071  - move loader API from 'inline' to proper source
5072  - augment pathless dlls with absolute path to NTPD
5073  - use 'msyslog()' instead of 'printf()' for reporting trouble
5074* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
5075  - applied patch by Matthew Van Gundy
5076* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
5077  - applied some of the patches provided by Havard. Not all of them
5078    still match the current code base, and I did not touch libopt.
5079* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
5080  - applied patch by Reinhard Max. See bugzilla for limitations.
5081* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
5082  - fixed dependency inversion from [Bug 2837]
5083* [Bug 2896] Nothing happens if minsane < maxclock < minclock
5084  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
5085* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
5086  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
5087* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
5088  - Fixed these and some more locations of this pattern.
5089    Probably didn't get them all, though. <perlinger@ntp.org>
5090* Update copyright year.
5091
5092--
5093(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
5094
5095* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
5096  - added missed changeset for automatic openssl lib detection
5097  - fixed some minor warning issues
5098* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
5099* configure.ac cleanup.  stenn@ntp.org
5100* openssl configure cleanup.  stenn@ntp.org
5101
5102--
5103NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
5104
5105Focus: Security, Bug fixes, enhancements.
5106
5107Severity: HIGH
5108
5109In addition to bug fixes and enhancements, this release fixes the
5110following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
51115 low-severity vulnerabilities, and provides 28 other non-security
5112fixes and improvements:
5113
5114* Trap crash
5115   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5116   References: Sec 3119 / CVE-2016-9311 / VU#633847
5117   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
5118   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
5119   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
5120   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
5121   Summary:
5122	ntpd does not enable trap service by default. If trap service
5123	has been explicitly enabled, an attacker can send a specially
5124	crafted packet to cause a null pointer dereference that will
5125	crash ntpd, resulting in a denial of service.
5126   Mitigation:
5127        Implement BCP-38.
5128	Use "restrict default noquery ..." in your ntp.conf file. Only
5129	    allow mode 6 queries from trusted networks and hosts.
5130        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5131	    or the NTP Public Services Project Download Page
5132        Properly monitor your ntpd instances, and auto-restart ntpd
5133	    (without -g) if it stops running.
5134   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5135
5136* Mode 6 information disclosure and DDoS vector
5137   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5138   References: Sec 3118 / CVE-2016-9310 / VU#633847
5139   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
5140	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
5141   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5142   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5143   Summary:
5144	An exploitable configuration modification vulnerability exists
5145	in the control mode (mode 6) functionality of ntpd. If, against
5146	long-standing BCP recommendations, "restrict default noquery ..."
5147	is not specified, a specially crafted control mode packet can set
5148	ntpd traps, providing information disclosure and DDoS
5149	amplification, and unset ntpd traps, disabling legitimate
5150	monitoring. A remote, unauthenticated, network attacker can
5151	trigger this vulnerability.
5152   Mitigation:
5153        Implement BCP-38.
5154	Use "restrict default noquery ..." in your ntp.conf file.
5155        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5156	    or the NTP Public Services Project Download Page
5157        Properly monitor your ntpd instances, and auto-restart ntpd
5158	    (without -g) if it stops running.
5159   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5160
5161* Broadcast Mode Replay Prevention DoS
5162   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5163   References: Sec 3114 / CVE-2016-7427 / VU#633847
5164   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
5165	ntp-4.3.90 up to, but not including ntp-4.3.94.
5166   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5167   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5168   Summary:
5169	The broadcast mode of NTP is expected to only be used in a
5170	trusted network. If the broadcast network is accessible to an
5171	attacker, a potentially exploitable denial of service
5172	vulnerability in ntpd's broadcast mode replay prevention
5173	functionality can be abused. An attacker with access to the NTP
5174	broadcast domain can periodically inject specially crafted
5175	broadcast mode NTP packets into the broadcast domain which,
5176	while being logged by ntpd, can cause ntpd to reject broadcast
5177	mode packets from legitimate NTP broadcast servers.
5178   Mitigation:
5179        Implement BCP-38.
5180        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5181	    or the NTP Public Services Project Download Page
5182        Properly monitor your ntpd instances, and auto-restart ntpd
5183	    (without -g) if it stops running.
5184   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5185
5186* Broadcast Mode Poll Interval Enforcement DoS
5187   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5188   References: Sec 3113 / CVE-2016-7428 / VU#633847
5189   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
5190	ntp-4.3.90 up to, but not including ntp-4.3.94
5191   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5192   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5193   Summary:
5194	The broadcast mode of NTP is expected to only be used in a
5195	trusted network. If the broadcast network is accessible to an
5196	attacker, a potentially exploitable denial of service
5197	vulnerability in ntpd's broadcast mode poll interval enforcement
5198	functionality can be abused. To limit abuse, ntpd restricts the
5199	rate at which each broadcast association will process incoming
5200	packets. ntpd will reject broadcast mode packets that arrive
5201	before the poll interval specified in the preceding broadcast
5202	packet expires. An attacker with access to the NTP broadcast
5203	domain can send specially crafted broadcast mode NTP packets to
5204	the broadcast domain which, while being logged by ntpd, will
5205	cause ntpd to reject broadcast mode packets from legitimate NTP
5206	broadcast servers.
5207   Mitigation:
5208        Implement BCP-38.
5209        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5210	    or the NTP Public Services Project Download Page
5211        Properly monitor your ntpd instances, and auto-restart ntpd
5212	    (without -g) if it stops running.
5213   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5214
5215* Windows: ntpd DoS by oversized UDP packet
5216   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5217   References: Sec 3110 / CVE-2016-9312 / VU#633847
5218   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
5219	and ntp-4.3.0 up to, but not including ntp-4.3.94.
5220   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
5221   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5222   Summary:
5223	If a vulnerable instance of ntpd on Windows receives a crafted
5224	malicious packet that is "too big", ntpd will stop working.
5225   Mitigation:
5226        Implement BCP-38.
5227        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5228	    or the NTP Public Services Project Download Page
5229        Properly monitor your ntpd instances, and auto-restart ntpd
5230	    (without -g) if it stops running.
5231   Credit: This weakness was discovered by Robert Pajak of ABB.
5232
5233* 0rigin (zero origin) issues
5234   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5235   References: Sec 3102 / CVE-2016-7431 / VU#633847
5236   Affects: ntp-4.2.8p8, and ntp-4.3.93.
5237   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
5238   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5239   Summary:
5240	Zero Origin timestamp problems were fixed by Bug 2945 in
5241	ntp-4.2.8p6. However, subsequent timestamp validation checks
5242	introduced a regression in the handling of some Zero origin
5243	timestamp checks.
5244   Mitigation:
5245        Implement BCP-38.
5246        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5247	    or the NTP Public Services Project Download Page
5248        Properly monitor your ntpd instances, and auto-restart ntpd
5249	    (without -g) if it stops running.
5250   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
5251	Malhotra of Boston University.
5252
5253* read_mru_list() does inadequate incoming packet checks
5254   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5255   References: Sec 3082 / CVE-2016-7434 / VU#633847
5256   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
5257	ntp-4.3.0 up to, but not including ntp-4.3.94.
5258   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
5259   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5260   Summary:
5261	If ntpd is configured to allow mrulist query requests from a
5262	server that sends a crafted malicious packet, ntpd will crash
5263	on receipt of that crafted malicious mrulist query packet.
5264   Mitigation:
5265	Only allow mrulist query packets from trusted hosts.
5266        Implement BCP-38.
5267        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5268	    or the NTP Public Services Project Download Page
5269        Properly monitor your ntpd instances, and auto-restart ntpd
5270	    (without -g) if it stops running.
5271   Credit: This weakness was discovered by Magnus Stubman.
5272
5273* Attack on interface selection
5274   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5275   References: Sec 3072 / CVE-2016-7429 / VU#633847
5276   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
5277	ntp-4.3.0 up to, but not including ntp-4.3.94
5278   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
5279   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5280   Summary:
5281	When ntpd receives a server response on a socket that corresponds
5282	to a different interface than was used for the request, the peer
5283	structure is updated to use the interface for new requests. If
5284	ntpd is running on a host with multiple interfaces in separate
5285	networks and the operating system doesn't check the source address
5286	in received packets (e.g. rp_filter on Linux is set to 0), an
5287	attacker that knows the address of the source can send a packet
5288	with a spoofed source address which will cause ntpd to select the
5289	wrong interface for the source and prevent it from sending new requests
5290	until the list of interfaces is refreshed, which happens on
5291	routing changes or every 5 minutes by default. If the attack is
5292	repeated often enough (once per second), ntpd will not be able to
5293	synchronize with the source.
5294   Mitigation:
5295        Implement BCP-38.
5296        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5297	    or the NTP Public Services Project Download Page
5298	If you are going to configure your OS to disable source address
5299	    checks, also configure your firewall configuration to control
5300	    what interfaces can receive packets from what networks.
5301        Properly monitor your ntpd instances, and auto-restart ntpd
5302	    (without -g) if it stops running.
5303   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5304
5305* Client rate limiting and server responses
5306   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5307   References: Sec 3071 / CVE-2016-7426 / VU#633847
5308   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
5309	ntp-4.3.0 up to, but not including ntp-4.3.94
5310   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
5311   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5312   Summary:
5313	When ntpd is configured with rate limiting for all associations
5314	(restrict default limited in ntp.conf), the limits are applied
5315	also to responses received from its configured sources. An
5316	attacker who knows the sources (e.g., from an IPv4 refid in
5317	server response) and knows the system is (mis)configured in this
5318	way can periodically send packets with spoofed source address to
5319	keep the rate limiting activated and prevent ntpd from accepting
5320	valid responses from its sources.
5321
5322	While this blanket rate limiting can be useful to prevent
5323	brute-force attacks on the origin timestamp, it allows this DoS
5324	attack. Similarly, it allows the attacker to prevent mobilization
5325	of ephemeral associations.
5326   Mitigation:
5327        Implement BCP-38.
5328        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5329	    or the NTP Public Services Project Download Page
5330        Properly monitor your ntpd instances, and auto-restart ntpd
5331	    (without -g) if it stops running.
5332   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5333
5334* Fix for bug 2085 broke initial sync calculations
5335   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5336   References: Sec 3067 / CVE-2016-7433 / VU#633847
5337   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
5338	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
5339	root-distance calculation in general is incorrect in all versions
5340	of ntp-4 until this release.
5341   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
5342   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
5343   Summary:
5344	Bug 2085 described a condition where the root delay was included
5345	twice, causing the jitter value to be higher than expected. Due
5346	to a misinterpretation of a small-print variable in The Book, the
5347	fix for this problem was incorrect, resulting in a root distance
5348	that did not include the peer dispersion. The calculations and
5349	formulae have been reviewed and reconciled, and the code has been
5350	updated accordingly.
5351   Mitigation:
5352        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5353	    or the NTP Public Services Project Download Page
5354        Properly monitor your ntpd instances, and auto-restart ntpd
5355	    (without -g) if it stops running.
5356   Credit: This weakness was discovered independently by Brian Utterback of
5357	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
5358
5359Other fixes:
5360
5361* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
5362* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
5363* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
5364  - moved retry decision where it belongs. <perlinger@ntp.org>
5365* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
5366  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
5367* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
5368* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
5369  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
5370* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
5371  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
5372  - added shim layer for SSL API calls with issues (both directions)
5373* [Bug 3089] Serial Parser does not work anymore for hopfser like device
5374  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
5375* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
5376* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
5377  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
5378* [Bug 3067] Root distance calculation needs improvement.  HStenn
5379* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
5380  - PPS-HACK works again.
5381* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
5382  - applied patch by Brian Utterback <brian.utterback@oracle.com>
5383* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
5384* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
5385  <perlinger@ntp.org>
5386  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
5387* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
5388  - Patch provided by Kuramatsu.
5389* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
5390  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
5391* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
5392* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
5393* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
5394* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
5395  - fixed GPS week expansion to work based on build date. Special thanks
5396    to Craig Leres for initial patch and testing.
5397* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
5398  - fixed Makefile.am <perlinger@ntp.org>
5399* [Bug 2689] ATOM driver processes last PPS pulse at startup,
5400             even if it is very old <perlinger@ntp.org>
5401  - make sure PPS source is alive before processing samples
5402  - improve stability close to the 500ms phase jump (phase gate)
5403* Fix typos in include/ntp.h.
5404* Shim X509_get_signature_nid() if needed
5405* git author attribution cleanup
5406* bk ignore file cleanup
5407* remove locks in Windows IO, use rpc-like thread synchronisation instead
5408
5409---
5410NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
5411
5412Focus: Security, Bug fixes, enhancements.
5413
5414Severity: HIGH
5415
5416In addition to bug fixes and enhancements, this release fixes the
5417following 1 high- and 4 low-severity vulnerabilities:
5418
5419* CRYPTO_NAK crash
5420   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5421   References: Sec 3046 / CVE-2016-4957 / VU#321640
5422   Affects: ntp-4.2.8p7, and ntp-4.3.92.
5423   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
5424   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5425   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
5426	could cause ntpd to crash.
5427   Mitigation:
5428        Implement BCP-38.
5429        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5430	    or the NTP Public Services Project Download Page
5431        If you cannot upgrade from 4.2.8p7, the only other alternatives
5432	    are to patch your code or filter CRYPTO_NAK packets.
5433        Properly monitor your ntpd instances, and auto-restart ntpd
5434	    (without -g) if it stops running.
5435   Credit: This weakness was discovered by Nicolas Edet of Cisco.
5436
5437* Bad authentication demobilizes ephemeral associations
5438   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5439   References: Sec 3045 / CVE-2016-4953 / VU#321640
5440   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5441	ntp-4.3.0 up to, but not including ntp-4.3.93.
5442   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5443   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5444   Summary: An attacker who knows the origin timestamp and can send a
5445	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
5446	target before any other response is sent can demobilize that
5447	association.
5448   Mitigation:
5449	Implement BCP-38.
5450	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5451	    or the NTP Public Services Project Download Page
5452	Properly monitor your ntpd instances.
5453   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5454
5455* Processing spoofed server packets
5456   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5457   References: Sec 3044 / CVE-2016-4954 / VU#321640
5458   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5459	ntp-4.3.0 up to, but not including ntp-4.3.93.
5460   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5461   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5462   Summary: An attacker who is able to spoof packets with correct origin
5463	timestamps from enough servers before the expected response
5464	packets arrive at the target machine can affect some peer
5465	variables and, for example, cause a false leap indication to be set.
5466   Mitigation:
5467	Implement BCP-38.
5468	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5469	    or the NTP Public Services Project Download Page
5470	Properly monitor your ntpd instances.
5471   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
5472
5473* Autokey association reset
5474   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5475   References: Sec 3043 / CVE-2016-4955 / VU#321640
5476   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5477	ntp-4.3.0 up to, but not including ntp-4.3.93.
5478   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5479   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5480   Summary: An attacker who is able to spoof a packet with a correct
5481	origin timestamp before the expected response packet arrives at
5482	the target machine can send a CRYPTO_NAK or a bad MAC and cause
5483	the association's peer variables to be cleared. If this can be
5484	done often enough, it will prevent that association from working.
5485   Mitigation:
5486	Implement BCP-38.
5487	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5488	    or the NTP Public Services Project Download Page
5489	Properly monitor your ntpd instances.
5490   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5491
5492* Broadcast interleave
5493   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5494   References: Sec 3042 / CVE-2016-4956 / VU#321640
5495   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5496   	ntp-4.3.0 up to, but not including ntp-4.3.93.
5497   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5498   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5499   Summary: The fix for NtpBug2978 does not cover broadcast associations,
5500   	so broadcast clients can be triggered to flip into interleave mode.
5501   Mitigation:
5502	Implement BCP-38.
5503	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5504	    or the NTP Public Services Project Download Page
5505	Properly monitor your ntpd instances.
5506   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5507
5508Other fixes:
5509* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
5510  - provide build environment
5511  - 'wint_t' and 'struct timespec' defined by VS2015
5512  - fixed print()/scanf() format issues
5513* [Bug 3052] Add a .gitignore file.  Edmund Wong.
5514* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
5515* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
5516  JPerlinger, HStenn.
5517* Fix typo in ntp-wait and plot_summary.  HStenn.
5518* Make sure we have an "author" file for git imports.  HStenn.
5519* Update the sntp problem tests for MacOS.  HStenn.
5520
5521---
5522NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
5523
5524Focus: Security, Bug fixes, enhancements.
5525
5526Severity: MEDIUM
5527
5528When building NTP from source, there is a new configure option
5529available, --enable-dynamic-interleave.  More information on this below.
5530
5531Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
5532versions of ntp.  These events have almost certainly happened in the
5533past, it's just that they were silently counted and not logged.  With
5534the increasing awareness around security, we feel it's better to clearly
5535log these events to help detect abusive behavior.  This increased
5536logging can also help detect other problems, too.
5537
5538In addition to bug fixes and enhancements, this release fixes the
5539following 9 low- and medium-severity vulnerabilities:
5540
5541* Improve NTP security against buffer comparison timing attacks,
5542  AKA: authdecrypt-timing
5543   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5544   References: Sec 2879 / CVE-2016-1550
5545   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5546	4.3.0 up to, but not including 4.3.92
5547   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
5548   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
5549   Summary: Packet authentication tests have been performed using
5550	memcmp() or possibly bcmp(), and it is potentially possible
5551	for a local or perhaps LAN-based attacker to send a packet with
5552	an authentication payload and indirectly observe how much of
5553	the digest has matched.
5554   Mitigation:
5555	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5556	    or the NTP Public Services Project Download Page.
5557	Properly monitor your ntpd instances.
5558   Credit: This weakness was discovered independently by Loganaden
5559   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
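
   A worked illustration of the comparison this entry is about, added here
   by the editor and not part of the NEWS file or of ntpd's code: the
   memcmp()-based check beside a constant-time one, plus a helper that
   counts how many bytes memcmp() must examine before it can answer, which
   is the quantity a timing attacker measures. The 20-byte digest length
   and the two sample digests are assumptions chosen for illustration.

```c
/* Added example, not ntpd code: the leaky memcmp() pattern beside a
 * constant-time comparison.  DIGEST_LEN and the sample digests are
 * assumptions chosen for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIGEST_LEN 20   /* assumption: a SHA-1 sized digest */

/* Constructed sample: a genuine MAC and a forgery whose first three bytes
 * happen to match it. */
static const uint8_t GENUINE[DIGEST_LEN] = {
    0x3a, 0x7f, 0xc2, 0x11, 0x90, 0x4e, 0x8b, 0xd5, 0x66, 0x02,
    0xf8, 0x1d, 0xaa, 0x39, 0xe0, 0x57, 0xcb, 0x24, 0x6d, 0x93 };
static const uint8_t FORGED_3[DIGEST_LEN] = {
    0x3a, 0x7f, 0xc2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

/* Vulnerable pattern: memcmp() stops at the first differing byte, so its
 * running time grows with the length of the matching prefix. */
static int mac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t n)
{
    return memcmp(a, b, n) == 0;
}

/* How many bytes a byte-wise memcmp() has to inspect before it can
 * return: this is what an attacker observes through timing. */
static size_t bytes_inspected(const uint8_t *a, const uint8_t *b, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (a[i] != b[i])
            return i + 1;
    return n;
}

/* Hardened pattern: accumulate the XOR of every byte pair and test the
 * accumulator once.  The loop always runs n times and has no branch that
 * depends on the data, so timing no longer reveals where the mismatch is. */
static int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t n)
{
    volatile uint8_t diff = 0;   /* volatile: keep the compiler from adding an early exit */
    size_t i;
    for (i = 0; i < n; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Verdicts on the constructed inputs, so the two paths can be compared. */
static int ct_accepts_genuine(void)
{
    uint8_t copy[DIGEST_LEN];
    memcpy(copy, GENUINE, DIGEST_LEN);
    return mac_equal_ct(GENUINE, copy, DIGEST_LEN);
}

static int ct_rejects_forgery(void)
{
    return !mac_equal_ct(GENUINE, FORGED_3, DIGEST_LEN);
}

int main(void)
{
    printf("memcmp inspects %zu of %d bytes for the forgery\n",
           bytes_inspected(GENUINE, FORGED_3, DIGEST_LEN), DIGEST_LEN);
    printf("leaky: forgery %s; constant-time: forgery %s, genuine %s\n",
           mac_equal_leaky(GENUINE, FORGED_3, DIGEST_LEN) ? "accepted" : "rejected",
           ct_rejects_forgery() ? "rejected" : "accepted",
           ct_accepts_genuine() ? "accepted" : "rejected");
    return 0;
}
```

   Both comparisons give the same answer for the forgery; the difference
   is only that memcmp() stops after the fourth byte, while the
   constant-time loop touches all twenty regardless of input. The
   volatile accumulator is the usual way to keep an optimizing compiler
   from re-introducing the early exit.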
5560
5561* Zero origin timestamp bypass: Additional KoD checks.
5562   References: Sec 2945 / Sec 2901 / CVE-2015-8138
5563   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.92.
5565
5566* peer associations were broken by the fix for NtpBug2899
5567   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5568   References: Sec 2952 / CVE-2015-7704
5569   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5570   	4.3.0 up to, but not including 4.3.92
5571   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
5572   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
5573   	associations did not address all of the issues.
5574   Mitigation:
5575        Implement BCP-38.
5576        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5577	    or the NTP Public Services Project Download Page
5578        If you can't upgrade, use "server" associations instead of
5579	    "peer" associations.
5580        Monitor your ntpd instances.
5581   Credit: This problem was discovered by Michael Tatarinov.
5582
5583* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
5584   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5585   References: Sec 3007 / CVE-2016-1547 / VU#718152
5586   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5587	4.3.0 up to, but not including 4.3.92
5588   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5590   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
5591	off-path attacker can cause a preemptable client association to
5592	be demobilized by sending a crypto NAK packet to a victim client
5593	with a spoofed source address of an existing associated peer.
5594	This is true even if authentication is enabled.
5595
5596	Furthermore, if the attacker keeps sending crypto NAK packets,
5597	for example one every second, the victim never has a chance to
5598	reestablish the association and synchronize time with that
5599	legitimate server.
5600
5601	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
5602	stringent checks are performed on incoming packets, but there
5603	are still ways to exploit this vulnerability in versions before
5604	ntp-4.2.8p7.
5605   Mitigation:
5606	Implement BCP-38.
5607	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5608	    or the NTP Public Services Project Download Page
5609	Properly monitor your ntpd instances
5610   Credit: This weakness was discovered by Stephen Gray and
5611   	Matthew Van Gundy of Cisco ASIG.
5612
5613* ctl_getitem() return value not always checked
5614   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5615   References: Sec 3008 / CVE-2016-2519
5616   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5617	4.3.0 up to, but not including 4.3.92
5618   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
5619   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5620   Summary: ntpq and ntpdc can be used to store and retrieve information
5621   	in ntpd. It is possible to store a data value that is larger
5622	than the size of the buffer that the ctl_getitem() function of
5623	ntpd uses to report the return value. If the length of the
5624	requested data value returned by ctl_getitem() is too large,
5625	the value NULL is returned instead. There are 2 cases where the
5626	return value from ctl_getitem() was not directly checked to make
5627	sure it's not NULL, but there are subsequent INSIST() checks
5628	that make sure the return value is not NULL. There are no data
5629	values ordinarily stored in ntpd that would exceed this buffer
5630	length. But if one has permission to store values and one stores
5631	a value that is "too large", then ntpd will abort if an attempt
5632	is made to read that oversized value.
   Mitigation:
	Implement BCP-38.
	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
	    or the NTP Public Services Project Download Page
	Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
   	Security Team, Qihoo 360.
5640
5641* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
5642   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5643   References: Sec 3009 / CVE-2016-2518 / VU#718152
5644   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5645	4.3.0 up to, but not including 4.3.92
5646   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
5647   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5648   Summary: Using a crafted packet to create a peer association with
5649   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
5650	out-of-bounds reference.
5651   Mitigation:
5652	Implement BCP-38.
5653	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5654	    or the NTP Public Services Project Download Page
5655	Properly monitor your ntpd instances
5656   Credit: This weakness was discovered by Yihan Lian of the Cloud
5657   	Security Team, Qihoo 360.
5658
5659* remote configuration trustedkey/requestkey/controlkey values are not
5660	properly validated
5661   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5662   References: Sec 3010 / CVE-2016-2517 / VU#718152
5663   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5664	4.3.0 up to, but not including 4.3.92
5665   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
5666   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5667   Summary: If ntpd was expressly configured to allow for remote
5668   	configuration, a malicious user who knows the controlkey for
5669	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
5670	can create a session with ntpd and then send a crafted packet to
5671	ntpd that will change the value of the trustedkey, controlkey,
5672	or requestkey to a value that will prevent any subsequent
5673	authentication with ntpd until ntpd is restarted.
5674   Mitigation:
5675	Implement BCP-38.
5676	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5677	    or the NTP Public Services Project Download Page
5678	Properly monitor your ntpd instances
5679   Credit: This weakness was discovered by Yihan Lian of the Cloud
5680   	Security Team, Qihoo 360.
5681
5682* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
5683   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5684   References: Sec 3011 / CVE-2016-2516 / VU#718152
5685   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5686   	4.3.0 up to, but not including 4.3.92
5687   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
5688   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5689   Summary: If ntpd was expressly configured to allow for remote
5690   	configuration, a malicious user who knows the controlkey for
5691	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
5692	can create a session with ntpd and if an existing association is
5693	unconfigured using the same IP twice on the unconfig directive
5694	line, ntpd will abort.
5695   Mitigation:
5696	Implement BCP-38.
5697	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5698	    or the NTP Public Services Project Download Page
5699	Properly monitor your ntpd instances
5700   Credit: This weakness was discovered by Yihan Lian of the Cloud
5701   	Security Team, Qihoo 360.
5702
5703* Refclock impersonation vulnerability
5704   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5705   References: Sec 3020 / CVE-2016-1551
5706   Affects: On a very limited number of OSes, all NTP releases up to but
5707	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
5708	By "very limited number of OSes" we mean no general-purpose OSes
5709	have yet been identified that have this vulnerability.
5710   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
5711   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
5712   Summary: While most OSes implement martian packet filtering in their
5713   	network stack, at least regarding 127.0.0.0/8, some will allow
5714	packets claiming to be from 127.0.0.0/8 that arrive over a
5715	physical network. On these OSes, if ntpd is configured to use a
5716	reference clock an attacker can inject packets over the network
5717	that look like they are coming from that reference clock.
5718   Mitigation:
5719        Implement martian packet filtering and BCP-38.
5720        Configure ntpd to use an adequate number of time sources.
5721        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5722	    or the NTP Public Services Project Download Page
5723        If you are unable to upgrade and if you are running an OS that
5724	    has this vulnerability, implement martian packet filters and
5725	    lobby your OS vendor to fix this problem, or run your
5726	    refclocks on computers that use OSes that are not vulnerable
5727	    to these attacks and have your vulnerable machines get their
5728	    time from protected resources.
5729        Properly monitor your ntpd instances.
5730   Credit: This weakness was discovered by Matt Street and others of
5731   	Cisco ASIG.
5732
5733The following issues were fixed in earlier releases and contain
5734improvements in 4.2.8p7:
5735
5736* Clients that receive a KoD should validate the origin timestamp field.
5737   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
5738   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
5739   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
5740
5741* Skeleton key: passive server with trusted key can serve time.
5742   References: Sec 2936 / CVE-2015-7974
5743   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
   Summary: Improvements to the fixes incorporated in 4.2.8p6 and 4.3.90.
5745
5746Two other vulnerabilities have been reported, and the mitigations
5747for these are as follows:
5748
5749* Interleave-pivot
5750   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5751   References: Sec 2978 / CVE-2016-1548
5752   Affects: All ntp-4 releases.
5753   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   CVSSv3: HIGH 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
5755   Summary: It is possible to change the time of an ntpd client or deny
5756   	service to an ntpd client by forcing it to change from basic
5757	client/server mode to interleaved symmetric mode. An attacker
5758	can spoof a packet from a legitimate ntpd server with an origin
5759	timestamp that matches the peer->dst timestamp recorded for that
5760	server. After making this switch, the client will reject all
5761	future legitimate server responses. It is possible to force the
5762	victim client to move time after the mode has been changed.
5763	ntpq gives no indication that the mode has been switched.
5764   Mitigation:
5765        Implement BCP-38.
5766        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5767	    or the NTP Public Services Project Download Page.  These
5768	    versions will not dynamically "flip" into interleave mode
5769	    unless configured to do so.
5770        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat
5772   	and separately by Jonathan Gardner of Cisco ASIG.
5773
5774* Sybil vulnerability: ephemeral association attack
5775   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5776   References: Sec 3012 / CVE-2016-1549
5777   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5778   	4.3.0 up to, but not including 4.3.92
5779   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
5781   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
5782   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
5783	field in the ntp.keys file to specify which IPs can serve time,
5784	a malicious authenticated peer can create arbitrarily-many
5785	ephemeral associations in order to win the clock selection of
5786	ntpd and modify a victim's clock.
5787   Mitigation:
5788        Implement BCP-38.
5789        Use the 4th field in the ntp.keys file to specify which IPs
5790	    can be time servers.
5791        Properly monitor your ntpd instances.
5792   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
5793
5794Other fixes:
5795
* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
5797  - fixed yet another race condition in the threaded resolver code.
5798* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
5799* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
  - integrated patches by Loganaden Velvindron <logan@ntp.org>
5801    with some modifications & unit tests
5802* [Bug 2960] async name resolution fixes for chroot() environments.
5803  Reinhard Max.
5804* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
5805* [Bug 2995] Fixes to compile on Windows
5806* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
5807* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
5808  - Patch provided by Ch. Weisgerber
5809* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
5810  - A change related to [Bug 2853] forbids trailing white space in
5811    remote config commands. perlinger@ntp.org
5812* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
5813  - report and patch from Aleksandr Kostikov.
5814  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
5815* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
5816  - fixed memory leak in access list (auth[read]keys.c)
5817  - refactored handling of key access lists (auth[read]keys.c)
5818  - reduced number of error branches (authreadkeys.c)
5819* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
5820* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
5822             when the time of server changed. perlinger@ntp.org
5823  - Check the initial delay calculation and reject/unpeer the broadcast
5824    server if the delay exceeds 50ms. Retry again after the next
5825    broadcast packet.
5826* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
* Document ntp.key's optional IP list in authentic.html.  Harlan Stenn.
5828* Update html/xleave.html documentation.  Harlan Stenn.
5829* Update ntp.conf documentation.  Harlan Stenn.
5830* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
5831* Fix typo in html/monopt.html.  Harlan Stenn.
5832* Add README.pullrequests.  Harlan Stenn.
5833* Cleanup to include/ntp.h.  Harlan Stenn.
5834
5835New option to 'configure':
5836
5837While looking in to the issues around Bug 2978, the "interleave pivot"
5838issue, it became clear that there are some intricate and unresolved
5839issues with interleave operations.  We also realized that the interleave
5840protocol was never added to the NTPv4 Standard, and it should have been.
5841
5842Interleave mode was first released in July of 2008, and can be engaged
5843in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
5845for that association.  Additionally, if a time packet arrives and is
5846found inconsistent with normal protocol behavior but has certain
5847characteristics that are compatible with interleave mode, NTP will
5848dynamically switch to interleave mode.  With sufficient knowledge, an
5849attacker can send a crafted forged packet to an NTP instance that
5850triggers only one side to enter interleaved mode.
5851
5852To prevent this attack until we can thoroughly document, describe,
5853fix, and test the dynamic interleave mode, we've added a new
5854'configure' option to the build process:
5855
5856 --enable-dynamic-interleave
5857
5858This option controls whether or not NTP will, if conditions are right,
5859engage dynamic interleave mode.  Dynamic interleave mode is disabled by
5860default in ntp-4.2.8p7.
5861
5862---
5863NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
5864
5865Focus: Security, Bug fixes, enhancements.
5866
5867Severity: MEDIUM
5868
5869In addition to bug fixes and enhancements, this release fixes the
5870following 1 low- and 8 medium-severity vulnerabilities:
5871
5872* Potential Infinite Loop in 'ntpq'
5873   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5874   References: Sec 2548 / CVE-2015-8158
5875   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5876	4.3.0 up to, but not including 4.3.90
5877   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5878   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
5879   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
5880	The loop's only stopping conditions are receiving a complete and
5881	correct response or hitting a small number of error conditions.
5882	If the packet contains incorrect values that don't trigger one of
5883	the error conditions, the loop continues to receive new packets.
5884	Note well, this is an attack against an instance of 'ntpq', not
5885	'ntpd', and this attack requires the attacker to do one of the
5886	following:
5887	* Own a malicious NTP server that the client trusts
5888	* Prevent a legitimate NTP server from sending packets to
5889	    the 'ntpq' client
5890	* MITM the 'ntpq' communications between the 'ntpq' client
5891	    and the NTP server
5892   Mitigation:
5893	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5894	or the NTP Public Services Project Download Page
5895   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
5896
5897* 0rigin: Zero Origin Timestamp Bypass
5898   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5899   References: Sec 2945 / CVE-2015-8138
5900   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5901	4.3.0 up to, but not including 4.3.90
5902   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
5903   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
	(3.7 - LOW if you score AC:H)
5905   Summary: To distinguish legitimate peer responses from forgeries, a
5906	client attempts to verify a response packet by ensuring that the
5907	origin timestamp in the packet matches the origin timestamp it
5908	transmitted in its last request.  A logic error exists that
5909	allows packets with an origin timestamp of zero to bypass this
5910	check whenever there is not an outstanding request to the server.
5911   Mitigation:
5912	Configure 'ntpd' to get time from multiple sources.
5913	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5914	    or the NTP Public Services Project Download Page.
5915	Monitor your 'ntpd' instances.
   Credit: This weakness was discovered by Matthew Van Gundy and
5917	Jonathan Gardner of Cisco ASIG.
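
   The unvalidated crypto-NAK (Sec 3007 / CVE-2016-1547, in the 4.2.8p7
   section above) and the zero-origin bypass of this entry both come down
   to the same origin-timestamp test, so one added example covers both.
   It is editor-written illustration, not ntpd code: a minimal response
   handler with the vulnerable logic as the two advisories describe it
   beside the fixed logic. The 48-byte header, the origin timestamp at
   offset 24 and the crypto-NAK as a 4-byte MAC field carrying key id 0
   follow NTPv4; the state names, verdicts and sample timestamps are
   assumptions.

```c
/* Added example, not ntpd code: the origin-timestamp check a client applies
 * to a response, with the zero-origin logic error and the unvalidated
 * crypto-NAK beside their fixed forms.  The 48-byte header, the origin
 * timestamp at offset 24 and a MAC of key id plus digest follow NTPv4;
 * the state names, verdicts and sample timestamps are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HDR_LEN    48
#define ORG_OFFSET     24
#define CRYPTO_NAK_LEN 4   /* MAC field of a crypto-NAK: key id 0, no digest */

/* One association: transmit timestamp of the request we await (0 = none
 * outstanding) and whether it is still mobilized. */
typedef struct { uint64_t xmt; int mobilized; } peer_state;

typedef enum {
    V_ACCEPT,         /* response echoed our outstanding request */
    V_BOGUS,          /* origin mismatch: drop it */
    V_MALFORMED,      /* shorter than a header */
    V_NAK_DEMOBILIZE, /* crypto-NAK acted upon */
    V_NAK_DROP        /* crypto-NAK ignored: failed the origin test */
} verdict;

static uint64_t be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v = (v << 8) | p[i];
    return v;
}

/* Vulnerable test, modelled on the advisory's description: with no request
 * outstanding, a zero origin timestamp is accepted. */
static int origin_ok_vulnerable(const peer_state *p, uint64_t org)
{
    return p->xmt == 0 ? org == 0 : org == p->xmt;   /* BUG: zero-origin bypass */
}

/* Fixed test: the response must echo an outstanding request; zero never matches. */
static int origin_ok_fixed(const peer_state *p, uint64_t org)
{
    return p->xmt != 0 && org != 0 && org == p->xmt;
}

/* Process one response.  In the fixed path a crypto-NAK must pass the same
 * origin test as any other response before it may demobilize the
 * association; in the vulnerable path it is honoured unconditionally. */
static verdict process_response(peer_state *p, const uint8_t *pkt, size_t len, int use_fix)
{
    if (len < NTP_HDR_LEN)
        return V_MALFORMED;
    uint64_t org = be64(pkt + ORG_OFFSET);
    int ok = use_fix ? origin_ok_fixed(p, org) : origin_ok_vulnerable(p, org);
    int is_nak = (len == NTP_HDR_LEN + CRYPTO_NAK_LEN) &&
                 memcmp(pkt + NTP_HDR_LEN, "\0\0\0\0", CRYPTO_NAK_LEN) == 0;

    if (is_nak) {
        if (use_fix && !ok)
            return V_NAK_DROP;
        p->mobilized = 0;
        p->xmt = 0;
        return V_NAK_DEMOBILIZE;
    }
    if (!ok)
        return V_BOGUS;
    p->xmt = 0;   /* answered: a replay of this response now fails the test */
    return V_ACCEPT;
}

/* Build a constructed mode-4 response with the given origin timestamp,
 * optionally with a crypto-NAK MAC field.  Returns its length. */
static size_t make_response(uint8_t *buf, uint64_t org, int nak)
{
    memset(buf, 0, NTP_HDR_LEN + CRYPTO_NAK_LEN);
    buf[0] = 0x24;   /* LI 0, VN 4, mode 4 (server) */
    for (int i = 7; i >= 0; i--, org >>= 8)
        buf[ORG_OFFSET + i] = (uint8_t)org;
    return nak ? NTP_HDR_LEN + CRYPTO_NAK_LEN : NTP_HDR_LEN;
}

#define REQ_XMT 0xE3D6C2A100000001ULL   /* constructed transmit timestamp */

/* One scenario: association state xmt, incoming origin org, NAK or not,
 * vulnerable (0) or fixed (1) path. */
static verdict scenario(uint64_t xmt, uint64_t org, int nak, int use_fix)
{
    peer_state p = { xmt, 1 };
    uint8_t buf[NTP_HDR_LEN + CRYPTO_NAK_LEN];
    size_t n = make_response(buf, org, nak);
    return process_response(&p, buf, n, use_fix);
}

int main(void)
{
    /* idle client, spoofed zero-origin reply; waiting client, spoofed
     * crypto-NAK with a guessed origin; waiting client, genuine reply */
    printf("zero-origin idle: %d/%d  spoofed NAK: %d/%d  genuine: %d/%d (vulnerable/fixed)\n",
           scenario(0, 0, 0, 0), scenario(0, 0, 0, 1),
           scenario(REQ_XMT, 0x1234, 1, 0), scenario(REQ_XMT, 0x1234, 1, 1),
           scenario(REQ_XMT, REQ_XMT, 0, 0), scenario(REQ_XMT, REQ_XMT, 0, 1));
    return 0;
}
```

   The point to take from the scenarios: the fixed path treats a
   crypto-NAK as just another response that has to prove it answers an
   outstanding request, and it never lets a zero origin stand in for
   that proof, so an off-path sender who cannot see the client's
   transmit timestamp gets V_BOGUS or V_NAK_DROP rather than a
   demobilized association. Clearing xmt once a response is accepted is
   what makes a replay of that same response fail the next time.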
5918
5919* Stack exhaustion in recursive traversal of restriction list
5920   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
5921   References: Sec 2940 / CVE-2015-7978
5922   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5923	4.3.0 up to, but not including 4.3.90
5924   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5925   Summary: An unauthenticated 'ntpdc reslist' command can cause a
5926   	segmentation fault in ntpd by exhausting the call stack.
5927   Mitigation:
5928	Implement BCP-38.
5929	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5930	    or the NTP Public Services Project Download Page.
5931	If you are unable to upgrade:
5932            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
5933	    If you must enable mode 7:
5934		configure the use of a 'requestkey' to control who can
5935		    issue mode 7 requests.
5936		configure 'restrict noquery' to further limit mode 7
5937		    requests to trusted sources.
5938		Monitor your ntpd instances.
5939   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
5940
* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
5942   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5943   References: Sec 2942 / CVE-2015-7979
5944   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5945	4.3.0 up to, but not including 4.3.90
5946   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
5947   Summary: An off-path attacker can send broadcast packets with bad
5948	authentication (wrong key, mismatched key, incorrect MAC, etc)
5949	to broadcast clients. It is observed that the broadcast client
5950	tears down the association with the broadcast server upon
5951	receiving just one bad packet.
5952   Mitigation:
5953	Implement BCP-38.
5954	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5955	or the NTP Public Services Project Download Page.
5956	Monitor your 'ntpd' instances.
5957	If this sort of attack is an active problem for you, you have
5958	    deeper problems to investigate.  In this case also consider
5959	    having smaller NTP broadcast domains.
5960   Credit: This weakness was discovered by Aanchal Malhotra of Boston
5961   	University.
5962
5963* reslist NULL pointer dereference
5964   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5965   References: Sec 2939 / CVE-2015-7977
5966   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5967	4.3.0 up to, but not including 4.3.90
5968   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5969   Summary: An unauthenticated 'ntpdc reslist' command can cause a
5970	segmentation fault in ntpd by causing a NULL pointer dereference.
5971   Mitigation:
5972	Implement BCP-38.
5973	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
5974	the NTP Public Services Project Download Page.
5975	If you are unable to upgrade:
5976	    mode 7 is disabled by default.  Don't enable it.
5977	    If you must enable mode 7:
5978		configure the use of a 'requestkey' to control who can
5979		    issue mode 7 requests.
5980		configure 'restrict noquery' to further limit mode 7
5981		    requests to trusted sources.
5982	Monitor your ntpd instances.
5983   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
5984
5985* 'ntpq saveconfig' command allows dangerous characters in filenames.
5986   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5987   References: Sec 2938 / CVE-2015-7976
5988   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5989	4.3.0 up to, but not including 4.3.90
5990   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
5991   Summary: The ntpq saveconfig command does not do adequate filtering
5992   	of special characters from the supplied filename.
5993	Note well: The ability to use the saveconfig command is controlled
5994	by the 'restrict nomodify' directive, and the recommended default
5995	configuration is to disable this capability.  If the ability to
5996	execute a 'saveconfig' is required, it can easily (and should) be
5997	limited and restricted to a known small number of IP addresses.
5998   Mitigation:
5999	Implement BCP-38.
6000	use 'restrict default nomodify' in your 'ntp.conf' file.
6001	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
6002	If you are unable to upgrade:
6003	    build NTP with 'configure --disable-saveconfig' if you will
6004	    	never need this capability, or
6005	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
6006		careful about what IPs have the ability to send 'modify'
6007		requests to 'ntpd'.
6008	Monitor your ntpd instances.
6009	'saveconfig' requests are logged to syslog - monitor your syslog files.
6010   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
6011
6012* nextvar() missing length check in ntpq
6013   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6014   References: Sec 2937 / CVE-2015-7975
6015   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6016	4.3.0 up to, but not including 4.3.90
6017   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
6018	If you score A:C, this becomes 4.0.
6019   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
6020   Summary: ntpq may call nextvar() which executes a memcpy() into the
6021	name buffer without a proper length check against its maximum
	length of 256 bytes. Note well that we're talking about ntpq here.
6023	The usual worst-case effect of this vulnerability is that the
6024	specific instance of ntpq will crash and the person or process
6025	that did this will have stopped themselves.
6026   Mitigation:
6027	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
6028	    or the NTP Public Services Project Download Page.
6029	If you are unable to upgrade:
6030	    If you have scripts that feed input to ntpq make sure there are
6031		some sanity checks on the input received from the "outside".
6032	    This is potentially more dangerous if ntpq is run as root.
6033   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
6034
6035* Skeleton Key: Any trusted key system can serve time
6036   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6037   References: Sec 2936 / CVE-2015-7974
6038   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6039	4.3.0 up to, but not including 4.3.90
6040   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
6041   Summary: Symmetric key encryption uses a shared trusted key. The
6042	reported title for this issue was "Missing key check allows
6043	impersonation between authenticated peers" and the report claimed
6044	"A key specified only for one server should only work to
6045	authenticate that server, other trusted keys should be refused."
6046	Except there has never been any correlation between this trusted
6047	key and server v. clients machines and there has never been any
6048	way to specify a key only for one server. We have treated this as
6049	an enhancement request, and ntp-4.2.8p6 includes other checks and
6050	tests to strengthen clients against attacks coming from broadcast
6051	servers.
6052   Mitigation:
6053	Implement BCP-38.
6054	If this scenario represents a real or a potential issue for you,
6055	    upgrade to 4.2.8p6, or later, from the NTP Project Download
6056	    Page or the NTP Public Services Project Download Page, and
6057	    use the new field in the ntp.keys file that specifies the list
6058	    of IPs that are allowed to serve time. Note that this alone
6059	    will not protect against time packets with forged source IP
6060	    addresses, however other changes in ntp-4.2.8p6 provide
6061	    significant mitigation against broadcast attacks. MITM attacks
6062	    are a different story.
6063	If you are unable to upgrade:
6064	    Don't use broadcast mode if you cannot monitor your client
6065		servers.
6066	    If you choose to use symmetric keys to authenticate time
6067		packets in a hostile environment where ephemeral time
6068		servers can be created, or if it is expected that malicious
6069		time servers will participate in an NTP broadcast domain,
6070		limit the number of systems that participate in the
6071		shared-key group.
6072	Monitor your ntpd instances.
6073   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
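As an added illustration of the per-key IP list mentioned above (this is not code from the NTP project): a small parser for ntp.keys lines in the 4.2.8p6 form `keyno type secret [ip,ip/nn,...]`, plus the admission check a client would apply to a packet's source address before accepting that key. The trailing-field syntax is assumed from the keys documentation; confirm it against the keys.html shipped with your release. Only IPv4 is handled, the key secrets are constructed placeholders, and, as the advisory says, this check alone does nothing against a forged source address.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ACL 8   /* constructed limit for this illustration */

typedef struct { uint32_t addr; uint32_t mask; } v4_net_t;

typedef struct {
    int      keyno;
    char     type[16];
    char     secret[64];
    int      nacl;            /* 0 = no address restriction (pre-4.2.8p6 behaviour) */
    v4_net_t acl[MAX_ACL];
} ntp_key_t;

/* Parse a dotted quad into host byte order; false if malformed or out of range. */
static bool parse_v4_addr(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

/* Parse "a.b.c.d" (an exact host) or "a.b.c.d/nn" (a prefix) into a network. */
static bool parse_v4_net(const char *s, v4_net_t *net)
{
    char tmp[32];
    long prefix = 32;
    if (strlen(s) >= sizeof tmp) return false;
    strcpy(tmp, s);
    char *slash = strchr(tmp, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32) return false;
    }
    if (!parse_v4_addr(tmp, &net->addr)) return false;
    net->mask = prefix == 0 ? 0u : 0xFFFFFFFFu << (32 - prefix);
    return true;
}

/* Parse one "keyno type secret [ip-list]" line. Comments and malformed lines
   return false; a line without the optional fourth field yields nacl == 0. */
bool parse_key_line(const char *line, ntp_key_t *k)
{
    char list[256];
    memset(k, 0, sizeof *k);
    int n = sscanf(line, "%d %15s %63s %255s", &k->keyno, k->type, k->secret, list);
    if (n < 3 || k->keyno <= 0) return false;
    if (n == 3) return true;
    for (char *e = strtok(list, ","); e != NULL; e = strtok(NULL, ",")) {
        if (k->nacl >= MAX_ACL || !parse_v4_net(e, &k->acl[k->nacl])) return false;
        k->nacl++;
    }
    return k->nacl > 0;
}

/* May a packet claiming to come from src_ip authenticate with this key? */
bool key_allows_source(const ntp_key_t *k, const char *src_ip)
{
    uint32_t h;
    if (k->nacl == 0) return true;            /* unrestricted key */
    if (!parse_v4_addr(src_ip, &h)) return false;
    for (int i = 0; i < k->nacl; i++)
        if ((h & k->acl[i].mask) == (k->acl[i].addr & k->acl[i].mask)) return true;
    return false;
}

int main(void)
{
    /* Constructed ntp.keys lines with placeholder secrets. */
    const char *lines[] = { "1 MD5 s3cret 192.168.1.0/24,10.0.0.5", "2 SHA1 abcdef" };
    const char *srcs[]  = { "192.168.1.77", "10.0.0.6", "203.0.113.9" };
    for (size_t i = 0; i < 2; i++) {
        ntp_key_t k;
        if (!parse_key_line(lines[i], &k)) { printf("bad line: %s\n", lines[i]); continue; }
        for (size_t j = 0; j < 3; j++)
            printf("key %d from %-14s: %s\n", k.keyno, srcs[j],
                   key_allows_source(&k, srcs[j]) ? "allowed" : "refused");
    }
    return 0;
}
```

Key 1 is usable only by hosts in 192.168.1.0/24 or by 10.0.0.5; key 2 keeps the old behaviour and is accepted from any address, which is why the advisory suggests limiting membership of the shared-key group.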
6074
6075* Deja Vu: Replay attack on authenticated broadcast mode
6076   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6077   References: Sec 2935 / CVE-2015-7973
6078   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6079   	4.3.0 up to, but not including 4.3.90
6080   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
6081   Summary: If an NTP network is configured for broadcast operations then
6082   	either a man-in-the-middle attacker or a malicious participant
6083	that has the same trusted keys as the victim can replay time packets.
6084   Mitigation:
6085	Implement BCP-38.
6086	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
6087	    or the NTP Public Services Project Download Page.
6088	If you are unable to upgrade:
6089	    Don't use broadcast mode if you cannot monitor your client servers.
6090	Monitor your ntpd instances.
6091   Credit: This weakness was discovered by Aanchal Malhotra of Boston
6092	University.
6093
6094Other fixes:
6095
6096* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
6097* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
6098  - applied patch by shenpeng11@huawei.com with minor adjustments
6099* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
6100* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
6101* [Bug 2892] Several test cases assume IPv6 capabilities even when
6102             IPv6 is disabled in the build. perlinger@ntp.org
6103  - Found this already fixed, but validation led to cleanup actions.
6104* [Bug 2905] DNS lookups broken. perlinger@ntp.org
6105  - added limits to stack consumption, fixed some return code handling
6106* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
6107  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
6108  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
6109* [Bug 2980] reduce number of warnings. perlinger@ntp.org
6110  - integrated several patches from Havard Eidnes (he@uninett.no)
6111* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
6112  - implement 'auth_log2()' using integer bithack instead of float calculation
6113* Make leapsec_query debug messages less verbose.  Harlan Stenn.
6114
6115---
6116NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
6117
6118Focus: Security, Bug fixes, enhancements.
6119
6120Severity: MEDIUM
6121
6122In addition to bug fixes and enhancements, this release fixes the
6123following medium-severity vulnerability:
6124
6125* Small-step/big-step.  Close the panic gate earlier.
6126    References: Sec 2956, CVE-2015-5300
6127    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
6128	4.3.0 up to, but not including 4.3.78
6129    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
6130    Summary: If ntpd is always started with the -g option, which is
6131	common and against long-standing recommendation, and if at the
6132	moment ntpd is restarted an attacker can immediately respond to
6133	enough requests from enough sources trusted by the target, which
6134	is difficult and not common, there is a window of opportunity
6135	where the attacker can cause ntpd to set the time to an
6136	arbitrary value. Similarly, if an attacker is able to respond
6137	to enough requests from enough sources trusted by the target,
6138	the attacker can cause ntpd to abort and restart, at which
6139	point it can tell the target to set the time to an arbitrary
6140	value if and only if ntpd was re-started against long-standing
6141	recommendation with the -g flag, or if ntpd was not given the
6142	-g flag, the attacker can move the target system's time by at
6143	most 900 seconds' time per attack.
6144    Mitigation:
6145	Configure ntpd to get time from multiple sources.
6146	Upgrade to 4.2.8p5, or later, from the NTP Project Download
6147	    Page or the NTP Public Services Project Download Page
6148	As we've long documented, only use the -g option to ntpd in
6149	    cold-start situations.
6150	Monitor your ntpd instances.
6151    Credit: This weakness was discovered by Aanchal Malhotra,
6152	Isaac E. Cohen, and Sharon Goldberg at Boston University.
6153
6154    NOTE WELL: The -g flag disables the limit check on the panic_gate
6155	in ntpd, which is 900 seconds by default. The bug identified by
6156	the researchers at Boston University is that the panic_gate
6157	check was only re-enabled after the first change to the system
6158	clock that was greater than 128 milliseconds, by default. The
6159	correct behavior is that the panic_gate check should be
6160	re-enabled after any initial time correction.
6161
6162	If an attacker is able to inject consistent but erroneous time
6163	responses to your systems via the network or "over the air",
6164	perhaps by spoofing radio, cellphone, or navigation satellite
6165	transmissions, they are in a great position to affect your
6166	system's clock. There comes a point where your very best
6167	defenses include:
6168
6169	    Configure ntpd to get time from multiple sources.
6170	    Monitor your ntpd instances.
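The NOTE WELL above describes a state-machine bug: with -g, the panic gate stayed open after a small initial slew. As an added illustration (a simplified model written for this page, not ntpd's clock-discipline code), the following compares the pre-4.2.8p5 behaviour with the corrected one using the defaults the advisory names, a 900 s panic gate and a 128 ms step threshold. The offset sequences are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

#define PANIC_GATE_SECS 900.0   /* default panic gate, as stated in the advisory */
#define STEP_THRESHOLD  0.128   /* default step threshold, 128 ms */

typedef struct {
    bool   allow_panic; /* -g in effect: one correction may exceed the panic gate */
    bool   fixed;       /* true = 4.2.8p5 behaviour, false = pre-4.2.8p5 behaviour */
    double clock;       /* total correction applied so far, seconds (simulated) */
} panic_gate_t;

typedef enum { CORR_APPLIED, CORR_PANIC } corr_result_t;

static double absd(double x) { return x < 0.0 ? -x : x; }

void panic_gate_init(panic_gate_t *g, bool with_g_flag, bool fixed)
{
    g->allow_panic = with_g_flag;
    g->fixed = fixed;
    g->clock = 0.0;
}

/* Apply one measured offset. CORR_PANIC means ntpd would refuse the
   correction and exit instead of moving the clock. */
corr_result_t panic_gate_apply(panic_gate_t *g, double offset)
{
    if (absd(offset) > PANIC_GATE_SECS && !g->allow_panic)
        return CORR_PANIC;
    g->clock += offset;
    if (g->fixed) {
        /* Corrected: any initial correction closes the gate. */
        g->allow_panic = false;
    } else if (absd(offset) > STEP_THRESHOLD) {
        /* Buggy: only a step larger than 128 ms closed the gate, so a small
           initial slew left the one-time -g exemption armed. */
        g->allow_panic = false;
    }
    return CORR_APPLIED;
}

/* Feed a sequence of offsets; return the index of the first refused one, or -1. */
int panic_gate_run(bool with_g_flag, bool fixed, const double *offsets, int n)
{
    panic_gate_t g;
    panic_gate_init(&g, with_g_flag, fixed);
    for (int i = 0; i < n; i++)
        if (panic_gate_apply(&g, offsets[i]) == CORR_PANIC)
            return i;
    return -1;
}

int main(void)
{
    /* Constructed scenario: a 50 ms first correction, then a 5000 s jump. */
    const double seq[] = { 0.05, 5000.0 };
    printf("pre-fix, -g : first refused = %d\n", panic_gate_run(true,  false, seq, 2));
    printf("4.2.8p5, -g : first refused = %d\n", panic_gate_run(true,  true,  seq, 2));
    printf("no -g       : first refused = %d\n", panic_gate_run(false, true,  seq, 2));
    return 0;
}
```

In the pre-fix model the 5000 s jump is accepted (index -1) because the 50 ms slew never closed the gate; the corrected model refuses it, as does any run without -g.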
6171
6172Other fixes:
6173
6174* Coverity submission process updated from Coverity 5 to Coverity 7.
6175  The NTP codebase has been undergoing regular Coverity scans on an
6176  ongoing basis since 2006.  As part of our recent upgrade from
6177  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
6178  the newly-written Unity test programs.  These were fixed.
6179* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
6180* [Bug 2887] stratum -1 config results as showing value 99
6181  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
6182* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
6183* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
6184* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
6185  - applied patch by Christos Zoulas.  perlinger@ntp.org
6186* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
6187* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
6188  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
6189  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
6190* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
6191  - accept key file only if there are no parsing errors
6192  - fixed size_t/u_int format clash
6193  - fixed wrong use of 'strlcpy'
6194* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
6195* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
6196  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
6197  - promote use of 'size_t' for values that express a size
6198  - use ptr-to-const for read-only arguments
6199  - make sure SOCKET values are not truncated (win32-specific)
6200  - format string fixes
6201* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
6202* [Bug 2967] ntpdate command suffers an assertion failure
6203  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
6204* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
6205              lots of clients. perlinger@ntp.org
6206* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
6207  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
6208* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
6209* Unity test cleanup.  Harlan Stenn.
6210* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
6211* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
6212* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
6213* Quiet a warning from clang.  Harlan Stenn.
6214
6215---
6216NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
6217
6218Focus: Security, Bug fixes, enhancements.
6219
6220Severity: MEDIUM
6221
6222In addition to bug fixes and enhancements, this release fixes the
6223following 13 low- and medium-severity vulnerabilities:
6224
6225* Incomplete vallen (value length) checks in ntp_crypto.c, leading
6226  to potential crashes or potential code injection/information leakage.
6227
6228    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
6229    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6230    	and 4.3.0 up to, but not including 4.3.77
6231    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
6232    Summary: The fix for CVE-2014-9750 was incomplete in that there were
6233    	certain code paths where a packet with particular autokey operations
6234	that contained malicious data was not always being completely
6235	validated. Receipt of these packets can cause ntpd to crash.
6236    Mitigation:
6237        Don't use autokey.
6238	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6239	    Page or the NTP Public Services Project Download Page
6240	Monitor your ntpd instances.
6241    Credit: This weakness was discovered by Tenable Network Security.
6242
6243* Clients that receive a KoD should validate the origin timestamp field.
6244
6245    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
6246    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6247	and 4.3.0 up to, but not including 4.3.77
6248    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
6249    Summary: An ntpd client that honors Kiss-of-Death responses will honor
6250    	KoD messages that have been forged by an attacker, causing it to
6251	delay or stop querying its servers for time updates. Also, an
6252	attacker can forge packets that claim to be from the target and
6253	send them to servers often enough that a server that implements
6254	KoD rate limiting will send the target machine a KoD response to
6255	attempt to reduce the rate of incoming packets, or it may also
6256	trigger a firewall block at the server for packets from the target
6257	machine. For either of these attacks to succeed, the attacker must
6258	know what servers the target is communicating with. An attacker
6259	can be anywhere on the Internet and can frequently learn the
6260	identity of the target's time source by sending the target a
6261	time query.
6262    Mitigation:
6263        Implement BCP-38.
6264	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
6265	    or the NTP Public Services Project Download Page
6266	If you can't upgrade, restrict who can query ntpd to learn who
6267	    its servers are, and what IPs are allowed to ask your system
6268	    for the time. This mitigation is heavy-handed.
6269	Monitor your ntpd instances.
6270    Note:
6271    	4.2.8p4 protects against the first attack. For the second attack,
6272    	all we can do is warn when it is happening, which we do in 4.2.8p4.
6273    Credit: This weakness was discovered by Aanchal Malhotra,
6274    	Isaac E. Cohen, and Sharon Goldberg of Boston University.
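The fix for the first attack is the origin-timestamp check named in the title. As an added illustration (a simplified model for this page, not ntpd's packet handling), the following shows a client honouring a Kiss-of-Death only when the packet's origin timestamp echoes the transmit timestamp of a request it actually has outstanding, and consuming that request so a replayed KoD is not honoured twice. Timestamps are compared as opaque 64-bit integers and all packets are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t l_fp;  /* 64-bit NTP timestamp, treated as opaque here */

/* Only the header fields this check needs; the real header has more. */
typedef struct {
    uint8_t stratum;   /* 0 marks a KoD packet */
    char    refid[5];  /* four-character KoD code such as "RATE", NUL-terminated */
    l_fp    org;       /* origin timestamp: must echo the client's transmit timestamp */
} ntp_pkt_t;

typedef struct {
    l_fp xmt;          /* transmit timestamp of our outstanding request; 0 = none */
    int  backoff;      /* simulated poll backoff, bumped by an honoured RATE KoD */
} ntp_assoc_t;

typedef enum { KOD_NOT_KOD, KOD_IGNORED, KOD_HONORED } kod_decision_t;

bool is_kod(const ntp_pkt_t *p) { return p->stratum == 0; }

kod_decision_t process_kod(ntp_assoc_t *a, const ntp_pkt_t *p)
{
    if (!is_kod(p))
        return KOD_NOT_KOD;
    /* No request outstanding, or origin does not match what we sent: this
       cannot be a reply to us, so treat it as forged and ignore it. */
    if (a->xmt == 0 || p->org != a->xmt)
        return KOD_IGNORED;
    a->xmt = 0;  /* consume the request so a replay of this KoD is ignored */
    if (strcmp(p->refid, "RATE") == 0)
        a->backoff++;
    return KOD_HONORED;
}

/* Build a constructed KoD packet with the given code and origin timestamp. */
ntp_pkt_t make_kod(const char *code, l_fp org)
{
    ntp_pkt_t p;
    memset(&p, 0, sizeof p);
    p.stratum = 0;
    strncpy(p.refid, code, 4);
    p.org = org;
    return p;
}

int main(void)
{
    /* Constructed exchange: our request went out with xmt = 0xE3E1C4D400000000. */
    ntp_assoc_t a = { 0xE3E1C4D400000000ULL, 0 };
    ntp_pkt_t forged = make_kod("RATE", 0x1234ULL);             /* attacker guessed org */
    ntp_pkt_t legit  = make_kod("RATE", 0xE3E1C4D400000000ULL); /* echoes our xmt */
    printf("forged KoD : %s\n", process_kod(&a, &forged) == KOD_HONORED ? "honored" : "ignored");
    printf("legit KoD  : %s\n", process_kod(&a, &legit)  == KOD_HONORED ? "honored" : "ignored");
    printf("replayed   : %s\n", process_kod(&a, &legit)  == KOD_HONORED ? "honored" : "ignored");
    printf("backoff    : %d\n", a.backoff);
    return 0;
}
```

An off-path attacker who knows which servers the target uses can still forge the source address of the packets the target sends (the second attack), which this client-side check cannot see; that is why the advisory pairs it with BCP-38 and query restrictions.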
6275
6276* configuration directives to change "pidfile" and "driftfile" should
6277  only be allowed locally.
6278
6279  References: Sec 2902 / CVE-2015-5196
6280  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6281	and 4.3.0 up to, but not including 4.3.77
6282   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
6283   Summary: If ntpd is configured to allow for remote configuration,
6284	and if the (possibly spoofed) source IP address is allowed to
6285	send remote configuration requests, and if the attacker knows
6286	the remote configuration password, it's possible for an attacker
6287	to use the "pidfile" or "driftfile" directives to potentially
6288	overwrite other files.
6289   Mitigation:
6290	Implement BCP-38.
6291	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6292	    Page or the NTP Public Services Project Download Page
6293	If you cannot upgrade, don't enable remote configuration.
6294	If you must enable remote configuration and cannot upgrade,
6295	    remote configuration of NTF's ntpd requires:
6296	    - an explicitly configured trustedkey, and you should also
6297	    	configure a controlkey.
6298	    - access from a permitted IP. You choose the IPs.
6299	    - authentication. Don't disable it. Practice secure key safety.
6300	Monitor your ntpd instances.
6301   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
6302
6303* Slow memory leak in CRYPTO_ASSOC
6304
6305  References: Sec 2909 / CVE-2015-7701
6306  Affects: All ntp-4 releases that use autokey up to, but not
6307    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
6308  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
6309  	4.6 otherwise
6310  Summary: If ntpd is configured to use autokey, then an attacker can
6311	send packets to ntpd that will, after several days of ongoing
6312	attack, cause it to run out of memory.
6313  Mitigation:
6314	Don't use autokey.
6315	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6316	    Page or the NTP Public Services Project Download Page
6317	Monitor your ntpd instances.
6318  Credit: This weakness was discovered by Tenable Network Security.
6319
6320* mode 7 loop counter underrun
6321
6322  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
6323  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6324  	and 4.3.0 up to, but not including 4.3.77
6325  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
6326  Summary: If ntpd is configured to enable mode 7 packets, and if the
6327	use of mode 7 packets is not properly protected through the use of
6328	the available mode 7 authentication and restriction mechanisms,
6329	and if the (possibly spoofed) source IP address is allowed to
6330	send mode 7 queries, then an attacker can send a crafted packet
6331	to ntpd that will cause it to crash.
6332  Mitigation:
6333	Implement BCP-38.
6334	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6335	    Page or the NTP Public Services Project Download Page.
6336	If you are unable to upgrade:
6337	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
6338	If you must enable mode 7:
6339	    configure the use of a requestkey to control who can issue
6340		mode 7 requests.
6341	    configure restrict noquery to further limit mode 7 requests
6342		to trusted sources.
6343	Monitor your ntpd instances.
6344  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
6345
6346* memory corruption in password store
6347
6348  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
6349  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
6350  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
6351  Summary: If ntpd is configured to allow remote configuration, and if
6352	the (possibly spoofed) source IP address is allowed to send
6353	remote configuration requests, and if the attacker knows the
6354	remote configuration password or if ntpd was configured to
6355	disable authentication, then an attacker can send a set of
6356	packets to ntpd that may cause a crash or theoretically
6357	perform a code injection attack.
6358  Mitigation:
6359	Implement BCP-38.
6360	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6361	    Page or the NTP Public Services Project Download Page.
6362	If you are unable to upgrade, remote configuration of NTF's
6363	    ntpd requires:
6364		an explicitly configured "trusted" key. Only configure
6365			this if you need it.
6366		access from a permitted IP address. You choose the IPs.
6367		authentication. Don't disable it. Practice secure key safety.
6368	Monitor your ntpd instances.
6369  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
6370
6371* Infinite loop if extended logging enabled and the logfile and
6372  keyfile are the same.
6373
6374    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
6375    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6376	and 4.3.0 up to, but not including 4.3.77
6377    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
6378    Summary: If ntpd is configured to allow remote configuration, and if
6379	the (possibly spoofed) source IP address is allowed to send
6380	remote configuration requests, and if the attacker knows the
6381	remote configuration password or if ntpd was configured to
6382	disable authentication, then an attacker can send a set of
6383	packets to ntpd that will cause it to crash and/or create a
6384	potentially huge log file. Specifically, the attacker could
6385	enable extended logging, point the key file at the log file,
6386	and cause what amounts to an infinite loop.
6387    Mitigation:
6388	Implement BCP-38.
6389	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6390	    Page or the NTP Public Services Project Download Page.
6391	If you are unable to upgrade, remote configuration of NTF's ntpd
6392	  requires:
6393            an explicitly configured "trusted" key. Only configure this
6394	    	if you need it.
6395            access from a permitted IP address. You choose the IPs.
6396            authentication. Don't disable it. Practice secure key safety.
6397        Monitor your ntpd instances.
6398    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
6399
6400* Potential path traversal vulnerability in the config file saving of
6401  ntpd on VMS.
6402
6403  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
6404  Affects: All ntp-4 releases running under VMS up to, but not
6405	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
6406  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
6407  Summary: If ntpd is configured to allow remote configuration, and if
6408	the (possibly spoofed) IP address is allowed to send remote
6409	configuration requests, and if the attacker knows the remote
6410	configuration password or if ntpd was configured to disable
6411	authentication, then an attacker can send a set of packets to
6412	ntpd that may cause ntpd to overwrite files.
6413  Mitigation:
6414	Implement BCP-38.
6415	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6416	    Page or the NTP Public Services Project Download Page.
6417	If you are unable to upgrade, remote configuration of NTF's ntpd
6418	    requires:
6419		an explicitly configured "trusted" key. Only configure
6420			this if you need it.
6421		access from permitted IP addresses. You choose the IPs.
6422		authentication. Don't disable it. Practice secure key safety.
6423        Monitor your ntpd instances.
6424    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
6425
6426* ntpq atoascii() potential memory corruption
6427
6428  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
6429  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
6430	and 4.3.0 up to, but not including 4.3.77
6431  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
6432  Summary: If an attacker can figure out the precise moment that ntpq
6433	is listening for data and the port number it is listening on or
6434	if the attacker can provide a malicious instance ntpd that
6435	victims will connect to then an attacker can send a set of
6436	crafted mode 6 response packets that, if received by ntpq,
6437	can cause ntpq to crash.
6438  Mitigation:
6439	Implement BCP-38.
6440	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6441	    Page or the NTP Public Services Project Download Page.
6442	If you are unable to upgrade and you run ntpq against a server
6443	    and ntpq crashes, try again using raw mode. Build or get a
6444	    patched ntpq and see if that fixes the problem. Report new
6445	    bugs in ntpq or abusive servers appropriately.
6446	If you use ntpq in scripts, make sure ntpq does what you expect
6447	    in your scripts.
6448  Credit: This weakness was discovered by Yves Younan and
6449  	Aleksandar Nikolic of Cisco Talos.
6450
6451* Invalid length data provided by a custom refclock driver could cause
6452  a buffer overflow.
6453
6454  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
6455  Affects: Potentially all ntp-4 releases running up to, but not
6456	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
6457	that have custom refclocks
6458  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
6459	5.9 unusual worst case
6460  Summary: A negative value for the datalen parameter will overflow a
6461	data buffer. NTF's ntpd driver implementations always set this
6462	value to 0 and are therefore not vulnerable to this weakness.
6463	If you are running a custom refclock driver in ntpd and that
6464	driver supplies a negative value for datalen (no custom driver
6465	of even minimal competence would do this) then ntpd would
6466	overflow a data buffer. It is even hypothetically possible
6467	in this case that instead of simply crashing ntpd the attacker
6468	could effect a code injection attack.
6469  Mitigation:
6470	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6471	    Page or the NTP Public Services Project Download Page.
6472	If you are unable to upgrade:
6473		If you are running custom refclock drivers, make sure
6474			the signed datalen value is either zero or positive.
6475	Monitor your ntpd instances.
6476  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
6477
6478* Password Length Memory Corruption Vulnerability
6479
6480  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
6481  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
6482  	4.3.0 up to, but not including 4.3.77
6483  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
6484  	1.7 usual case, 6.8, worst case
6485  Summary: If ntpd is configured to allow remote configuration, and if
6486	the (possibly spoofed) source IP address is allowed to send
6487	remote configuration requests, and if the attacker knows the
6488	remote configuration password or if ntpd was (foolishly)
6489	configured to disable authentication, then an attacker can
6490	send a set of packets to ntpd that may cause it to crash,
6491	with the hypothetical possibility of a small code injection.
6492  Mitigation:
6493	Implement BCP-38.
6494	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6495	    Page or the NTP Public Services Project Download Page.
6496	If you are unable to upgrade, remote configuration of NTF's
6497	    ntpd requires:
6498		an explicitly configured "trusted" key. Only configure
6499			this if you need it.
6500		access from a permitted IP address. You choose the IPs.
6501		authentication. Don't disable it. Practice secure key safety.
6502	Monitor your ntpd instances.
6503  Credit: This weakness was discovered by Yves Younan and
6504  	Aleksandar Nikolic of Cisco Talos.
6505
6506* decodenetnum() will ASSERT botch instead of returning FAIL on some
6507  bogus values.
6508
6509  References: Sec 2922 / CVE-2015-7855
6510  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
6511	4.3.0 up to, but not including 4.3.77
6512  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
6513  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
6514	an unusually long data value where a network address is expected,
6515	the decodenetnum() function will abort with an assertion failure
6516	instead of simply returning a failure condition.
6517  Mitigation:
6518	Implement BCP-38.
6519	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6520	    Page or the NTP Public Services Project Download Page.
6521	If you are unable to upgrade:
6522		mode 7 is disabled by default. Don't enable it.
6523		Use restrict noquery to limit who can send mode 6
6524			and mode 7 requests.
6525		Configure and use the controlkey and requestkey
6526			authentication directives to limit who can
6527			send mode 6 and mode 7 requests.
6528	Monitor your ntpd instances.
6529  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
6530
6531* NAK to the Future: Symmetric association authentication bypass via
6532  crypto-NAK.
6533
6534  References: Sec 2941 / CVE-2015-7871
6535  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
6536  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
6537  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
6538  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
6539	from unauthenticated ephemeral symmetric peers by bypassing the
6540	authentication required to mobilize peer associations. This
6541	vulnerability appears to have been introduced in ntp-4.2.5p186
6542	when the code handling mobilization of new passive symmetric
6543	associations (lines 1103-1165) was refactored.
6544  Mitigation:
6545	Implement BCP-38.
6546	Upgrade to 4.2.8p4, or later, from the NTP Project Download
6547	    Page or the NTP Public Services Project Download Page.
6548	If you are unable to upgrade:
6549		Apply the patch to the bottom of the "authentic" check
6550			block around line 1136 of ntp_proto.c.
6551	Monitor your ntpd instances.
6552  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
6553
6554Backward-Incompatible changes:
6555* [Bug 2817] Default on Linux is now "rlimit memlock -1".
6556  While the general default of 32M is still the case, under Linux
6557  the default value has been changed to -1 (do not lock ntpd into
6558  memory).  A value of 0 means "lock ntpd into memory with whatever
6559  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
6560  value in it, that value will continue to be used.
6561
6562* [Bug 2886] Misspelling: "outlyer" should be "outlier".
6563  If you've written a script that looks for this case in, say, the
6564  output of ntpq, you probably want to change your regex matches
6565  from 'outlyer' to 'outl[iy]er'.
6566
6567New features in this release:
6568* 'rlimit memlock' now has finer-grained control.  A value of -1 means
6569  "don't lock ntpd into memory".  This is the default for Linux boxes.
6570  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
6571  the value is the number of megabytes of memory to lock.  The default
6572  is 32 megabytes.
6573
6574* The old Google Test framework has been replaced with a new framework,
6575  based on http://www.throwtheswitch.org/unity/ .
6576
6577Bug Fixes and Improvements:
6578* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
6579  privileges and limiting resources in NTPD removes the need to link
6580  forcefully against 'libgcc_s' which does not always work. J.Perlinger
6581* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
6582* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
6583* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
6584* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
6585* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
6586* [Bug 2849] Systems with more than one default route may never
6587  synchronize.  Brian Utterback.  Note that this patch might need to
6588  be reverted once Bug 2043 has been fixed.
6589* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
6590* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
6591* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
6592* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
6593* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
6594* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
6595  be configured for the distribution targets.  Harlan Stenn.
6596* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
6597* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
6598* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
6599* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
6600* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
6601* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
6602* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
6603* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
6604* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
6605* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
6606* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
6607* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
6608* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
6609* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
6610* sntp/tests/ function parameter list cleanup.  Damir Tomić.
6611* tests/libntp/ function parameter list cleanup.  Damir Tomić.
6612* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
6613* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
6614* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
6615* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
6616* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
6617* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
6618  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
6619  formatting; first declaration, then code (C90); deleted unnecessary comments;
6620  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
6621* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
6622  fix formatting, cleanup. Tomasz Flendrich
6623* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
6624  Tomasz Flendrich
6625* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
6626  fix formatting. Tomasz Flendrich
6627* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
6628* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
6629* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
6630  Tomasz Flendrich
6631* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
6632* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
6633* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
6634* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
6635* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
6636* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
6637* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
6638  fixed formatting. Tomasz Flendrich
6639* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
6640  removed unnecessary comments, cleanup. Tomasz Flendrich
6641* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
6642  comments, cleanup. Tomasz Flendrich
6643* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
6644  Tomasz Flendrich
6645* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
6646* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
6647* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
6648  Tomasz Flendrich
6649* sntp/tests/kodDatabase.c added consts, deleted empty function,
6650  fixed formatting. Tomasz Flendrich
6651* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
6652* sntp/tests/packetHandling.c is now using proper Unity's assertions,
6653  fixed formatting, deleted unused variable. Tomasz Flendrich
6654* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
6655  Tomasz Flendrich
6656* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
6657  fixed formatting. Tomasz Flendrich
6658* sntp/tests/utilities.c is now using proper Unity's assertions, changed
6659  the order of includes, fixed formatting, removed unnecessary comments.
6660  Tomasz Flendrich
6661* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
6662* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
6663  made one function do its job, deleted unnecessary prints, fixed formatting.
6664  Tomasz Flendrich
6665* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
6666* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
6667* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
6668* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
6669* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
6670* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
6671* Don't build sntp/libevent/sample/.  Harlan Stenn.
6672* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
6673* br-flock: --enable-local-libevent.  Harlan Stenn.
6674* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
6675* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
6676* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
6677* Code cleanup.  Harlan Stenn.
6678* libntp/icom.c: Typo fix.  Harlan Stenn.
6679* util/ntptime.c: initialization nit.  Harlan Stenn.
6680* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
6681* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
6682* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
6683  Tomasz Flendrich
6684* Changed progname to be const in many files - now it's consistent. Tomasz
6685  Flendrich
6686* Typo fix for GCC warning suppression.  Harlan Stenn.
6687* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
6688* Added declarations to all Unity tests, and did minor fixes to them.
6689  Reduced the number of warnings by half. Damir Tomić.
6690* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
6691  with the latest Unity updates from Mark. Damir Tomić.
6692* Retire google test - phase I.  Harlan Stenn.
6693* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
6694* Update the NEWS file.  Harlan Stenn.
6695* Autoconf cleanup.  Harlan Stenn.
6696* Unit test dist cleanup. Harlan Stenn.
6697* Cleanup various test Makefile.am files.  Harlan Stenn.
6698* Pthread autoconf macro cleanup.  Harlan Stenn.
6699* Fix progname definition in unity runner scripts.  Harlan Stenn.
6700* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
6701* Update the patch for bug 2817.  Harlan Stenn.
6702* More updates for bug 2817.  Harlan Stenn.
6703* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
6704* gcc on older HPUX may need +allowdups.  Harlan Stenn.
6705* Adding missing MCAST protection.  Harlan Stenn.
6706* Disable certain test programs on certain platforms.  Harlan Stenn.
6707* Implement --enable-problem-tests (on by default).  Harlan Stenn.
6708* build system tweaks.  Harlan Stenn.
6709
---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time.  A specially built and configured ntpd will only
offer smeared time in response to client packets.  These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
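As an added illustration of the 254.a.b.c smear REFID described above (this is example code written for this note, not code from the NTP distribution or its refidsmear support): a decoder and encoder for the 2:22 integer:fraction field. The 2:22 split comes from the text; reading the 24-bit field as a two's-complement signed value, so that a negative smear can be carried, is this example's assumption, and the sample REFIDs are constructed rather than captured from a server. A monitoring client that sees a 254.x.y.z REFID can use this to recognise a smearing server and to log how far its offered time is from true time.

```c
#include <stdint.h>
#include <stdio.h>

/* A smeared response carries REFID 254.a.b.c; the 24 bits of a.b.c hold the
 * smear as a 2:22 integer:fraction value.  Reading that field as two's-
 * complement (so a negative smear can be carried) is this example's assumption. */
#define SMEAR_REFID_PREFIX 254
#define SMEAR_FRAC_BITS    22
#define SMEAR_SCALE        (1L << SMEAR_FRAC_BITS)   /* 4194304 units per second */
#define SMEAR_MAX_RAW      ((1L << 23) - 1)           /* just under +2 s */
#define SMEAR_MIN_RAW      (-(1L << 23))              /* -2 s */

/* True when the 4-byte REFID marks a leap-smear response. */
int refid_is_smear(const uint8_t refid[4])
{
    return refid[0] == SMEAR_REFID_PREFIX;
}

/* Smear in seconds carried by a 254.a.b.c REFID (0.0 for any other REFID,
 * so check refid_is_smear() first to tell "no smear" from "zero smear"). */
double smear_from_refid(const uint8_t refid[4])
{
    int32_t raw;

    if (!refid_is_smear(refid))
        return 0.0;
    raw = ((int32_t)refid[1] << 16) | ((int32_t)refid[2] << 8) | refid[3];
    if (raw & 0x800000)                /* sign-extend the 24-bit field */
        raw -= 0x1000000;
    return (double)raw / (double)SMEAR_SCALE;
}

/* Encode a smear in seconds as 254.a.b.c, rounding to the nearest 2^-22 s
 * and saturating at the limits of the 24-bit field. */
void smear_to_refid(double smear_sec, uint8_t out[4])
{
    long raw;

    if (smear_sec != smear_sec)        /* NaN: treat as no smear */
        smear_sec = 0.0;
    if (smear_sec > 2.0)  smear_sec = 2.0;
    if (smear_sec < -2.0) smear_sec = -2.0;
    if (smear_sec >= 0.0)
        raw = (long)(smear_sec * SMEAR_SCALE + 0.5);
    else
        raw = -(long)(-smear_sec * SMEAR_SCALE + 0.5);
    if (raw > SMEAR_MAX_RAW) raw = SMEAR_MAX_RAW;
    if (raw < SMEAR_MIN_RAW) raw = SMEAR_MIN_RAW;
    raw &= 0xFFFFFF;                   /* keep the two's-complement low 24 bits */
    out[0] = SMEAR_REFID_PREFIX;
    out[1] = (uint8_t)(raw >> 16);
    out[2] = (uint8_t)(raw >> 8);
    out[3] = (uint8_t)raw;
}

/* Encode then decode; exposes the 2^-22 s quantisation and the saturation. */
double smear_roundtrip(double smear_sec)
{
    uint8_t r[4];
    smear_to_refid(smear_sec, r);
    return smear_from_refid(r);
}

int main(void)
{
    /* constructed sample REFIDs, not captured from a real server */
    const uint8_t half_sec[4] = { 254, 0x20, 0x00, 0x00 };
    const uint8_t minus_q[4]  = { 254, 0xF0, 0x00, 0x00 };
    const uint8_t normal[4]   = { 10, 0, 0, 1 };
    uint8_t enc[4];

    printf("254.32.0.0  -> %+.6f s\n", smear_from_refid(half_sec));
    printf("254.240.0.0 -> %+.6f s\n", smear_from_refid(minus_q));
    printf("10.0.0.1 is a smear REFID? %d\n", refid_is_smear(normal));
    smear_to_refid(-0.25, enc);
    printf("-0.25 s -> %d.%d.%d.%d\n", enc[0], enc[1], enc[2], enc[3]);
    return 0;
}
```

With these helpers, 254.32.0.0 decodes to +0.5 s and 254.240.0.0 to -0.25 s; anything beyond about +/-2 s cannot be represented in 24 bits and saturates, which is why the encoder clamps before converting.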

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework.  If you want
to write new tests or change old ones, you'll need to have ruby
installed.  You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
   Fixed an initial-value problem that caused misbehaviour in absence of
   any leapsecond information.
   Do leap second stepping only if the step adjustment is beyond the
   proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   NTPD transfers the current TAI (instead of an announcement) now.
   This might still need improvement.
   Update autokey data ASAP when 'sys_tai' changes.
   Fix unit test that was broken by changes for autokey update.
   Avoid potential signature length issue and use DPRINTF where possible
     in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
   Fixed compiler warnings about numeric range overflow
   (The original issue was fixed as a side effect of the work on bug 2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* html/drivers/driver22.html: typo fix.  Harlan Stenn.
* refidsmear test cleanup.  Tomasz Flendrich.
* refidsmear function support and tests.  Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp.  Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code.  Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
        including ntp-4.2.8p2 where the installation uses symmetric keys
        to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
        a remote NTP server/peer, it checks if the NTP message
        authentication code (MAC) in received packets is valid, but not if
        there actually is any MAC included. Packets without a MAC are
        accepted as if they had a valid MAC. This allows a MITM attacker to
        send false packets that are accepted by the client/peer without
        having to know the symmetric key. The attacker needs to know the
        transmit timestamp of the client to match it in the forged reply
        and the false reply needs to reach the client before the genuine
        reply from the server. The attacker doesn't necessarily need to be
        relaying the packets between the client and the server.

        Authentication using autokey doesn't have this problem as there is
        a check that requires the key ID to be larger than NTP_MAXKEY,
        which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but
        not including ntp-4.2.8p2 where the installation uses symmetric
        key authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
        it could be higher than 5.4.
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: An attacker knowing that NTP hosts A and B are peering with
        each other (symmetric association) can send a packet to host A
        with source address of B which will set the NTP state variables
        on A to the values sent by the attacker. Host A will then send
        on its next poll to B a packet with originate timestamp that
        doesn't match the transmit timestamp of B and the packet will
        be dropped. If the attacker does this periodically for both
        hosts, they won't be able to synchronize to each other. This is
        a known denial-of-service attack, described at
        https://www.eecis.udel.edu/~mills/onwire.html .

        According to the document the NTP authentication is supposed to
        protect symmetric associations against this attack, but that
        doesn't seem to be the case. The state variables are updated even
        when authentication fails and the peers are sending packets with
        originate timestamps that don't match the transmit timestamps on
        the receiving side.

        This seems to be a very old problem, dating back to at least
        xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
        specifications, so other NTP implementations with support for
        symmetric associations and authentication may be vulnerable too.
        An update to the NTP RFC to correct this error is in-process.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Note that for users of autokey, this specific style of MITM attack
        is simply a long-known potential problem.
        Configure ntpd with appropriate time sources and monitor ntpd.
        Alert your staff if problems are detected.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
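The two summaries above, Sec 2779 (a present-but-optional MAC check) and Sec 2781 (state variables updated before authentication has been decided), describe the same receive-path discipline from two angles. The following is an added example written for this note, not ntpd's receive() code: it classifies the MAC trailer by packet length, shows the pre-fix check shape beside the fixed one, and gates every state update on authentication plus the origin-timestamp match. Assumptions: extension fields are ignored (autokey packets carry them, a real receiver must skip them), only MD5 and SHA1 digest sizes are recognised, the digest verifier is pluggable, and the packets, timestamps and "valid" digest value are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* RFC 5905 layout: 48-byte header, then an optional MAC of a 4-byte key ID and
 * a digest.  Extension fields are ignored (an assumption of this example). */
#define NTP_HDR_LEN     48
#define NTP_ORG_OFFSET  24               /* origin timestamp field */
#define NTP_XMT_OFFSET  40               /* transmit timestamp field */
#define KEYID_LEN        4
#define MD5_DIGEST_LEN  16
#define SHA1_DIGEST_LEN 20
enum mac_kind { MAC_NONE, MAC_CRYPTO_NAK, MAC_MD5, MAC_SHA1, MAC_INVALID };

/* Classify the trailer after the header purely by packet length. */
enum mac_kind classify_mac(size_t pktlen)
{
    if (pktlen < NTP_HDR_LEN)
        return MAC_INVALID;
    switch (pktlen - NTP_HDR_LEN) {
    case 0:                           return MAC_NONE;
    case KEYID_LEN:                   return MAC_CRYPTO_NAK;
    case KEYID_LEN + MD5_DIGEST_LEN:  return MAC_MD5;
    case KEYID_LEN + SHA1_DIGEST_LEN: return MAC_SHA1;
    default:                          return MAC_INVALID;
    }
}

/* Digest check supplied by the caller; a real one recomputes the keyed digest
 * over the header, demo_verify() below only compares a constructed value. */
typedef int (*verify_fn)(const uint8_t *pkt, size_t pktlen);
struct peer {
    int      key_configured;  /* a symmetric key is set for this association */
    uint64_t xmt;             /* transmit timestamp of our last poll */
    uint64_t org;             /* state variable the receive path updates */
};

static uint64_t get_be64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Pre-4.2.8p2 shape of the check (Sec 2779): a MAC is verified when present,
 * but a packet that simply omits the MAC is accepted as if it had passed. */
int auth_vulnerable(const struct peer *p, const uint8_t *pkt, size_t n, verify_fn vf)
{
    enum mac_kind k = classify_mac(n);
    if (!p->key_configured) return 1;
    if (k == MAC_MD5 || k == MAC_SHA1) return vf(pkt, n);
    return 1;                         /* BUG: no MAC, still accepted */
}

/* Fixed shape: with a key configured, a MAC must be present and must verify. */
int auth_fixed(const struct peer *p, const uint8_t *pkt, size_t n, verify_fn vf)
{
    enum mac_kind k = classify_mac(n);
    if (k == MAC_INVALID) return 0;
    if (!p->key_configured) return 1;
    if (k != MAC_MD5 && k != MAC_SHA1) return 0;  /* no MAC or crypto-NAK */
    return vf(pkt, n);
}

/* Sec 2781 gating: no state variable is touched until the packet has both
 * authenticated and echoed our own transmit timestamp in its origin field. */
int process_packet(struct peer *p, const uint8_t *pkt, size_t n, verify_fn vf)
{
    if (!auth_fixed(p, pkt, n, vf)) return 0;
    if (get_be64(pkt + NTP_ORG_OFFSET) != p->xmt) return 0;  /* bogus origin */
    p->org = get_be64(pkt + NTP_XMT_OFFSET);
    return 1;
}

/* --- constructed demo data, not a real capture --- */
#define DEMO_OUR_XMT 0xE000000012345678ULL
#define DEMO_SRV_XMT 0xE000000112345678ULL
#define DEMO_PKT_MAX (NTP_HDR_LEN + KEYID_LEN + MD5_DIGEST_LEN)

/* Demo verifier: "valid" means an MD5-sized digest of sixteen 0x42 bytes. */
int demo_verify(const uint8_t *pkt, size_t n)
{
    if (n != DEMO_PKT_MAX) return 0;
    for (size_t i = NTP_HDR_LEN + KEYID_LEN; i < n; i++)
        if (pkt[i] != 0x42) return 0;
    return 1;
}

/* Build a mode-4 reply into buf (DEMO_PKT_MAX bytes); returns its length. */
size_t build_demo_packet(uint8_t *buf, uint64_t org, int with_mac, int good_mac)
{
    memset(buf, 0, DEMO_PKT_MAX);
    buf[0] = 0x24;                    /* LI=0, VN=4, mode=4 (server) */
    for (int i = 0; i < 8; i++) {
        buf[NTP_ORG_OFFSET + i] = (uint8_t)(org >> (56 - 8 * i));
        buf[NTP_XMT_OFFSET + i] = (uint8_t)(DEMO_SRV_XMT >> (56 - 8 * i));
    }
    if (!with_mac) return NTP_HDR_LEN;
    memset(buf + NTP_HDR_LEN + KEYID_LEN, good_mac ? 0x42 : 0, MD5_DIGEST_LEN);
    return DEMO_PKT_MAX;
}
```

The point of `auth_fixed()` is the third test: with a key configured, a 48-byte packet is not "a packet whose MAC verified", it is a packet with no MAC, and it is rejected. `process_packet()` then applies the second lesson: the origin timestamp is compared against our own transmit timestamp before anything in the peer structure changes, so a spoofed packet that fails either check leaves the association exactly as it was.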

* New script: update-leap
The update-leap script will verify and, if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

        wget logger tr sed shasum

Some may choose to run this from cron.  It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  whether the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

    References: Sec 2671 / CVE-2014-9297 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: The vallen packet value is not validated in several code
             paths in ntp_crypto.c which can lead to information leakage
             or perhaps a crash of the ntpd process.
    Mitigation - any of:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page.
        Disable Autokey Authentication by removing, or commenting out,
            all configuration directives beginning with the "crypto"
            keyword in your ntp.conf file.
    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team, with additional cases found by Sebastian
        Krahmer of the SUSE Security Team and Harlan Stenn of Network
        Time Foundation.

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces. Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1 -based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Install firewall rules to block packets claiming to come from
        ::1 from inappropriate network interfaces.
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file.  With the exception of:

   receive(): missing return on error
   References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************
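Because the NOTE WELL box makes 'restrict default ... noquery' the single most important mitigation for this release, it is worth being able to check for it mechanically across a fleet of ntp.conf files. The following audit is an added example written for this note, not part of ntpd or its config parser: it scans ntp.conf text for every "restrict default" line (including the "-4 default" and "-6 default" forms), ignores '#' comments, and reports whether all of them carry noquery (and, as a bonus, nomodify). Assumptions: one directive per line, lines shorter than 512 bytes, and the three sample configurations are constructed for the demo rather than taken from a real host.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What the scan found about the "restrict default" lines of an ntp.conf. */
struct restrict_audit {
    int default_seen;   /* at least one "restrict [-4|-6] default" line exists */
    int noquery;        /* every such line carries noquery */
    int nomodify;       /* every such line carries nomodify */
};

/* Whole-word search in a whitespace-separated token list. */
static int has_token(const char *line, const char *word)
{
    size_t wl = strlen(word);
    const char *p = line;
    while ((p = strstr(p, word)) != NULL) {
        int before = (p == line) || isspace((unsigned char)p[-1]);
        int after  = p[wl] == '\0' || isspace((unsigned char)p[wl]);
        if (before && after)
            return 1;
        p += wl;
    }
    return 0;
}

/* Scan ntp.conf text (one directive per line, '#' starts a comment).  The
 * flags are AND-ed across all default restriction lines, so one IPv6 default
 * line without noquery makes the whole result fail. */
struct restrict_audit audit_restrict(const char *conf)
{
    struct restrict_audit a = { 0, 1, 1 };
    char line[512];

    while (*conf) {
        size_t n = strcspn(conf, "\n");
        size_t keep = n < sizeof line - 1 ? n : sizeof line - 1;
        char *q, *hash;

        memcpy(line, conf, keep);
        line[keep] = '\0';
        conf += n + (conf[n] == '\n');

        if ((hash = strchr(line, '#')) != NULL)
            *hash = '\0';                         /* drop the comment */
        for (q = line; isspace((unsigned char)*q); q++)
            ;                                     /* skip leading blanks */
        if (strncmp(q, "restrict", 8) != 0 || !isspace((unsigned char)q[8]))
            continue;
        if (!has_token(q, "default"))
            continue;                             /* a per-host restrict line */
        a.default_seen = 1;
        a.noquery  = a.noquery  && has_token(q, "noquery");
        a.nomodify = a.nomodify && has_token(q, "nomodify");
    }
    if (!a.default_seen)
        a.noquery = a.nomodify = 0;               /* no default restriction at all */
    return a;
}

/* The BCP check itself: does this config refuse query-class packets by default? */
int conf_blocks_queries(const char *conf)
{
    return audit_restrict(conf).noquery;
}

/* constructed sample configurations, not taken from any real host */
#define WEAK_CONF \
    "driftfile /var/lib/ntp/drift\n" \
    "# restrict default noquery   <- commented out, must not count\n" \
    "restrict default kod nomodify notrap nopeer\n" \
    "restrict 127.0.0.1\n"
#define HARD_CONF \
    "restrict -4 default kod nomodify notrap nopeer noquery\n" \
    "restrict -6 default kod nomodify notrap nopeer noquery\n" \
    "restrict 127.0.0.1\nrestrict ::1\n"
#define MIXED_CONF \
    "restrict -4 default kod nomodify notrap nopeer noquery\n" \
    "restrict -6 default kod nomodify notrap nopeer\n"

int main(void)
{
    printf("weak:  noquery=%d\n", conf_blocks_queries(WEAK_CONF));
    printf("hard:  noquery=%d\n", conf_blocks_queries(HARD_CONF));
    printf("mixed: noquery=%d\n", conf_blocks_queries(MIXED_CONF));
    return 0;
}
```

The MIXED_CONF case is the one that catches people: an IPv4 default line with noquery and an IPv6 default line without it leaves the daemon answering mode 6/7 queries over IPv6, so the audit AND-s the flags over every default line rather than stopping at the first match.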

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly.  There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy.  This was sufficient back in the late 1990s when the
        code was written.  Not today.

  Mitigation - any of:
        - Upgrade to 4.2.7p11 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced were then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random().

  Mitigation - any of:
        - Upgrade to 4.2.7p230 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit:  This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later, or
        - Disable Autokey Authentication by removing, or commenting out,
          all configuration directives beginning with the crypto keyword
          in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score becomes 7.5.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later,
        - Remove or comment out all configuration directives
          beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years.  The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in.  Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more.  We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" timestamp to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
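To make the "look back 10 years, look forward 126 years" rule concrete, here is an added example written for this note (it is not ntpd's own era code): it disambiguates a 32-bit NTP seconds field against a compiled-in build timestamp by placing the result in the one-era window that starts ten years before the build. Assumptions: a mean Gregorian year of 365.2425 days for the ten-year look-back, the usual 2208988800-second offset between the 1900 and 1970 epochs, and a constructed build time of Unix 1700000000 (November 2023) for the samples. The example goes slightly beyond the text by also reporting which era an absolute time falls in.

```c
#include <stdint.h>
#include <stdio.h>

#define NTP_UNIX_OFFSET 2208988800LL  /* seconds from 1900-01-01 to 1970-01-01 */
#define ERA_SECONDS     (1LL << 32)   /* one 32-bit timestamp era, about 136 years */
#define LOOKBACK_YEARS  10
#define SECS_PER_YEAR   31556952LL    /* mean Gregorian year, 365.2425 days (assumed) */

/* Earliest absolute time the daemon will believe: 10 years before it was
 * built.  From there, one full era (the remaining ~126 years) is unambiguous. */
int64_t era_floor(int64_t build_unix)
{
    return build_unix - LOOKBACK_YEARS * SECS_PER_YEAR;
}

/* Map a 32-bit NTP seconds field onto absolute Unix time using the build
 * timestamp as pivot.  The result always lies in
 * [era_floor(build_unix), era_floor(build_unix) + 2^32). */
int64_t ntp_secs_to_unix(uint32_t ntp_secs, int64_t build_unix)
{
    int64_t lo    = era_floor(build_unix);
    int64_t t     = (int64_t)ntp_secs - NTP_UNIX_OFFSET;  /* era-0 reading */
    int64_t delta = t - lo;
    int64_t eras  = delta / ERA_SECONDS;
    if (delta < 0 && delta % ERA_SECONDS != 0)
        eras--;                                   /* floor, not truncate */
    return t - eras * ERA_SECONDS;
}

/* Era number of an absolute time: era 0 runs from 1900 until the 32-bit
 * seconds counter wraps in 2036, era 1 from then until 2172, and so on. */
int64_t era_of_unix(int64_t unix_secs)
{
    int64_t ntp = unix_secs + NTP_UNIX_OFFSET;
    int64_t era = ntp / ERA_SECONDS;
    if (ntp < 0 && ntp % ERA_SECONDS != 0)
        era--;
    return era;
}

int main(void)
{
    /* constructed: a daemon built at Unix time 1700000000 (November 2023) */
    const int64_t build = 1700000000LL;
    const uint32_t samples[] = {
        3913056000u,   /* 2024-01-01, well inside the window */
        114021504u,    /* a 2039 timestamp, already wrapped past 2036 */
        3258988800u,   /* a 2003 timestamp, older than the 10-year look-back */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t u = ntp_secs_to_unix(samples[i], build);
        printf("ntp %10u -> unix %lld (era %lld)\n",
               (unsigned)samples[i], (long long)u, (long long)era_of_unix(u));
    }
    return 0;
}
```

The third sample shows the trade-off the text describes: a timestamp from 2003 is more than ten years before the build, so it is no longer in the accepted window and lands in the next era (2139). That is the price of being able to recognise timestamps up to 126 years ahead, and it is why the pivot must come from the build date rather than from a fixed midpoint.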

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration.  There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent.  I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command
recently.

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right.  As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd.  In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations.  There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc.  If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent.  If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
lists these.

---
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

Focus: Bug fixes

Severity: Medium

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g. fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include the missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

---
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

Build system

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository

ntpd

* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
  drivers
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq

ntpdc

* Fix timerstats reporting

ntpdate

* Reduce time required to set clock
* Allow a timeout greater than 2 seconds

sntp

* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)

Documentation

* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message).  In this case:

	* If an attacker spoofs the source address of ntpd host A in a
	  mode 7 response packet sent to ntpd host B, both A and B will
	  continuously send each other error responses, for as long as
	  those packets get through.

	* If an attacker spoofs an address of ntpd host A in a mode 7
	  response packet sent to ntpd host A, A will respond to itself
	  endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.
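
  The following is an added Python example, not ntpd code and not part of
  this NEWS file, illustrating two points from these notes: the mode 6 /
  mode 7 distinction Dave Hart draws in the 4.2.8 entry above, and the
  [Sec 1331] reflection loop described here.  It decodes the first byte
  that every NTP packet shares (the low three bits are the mode) and the
  8-byte mode 7 header as laid out in ntpd's ntp_request.h (response and
  more bits, version, mode; auth bit and sequence; implementation; request
  code; 4-bit error code with 12-bit item count; 4-bit mbz with 12-bit item
  size).  It then models the reply policy the entry implies: a "restrict
  ... noquery" source is ignored, a mode 7 *response* is never answered, and
  a packet claiming to come from one of the daemon's own addresses is
  treated as spoofed.  The implementation number 3, request code 0, error
  code 2 and the sample addresses are constructed values chosen for the
  example; simulate_reflection() is a pure in-process model (no sockets)
  that counts how many error responses a pair of hosts would emit under the
  old "answer everything" behaviour versus the "answer requests only" rule.

```python
"""Classify NTP packets by mode and model the mode 7 error-response loop.

Added example for the NTP NEWS entry on CVE-2009-3563; not ntpd's code.
Header layout follows ntp_request.h:
  byte 0      R(1) M(1) VN(3) MODE(3)
  byte 1      A(1) SEQ(7)
  byte 2      implementation
  byte 3      request code
  bytes 4-5   ERR(4) NITEMS(12)
  bytes 6-7   MBZ(4) SIZE(12)
"""
import struct

MODE_PRIVATE = 7   # ntpdc
MODE_CONTROL = 6   # ntpq

MODE_NAMES = {
    0: "reserved", 1: "symmetric active", 2: "symmetric passive",
    3: "client", 4: "server", 5: "broadcast",
    MODE_CONTROL: "control (ntpq)", MODE_PRIVATE: "private (ntpdc)",
}


def ntp_mode(pkt: bytes) -> int:
    """Mode lives in the low three bits of the first byte of every NTP packet."""
    if not pkt:
        raise ValueError("empty packet")
    return pkt[0] & 0x07


def build_mode7(response: bool, err: int, version: int = 2,
                impl: int = 3, req: int = 0, seq: int = 0) -> bytes:
    """Build a minimal mode 7 packet (constructed values; zero payload)."""
    rm_vn_mode = (0x80 if response else 0x00) | ((version & 0x07) << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", rm_vn_mode, seq & 0x7F, impl, req,
                         (err & 0x0F) << 12, 0)
    return header + bytes(32)   # padding only; real packets carry data here


def parse_mode7_header(pkt: bytes) -> dict:
    """Decode the 8-byte mode 7 header; raise if the packet is not mode 7."""
    if len(pkt) < 8:
        raise ValueError("mode 7 header needs at least 8 bytes")
    rm_vn_mode, auth_seq, impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", pkt[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        raise ValueError("not a mode 7 packet")
    return {
        "response": bool(rm_vn_mode & 0x80),
        "more": bool(rm_vn_mode & 0x40),
        "version": (rm_vn_mode >> 3) & 0x07,
        "authenticated": bool(auth_seq & 0x80),
        "sequence": auth_seq & 0x7F,
        "implementation": impl,
        "request": req,
        "err": (err_nitems >> 12) & 0x0F,
        "nitems": err_nitems & 0x0FFF,
        "mbz": (mbz_size >> 12) & 0x0F,
        "itemsize": mbz_size & 0x0FFF,
    }


# Constructed samples: a plain request, and an error response (err=2) whose
# source address an attacker has forged.  Neither is a captured packet.
LEGIT_REQUEST = build_mode7(response=False, err=0)
SPOOFED_ERROR_RESPONSE = build_mode7(response=True, err=2)


def should_answer_mode7(pkt: bytes, src_addr: str, local_addrs: set,
                        noquery: bool) -> tuple:
    """Reply policy: ignore noquery sources, never answer a response,
    never answer a packet that claims to come from ourselves."""
    if noquery:
        return (False, "restrict noquery: mode 7 ignored")
    hdr = parse_mode7_header(pkt)
    if hdr["response"]:
        return (False, "response bit set: a response is never answered")
    if src_addr in local_addrs:
        return (False, "source is one of our own addresses: spoofed")
    return (True, "well-formed mode 7 request")


def simulate_reflection(answer_responses: bool, max_rounds: int = 50) -> int:
    """Model hosts A and B ping-ponging error responses after B receives a
    response forged to look like it came from A.  Returns the number of error
    responses emitted before the loop stops or max_rounds is reached.
    answer_responses=True is the old behaviour (reply to any odd mode 7
    packet); False is the rule that only genuine requests get a reply."""
    inbound = SPOOFED_ERROR_RESPONSE
    replies = 0
    for _ in range(max_rounds):
        if parse_mode7_header(inbound)["response"] and not answer_responses:
            break                     # the receiver drops it; loop is cut
        inbound = build_mode7(response=True, err=2)   # error response back
        replies += 1
    return replies


if __name__ == "__main__":
    print(MODE_NAMES[ntp_mode(LEGIT_REQUEST)])
    print(should_answer_mode7(SPOOFED_ERROR_RESPONSE, "192.0.2.10", {"192.0.2.1"}, False))
    print("old behaviour:", simulate_reflection(True, 20), "replies;",
          "requests-only:", simulate_reflection(False), "replies")
```

  The model deliberately keys the decision on the response bit rather than
  on the error code: the entry's second case (A talking to itself) needs
  only the response bit and the local-address check to be cut, and an
  attacker controls the error code anyway.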

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.

7669