xref: /freebsd/contrib/ntp/NEWS (revision a0b9e2e854027e6ff61fb075a1309dbc71c42b54)
1---
2NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
3
4Focus: Security, Bug fixes
5
6Severity: MEDIUM
7
8This release fixes one vulnerability: Associations that use CMAC
9authentication between ntpd from versions 4.2.8p11/4.3.97 and
104.2.8p14/4.3.100 will leak a small amount of memory for each packet.
11Eventually, ntpd will run out of memory and abort.
12
13It also fixes 13 other bugs.
14
15* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
16* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
17  - Thanks to Sylar Tao
18* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
19  - rewrite 'decodenetnum()' in terms of inet_pton
20* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
21  - limit number of receive buffers, with an iron reserve for refclocks
22* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
23* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
24* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
25  - integrated patch from Charles Claggett
26* [Bug 3659] Move definition of psl[] from ntp_config.h to
27  ntp_config.h <perlinger@ntp.org>
28* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
29* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
30  - fix by Gerry garvey
31* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
32  - thanks to Gerry Garvey
33* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
34  - patch by Gerry Garvey
35* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
36* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
37  - applied patch by Takao Abe
38
39---
40NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
41
42Focus: Security, Bug fixes, enhancements.
43
44Severity: MEDIUM
45
46This release fixes three vulnerabilities: a bug that causes causes an ntpd
47instance that is explicitly configured to override the default and allow
48ntpdc (mode 7) connections to be made to a server to read some uninitialized
49memory; fixes the case where an unmonitored ntpd using an unauthenticated
50association to its servers may be susceptible to a forged packet DoS attack;
51and fixes an attack against a client instance that uses a single
52unauthenticated time source.  It also fixes 46 other bugs and addresses
534 other issues.
54
55* [Sec 3610] process_control() should bail earlier on short packets. stenn@
56  - Reported by Philippe Antoine
57* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
58  - Reported by Miroslav Lichvar
59* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
60  - Reported by Miroslav Lichvar
61* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
62* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
63* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
64* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
65* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
66  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
67* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
68  - integrated patch by Cy Schubert
69* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
70  - applied patch by Gerry Garvey
71* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
72  - applied patch by Gerry Garvey
73* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
74  - integrated patch by Richard Steedman
75* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
76* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
77  - Reported by Martin Burnicki
78* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
79  - Reported by Philippe Antoine
80* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
81  - officially document new "trust date" mode bit for NMEA driver
82  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
83* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
84  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
85* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
86  - removed ffs() and fls() prototypes as per Brian Utterback
87* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
88	ntp_io.c <perlinger@ntp.org>
89  - fixed byte and paramter order as suggested by wei6410@sina.com
90* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
91* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
92  - added padding as suggested by John Paul Adrian Glaubitz
93* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
94* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
95* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
96* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
97  - stdout+stderr are set to line buffered during test setup now
98* [Bug 3583] synchronization error <perlinger@ntp.org>
99  - set clock to base date if system time is before that limit
100* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
101* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
102  - Reported by Paulo Neves
103* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
104  - also updates for refclock_nmea.c and refclock_jupiter.c
105* [Bug 3576] New GPS date function API <perlinger@ntp.org>
106* [Bug 3573] nptdate: missleading error message <perlinger@ntp.org>
107* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
108* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
109  - sidekick: service port resolution in 'ntpdate'
110* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
111  - applied patch by Douglas Royds
112* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
113* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
114  - applied patch by Gerry Garvey
115* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
116  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
117  - fix wrong cond-compile tests in unit tests
118* [Bug 3517] Reducing build noise <perlinger@ntp.org>
119* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
120  - patch by Philipp Prindeville
121* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
122  - patch by Philipp Prindeville
123* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
124  - patch by Philipp Prindeville
125* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
126  - partial application of patch by Philipp Prindeville
127* [Bug 3491] Signed values of LFP datatypes should always display a sign
128  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
129* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
130  - applied (modified) patch by Richard Steedman
131* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
132  - applied patch by Gerry Garvey (with minor formatting changes)
133* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
134  - applied patch by Miroslav Lichvar
135* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
136  <perlinger@ntp.org>
137* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
138             is specified with -u <perlinger@ntp.org>
139  - monitor daemon child startup & propagate exit codes
140* [Bug 1433] runtime check whether the kernel really supports capabilities
141  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
142* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
143* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
144* Startup log improvements. <stenn@ntp.org>
145* Update the copyright year.
146
147---
148NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
149
150Focus: Security, Bug fixes, enhancements.
151
152Severity: MEDIUM
153
154This release fixes a bug that allows an attacker with access to an
155explicitly trusted source to send a crafted malicious mode 6 (ntpq)
156packet that can trigger a NULL pointer dereference, crashing ntpd.
157It also provides 17 other bugfixes and 1 other improvement:
158
159* [Sec 3565] Crafted null dereference attack in authenticated
160	     mode 6 packet <perlinger@ntp.org>
161  - reported by Magnus Stubman
162* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
163  - applied patch by Ian Lepore
164* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
165  - isolate and fix linux/windows specific code issue
166* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
167  - provide better function for incremental string formatting
168* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
169  - applied patch by Gerry Garvey
170* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
171  - original finding by Gerry Garvey, additional cleanup needed
172* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
173  - patch by Christous Zoulas
174* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
175  - finding by Chen Jiabin, plus another one by me
176* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
177  - applied patch by Maciej Szmigiero
178* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
179  - applied patch by Andre Charbonneau
180* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
181  - applied patch by Baruch Siach
182* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
183  - applied patch by Baruch Siach
184* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
185  - refactored handling of GPS era based on 'tos basedate' for
186    parse (TSIP) and JUPITER clocks
187* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
188  - patch by Daniel J. Luke; this does not fix a potential linker
189    regression issue on MacOS.
190* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
191  anomaly <perlinger@ntp.org>, reported by GGarvey.
192  - --enable-bug3527-fix support by HStenn
193* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
194  - applied patch by Gerry Garvey
195* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
196  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
197* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
198  - this is a variant of [bug 3558] and should be fixed with it
199* Implement 'configure --disable-signalled-io'
200
201--
202NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
203
204Focus: Security, Bug fixes, enhancements.
205
206Severity: MEDIUM
207
208This release fixes a "hole" in the noepeer capability introduced to ntpd
209in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
210ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
211
212* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
213
214* [Sec 3012] Fix a hole in the new "noepeer" processing.
215
216* Bug Fixes:
217 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
218 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
219            other TrustedBSD platforms
220 - applied patch by Ian Lepore <perlinger@ntp.org>
221 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
222 - changed interaction with SCM to signal pending startup
223 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
224 - applied patch by Gerry Garvey
225 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
226 - applied patch by Gerry Garvey
227 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
228 - rework of ntpq 'nextvar()' key/value parsing
229 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
230 - applied patch by Gerry Garvey (with mods)
231 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
232 - applied patch by Gerry Garvey
233 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
234 - applied patch by Gerry Garvey (with mods)
235 [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
236 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
237 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
238 - applied patch by Gerry Garvey
239 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
240 - applied patch by Gerry Garvey
241 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
242 - add #define ENABLE_CMAC support in configure.  HStenn.
243 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
244 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
245 - patch by Stephen Friedl
246 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
247 - fixed IO redirection and CTRL-C handling in ntq and ntpdc
248 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
249 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
250 - initial patch by Hal Murray; also fixed refclock_report() trouble
251 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
252 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
253 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
254 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
255 - applied patch by Gerry Garvey
256 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
257 - applied patch by Gerry Garvey
258 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
259 with modifications
260 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
261 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
262 - applied patch by Miroslav Lichvar
263 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
264 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
265 - integrated patch by  Reinhard Max
266 [Bug 2821] minor build issues <perlinger@ntp.org>
267 - applied patches by Christos Zoulas, including real bug fixes
268 html/authopt.html: cleanup, from <stenn@ntp.org>
269 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
270 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
271
272--
273NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
274
275Focus: Security, Bug fixes, enhancements.
276
277Severity: MEDIUM
278
279This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
280vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
281provides 65 other non-security fixes and improvements:
282
283* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
284	association (LOW/MED)
285   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
286   References: Sec 3454 / CVE-2018-7185 / VU#961909
287   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
288   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
289	2.9 and 6.8.
290   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
291	score between 2.6 and 3.1
292   Summary:
293	The NTP Protocol allows for both non-authenticated and
294	authenticated associations, in client/server, symmetric (peer),
295	and several broadcast modes. In addition to the basic NTP
296	operational modes, symmetric mode and broadcast servers can
297	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
298	was inadvertently introduced into the protocol engine that
299	allows a non-authenticated zero-origin (reset) packet to reset
300	an authenticated interleaved peer association. If an attacker
301	can send a packet with a zero-origin timestamp and the source
302	IP address of the "other side" of an interleaved association,
303	the 'victim' ntpd will reset its association. The attacker must
304	continue sending these packets in order to maintain the
305	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
306	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
307	interleaved mode must be explicitly configured/enabled.
308   Mitigation:
309	Implement BCP-38.
310	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
311	    or the NTP Public Services Project Download Page.
312	If you are unable to upgrade to 4.2.8p11 or later and have
313	    'peer HOST xleave' lines in your ntp.conf file, remove the
314	    'xleave' option.
315	Have enough sources of time.
316	Properly monitor your ntpd instances.
317	If ntpd stops running, auto-restart it without -g .
318   Credit:
319   	This weakness was discovered by Miroslav Lichvar of Red Hat.
320
321* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
322	state (LOW/MED)
323   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
324   References: Sec 3453 / CVE-2018-7184 / VU#961909
325   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
326   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
327	Could score between 2.9 and 6.8.
328   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
329	Could score between 2.6 and 6.0.
330   Summary:
331   	The fix for NtpBug2952 was incomplete, and while it fixed one
332	problem it created another.  Specifically, it drops bad packets
333	before updating the "received" timestamp.  This means a
334	third-party can inject a packet with a zero-origin timestamp,
335	meaning the sender wants to reset the association, and the
336	transmit timestamp in this bogus packet will be saved as the
337	most recent "received" timestamp.  The real remote peer does
338	not know this value and this will disrupt the association until
339	the association resets.
340   Mitigation:
341	Implement BCP-38.
342	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
343	    or the NTP Public Services Project Download Page.
344	Use authentication with 'peer' mode.
345	Have enough sources of time.
346	Properly monitor your ntpd instances.
347	If ntpd stops running, auto-restart it without -g .
348   Credit:
349   	This weakness was discovered by Miroslav Lichvar of Red Hat.
350
351* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
352	peering (LOW)
353   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
354   References: Sec 3415 / CVE-2018-7170 / VU#961909
355   	       Sec 3012 / CVE-2016-1549 / VU#718152
356   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
357   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
358   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
359   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
360   Summary:
361	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
362	use a trustedkey and if one is not using the feature introduced in
363	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
364	specify which IPs can serve time, a malicious authenticated peer
365	-- i.e. one where the attacker knows the private symmetric key --
366	can create arbitrarily-many ephemeral associations in order to win
367	the clock selection of ntpd and modify a victim's clock.  Three
368	additional protections are offered in ntp-4.2.8p11.  One is the
369	new 'noepeer' directive, which disables symmetric passive
370	ephemeral peering. Another is the new 'ippeerlimit' directive,
371	which limits the number of peers that can be created from an IP.
372	The third extends the functionality of the 4th field in the
373	ntp.keys file to include specifying a subnet range.
374   Mitigation:
375	Implement BCP-38.
376	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
377	    or the NTP Public Services Project Download Page.
378	Use the 'noepeer' directive to prohibit symmetric passive
379	    ephemeral associations.
380	Use the 'ippeerlimit' directive to limit the number of peers
381	    that can be created from an IP.
382	Use the 4th argument in the ntp.keys file to limit the IPs and
383	    subnets that can be time servers.
384	Have enough sources of time.
385	Properly monitor your ntpd instances.
386	If ntpd stops running, auto-restart it without -g .
387   Credit:
388	This weakness was reported as Bug 3012 by Matthew Van Gundy of
389	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
390
391* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
392   Date Resolved: 27 Feb 2018
393   References: Sec 3414 / CVE-2018-7183 / VU#961909
394   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
395   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
396   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
397   Summary:
398   	ntpq is a monitoring and control program for ntpd.  decodearr()
399	is an internal function of ntpq that is used to -- wait for it --
400	decode an array in a response string when formatted data is being
401	displayed.  This is a problem in affected versions of ntpq if a
402	maliciously-altered ntpd returns an array result that will trip this
403	bug, or if a bad actor is able to read an ntpq request on its way to
404	a remote ntpd server and forge and send a response before the remote
405	ntpd sends its response.  It's potentially possible that the
406	malicious data could become injectable/executable code.
407   Mitigation:
408	Implement BCP-38.
409	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
410	    or the NTP Public Services Project Download Page.
411   Credit:
412	This weakness was discovered by Michael Macnair of Thales e-Security.
413
414* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
415	behavior and information leak (Info/Medium)
416   Date Resolved: 27 Feb 2018
417   References: Sec 3412 / CVE-2018-7182 / VU#961909
418   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
419   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
420   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
421	0.0 if C:N
422   Summary:
423	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
424	A malicious mode 6 packet can be sent to an ntpd instance, and
425	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
426	cause ctl_getitem() to read past the end of its buffer.
427   Mitigation:
428	Implement BCP-38.
429	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
430	    or the NTP Public Services Project Download Page.
431	Have enough sources of time.
432	Properly monitor your ntpd instances.
433	If ntpd stops running, auto-restart it without -g .
434   Credit:
435   	This weakness was discovered by Yihan Lian of Qihoo 360.
436
437* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
438   Also see Bug 3415, above.
439   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
440   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
441   References: Sec 3012 / CVE-2016-1549 / VU#718152
442   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
443	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
444   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
445   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
446   Summary:
447	ntpd can be vulnerable to Sybil attacks.  If a system is set up
448	to use a trustedkey and if one is not using the feature
449	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
450	ntp.keys file to specify which IPs can serve time, a malicious
451	authenticated peer -- i.e. one where the attacker knows the
452	private symmetric key -- can create arbitrarily-many ephemeral
453	associations in order to win the clock selection of ntpd and
454	modify a victim's clock.  Two additional protections are
455	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
456	disables symmetric passive ephemeral peering. The other extends
457	the functionality of the 4th field in the ntp.keys file to
458	include specifying a subnet range.
459   Mitigation:
460	Implement BCP-38.
461	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
462	    the NTP Public Services Project Download Page.
463	Use the 'noepeer' directive to prohibit symmetric passive
464	    ephemeral associations.
465	Use the 'ippeerlimit' directive to limit the number of peer
466	    associations from an IP.
467	Use the 4th argument in the ntp.keys file to limit the IPs
468	    and subnets that can be time servers.
469	Properly monitor your ntpd instances.
470   Credit:
471   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
472
473* Bug fixes:
474 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
475 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
476 - applied patch by Sean Haugh
477 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
478 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
479 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
480 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
481 - refactoring the MAC code, too
482 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
483 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
484 - applied patch by ggarvey
485 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
486 - applied patch by ggarvey (with minor mods)
487 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
488 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
489 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
490 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
491 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
492 - fixed several issues with hash algos in ntpd, sntp, ntpq,
493   ntpdc and the test suites <perlinger@ntp.org>
494 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
495 - initial patch by Daniel Pouzzner
496 [Bug 3423] QNX adjtime() implementation error checking is
497 wrong <perlinger@ntp.org>
498 [Bug 3417] ntpq ifstats packet counters can be negative
499 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
500 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
501 - raised receive buffer size to 1200 <perlinger@ntp.org>
502 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
503 analysis tool. <abe@ntp.org>
504 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
505 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
506 - fix/drop assumptions on OpenSSL libs directory layout
507 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
508 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
509 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
510 - patch contributed by Alexander Bluhm
511 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
512 rework of formatting & data transfer stuff in 'ntp_control.c'
513 avoids unecessary buffers and size limitations. <perlinger@ntp.org>
514 [Bug 3394] Leap second deletion does not work on ntpd clients
515 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
516 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
517 - increased mimimum stack size to 32kB <perlinger@ntp.org>
518 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
519 - reverted handling of PPS kernel consumer to 4.2.6 behavior
520 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
521 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
522 [Bug 3016] wrong error position reported for bad ":config pool"
523 - fixed location counter & ntpq output <perlinger@ntp.org>
524 [Bug 2900] libntp build order problem.  HStenn.
525 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
526 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
527 perlinger@ntp.org
528 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
529 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
530 Use strlcpy() to copy strings, not memcpy().  HStenn.
531 Typos.  HStenn.
532 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
533 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
534 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
535 Fix trivial warnings from 'make check'. perlinger@ntp.org
536 Fix bug in the override portion of the compiler hardening macro. HStenn.
537 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
538 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
539 sntp: tweak key file logging.  HStenn.
540 sntp: pkt_output(): Improve debug output.  HStenn.
541 update-leap: updates from Paul McMath.
542 When using pkg-config, report --modversion.  HStenn.
543 Clean up libevent configure checks.  HStenn.
544 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
545 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
546 authistrustedip() - use it in more places.  HStenn, JPerlinger.
547 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
548 Update ntp.keys .../N documentation.  HStenn.
549 Distribute testconf.yml.  HStenn.
550 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
551 Rename the configuration flag fifo variables.  HStenn.
552 Improve saveconfig output.  HStenn.
553 Decode restrict flags on receive() debug output.  HStenn.
554 Decode interface flags on receive() debug output.  HStenn.
555 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
556 Update the documentation in ntp.conf.def .  HStenn.
557 restrictions() must return restrict flags and ippeerlimit.  HStenn.
558 Update ntpq peer documentation to describe the 'p' type.  HStenn.
559 Rename restrict 'flags' to 'rflags.  Use an enum for the values.  HStenn.
560 Provide dump_restricts() for debugging.  HStenn.
561 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
562
563* Other items:
564
565* update-leap needs the following perl modules:
566	Net::SSLeay
567	IO::Socket::SSL
568
569* New sysstats variables: sys_lamport, sys_tsrounding
570See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
571sys_lamport counts the number of observed Lamport violations, while
572sys_tsrounding counts observed timestamp rounding events.
573
574* New ntp.conf items:
575
576- restrict ... noepeer
577- restrict ... ippeerlimit N
578
579The 'noepeer' directive will disallow all ephemeral/passive peer
580requests.
581
582The 'ippeerlimit' directive limits the number of time associations
583for each IP in the designated set of addresses.  This limit does not
584apply to explicitly-configured associations.  A value of -1, the current
585default, means an unlimited number of associations may connect from a
586single IP.  0 means "none", etc.  Ordinarily the only way multiple
587associations would come from the same IP would be if the remote side
588was using a proxy.  But a trusted machine might become compromised,
589in which case an attacker might spin up multiple authenticated sessions
590from different ports.  This directive should be helpful in this case.
591
592* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
593field may contain a /subnetbits specification, which identifies  the
594scope of IPs that may use this key.  This IP/subnet restriction can be
595used to limit the IPs that may use the key in most all situations where
596a key is used.
597--
598NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
599
600Focus: Security, Bug fixes, enhancements.
601
602Severity: MEDIUM
603
604This release fixes 5 medium-, 6 low-, and 4 informational-severity
605vulnerabilities, and provides 15 other non-security fixes and improvements:
606
607* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
608   Date Resolved: 21 Mar 2017
609   References: Sec 3389 / CVE-2017-6464 / VU#325339
610   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
611	ntp-4.3.0 up to, but not including ntp-4.3.94.
612   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
613   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
614   Summary:
615	A vulnerability found in the NTP server makes it possible for an
616	authenticated remote user to crash ntpd via a malformed mode
617	configuration directive.
618   Mitigation:
619	Implement BCP-38.
620	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
621	    the NTP Public Services Project Download Page
622	Properly monitor your ntpd instances, and auto-restart
623	    ntpd (without -g) if it stops running.
624   Credit:
625	This weakness was discovered by Cure53.
626
627* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
628    Date Resolved: 21 Mar 2017
629    References: Sec 3388 / CVE-2017-6462 / VU#325339
630    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
631    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
632    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
633    Summary:
634	There is a potential for a buffer overflow in the legacy Datum
635	Programmable Time Server refclock driver.  Here the packets are
636	processed from the /dev/datum device and handled in
637	datum_pts_receive().  Since an attacker would be required to
638	somehow control a malicious /dev/datum device, this does not
639	appear to be a practical attack and renders this issue "Low" in
640	terms of severity.
641   Mitigation:
642	If you have a Datum reference clock installed and think somebody
643	    may maliciously change the device, upgrade to 4.2.8p10, or
644	    later, from the NTP Project Download Page or the NTP Public
645	    Services Project Download Page
646	Properly monitor your ntpd instances, and auto-restart
647	    ntpd (without -g) if it stops running.
648   Credit:
649	This weakness was discovered by Cure53.
650
651* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
652   Date Resolved: 21 Mar 2017
653   References: Sec 3387 / CVE-2017-6463 / VU#325339
654   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
655	ntp-4.3.0 up to, but not including ntp-4.3.94.
656   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
657   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
658   Summary:
659	A vulnerability found in the NTP server allows an authenticated
660	remote attacker to crash the daemon by sending an invalid setting
661	via the :config directive.  The unpeer option expects a number or
662	an address as an argument.  In case the value is "0", a
663	segmentation fault occurs.
664   Mitigation:
665	Implement BCP-38.
666	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
667	    or the NTP Public Services Project Download Page
668	Properly monitor your ntpd instances, and auto-restart
669	    ntpd (without -g) if it stops running.
670   Credit:
671	This weakness was discovered by Cure53.
672
673* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
674   Date Resolved: 21 Mar 2017
675   References: Sec 3386
676   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
677	ntp-4.3.0 up to, but not including ntp-4.3.94.
678   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
679   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
680   Summary:
681	The NTP Mode 6 monitoring and control client, ntpq, uses the
682	function ntpq_stripquotes() to remove quotes and escape characters
683	from a given string.  According to the documentation, the function
684	is supposed to return the number of copied bytes but due to
685	incorrect pointer usage this value is always zero.  Although the
686	return value of this function is never used in the code, this
687	flaw could lead to a vulnerability in the future.  Since relying
688	on wrong return values when performing memory operations is a
689	dangerous practice, it is recommended to return the correct value
690	in accordance with the documentation pertinent to the code.
691   Mitigation:
692	Implement BCP-38.
693	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
694	    or the NTP Public Services Project Download Page
695	Properly monitor your ntpd instances, and auto-restart
696	    ntpd (without -g) if it stops running.
697   Credit:
698	This weakness was discovered by Cure53.
699
700* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
701   Date Resolved: 21 Mar 2017
702   References: Sec 3385
703   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
704	ntp-4.3.0 up to, but not including ntp-4.3.94.
705   Summary:
706	NTP makes use of several wrappers around the standard heap memory
707	allocation functions that are provided by libc.  This is mainly
708	done to introduce additional safety checks concentrated on
709	several goals.  First, they seek to ensure that memory is not
710	accidentally freed, secondly they verify that a correct amount
711	is always allocated and, thirdly, that allocation failures are
712	correctly handled.  There is an additional implementation for
713	scenarios where memory for a specific amount of items of the
714	same size needs to be allocated.  The handling can be found in
715	the oreallocarray() function for which a further number-of-elements
716	parameter needs to be provided.  Although no considerable threat
717	was identified as tied to a lack of use of this function, it is
718	recommended to correctly apply oreallocarray() as a preferred
719	option across all of the locations where it is possible.
720   Mitigation:
721	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
722	    or the NTP Public Services Project Download Page
723   Credit:
724	This weakness was discovered by Cure53.
725
726* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
727	PPSAPI ONLY) (Low)
728   Date Resolved: 21 Mar 2017
729   References: Sec 3384 / CVE-2017-6455 / VU#325339
730   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
731	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
732	including ntp-4.3.94.
733   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
734   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
735   Summary:
736	The Windows NT port has the added capability to preload DLLs
737	defined in the inherited global local environment variable
738	PPSAPI_DLLS.  The code contained within those libraries is then
739	called from the NTPD service, usually running with elevated
740	privileges. Depending on how securely the machine is setup and
741	configured, if ntpd is configured to use the PPSAPI under Windows
742	this can easily lead to a code injection.
743   Mitigation:
744	Implement BCP-38.
745	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
746	    or the NTP Public Services Project Download Page
747   Credit:
748   This weakness was discovered by Cure53.
749
750* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
751	installer ONLY) (Low)
752   Date Resolved: 21 Mar 2017
753   References: Sec 3383 / CVE-2017-6452 / VU#325339
754   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
755	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
756	to, but not including ntp-4.3.94.
757   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
758   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
759   Summary:
760	The Windows installer for NTP calls strcat(), blindly appending
761	the string passed to the stack buffer in the addSourceToRegistry()
762	function.  The stack buffer is 70 bytes smaller than the buffer
763	in the calling main() function.  Together with the initially
764	copied Registry path, the combination causes a stack buffer
765	overflow and effectively overwrites the stack frame.  The
766	passed application path is actually limited to 256 bytes by the
767	operating system, but this is not sufficient to assure that the
768	affected stack buffer is consistently protected against
769	overflowing at all times.
770   Mitigation:
771	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
772	or the NTP Public Services Project Download Page
773   Credit:
774	This weakness was discovered by Cure53.
775
776* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
777	installer ONLY) (Low)
778   Date Resolved: 21 Mar 2017
779   References: Sec 3382 / CVE-2017-6459 / VU#325339
780   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
781	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
782	up to, but not including ntp-4.3.94.
783   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
784   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
785   Summary:
786	The Windows installer for NTP calls strcpy() with an argument
787	that specifically contains multiple null bytes.  strcpy() only
788	copies a single terminating null character into the target
789	buffer instead of copying the required double null bytes in the
790	addKeysToRegistry() function.  As a consequence, a garbage
791	registry entry can be created.  The additional arsize parameter
792	is erroneously set to contain two null bytes and the following
793	call to RegSetValueEx() claims to be passing in a multi-string
794	value, though this may not be true.
795   Mitigation:
796	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
797	    or the NTP Public Services Project Download Page
798   Credit:
799	This weakness was discovered by Cure53.
800
801* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
802   References: Sec 3381
803   Summary:
804	The report says: Statically included external projects
805	potentially introduce several problems and the issue of having
806	extensive amounts of code that is "dead" in the resulting binary
807	must clearly be pointed out.  The unnecessary unused code may or
808	may not contain bugs and, quite possibly, might be leveraged for
809	code-gadget-based branch-flow redirection exploits.  Analogically,
810	having source trees statically included as well means a failure
811	in taking advantage of the free feature for periodical updates.
812	This solution is offered by the system's Package Manager. The
813	three libraries identified are libisc, libevent, and libopts.
814   Resolution:
815	For libisc, we already only use a portion of the original library.
816	We've found and fixed bugs in the original implementation (and
817	offered the patches to ISC), and plan to see what has changed
818	since we last upgraded the code.  libisc is generally not
819	installed, and when it it we usually only see the static libisc.a
820	file installed.  Until we know for sure that the bugs we've found
821	and fixed are fixed upstream, we're better off with the copy we
822	are using.
823
824        Version 1 of libevent was the only production version available
825	until recently, and we've been requiring version 2 for a long time.
826	But if the build system has at least version 2 of libevent
827	installed, we'll use the version that is installed on the system.
828	Otherwise, we provide a copy of libevent that we know works.
829
830        libopts is provided by GNU AutoGen, and that library and package
831	undergoes frequent API version updates.  The version of autogen
832	used to generate the tables for the code must match the API
833	version in libopts.  AutoGen can be ... difficult to build and
834	install, and very few developers really need it.  So we have it
835	on our build and development machines, and we provide the
836	specific version of the libopts code in the distribution to make
837	sure that the proper API version of libopts is available.
838
839        As for the point about there being code in these libraries that
840	NTP doesn't use, OK.  But other packages used these libraries as
841	well, and it is reasonable to assume that other people are paying
842	attention to security and code quality issues for the overall
843	libraries.  It takes significant resources to analyze and
844	customize these libraries to only include what we need, and to
845	date we believe the cost of this effort does not justify the benefit.
846   Credit:
847	This issue was discovered by Cure53.
848
849* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
850   Date Resolved: 21 Mar 2017
851   References: Sec 3380
852   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
853   	ntp-4.3.0 up to, but not including ntp-4.3.94.
854   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
855   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
856   Summary:
857	There is a fencepost error in a "recovery branch" of the code for
858	the Oncore GPS receiver if the communication link to the ONCORE
859	is weak / distorted and the decoding doesn't work.
860   Mitigation:
861        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
862	    the NTP Public Services Project Download Page
863        Properly monitor your ntpd instances, and auto-restart
864	    ntpd (without -g) if it stops running.
865   Credit:
866	This weakness was discovered by Cure53.
867
868* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
869   Date Resolved: 21 Mar 2017
870   References: Sec 3379 / CVE-2017-6458 / VU#325339
871   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
872	ntp-4.3.0 up to, but not including ntp-4.3.94.
873   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
874   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
875   Summary:
876	ntpd makes use of different wrappers around ctl_putdata() to
877	create name/value ntpq (mode 6) response strings.  For example,
878	ctl_putstr() is usually used to send string data (variable names
879	or string data).  The formatting code was missing a length check
880	for variable names.  If somebody explicitly created any unusually
881	long variable names in ntpd (longer than 200-512 bytes, depending
882	on the type of variable), then if any of these variables are
883	added to the response list it would overflow a buffer.
884   Mitigation:
885	Implement BCP-38.
886	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
887	    or the NTP Public Services Project Download Page
888	If you don't want to upgrade, then don't setvar variable names
889	    longer than 200-512 bytes in your ntp.conf file.
890	Properly monitor your ntpd instances, and auto-restart
891	    ntpd (without -g) if it stops running.
892   Credit:
893	This weakness was discovered by Cure53.
894
895* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
896   Date Resolved: 21 Mar 2017
897   References: Sec 3378 / CVE-2017-6451 / VU#325339
898   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
899	ntp-4.3.0 up to, but not including ntp-4.3.94.
900   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
901   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
902   Summary:
903	The legacy MX4200 refclock is only built if is specifically
904	enabled, and furthermore additional code changes are required to
905	compile and use it.  But it uses the libc functions snprintf()
906	and vsnprintf() incorrectly, which can lead to an out-of-bounds
907	memory write due to an improper handling of the return value of
908	snprintf()/vsnprintf().  Since the return value is used as an
909	iterator and it can be larger than the buffer's size, it is
910	possible for the iterator to point somewhere outside of the
911	allocated buffer space.  This results in an out-of-bound memory
912	write.  This behavior can be leveraged to overwrite a saved
913	instruction pointer on the stack and gain control over the
914	execution flow.  During testing it was not possible to identify
915	any malicious usage for this vulnerability.  Specifically, no
916	way for an attacker to exploit this vulnerability was ultimately
917	unveiled.  However, it has the potential to be exploited, so the
918	code should be fixed.
919   Mitigation, if you have a Magnavox MX4200 refclock:
920	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
921	    or the NTP Public Services Project Download Page.
922	Properly monitor your ntpd instances, and auto-restart
923	    ntpd (without -g) if it stops running.
924   Credit:
925	This weakness was discovered by Cure53.
926
927* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
928	malicious ntpd (Medium)
929   Date Resolved: 21 Mar 2017
930   References: Sec 3377 / CVE-2017-6460 / VU#325339
931   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
932	ntp-4.3.0 up to, but not including ntp-4.3.94.
933   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
934   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
935   Summary:
936	A stack buffer overflow in ntpq can be triggered by a malicious
937	ntpd server when ntpq requests the restriction list from the server.
938	This is due to a missing length check in the reslist() function.
939	It occurs whenever the function parses the server's response and
940	encounters a flagstr variable of an excessive length.  The string
941	will be copied into a fixed-size buffer, leading to an overflow on
942	the function's stack-frame.  Note well that this problem requires
943	a malicious server, and affects ntpq, not ntpd.
944   Mitigation:
945	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
946	    or the NTP Public Services Project Download Page
947	If you can't upgrade your version of ntpq then if you want to know
948	    the reslist of an instance of ntpd that you do not control,
949	    know that if the target ntpd is malicious that it can send back
950	    a response that intends to crash your ntpq process.
951   Credit:
952	This weakness was discovered by Cure53.
953
954* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
955   Date Resolved: 21 Mar 2017
956   References: Sec 3376
957   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
958	ntp-4.3.0 up to, but not including ntp-4.3.94.
959   CVSS2: N/A
960   CVSS3: N/A
961   Summary:
962	The build process for NTP has not, by default, provided compile
963	or link flags to offer "hardened" security options.  Package
964	maintainers have always been able to provide hardening security
965	flags for their builds.  As of ntp-4.2.8p10, the NTP build
966	system has a way to provide OS-specific hardening flags.  Please
967	note that this is still not a really great solution because it
968	is specific to NTP builds.  It's inefficient to have every
969	package supply, track and maintain this information for every
970	target build.  It would be much better if there was a common way
971	for OSes to provide this information in a way that arbitrary
972	packages could benefit from it.
973   Mitigation:
974	Implement BCP-38.
975	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
976	    or the NTP Public Services Project Download Page
977	Properly monitor your ntpd instances, and auto-restart
978	    ntpd (without -g) if it stops running.
979   Credit:
980	This weakness was reported by Cure53.
981
982* 0rigin DoS (Medium)
983   Date Resolved: 21 Mar 2017
984   References: Sec 3361 / CVE-2016-9042 / VU#325339
985   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
986   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
987   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
988   Summary:
989	An exploitable denial of service vulnerability exists in the
990	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
991	crafted unauthenticated network packet can be used to reset the
992	expected origin timestamp for target peers.  Legitimate replies
993	from targeted peers will fail the origin timestamp check (TEST2)
994	causing the reply to be dropped and creating a denial of service
995	condition.  This vulnerability can only be exploited if the
996	attacker can spoof all of the servers.
997   Mitigation:
998	Implement BCP-38.
999	Configure enough servers/peers that an attacker cannot target
1000	    all of your time sources.
1001	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1002	    or the NTP Public Services Project Download Page
1003	Properly monitor your ntpd instances, and auto-restart
1004	    ntpd (without -g) if it stops running.
1005   Credit:
1006	This weakness was discovered by Matthew Van Gundy of Cisco.
1007
1008Other fixes:
1009
1010* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
1011* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
1012  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
1013* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
1014* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
1015  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
1016  - original patch by Majdi S. Abbas
1017* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
1018* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
1019  - initial patch by Christos Zoulas
1020* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
1021  - move loader API from 'inline' to proper source
1022  - augment pathless dlls with absolute path to NTPD
1023  - use 'msyslog()' instead of 'printf() 'for reporting trouble
1024* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
1025  - applied patch by Matthew Van Gundy
1026* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
1027  - applied some of the patches provided by Havard. Not all of them
1028    still match the current code base, and I did not touch libopt.
1029* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
1030  - applied patch by Reinhard Max. See bugzilla for limitations.
1031* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
1032  - fixed dependency inversion from [Bug 2837]
1033* [Bug 2896] Nothing happens if minsane < maxclock < minclock
1034  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
1035* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
1036  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
1037* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
1038  - Fixed these and some more locations of this pattern.
1039    Probably din't get them all, though. <perlinger@ntp.org>
1040* Update copyright year.
1041
1042--
1043(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
1044
1045* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
1046  - added missed changeset for automatic openssl lib detection
1047  - fixed some minor warning issues
1048* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
1049* configure.ac cleanup.  stenn@ntp.org
1050* openssl configure cleanup.  stenn@ntp.org
1051
1052--
1053NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
1054
1055Focus: Security, Bug fixes, enhancements.
1056
1057Severity: HIGH
1058
1059In addition to bug fixes and enhancements, this release fixes the
1060following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
10615 low-severity vulnerabilities, and provides 28 other non-security
1062fixes and improvements:
1063
1064* Trap crash
1065   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1066   References: Sec 3119 / CVE-2016-9311 / VU#633847
1067   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1068   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1069   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
1070   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
1071   Summary:
1072	ntpd does not enable trap service by default. If trap service
1073	has been explicitly enabled, an attacker can send a specially
1074	crafted packet to cause a null pointer dereference that will
1075	crash ntpd, resulting in a denial of service.
1076   Mitigation:
1077        Implement BCP-38.
1078	Use "restrict default noquery ..." in your ntp.conf file. Only
1079	    allow mode 6 queries from trusted networks and hosts.
1080        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1081	    or the NTP Public Services Project Download Page
1082        Properly monitor your ntpd instances, and auto-restart ntpd
1083	    (without -g) if it stops running.
1084   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1085
1086* Mode 6 information disclosure and DDoS vector
1087   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1088   References: Sec 3118 / CVE-2016-9310 / VU#633847
1089   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1090	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1091   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1092   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1093   Summary:
1094	An exploitable configuration modification vulnerability exists
1095	in the control mode (mode 6) functionality of ntpd. If, against
1096	long-standing BCP recommendations, "restrict default noquery ..."
1097	is not specified, a specially crafted control mode packet can set
1098	ntpd traps, providing information disclosure and DDoS
1099	amplification, and unset ntpd traps, disabling legitimate
1100	monitoring. A remote, unauthenticated, network attacker can
1101	trigger this vulnerability.
1102   Mitigation:
1103        Implement BCP-38.
1104	Use "restrict default noquery ..." in your ntp.conf file.
1105        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1106	    or the NTP Public Services Project Download Page
1107        Properly monitor your ntpd instances, and auto-restart ntpd
1108	    (without -g) if it stops running.
1109   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1110
1111* Broadcast Mode Replay Prevention DoS
1112   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1113   References: Sec 3114 / CVE-2016-7427 / VU#633847
1114   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1115	ntp-4.3.90 up to, but not including ntp-4.3.94.
1116   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1117   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1118   Summary:
1119	The broadcast mode of NTP is expected to only be used in a
1120	trusted network. If the broadcast network is accessible to an
1121	attacker, a potentially exploitable denial of service
1122	vulnerability in ntpd's broadcast mode replay prevention
1123	functionality can be abused. An attacker with access to the NTP
1124	broadcast domain can periodically inject specially crafted
1125	broadcast mode NTP packets into the broadcast domain which,
1126	while being logged by ntpd, can cause ntpd to reject broadcast
1127	mode packets from legitimate NTP broadcast servers.
1128   Mitigation:
1129        Implement BCP-38.
1130        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1131	    or the NTP Public Services Project Download Page
1132        Properly monitor your ntpd instances, and auto-restart ntpd
1133	    (without -g) if it stops running.
1134   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1135
1136* Broadcast Mode Poll Interval Enforcement DoS
1137   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1138   References: Sec 3113 / CVE-2016-7428 / VU#633847
1139   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1140	ntp-4.3.90 up to, but not including ntp-4.3.94
1141   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1142   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1143   Summary:
1144	The broadcast mode of NTP is expected to only be used in a
1145	trusted network. If the broadcast network is accessible to an
1146	attacker, a potentially exploitable denial of service
1147	vulnerability in ntpd's broadcast mode poll interval enforcement
1148	functionality can be abused. To limit abuse, ntpd restricts the
1149	rate at which each broadcast association will process incoming
1150	packets. ntpd will reject broadcast mode packets that arrive
1151	before the poll interval specified in the preceding broadcast
1152	packet expires. An attacker with access to the NTP broadcast
1153	domain can send specially crafted broadcast mode NTP packets to
1154	the broadcast domain which, while being logged by ntpd, will
1155	cause ntpd to reject broadcast mode packets from legitimate NTP
1156	broadcast servers.
1157   Mitigation:
1158        Implement BCP-38.
1159        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1160	    or the NTP Public Services Project Download Page
1161        Properly monitor your ntpd instances, and auto-restart ntpd
1162	    (without -g) if it stops running.
1163   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1164
1165* Windows: ntpd DoS by oversized UDP packet
1166   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1167   References: Sec 3110 / CVE-2016-9312 / VU#633847
1168   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1169	and ntp-4.3.0 up to, but not including ntp-4.3.94.
1170   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1171   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1172   Summary:
1173	If a vulnerable instance of ntpd on Windows receives a crafted
1174	malicious packet that is "too big", ntpd will stop working.
1175   Mitigation:
1176        Implement BCP-38.
1177        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1178	    or the NTP Public Services Project Download Page
1179        Properly monitor your ntpd instances, and auto-restart ntpd
1180	    (without -g) if it stops running.
1181   Credit: This weakness was discovered by Robert Pajak of ABB.
1182
1183* 0rigin (zero origin) issues
1184   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1185   References: Sec 3102 / CVE-2016-7431 / VU#633847
1186   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1187   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1188   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1189   Summary:
1190	Zero Origin timestamp problems were fixed by Bug 2945 in
1191	ntp-4.2.8p6. However, subsequent timestamp validation checks
1192	introduced a regression in the handling of some Zero origin
1193	timestamp checks.
1194   Mitigation:
1195        Implement BCP-38.
1196        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1197	    or the NTP Public Services Project Download Page
1198        Properly monitor your ntpd instances, and auto-restart ntpd
1199	    (without -g) if it stops running.
1200   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1201	Malhotra of Boston University.
1202
1203* read_mru_list() does inadequate incoming packet checks
1204   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1205   References: Sec 3082 / CVE-2016-7434 / VU#633847
1206   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1207	ntp-4.3.0 up to, but not including ntp-4.3.94.
1208   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1209   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1210   Summary:
1211	If ntpd is configured to allow mrulist query requests from a
1212	server that sends a crafted malicious packet, ntpd will crash
1213	on receipt of that crafted malicious mrulist query packet.
1214   Mitigation:
1215	Only allow mrulist query packets from trusted hosts.
1216        Implement BCP-38.
1217        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1218	    or the NTP Public Services Project Download Page
1219        Properly monitor your ntpd instances, and auto-restart ntpd
1220	    (without -g) if it stops running.
1221   Credit: This weakness was discovered by Magnus Stubman.
1222
1223* Attack on interface selection
1224   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1225   References: Sec 3072 / CVE-2016-7429 / VU#633847
1226   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1227	ntp-4.3.0 up to, but not including ntp-4.3.94
1228   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1229   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1230   Summary:
1231	When ntpd receives a server response on a socket that corresponds
1232	to a different interface than was used for the request, the peer
1233	structure is updated to use the interface for new requests. If
1234	ntpd is running on a host with multiple interfaces in separate
1235	networks and the operating system doesn't check source address in
1236	received packets (e.g. rp_filter on Linux is set to 0), an
1237	attacker that knows the address of the source can send a packet
1238	with spoofed source address which will cause ntpd to select wrong
1239	interface for the source and prevent it from sending new requests
1240	until the list of interfaces is refreshed, which happens on
1241	routing changes or every 5 minutes by default. If the attack is
1242	repeated often enough (once per second), ntpd will not be able to
1243	synchronize with the source.
1244   Mitigation:
1245        Implement BCP-38.
1246        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1247	    or the NTP Public Services Project Download Page
1248	If you are going to configure your OS to disable source address
1249	    checks, also configure your firewall configuration to control
1250	    what interfaces can receive packets from what networks.
1251        Properly monitor your ntpd instances, and auto-restart ntpd
1252	    (without -g) if it stops running.
1253   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1254
1255* Client rate limiting and server responses
1256   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1257   References: Sec 3071 / CVE-2016-7426 / VU#633847
1258   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1259	ntp-4.3.0 up to, but not including ntp-4.3.94
1260   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1261   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1262   Summary:
1263	When ntpd is configured with rate limiting for all associations
1264	(restrict default limited in ntp.conf), the limits are applied
1265	also to responses received from its configured sources. An
1266	attacker who knows the sources (e.g., from an IPv4 refid in
1267	server response) and knows the system is (mis)configured in this
1268	way can periodically send packets with spoofed source address to
1269	keep the rate limiting activated and prevent ntpd from accepting
1270	valid responses from its sources.
1271
1272	While this blanket rate limiting can be useful to prevent
1273	brute-force attacks on the origin timestamp, it allows this DoS
1274	attack. Similarly, it allows the attacker to prevent mobilization
1275	of ephemeral associations.
1276   Mitigation:
1277        Implement BCP-38.
1278        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1279	    or the NTP Public Services Project Download Page
1280        Properly monitor your ntpd instances, and auto-restart ntpd
1281	    (without -g) if it stops running.
1282   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1283
1284* Fix for bug 2085 broke initial sync calculations
1285   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1286   References: Sec 3067 / CVE-2016-7433 / VU#633847
1287   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1288	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1289	root-distance calculation in general is incorrect in all versions
1290	of ntp-4 until this release.
1291   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1292   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1293   Summary:
1294	Bug 2085 described a condition where the root delay was included
1295	twice, causing the jitter value to be higher than expected. Due
1296	to a misinterpretation of a small-print variable in The Book, the
1297	fix for this problem was incorrect, resulting in a root distance
1298	that did not include the peer dispersion. The calculations and
1299	formulae have been reviewed and reconciled, and the code has been
1300	updated accordingly.
1301   Mitigation:
1302        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1303	    or the NTP Public Services Project Download Page
1304        Properly monitor your ntpd instances, and auto-restart ntpd
1305	    (without -g) if it stops running.
1306   Credit: This weakness was discovered independently by Brian Utterback of
1307	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1308
1309Other fixes:
1310
1311* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1312* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1313* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1314  - moved retry decision where it belongs. <perlinger@ntp.org>
1315* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1316  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1317* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1318* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1319  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1320* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1321  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1322  - added shim layer for SSL API calls with issues (both directions)
1323* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1324  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1325* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1326* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1327  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1328* [Bug 3067] Root distance calculation needs improvement.  HStenn
1329* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1330  - PPS-HACK works again.
1331* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1332  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1333* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1334* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1335  <perlinger@ntp.org>
1336  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1337* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1338  - Patch provided by Kuramatsu.
1339* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1340  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1341* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1342* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1343* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1344* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1345  - fixed GPS week expansion to work based on build date. Special thanks
1346    to Craig Leres for initial patch and testing.
1347* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1348  - fixed Makefile.am <perlinger@ntp.org>
1349* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1350             even if it is very old <perlinger@ntp.org>
1351  - make sure PPS source is alive before processing samples
1352  - improve stability close to the 500ms phase jump (phase gate)
1353* Fix typos in include/ntp.h.
1354* Shim X509_get_signature_nid() if needed
1355* git author attribution cleanup
1356* bk ignore file cleanup
1357* remove locks in Windows IO, use rpc-like thread synchronisation instead
1358
1359---
1360NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1361
1362Focus: Security, Bug fixes, enhancements.
1363
1364Severity: HIGH
1365
1366In addition to bug fixes and enhancements, this release fixes the
1367following 1 high- and 4 low-severity vulnerabilities:
1368
1369* CRYPTO_NAK crash
1370   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1371   References: Sec 3046 / CVE-2016-4957 / VU#321640
1372   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1373   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1374   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1375   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1376	could cause ntpd to crash.
1377   Mitigation:
1378        Implement BCP-38.
1379        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1380	    or the NTP Public Services Project Download Page
1381        If you cannot upgrade from 4.2.8p7, the only other alternatives
1382	    are to patch your code or filter CRYPTO_NAK packets.
1383        Properly monitor your ntpd instances, and auto-restart ntpd
1384	    (without -g) if it stops running.
1385   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1386
1387* Bad authentication demobilizes ephemeral associations
1388   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1389   References: Sec 3045 / CVE-2016-4953 / VU#321640
1390   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1391	ntp-4.3.0 up to, but not including ntp-4.3.93.
1392   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1393   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1394   Summary: An attacker who knows the origin timestamp and can send a
1395	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1396	target before any other response is sent can demobilize that
1397	association.
1398   Mitigation:
1399	Implement BCP-38.
1400	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1401	    or the NTP Public Services Project Download Page
1402	Properly monitor your ntpd instances.
1403	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1404
1405* Processing spoofed server packets
1406   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1407   References: Sec 3044 / CVE-2016-4954 / VU#321640
1408   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1409	ntp-4.3.0 up to, but not including ntp-4.3.93.
1410   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1411   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1412   Summary: An attacker who is able to spoof packets with correct origin
1413	timestamps from enough servers before the expected response
1414	packets arrive at the target machine can affect some peer
1415	variables and, for example, cause a false leap indication to be set.
1416   Mitigation:
1417	Implement BCP-38.
1418	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1419	    or the NTP Public Services Project Download Page
1420	Properly monitor your ntpd instances.
1421   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1422
1423* Autokey association reset
1424   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1425   References: Sec 3043 / CVE-2016-4955 / VU#321640
1426   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1427	ntp-4.3.0 up to, but not including ntp-4.3.93.
1428   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1429   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1430   Summary: An attacker who is able to spoof a packet with a correct
1431	origin timestamp before the expected response packet arrives at
1432	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1433	the association's peer variables to be cleared. If this can be
1434	done often enough, it will prevent that association from working.
1435   Mitigation:
1436	Implement BCP-38.
1437	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1438	    or the NTP Public Services Project Download Page
1439	Properly monitor your ntpd instances.
1440   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1441
1442* Broadcast interleave
1443   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1444   References: Sec 3042 / CVE-2016-4956 / VU#321640
1445   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1446   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1447   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1448   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1449   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1450   	so broadcast clients can be triggered to flip into interleave mode.
1451   Mitigation:
1452	Implement BCP-38.
1453	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1454	    or the NTP Public Services Project Download Page
1455	Properly monitor your ntpd instances.
1456   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1457
1458Other fixes:
1459* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1460  - provide build environment
1461  - 'wint_t' and 'struct timespec' defined by VS2015
1462  - fixed print()/scanf() format issues
1463* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1464* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1465* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1466  JPerlinger, HStenn.
1467* Fix typo in ntp-wait and plot_summary.  HStenn.
1468* Make sure we have an "author" file for git imports.  HStenn.
1469* Update the sntp problem tests for MacOS.  HStenn.
1470
1471---
1472NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1473
1474Focus: Security, Bug fixes, enhancements.
1475
1476Severity: MEDIUM
1477
1478When building NTP from source, there is a new configure option
1479available, --enable-dynamic-interleave.  More information on this below.
1480
1481Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
1482versions of ntp.  These events have almost certainly happened in the
1483past, it's just that they were silently counted and not logged.  With
1484the increasing awareness around security, we feel it's better to clearly
1485log these events to help detect abusive behavior.  This increased
1486logging can also help detect other problems, too.
1487
1488In addition to bug fixes and enhancements, this release fixes the
1489following 9 low- and medium-severity vulnerabilities:
1490
1491* Improve NTP security against buffer comparison timing attacks,
1492  AKA: authdecrypt-timing
1493   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1494   References: Sec 2879 / CVE-2016-1550
1495   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1496	4.3.0 up to, but not including 4.3.92
1497   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1498   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1499   Summary: Packet authentication tests have been performed using
1500	memcmp() or possibly bcmp(), and it is potentially possible
1501	for a local or perhaps LAN-based attacker to send a packet with
1502	an authentication payload and indirectly observe how much of
1503	the digest has matched.
1504   Mitigation:
1505	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1506	    or the NTP Public Services Project Download Page.
1507	Properly monitor your ntpd instances.
1508   Credit: This weakness was discovered independently by Loganaden
1509   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
1510
1511* Zero origin timestamp bypass: Additional KoD checks.
1512   References: Sec 2945 / Sec 2901 / CVE-2015-8138
1513   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1514   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
1515
1516* peer associations were broken by the fix for NtpBug2899
1517   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1518   References: Sec 2952 / CVE-2015-7704
1519   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1520   	4.3.0 up to, but not including 4.3.92
1521   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1522   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1523   	associations did not address all of the issues.
1524   Mitigation:
1525        Implement BCP-38.
1526        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1527	    or the NTP Public Services Project Download Page
1528        If you can't upgrade, use "server" associations instead of
1529	    "peer" associations.
1530        Monitor your ntpd instances.
1531   Credit: This problem was discovered by Michael Tatarinov.
1532
1533* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1534   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1535   References: Sec 3007 / CVE-2016-1547 / VU#718152
1536   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1537	4.3.0 up to, but not including 4.3.92
1538   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1539   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1540   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1541	off-path attacker can cause a preemptable client association to
1542	be demobilized by sending a crypto NAK packet to a victim client
1543	with a spoofed source address of an existing associated peer.
1544	This is true even if authentication is enabled.
1545
1546	Furthermore, if the attacker keeps sending crypto NAK packets,
1547	for example one every second, the victim never has a chance to
1548	reestablish the association and synchronize time with that
1549	legitimate server.
1550
1551	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1552	stringent checks are performed on incoming packets, but there
1553	are still ways to exploit this vulnerability in versions before
1554	ntp-4.2.8p7.
1555   Mitigation:
1556	Implement BCP-38.
1557	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1558	    or the NTP Public Services Project Download Page
1559	Properly monitor your ntpd instances
1560   Credit: This weakness was discovered by Stephen Gray and
1561   	Matthew Van Gundy of Cisco ASIG.
1562
1563* ctl_getitem() return value not always checked
1564   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1565   References: Sec 3008 / CVE-2016-2519
1566   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1567	4.3.0 up to, but not including 4.3.92
1568   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1569   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1570   Summary: ntpq and ntpdc can be used to store and retrieve information
1571   	in ntpd. It is possible to store a data value that is larger
1572	than the size of the buffer that the ctl_getitem() function of
1573	ntpd uses to report the return value. If the length of the
1574	requested data value returned by ctl_getitem() is too large,
1575	the value NULL is returned instead. There are 2 cases where the
1576	return value from ctl_getitem() was not directly checked to make
1577	sure it's not NULL, but there are subsequent INSIST() checks
1578	that make sure the return value is not NULL. There are no data
1579	values ordinarily stored in ntpd that would exceed this buffer
1580	length. But if one has permission to store values and one stores
1581	a value that is "too large", then ntpd will abort if an attempt
1582	is made to read that oversized value.
1583    Mitigation:
1584        Implement BCP-38.
1585        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1586	    or the NTP Public Services Project Download Page
1587        Properly monitor your ntpd instances.
1588    Credit: This weakness was discovered by Yihan Lian of the Cloud
1589    	Security Team, Qihoo 360.
1590
1591* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1592   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1593   References: Sec 3009 / CVE-2016-2518 / VU#718152
1594   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1595	4.3.0 up to, but not including 4.3.92
1596   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1597   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1598   Summary: Using a crafted packet to create a peer association with
1599   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1600	out-of-bounds reference.
1601   Mitigation:
1602	Implement BCP-38.
1603	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1604	    or the NTP Public Services Project Download Page
1605	Properly monitor your ntpd instances
1606   Credit: This weakness was discovered by Yihan Lian of the Cloud
1607   	Security Team, Qihoo 360.
1608
1609* remote configuration trustedkey/requestkey/controlkey values are not
1610	properly validated
1611   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1612   References: Sec 3010 / CVE-2016-2517 / VU#718152
1613   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1614	4.3.0 up to, but not including 4.3.92
1615   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1616   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1617   Summary: If ntpd was expressly configured to allow for remote
1618   	configuration, a malicious user who knows the controlkey for
1619	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1620	can create a session with ntpd and then send a crafted packet to
1621	ntpd that will change the value of the trustedkey, controlkey,
1622	or requestkey to a value that will prevent any subsequent
1623	authentication with ntpd until ntpd is restarted.
1624   Mitigation:
1625	Implement BCP-38.
1626	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1627	    or the NTP Public Services Project Download Page
1628	Properly monitor your ntpd instances
1629   Credit: This weakness was discovered by Yihan Lian of the Cloud
1630   	Security Team, Qihoo 360.
1631
1632* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1633   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1634   References: Sec 3011 / CVE-2016-2516 / VU#718152
1635   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1636   	4.3.0 up to, but not including 4.3.92
1637   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1638   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1639   Summary: If ntpd was expressly configured to allow for remote
1640   	configuration, a malicious user who knows the controlkey for
1641	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1642	can create a session with ntpd and if an existing association is
1643	unconfigured using the same IP twice on the unconfig directive
1644	line, ntpd will abort.
1645   Mitigation:
1646	Implement BCP-38.
1647	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1648	    or the NTP Public Services Project Download Page
1649	Properly monitor your ntpd instances
1650   Credit: This weakness was discovered by Yihan Lian of the Cloud
1651   	Security Team, Qihoo 360.
1652
1653* Refclock impersonation vulnerability
1654   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1655   References: Sec 3020 / CVE-2016-1551
1656   Affects: On a very limited number of OSes, all NTP releases up to but
1657	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1658	By "very limited number of OSes" we mean no general-purpose OSes
1659	have yet been identified that have this vulnerability.
1660   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1661   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1662   Summary: While most OSes implement martian packet filtering in their
1663   	network stack, at least regarding 127.0.0.0/8, some will allow
1664	packets claiming to be from 127.0.0.0/8 that arrive over a
1665	physical network. On these OSes, if ntpd is configured to use a
1666	reference clock an attacker can inject packets over the network
1667	that look like they are coming from that reference clock.
1668   Mitigation:
1669        Implement martian packet filtering and BCP-38.
1670        Configure ntpd to use an adequate number of time sources.
1671        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1672	    or the NTP Public Services Project Download Page
1673        If you are unable to upgrade and if you are running an OS that
1674	    has this vulnerability, implement martian packet filters and
1675	    lobby your OS vendor to fix this problem, or run your
1676	    refclocks on computers that use OSes that are not vulnerable
1677	    to these attacks and have your vulnerable machines get their
1678	    time from protected resources.
1679        Properly monitor your ntpd instances.
1680   Credit: This weakness was discovered by Matt Street and others of
1681   	Cisco ASIG.
1682
1683The following issues were fixed in earlier releases and contain
1684improvements in 4.2.8p7:
1685
1686* Clients that receive a KoD should validate the origin timestamp field.
1687   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1688   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1689   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1690
1691* Skeleton key: passive server with trusted key can serve time.
1692   References: Sec 2936 / CVE-2015-7974
1693   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1694   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1695
1696Two other vulnerabilities have been reported, and the mitigations
1697for these are as follows:
1698
1699* Interleave-pivot
1700   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1701   References: Sec 2978 / CVE-2016-1548
1702   Affects: All ntp-4 releases.
1703   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1704   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1705   Summary: It is possible to change the time of an ntpd client or deny
1706   	service to an ntpd client by forcing it to change from basic
1707	client/server mode to interleaved symmetric mode. An attacker
1708	can spoof a packet from a legitimate ntpd server with an origin
1709	timestamp that matches the peer->dst timestamp recorded for that
1710	server. After making this switch, the client will reject all
1711	future legitimate server responses. It is possible to force the
1712	victim client to move time after the mode has been changed.
1713	ntpq gives no indication that the mode has been switched.
1714   Mitigation:
1715        Implement BCP-38.
1716        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1717	    or the NTP Public Services Project Download Page.  These
1718	    versions will not dynamically "flip" into interleave mode
1719	    unless configured to do so.
1720        Properly monitor your ntpd instances.
1721   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1722   	and separately by Jonathan Gardner of Cisco ASIG.
1723
1724* Sybil vulnerability: ephemeral association attack
1725   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1726   References: Sec 3012 / CVE-2016-1549
1727   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1728   	4.3.0 up to, but not including 4.3.92
1729   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1730   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1731   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1732   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1733	field in the ntp.keys file to specify which IPs can serve time,
1734	a malicious authenticated peer can create arbitrarily-many
1735	ephemeral associations in order to win the clock selection of
1736	ntpd and modify a victim's clock.
1737   Mitigation:
1738        Implement BCP-38.
1739        Use the 4th field in the ntp.keys file to specify which IPs
1740	    can be time servers.
1741        Properly monitor your ntpd instances.
1742   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1743
1744Other fixes:
1745
1746* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1747  - fixed yet another race condition in the threaded resolver code.
1748* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1749* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1750  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1751    with some modifications & unit tests
1752* [Bug 2960] async name resolution fixes for chroot() environments.
1753  Reinhard Max.
1754* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1755* [Bug 2995] Fixes to compile on Windows
1756* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1757* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1758  - Patch provided by Ch. Weisgerber
1759* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1760  - A change related to [Bug 2853] forbids trailing white space in
1761    remote config commands. perlinger@ntp.org
1762* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1763  - report and patch from Aleksandr Kostikov.
1764  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1765* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1766  - fixed memory leak in access list (auth[read]keys.c)
1767  - refactored handling of key access lists (auth[read]keys.c)
1768  - reduced number of error branches (authreadkeys.c)
1769* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1770* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1771* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1772             when the time of server changed. perlinger@ntp.org
1773  - Check the initial delay calculation and reject/unpeer the broadcast
1774    server if the delay exceeds 50ms. Retry again after the next
1775    broadcast packet.
1776* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1777* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1778* Update html/xleave.html documentation.  Harlan Stenn.
1779* Update ntp.conf documentation.  Harlan Stenn.
1780* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1781* Fix typo in html/monopt.html.  Harlan Stenn.
1782* Add README.pullrequests.  Harlan Stenn.
1783* Cleanup to include/ntp.h.  Harlan Stenn.
1784
1785New option to 'configure':
1786
1787While looking in to the issues around Bug 2978, the "interleave pivot"
1788issue, it became clear that there are some intricate and unresolved
1789issues with interleave operations.  We also realized that the interleave
1790protocol was never added to the NTPv4 Standard, and it should have been.
1791
1792Interleave mode was first released in July of 2008, and can be engaged
1793in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1794contain the 'xleave' option, which will expressly enable interlave mode
1795for that association.  Additionally, if a time packet arrives and is
1796found inconsistent with normal protocol behavior but has certain
1797characteristics that are compatible with interleave mode, NTP will
1798dynamically switch to interleave mode.  With sufficient knowledge, an
1799attacker can send a crafted forged packet to an NTP instance that
1800triggers only one side to enter interleaved mode.
1801
1802To prevent this attack until we can thoroughly document, describe,
1803fix, and test the dynamic interleave mode, we've added a new
1804'configure' option to the build process:
1805
1806 --enable-dynamic-interleave
1807
1808This option controls whether or not NTP will, if conditions are right,
1809engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1810default in ntp-4.2.8p7.
1811
1812---
1813NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1814
1815Focus: Security, Bug fixes, enhancements.
1816
1817Severity: MEDIUM
1818
1819In addition to bug fixes and enhancements, this release fixes the
1820following 1 low- and 8 medium-severity vulnerabilities:
1821
1822* Potential Infinite Loop in 'ntpq'
1823   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1824   References: Sec 2548 / CVE-2015-8158
1825   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1826	4.3.0 up to, but not including 4.3.90
1827   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1828   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1829   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1830	The loop's only stopping conditions are receiving a complete and
1831	correct response or hitting a small number of error conditions.
1832	If the packet contains incorrect values that don't trigger one of
1833	the error conditions, the loop continues to receive new packets.
1834	Note well, this is an attack against an instance of 'ntpq', not
1835	'ntpd', and this attack requires the attacker to do one of the
1836	following:
1837	* Own a malicious NTP server that the client trusts
1838	* Prevent a legitimate NTP server from sending packets to
1839	    the 'ntpq' client
1840	* MITM the 'ntpq' communications between the 'ntpq' client
1841	    and the NTP server
1842   Mitigation:
1843	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1844	or the NTP Public Services Project Download Page
1845   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1846
1847* 0rigin: Zero Origin Timestamp Bypass
1848   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1849   References: Sec 2945 / CVE-2015-8138
1850   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1851	4.3.0 up to, but not including 4.3.90
1852   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
1853   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1854	(3.7 - LOW if you score AC:L)
1855   Summary: To distinguish legitimate peer responses from forgeries, a
1856	client attempts to verify a response packet by ensuring that the
1857	origin timestamp in the packet matches the origin timestamp it
1858	transmitted in its last request.  A logic error exists that
1859	allows packets with an origin timestamp of zero to bypass this
1860	check whenever there is not an outstanding request to the server.
1861   Mitigation:
1862	Configure 'ntpd' to get time from multiple sources.
1863	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1864	    or the NTP Public Services Project Download Page.
1865	Monitor your 'ntpd' instances.
1866   Credit: This weakness was discovered by Matthey Van Gundy and
1867	Jonathan Gardner of Cisco ASIG.
1868
1869* Stack exhaustion in recursive traversal of restriction list
1870   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
1871   References: Sec 2940 / CVE-2015-7978
1872   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1873	4.3.0 up to, but not including 4.3.90
1874   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1875   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1876   	segmentation fault in ntpd by exhausting the call stack.
1877   Mitigation:
1878	Implement BCP-38.
1879	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1880	    or the NTP Public Services Project Download Page.
1881	If you are unable to upgrade:
1882            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1883	    If you must enable mode 7:
1884		configure the use of a 'requestkey' to control who can
1885		    issue mode 7 requests.
1886		configure 'restrict noquery' to further limit mode 7
1887		    requests to trusted sources.
1888		Monitor your ntpd instances.
1889   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
1890
1891* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
1892   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1893   References: Sec 2942 / CVE-2015-7979
1894   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1895	4.3.0 up to, but not including 4.3.90
1896   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
1897   Summary: An off-path attacker can send broadcast packets with bad
1898	authentication (wrong key, mismatched key, incorrect MAC, etc)
1899	to broadcast clients. It is observed that the broadcast client
1900	tears down the association with the broadcast server upon
1901	receiving just one bad packet.
1902   Mitigation:
1903	Implement BCP-38.
1904	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1905	or the NTP Public Services Project Download Page.
1906	Monitor your 'ntpd' instances.
1907	If this sort of attack is an active problem for you, you have
1908	    deeper problems to investigate.  In this case also consider
1909	    having smaller NTP broadcast domains.
1910   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1911   	University.
1912
1913* reslist NULL pointer dereference
1914   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1915   References: Sec 2939 / CVE-2015-7977
1916   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1917	4.3.0 up to, but not including 4.3.90
1918   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1919   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1920	segmentation fault in ntpd by causing a NULL pointer dereference.
1921   Mitigation:
1922	Implement BCP-38.
1923	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1924	the NTP Public Services Project Download Page.
1925	If you are unable to upgrade:
1926	    mode 7 is disabled by default.  Don't enable it.
1927	    If you must enable mode 7:
1928		configure the use of a 'requestkey' to control who can
1929		    issue mode 7 requests.
1930		configure 'restrict noquery' to further limit mode 7
1931		    requests to trusted sources.
1932	Monitor your ntpd instances.
1933   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1934
1935* 'ntpq saveconfig' command allows dangerous characters in filenames.
1936   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1937   References: Sec 2938 / CVE-2015-7976
1938   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1939	4.3.0 up to, but not including 4.3.90
1940   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1941   Summary: The ntpq saveconfig command does not do adequate filtering
1942   	of special characters from the supplied filename.
1943	Note well: The ability to use the saveconfig command is controlled
1944	by the 'restrict nomodify' directive, and the recommended default
1945	configuration is to disable this capability.  If the ability to
1946	execute a 'saveconfig' is required, it can easily (and should) be
1947	limited and restricted to a known small number of IP addresses.
1948   Mitigation:
1949	Implement BCP-38.
1950	use 'restrict default nomodify' in your 'ntp.conf' file.
1951	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1952	If you are unable to upgrade:
1953	    build NTP with 'configure --disable-saveconfig' if you will
1954	    	never need this capability, or
1955	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
1956		careful about what IPs have the ability to send 'modify'
1957		requests to 'ntpd'.
1958	Monitor your ntpd instances.
1959	'saveconfig' requests are logged to syslog - monitor your syslog files.
1960   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1961
1962* nextvar() missing length check in ntpq
1963   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1964   References: Sec 2937 / CVE-2015-7975
1965   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1966	4.3.0 up to, but not including 4.3.90
1967   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1968	If you score A:C, this becomes 4.0.
1969   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1970   Summary: ntpq may call nextvar() which executes a memcpy() into the
1971	name buffer without a proper length check against its maximum
1972	length of 256 bytes. Note well that we're taking about ntpq here.
1973	The usual worst-case effect of this vulnerability is that the
1974	specific instance of ntpq will crash and the person or process
1975	that did this will have stopped themselves.
1976   Mitigation:
1977	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1978	    or the NTP Public Services Project Download Page.
1979	If you are unable to upgrade:
1980	    If you have scripts that feed input to ntpq make sure there are
1981		some sanity checks on the input received from the "outside".
1982	    This is potentially more dangerous if ntpq is run as root.
1983   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1984
1985* Skeleton Key: Any trusted key system can serve time
1986   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1987   References: Sec 2936 / CVE-2015-7974
1988   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1989	4.3.0 up to, but not including 4.3.90
1990   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1991   Summary: Symmetric key encryption uses a shared trusted key. The
1992	reported title for this issue was "Missing key check allows
1993	impersonation between authenticated peers" and the report claimed
1994	"A key specified only for one server should only work to
1995	authenticate that server, other trusted keys should be refused."
1996	Except there has never been any correlation between this trusted
1997	key and server v. clients machines and there has never been any
1998	way to specify a key only for one server. We have treated this as
1999	an enhancement request, and ntp-4.2.8p6 includes other checks and
2000	tests to strengthen clients against attacks coming from broadcast
2001	servers.
2002   Mitigation:
2003	Implement BCP-38.
2004	If this scenario represents a real or a potential issue for you,
2005	    upgrade to 4.2.8p6, or later, from the NTP Project Download
2006	    Page or the NTP Public Services Project Download Page, and
2007	    use the new field in the ntp.keys file that specifies the list
2008	    of IPs that are allowed to serve time. Note that this alone
2009	    will not protect against time packets with forged source IP
2010	    addresses, however other changes in ntp-4.2.8p6 provide
2011	    significant mitigation against broadcast attacks. MITM attacks
2012	    are a different story.
2013	If you are unable to upgrade:
2014	    Don't use broadcast mode if you cannot monitor your client
2015	    	servers.
2016	    If you choose to use symmetric keys to authenticate time
2017	    	packets in a hostile environment where ephemeral time
2018		servers can be created, or if it is expected that malicious
2019		time servers will participate in an NTP broadcast domain,
2020		limit the number of participating systems that participate
2021		in the shared-key group.
2022	Monitor your ntpd instances.
2023   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
2024
2025* Deja Vu: Replay attack on authenticated broadcast mode
2026   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2027   References: Sec 2935 / CVE-2015-7973
2028   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2029   	4.3.0 up to, but not including 4.3.90
2030   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
2031   Summary: If an NTP network is configured for broadcast operations then
2032   	either a man-in-the-middle attacker or a malicious participant
2033	that has the same trusted keys as the victim can replay time packets.
2034   Mitigation:
2035	Implement BCP-38.
2036	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2037	    or the NTP Public Services Project Download Page.
2038	If you are unable to upgrade:
2039	    Don't use broadcast mode if you cannot monitor your client servers.
2040	Monitor your ntpd instances.
2041   Credit: This weakness was discovered by Aanchal Malhotra of Boston
2042	University.
2043
2044Other fixes:
2045
2046* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
2047* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
2048  - applied patch by shenpeng11@huawei.com with minor adjustments
2049* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
2050* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
2051* [Bug 2892] Several test cases assume IPv6 capabilities even when
2052             IPv6 is disabled in the build. perlinger@ntp.org
2053  - Found this already fixed, but validation led to cleanup actions.
2054* [Bug 2905] DNS lookups broken. perlinger@ntp.org
2055  - added limits to stack consumption, fixed some return code handling
2056* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2057  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2058  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
2059* [Bug 2980] reduce number of warnings. perlinger@ntp.org
2060  - integrated several patches from Havard Eidnes (he@uninett.no)
2061* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
2062  - implement 'auth_log2()' using integer bithack instead of float calculation
2063* Make leapsec_query debug messages less verbose.  Harlan Stenn.
2064
2065---
2066NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
2067
2068Focus: Security, Bug fixes, enhancements.
2069
2070Severity: MEDIUM
2071
2072In addition to bug fixes and enhancements, this release fixes the
2073following medium-severity vulnerability:
2074
2075* Small-step/big-step.  Close the panic gate earlier.
2076    References: Sec 2956, CVE-2015-5300
2077    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
2078	4.3.0 up to, but not including 4.3.78
2079    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
2080    Summary: If ntpd is always started with the -g option, which is
2081	common and against long-standing recommendation, and if at the
2082	moment ntpd is restarted an attacker can immediately respond to
2083	enough requests from enough sources trusted by the target, which
2084	is difficult and not common, there is a window of opportunity
2085	where the attacker can cause ntpd to set the time to an
2086	arbitrary value. Similarly, if an attacker is able to respond
2087	to enough requests from enough sources trusted by the target,
2088	the attacker can cause ntpd to abort and restart, at which
2089	point it can tell the target to set the time to an arbitrary
2090	value if and only if ntpd was re-started against long-standing
2091	recommendation with the -g flag, or if ntpd was not given the
2092	-g flag, the attacker can move the target system's time by at
2093	most 900 seconds' time per attack.
2094    Mitigation:
2095	Configure ntpd to get time from multiple sources.
2096	Upgrade to 4.2.8p5, or later, from the NTP Project Download
2097	    Page or the NTP Public Services Project Download Page
2098	As we've long documented, only use the -g option to ntpd in
2099	    cold-start situations.
2100	Monitor your ntpd instances.
2101    Credit: This weakness was discovered by Aanchal Malhotra,
2102	Isaac E. Cohen, and Sharon Goldberg at Boston University.
2103
2104    NOTE WELL: The -g flag disables the limit check on the panic_gate
2105	in ntpd, which is 900 seconds by default. The bug identified by
2106	the researchers at Boston University is that the panic_gate
2107	check was only re-enabled after the first change to the system
2108	clock that was greater than 128 milliseconds, by default. The
2109	correct behavior is that the panic_gate check should be
2110	re-enabled after any initial time correction.
2111
2112	If an attacker is able to inject consistent but erroneous time
2113	responses to your systems via the network or "over the air",
2114	perhaps by spoofing radio, cellphone, or navigation satellite
2115	transmissions, they are in a great position to affect your
2116	system's clock. There comes a point where your very best
2117	defenses include:
2118
2119	    Configure ntpd to get time from multiple sources.
2120	    Monitor your ntpd instances.
2121
2122Other fixes:
2123
2124* Coverity submission process updated from Coverity 5 to Coverity 7.
2125  The NTP codebase has been undergoing regular Coverity scans on an
2126  ongoing basis since 2006.  As part of our recent upgrade from
2127  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
2128  the newly-written Unity test programs.  These were fixed.
2129* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
2130* [Bug 2887] stratum -1 config results as showing value 99
2131  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
2132* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
2133* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
2134* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
2135  - applied patch by Christos Zoulas.  perlinger@ntp.org
2136* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
2137* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
2138  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
2139  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
2140* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
2141  - accept key file only if there are no parsing errors
2142  - fixed size_t/u_int format clash
2143  - fixed wrong use of 'strlcpy'
2144* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
2145* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
2146  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
2147  - promote use of 'size_t' for values that express a size
2148  - use ptr-to-const for read-only arguments
2149  - make sure SOCKET values are not truncated (win32-specific)
2150  - format string fixes
2151* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
2152* [Bug 2967] ntpdate command suffers an assertion failure
2153  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
2154* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
2155              lots of clients. perlinger@ntp.org
2156* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2157  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2158* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
2159* Unity test cleanup.  Harlan Stenn.
2160* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
2161* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
2162* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
2163* Quiet a warning from clang.  Harlan Stenn.
2164
2165---
2166NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
2167
2168Focus: Security, Bug fixes, enhancements.
2169
2170Severity: MEDIUM
2171
2172In addition to bug fixes and enhancements, this release fixes the
2173following 13 low- and medium-severity vulnerabilities:
2174
2175* Incomplete vallen (value length) checks in ntp_crypto.c, leading
2176  to potential crashes or potential code injection/information leakage.
2177
2178    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
2179    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2180    	and 4.3.0 up to, but not including 4.3.77
2181    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2182    Summary: The fix for CVE-2014-9750 was incomplete in that there were
2183    	certain code paths where a packet with particular autokey operations
2184	that contained malicious data was not always being completely
2185	validated. Receipt of these packets can cause ntpd to crash.
2186    Mitigation:
2187        Don't use autokey.
2188	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2189	    Page or the NTP Public Services Project Download Page
2190	Monitor your ntpd instances.
2191	Credit: This weakness was discovered by Tenable Network Security.
2192
2193* Clients that receive a KoD should validate the origin timestamp field.
2194
2195    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
2196    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2197	and 4.3.0 up to, but not including 4.3.77
2198    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2199    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2200    	KoD messages that have been forged by an attacker, causing it to
2201	delay or stop querying its servers for time updates. Also, an
2202	attacker can forge packets that claim to be from the target and
2203	send them to servers often enough that a server that implements
2204	KoD rate limiting will send the target machine a KoD response to
2205	attempt to reduce the rate of incoming packets, or it may also
2206	trigger a firewall block at the server for packets from the target
2207	machine. For either of these attacks to succeed, the attacker must
2208	know what servers the target is communicating with. An attacker
2209	can be anywhere on the Internet and can frequently learn the
2210	identity of the target's time source by sending the target a
2211	time query.
2212    Mitigation:
2213        Implement BCP-38.
2214	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
2215	    or the NTP Public Services Project Download Page
2216	If you can't upgrade, restrict who can query ntpd to learn who
2217	    its servers are, and what IPs are allowed to ask your system
2218	    for the time. This mitigation is heavy-handed.
2219	Monitor your ntpd instances.
2220    Note:
2221    	4.2.8p4 protects against the first attack. For the second attack,
2222    	all we can do is warn when it is happening, which we do in 4.2.8p4.
2223    Credit: This weakness was discovered by Aanchal Malhotra,
2224    	Issac E. Cohen, and Sharon Goldberg of Boston University.
2225
2226* configuration directives to change "pidfile" and "driftfile" should
2227  only be allowed locally.
2228
2229  References: Sec 2902 / CVE-2015-5196
2230  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2231	and 4.3.0 up to, but not including 4.3.77
2232   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
2233   Summary: If ntpd is configured to allow for remote configuration,
2234	and if the (possibly spoofed) source IP address is allowed to
2235	send remote configuration requests, and if the attacker knows
2236	the remote configuration password, it's possible for an attacker
2237	to use the "pidfile" or "driftfile" directives to potentially
2238	overwrite other files.
2239   Mitigation:
2240	Implement BCP-38.
2241	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2242	    Page or the NTP Public Services Project Download Page
2243	If you cannot upgrade, don't enable remote configuration.
2244	If you must enable remote configuration and cannot upgrade,
2245	    remote configuration of NTF's ntpd requires:
2246	    - an explicitly configured trustedkey, and you should also
2247	    	configure a controlkey.
2248	    - access from a permitted IP. You choose the IPs.
2249	    - authentication. Don't disable it. Practice secure key safety.
2250	Monitor your ntpd instances.
2251   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2252
2253* Slow memory leak in CRYPTO_ASSOC
2254
2255  References: Sec 2909 / CVE-2015-7701
2256  Affects: All ntp-4 releases that use autokey up to, but not
2257    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2258  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2259  	4.6 otherwise
2260  Summary: If ntpd is configured to use autokey, then an attacker can
2261	send packets to ntpd that will, after several days of ongoing
2262	attack, cause it to run out of memory.
2263  Mitigation:
2264	Don't use autokey.
2265	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2266	    Page or the NTP Public Services Project Download Page
2267	Monitor your ntpd instances.
2268  Credit: This weakness was discovered by Tenable Network Security.
2269
2270* mode 7 loop counter underrun
2271
2272  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2273  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2274  	and 4.3.0 up to, but not including 4.3.77
2275  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2276  Summary: If ntpd is configured to enable mode 7 packets, and if the
2277	use of mode 7 packets is not properly protected thru the use of
2278	the available mode 7 authentication and restriction mechanisms,
2279	and if the (possibly spoofed) source IP address is allowed to
2280	send mode 7 queries, then an attacker can send a crafted packet
2281	to ntpd that will cause it to crash.
2282  Mitigation:
2283	Implement BCP-38.
2284	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2285	    Page or the NTP Public Services Project Download Page.
2286	      If you are unable to upgrade:
2287	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2288	If you must enable mode 7:
2289	    configure the use of a requestkey to control who can issue
2290		mode 7 requests.
2291	    configure restrict noquery to further limit mode 7 requests
2292		to trusted sources.
2293	Monitor your ntpd instances.
2294Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2295
2296* memory corruption in password store
2297
2298  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2299  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2300  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2301  Summary: If ntpd is configured to allow remote configuration, and if
2302	the (possibly spoofed) source IP address is allowed to send
2303	remote configuration requests, and if the attacker knows the
2304	remote configuration password or if ntpd was configured to
2305	disable authentication, then an attacker can send a set of
2306	packets to ntpd that may cause a crash or theoretically
2307	perform a code injection attack.
2308  Mitigation:
2309	Implement BCP-38.
2310	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2311	    Page or the NTP Public Services Project Download Page.
2312	If you are unable to upgrade, remote configuration of NTF's
2313	    ntpd requires:
2314		an explicitly configured "trusted" key. Only configure
2315			this if you need it.
2316		access from a permitted IP address. You choose the IPs.
2317		authentication. Don't disable it. Practice secure key safety.
2318	Monitor your ntpd instances.
2319  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2320
2321* Infinite loop if extended logging enabled and the logfile and
2322  keyfile are the same.
2323
2324    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2325    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2326	and 4.3.0 up to, but not including 4.3.77
2327    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2328    Summary: If ntpd is configured to allow remote configuration, and if
2329	the (possibly spoofed) source IP address is allowed to send
2330	remote configuration requests, and if the attacker knows the
2331	remote configuration password or if ntpd was configured to
2332	disable authentication, then an attacker can send a set of
2333	packets to ntpd that will cause it to crash and/or create a
2334	potentially huge log file. Specifically, the attacker could
2335	enable extended logging, point the key file at the log file,
2336	and cause what amounts to an infinite loop.
2337    Mitigation:
2338	Implement BCP-38.
2339	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2340	    Page or the NTP Public Services Project Download Page.
2341	If you are unable to upgrade, remote configuration of NTF's ntpd
2342	  requires:
2343            an explicitly configured "trusted" key. Only configure this
2344	    	if you need it.
2345            access from a permitted IP address. You choose the IPs.
2346            authentication. Don't disable it. Practice secure key safety.
2347        Monitor your ntpd instances.
2348    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2349
2350* Potential path traversal vulnerability in the config file saving of
2351  ntpd on VMS.
2352
2353  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2354  Affects: All ntp-4 releases running under VMS up to, but not
2355	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2356  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2357  Summary: If ntpd is configured to allow remote configuration, and if
2358	the (possibly spoofed) IP address is allowed to send remote
2359	configuration requests, and if the attacker knows the remote
2360	configuration password or if ntpd was configured to disable
2361	authentication, then an attacker can send a set of packets to
2362	ntpd that may cause ntpd to overwrite files.
2363  Mitigation:
2364	Implement BCP-38.
2365	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2366	    Page or the NTP Public Services Project Download Page.
2367	If you are unable to upgrade, remote configuration of NTF's ntpd
2368	    requires:
2369		an explicitly configured "trusted" key. Only configure
2370			this if you need it.
2371		access from permitted IP addresses. You choose the IPs.
2372		authentication. Don't disable it. Practice key security safety.
2373        Monitor your ntpd instances.
2374    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2375
2376* ntpq atoascii() potential memory corruption
2377
2378  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2379  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2380	and 4.3.0 up to, but not including 4.3.77
2381  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2382  Summary: If an attacker can figure out the precise moment that ntpq
2383	is listening for data and the port number it is listening on or
2384	if the attacker can provide a malicious instance ntpd that
2385	victims will connect to then an attacker can send a set of
2386	crafted mode 6 response packets that, if received by ntpq,
2387	can cause ntpq to crash.
2388  Mitigation:
2389	Implement BCP-38.
2390	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2391	    Page or the NTP Public Services Project Download Page.
2392	If you are unable to upgrade and you run ntpq against a server
2393	    and ntpq crashes, try again using raw mode. Build or get a
2394	    patched ntpq and see if that fixes the problem. Report new
2395	    bugs in ntpq or abusive servers appropriately.
2396	If you use ntpq in scripts, make sure ntpq does what you expect
2397	    in your scripts.
2398  Credit: This weakness was discovered by Yves Younan and
2399  	Aleksander Nikolich of Cisco Talos.
2400
2401* Invalid length data provided by a custom refclock driver could cause
2402  a buffer overflow.
2403
2404  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2405  Affects: Potentially all ntp-4 releases running up to, but not
2406	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2407	that have custom refclocks
2408  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2409	5.9 unusual worst case
2410  Summary: A negative value for the datalen parameter will overflow a
2411	data buffer. NTF's ntpd driver implementations always set this
2412	value to 0 and are therefore not vulnerable to this weakness.
2413	If you are running a custom refclock driver in ntpd and that
2414	driver supplies a negative value for datalen (no custom driver
2415	of even minimal competence would do this) then ntpd would
2416	overflow a data buffer. It is even hypothetically possible
2417	in this case that instead of simply crashing ntpd the attacker
2418	could effect a code injection attack.
2419  Mitigation:
2420	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2421	    Page or the NTP Public Services Project Download Page.
2422	If you are unable to upgrade:
2423		If you are running custom refclock drivers, make sure
2424			the signed datalen value is either zero or positive.
2425	Monitor your ntpd instances.
2426  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2427
2428* Password Length Memory Corruption Vulnerability
2429
2430  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2431  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2432  	4.3.0 up to, but not including 4.3.77
2433  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2434  	1.7 usual case, 6.8, worst case
2435  Summary: If ntpd is configured to allow remote configuration, and if
2436	the (possibly spoofed) source IP address is allowed to send
2437	remote configuration requests, and if the attacker knows the
2438	remote configuration password or if ntpd was (foolishly)
2439	configured to disable authentication, then an attacker can
2440	send a set of packets to ntpd that may cause it to crash,
2441	with the hypothetical possibility of a small code injection.
2442  Mitigation:
2443	Implement BCP-38.
2444	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2445	    Page or the NTP Public Services Project Download Page.
2446	If you are unable to upgrade, remote configuration of NTF's
2447	    ntpd requires:
2448		an explicitly configured "trusted" key. Only configure
2449			this if you need it.
2450		access from a permitted IP address. You choose the IPs.
2451		authentication. Don't disable it. Practice secure key safety.
2452	Monitor your ntpd instances.
2453  Credit: This weakness was discovered by Yves Younan and
2454  	Aleksander Nikolich of Cisco Talos.
2455
2456* decodenetnum() will ASSERT botch instead of returning FAIL on some
2457  bogus values.
2458
2459  References: Sec 2922 / CVE-2015-7855
2460  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2461	4.3.0 up to, but not including 4.3.77
2462  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2463  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2464	an unusually long data value where a network address is expected,
2465	the decodenetnum() function will abort with an assertion failure
2466	instead of simply returning a failure condition.
2467  Mitigation:
2468	Implement BCP-38.
2469	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2470	    Page or the NTP Public Services Project Download Page.
2471	If you are unable to upgrade:
2472		mode 7 is disabled by default. Don't enable it.
2473		Use restrict noquery to limit who can send mode 6
2474			and mode 7 requests.
2475		Configure and use the controlkey and requestkey
2476			authentication directives to limit who can
2477			send mode 6 and mode 7 requests.
2478	Monitor your ntpd instances.
2479  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2480
2481* NAK to the Future: Symmetric association authentication bypass via
2482  crypto-NAK.
2483
2484  References: Sec 2941 / CVE-2015-7871
2485  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2486  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2487  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2488  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2489	from unauthenticated ephemeral symmetric peers by bypassing the
2490	authentication required to mobilize peer associations. This
2491	vulnerability appears to have been introduced in ntp-4.2.5p186
2492	when the code handling mobilization of new passive symmetric
2493	associations (lines 1103-1165) was refactored.
2494  Mitigation:
2495	Implement BCP-38.
2496	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2497	    Page or the NTP Public Services Project Download Page.
2498	If you are unable to upgrade:
2499		Apply the patch to the bottom of the "authentic" check
2500			block around line 1136 of ntp_proto.c.
2501	Monitor your ntpd instances.
2502  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2503
2504Backward-Incompatible changes:
2505* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2506  While the general default of 32M is still the case, under Linux
2507  the default value has been changed to -1 (do not lock ntpd into
2508  memory).  A value of 0 means "lock ntpd into memory with whatever
2509  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2510  value in it, that value will continue to be used.
2511
2512* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2513  If you've written a script that looks for this case in, say, the
2514  output of ntpq, you probably want to change your regex matches
2515  from 'outlyer' to 'outl[iy]er'.
2516
2517New features in this release:
2518* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2519  "don't lock ntpd into memore".  This is the default for Linux boxes.
2520  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2521  the value is the number of megabytes of memory to lock.  The default
2522  is 32 megabytes.
2523
2524* The old Google Test framework has been replaced with a new framework,
2525  based on http://www.throwtheswitch.org/unity/ .
2526
2527Bug Fixes and Improvements:
2528* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2529  privileges and limiting resources in NTPD removes the need to link
2530  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2531* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2532* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2533* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2534* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2535* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2536* [Bug 2849] Systems with more than one default route may never
2537  synchronize.  Brian Utterback.  Note that this patch might need to
2538  be reverted once Bug 2043 has been fixed.
2539* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2540* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2541* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2542* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2543* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2544* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2545  be configured for the distribution targets.  Harlan Stenn.
2546* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2547* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2548* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2549* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2550* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2551* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2552* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2553* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2554* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2555* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2556* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2557* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2558* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2559* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2560* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2561* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2562* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2563* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2564* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2565* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2566* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2567* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2568  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2569  formatting; first declaration, then code (C90); deleted unnecessary comments;
2570  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2571* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2572  fix formatting, cleanup. Tomasz Flendrich
2573* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2574  Tomasz Flendrich
2575* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2576  fix formatting. Tomasz Flendrich
2577* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2578* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2579* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2580  Tomasz Flendrich
2581* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2582* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2583* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2584* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2585* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2586* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2587* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2588fixed formatting. Tomasz Flendrich
2589* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2590  removed unnecessary comments, cleanup. Tomasz Flendrich
2591* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2592  comments, cleanup. Tomasz Flendrich
2593* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2594  Tomasz Flendrich
2595* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2596* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2597* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2598  Tomasz Flendrich
2599* sntp/tests/kodDatabase.c added consts, deleted empty function,
2600  fixed formatting. Tomasz Flendrich
2601* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2602* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2603  fixed formatting, deleted unused variable. Tomasz Flendrich
2604* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2605  Tomasz Flendrich
2606* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2607  fixed formatting. Tomasz Flendrich
2608* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2609  the order of includes, fixed formatting, removed unnecessary comments.
2610  Tomasz Flendrich
2611* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2612* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2613  made one function do its job, deleted unnecessary prints, fixed formatting.
2614  Tomasz Flendrich
2615* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2616* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2617* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2618* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2619* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2620* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2621* Don't build sntp/libevent/sample/.  Harlan Stenn.
2622* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2623* br-flock: --enable-local-libevent.  Harlan Stenn.
2624* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2625* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2626* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2627* Code cleanup.  Harlan Stenn.
2628* libntp/icom.c: Typo fix.  Harlan Stenn.
2629* util/ntptime.c: initialization nit.  Harlan Stenn.
2630* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2631* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2632* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2633  Tomasz Flendrich
2634* Changed progname to be const in many files - now it's consistent. Tomasz
2635  Flendrich
2636* Typo fix for GCC warning suppression.  Harlan Stenn.
2637* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2638* Added declarations to all Unity tests, and did minor fixes to them.
2639  Reduced the number of warnings by half. Damir Tomić.
2640* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2641  with the latest Unity updates from Mark. Damir Tomić.
2642* Retire google test - phase I.  Harlan Stenn.
2643* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2644* Update the NEWS file.  Harlan Stenn.
2645* Autoconf cleanup.  Harlan Stenn.
2646* Unit test dist cleanup. Harlan Stenn.
2647* Cleanup various test Makefile.am files.  Harlan Stenn.
2648* Pthread autoconf macro cleanup.  Harlan Stenn.
2649* Fix progname definition in unity runner scripts.  Harlan Stenn.
2650* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2651* Update the patch for bug 2817.  Harlan Stenn.
2652* More updates for bug 2817.  Harlan Stenn.
2653* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2654* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2655* Adding missing MCAST protection.  Harlan Stenn.
2656* Disable certain test programs on certain platforms.  Harlan Stenn.
2657* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2658* build system tweaks.  Harlan Stenn.
2659
2660---
2661NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2662
2663Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2664
2665Severity: MEDIUM
2666
2667Security Fix:
2668
2669* [Sec 2853] Crafted remote config packet can crash some versions of
2670  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2671
2672Under specific circumstances an attacker can send a crafted packet to
2673cause a vulnerable ntpd instance to crash. This requires each of the
2674following to be true:
2675
26761) ntpd set up to allow remote configuration (not allowed by default), and
26772) knowledge of the configuration password, and
26783) access to a computer entrusted to perform remote configuration.
2679
2680This vulnerability is considered low-risk.
2681
2682New features in this release:
2683
2684Optional (disabled by default) support to have ntpd provide smeared
2685leap second time.  A specially built and configured ntpd will only
2686offer smeared time in response to client packets.  These response
2687packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2688of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2689format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2690information.
2691
2692   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2693   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2694
2695We've imported the Unity test framework, and have begun converting
2696the existing google-test items to this new framework.  If you want
2697to write new tests or change old ones, you'll need to have ruby
2698installed.  You don't need ruby to run the test suite.
2699
2700Bug Fixes and Improvements:
2701
2702* CID 739725: Fix a rare resource leak in libevent/listener.c.
2703* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2704* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2705* CID 1269537: Clean up a line of dead code in getShmTime().
2706* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2707* [Bug 2590] autogen-5.18.5.
2708* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2709  of 'limited'.
2710* [Bug 2650] fix includefile processing.
2711* [Bug 2745] ntpd -x steps clock on leap second
2712   Fixed an initial-value problem that caused misbehaviour in absence of
2713   any leapsecond information.
2714   Do leap second stepping only of the step adjustment is beyond the
2715   proper jump distance limit and step correction is allowed at all.
2716* [Bug 2750] build for Win64
2717  Building for 32bit of loopback ppsapi needs def file
2718* [Bug 2776] Improve ntpq's 'help keytype'.
2719* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2720* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2721* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2722  interface is ignored as long as this flag is not set since the
2723  interface is not usable (e.g., no link).
2724* [Bug 2794] Clean up kernel clock status reports.
2725* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2726  of incompatible open/fdopen parameters.
2727* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2728* [Bug 2805] ntpd fails to join multicast group.
2729* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2730* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2731  Fix crash during cleanup if GPS device not present and char device.
2732  Increase internal token buffer to parse all JSON data, even SKY.
2733  Defer logging of errors during driver init until the first unit is
2734  started, so the syslog is not cluttered when the driver is not used.
2735  Various improvements, see http://bugs.ntp.org/2808 for details.
2736  Changed libjsmn to a more recent version.
2737* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2738* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2739* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2740* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2741* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2742* [Bug 2824] Convert update-leap to perl. (also see 2769)
2743* [Bug 2825] Quiet file installation in html/ .
2744* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2745   NTPD transfers the current TAI (instead of an announcement) now.
2746   This might still needed improvement.
2747   Update autokey data ASAP when 'sys_tai' changes.
2748   Fix unit test that was broken by changes for autokey update.
2749   Avoid potential signature length issue and use DPRINTF where possible
2750     in ntp_crypto.c.
2751* [Bug 2832] refclock_jjy.c supports the TDC-300.
2752* [Bug 2834] Correct a broken html tag in html/refclock.html
2753* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2754  robust, and require 2 consecutive timestamps to be consistent.
2755* [Bug 2837] Allow a configurable DSCP value.
2756* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2757* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2758* [Bug 2842] Bug in mdoc2man.
2759* [Bug 2843] make check fails on 4.3.36
2760   Fixed compiler warnings about numeric range overflow
2761   (The original topic was fixed in a byplay to bug#2830)
2762* [Bug 2845] Harden memory allocation in ntpd.
2763* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2764* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2765* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2766* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2767* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2768* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2769* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2770* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2771* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2772* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2773* refidsmear test cleanup.  Tomasz Flendrich.
2774* refidsmear function support and tests.  Harlan Stenn.
2775* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2776  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2777* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2778  Damir Tomić
2779* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2780  Damir Tomić
2781* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2782  Damir Tomić
2783* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2784* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2785* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2786  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2787  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2788  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2789  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2790  Damir Tomić
2791* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2792  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2793  fileHandlingTest.h. Damir Tomić
2794* Initial support for experimental leap smear code.  Harlan Stenn.
2795* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2796* Report select() debug messages at debug level 3 now.
2797* sntp/scripts/genLocInfo: treat raspbian as debian.
2798* Unity test framework fixes.
2799  ** Requires ruby for changes to tests.
2800* Initial support for PACKAGE_VERSION tests.
2801* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2802* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2803* Add an assert to the ntpq ifstats code.
2804* Clean up the RLIMIT_STACK code.
2805* Improve the ntpq documentation around the controlkey keyid.
2806* ntpq.c cleanup.
2807* Windows port build cleanup.
2808
2809---
2810NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2811
2812Focus: Security and Bug fixes, enhancements.
2813
2814Severity: MEDIUM
2815
2816In addition to bug fixes and enhancements, this release fixes the
2817following medium-severity vulnerabilities involving private key
2818authentication:
2819
2820* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2821
2822    References: Sec 2779 / CVE-2015-1798 / VU#374268
2823    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2824	including ntp-4.2.8p2 where the installation uses symmetric keys
2825	to authenticate remote associations.
2826    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2827    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2828    Summary: When ntpd is configured to use a symmetric key to authenticate
2829	a remote NTP server/peer, it checks if the NTP message
2830	authentication code (MAC) in received packets is valid, but not if
2831	there actually is any MAC included. Packets without a MAC are
2832	accepted as if they had a valid MAC. This allows a MITM attacker to
2833	send false packets that are accepted by the client/peer without
2834	having to know the symmetric key. The attacker needs to know the
2835	transmit timestamp of the client to match it in the forged reply
2836	and the false reply needs to reach the client before the genuine
2837	reply from the server. The attacker doesn't necessarily need to be
2838	relaying the packets between the client and the server.
2839
2840	Authentication using autokey doesn't have this problem as there is
2841	a check that requires the key ID to be larger than NTP_MAXKEY,
2842	which fails for packets without a MAC.
2843    Mitigation:
2844        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2845	or the NTP Public Services Project Download Page
2846        Configure ntpd with enough time sources and monitor it properly.
2847    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2848
2849* [Sec 2781] Authentication doesn't protect symmetric associations against
2850  DoS attacks.
2851
2852    References: Sec 2781 / CVE-2015-1799 / VU#374268
2853    Affects: All NTP releases starting with at least xntp3.3wy up to but
2854	not including ntp-4.2.8p2 where the installation uses symmetric
2855	key authentication.
2856    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2857    Note: the CVSS base Score for this issue could be 4.3 or lower, and
2858	it could be higher than 5.4.
2859    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2860    Summary: An attacker knowing that NTP hosts A and B are peering with
2861	each other (symmetric association) can send a packet to host A
2862	with source address of B which will set the NTP state variables
2863	on A to the values sent by the attacker. Host A will then send
2864	on its next poll to B a packet with originate timestamp that
2865	doesn't match the transmit timestamp of B and the packet will
2866	be dropped. If the attacker does this periodically for both
2867	hosts, they won't be able to synchronize to each other. This is
2868	a known denial-of-service attack, described at
2869	https://www.eecis.udel.edu/~mills/onwire.html .
2870
2871	According to the document the NTP authentication is supposed to
2872	protect symmetric associations against this attack, but that
2873	doesn't seem to be the case. The state variables are updated even
2874	when authentication fails and the peers are sending packets with
2875	originate timestamps that don't match the transmit timestamps on
2876	the receiving side.
2877
2878	This seems to be a very old problem, dating back to at least
2879	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2880	specifications, so other NTP implementations with support for
2881	symmetric associations and authentication may be vulnerable too.
2882	An update to the NTP RFC to correct this error is in-process.
2883    Mitigation:
2884        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2885	or the NTP Public Services Project Download Page
2886        Note that for users of autokey, this specific style of MITM attack
2887	is simply a long-known potential problem.
2888        Configure ntpd with appropriate time sources and monitor ntpd.
2889	Alert your staff if problems are detected.
2890    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2891
2892* New script: update-leap
2893The update-leap script will verify and if necessary, update the
2894leap-second definition file.
2895It requires the following commands in order to work:
2896
2897	wget logger tr sed shasum
2898
2899Some may choose to run this from cron.  It needs more portability testing.
2900
2901Bug Fixes and Improvements:
2902
2903* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2904* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2905* [Bug 2346] "graceful termination" signals do not do peer cleanup.
2906* [Bug 2728] See if C99-style structure initialization works.
2907* [Bug 2747] Upgrade libevent to 2.1.5-beta.
2908* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2909* [Bug 2751] jitter.h has stale copies of l_fp macros.
2910* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2911* [Bug 2757] Quiet compiler warnings.
2912* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2913* [Bug 2763] Allow different thresholds for forward and backward steps.
2914* [Bug 2766] ntp-keygen output files should not be world-readable.
2915* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2916* [Bug 2771] nonvolatile value is documented in wrong units.
2917* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2918* [Bug 2774] Unreasonably verbose printout - leap pending/warning
2919* [Bug 2775] ntp-keygen.c fails to compile under Windows.
2920* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2921  Removed non-ASCII characters from some copyright comments.
2922  Removed trailing whitespace.
2923  Updated definitions for Meinberg clocks from current Meinberg header files.
2924  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2925  Account for updated definitions pulled from Meinberg header files.
2926  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2927  Replaced some constant numbers by defines from ntp_calendar.h
2928  Modified creation of parse-specific variables for Meinberg devices
2929  in gps16x_message().
2930  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2931  Modified mbg_tm_str() which now expexts an additional parameter controlling
2932  if the time status shall be printed.
2933* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2934* [Sec 2781] Authentication doesn't protect symmetric associations against
2935  DoS attacks.
2936* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2937* [Bug 2789] Quiet compiler warnings from libevent.
2938* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2939  pause briefly before measuring system clock precision to yield
2940  correct results.
2941* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2942* Use predefined function types for parse driver functions
2943  used to set up function pointers.
2944  Account for changed prototype of parse_inp_fnc_t functions.
2945  Cast parse conversion results to appropriate types to avoid
2946  compiler warnings.
2947  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2948  when called with pointers to different types.
2949
2950---
2951NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2952
2953Focus: Security and Bug fixes, enhancements.
2954
2955Severity: HIGH
2956
2957In addition to bug fixes and enhancements, this release fixes the
2958following high-severity vulnerabilities:
2959
2960* vallen is not validated in several places in ntp_crypto.c, leading
2961  to a potential information leak or possibly a crash
2962
2963    References: Sec 2671 / CVE-2014-9297 / VU#852879
2964    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2965    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2966    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2967    Summary: The vallen packet value is not validated in several code
2968             paths in ntp_crypto.c which can lead to information leakage
2969	     or perhaps a crash of the ntpd process.
2970    Mitigation - any of:
2971	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2972		or the NTP Public Services Project Download Page.
2973	Disable Autokey Authentication by removing, or commenting out,
2974		all configuration directives beginning with the "crypto"
2975		keyword in your ntp.conf file.
2976    Credit: This vulnerability was discovered by Stephen Roettger of the
2977    	Google Security Team, with additional cases found by Sebastian
2978	Krahmer of the SUSE Security Team and Harlan Stenn of Network
2979	Time Foundation.
2980
2981* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2982  can be bypassed.
2983
2984    References: Sec 2672 / CVE-2014-9298 / VU#852879
2985    Affects: All NTP4 releases before 4.2.8p1, under at least some
2986	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2987    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2988    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
2989    Summary: While available kernels will prevent 127.0.0.1 addresses
2990	from "appearing" on non-localhost IPv4 interfaces, some kernels
2991	do not offer the same protection for ::1 source addresses on
2992	IPv6 interfaces. Since NTP's access control is based on source
2993	address and localhost addresses generally have no restrictions,
2994	an attacker can send malicious control and configuration packets
2995	by spoofing ::1 addresses from the outside. Note Well: This is
2996	not really a bug in NTP, it's a problem with some OSes. If you
2997	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2998	ACL restrictions on any application can be bypassed!
2999    Mitigation:
3000        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3001	or the NTP Public Services Project Download Page
3002        Install firewall rules to block packets claiming to come from
3003	::1 from inappropriate network interfaces.
3004    Credit: This vulnerability was discovered by Stephen Roettger of
3005	the Google Security Team.
3006
3007Additionally, over 30 bugfixes and improvements were made to the codebase.
3008See the ChangeLog for more information.
3009
3010---
3011NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
3012
3013Focus: Security and Bug fixes, enhancements.
3014
3015Severity: HIGH
3016
3017In addition to bug fixes and enhancements, this release fixes the
3018following high-severity vulnerabilities:
3019
3020************************** vv NOTE WELL vv *****************************
3021
3022The vulnerabilities listed below can be significantly mitigated by
3023following the BCP of putting
3024
3025 restrict default ... noquery
3026
3027in the ntp.conf file.  With the exception of:
3028
3029   receive(): missing return on error
3030   References: Sec 2670 / CVE-2014-9296 / VU#852879
3031
3032below (which is a limited-risk vulnerability), none of the recent
3033vulnerabilities listed below can be exploited if the source IP is
3034restricted from sending a 'query'-class packet by your ntp.conf file.
3035
3036************************** ^^ NOTE WELL ^^ *****************************
3037
3038* Weak default key in config_auth().
3039
3040  References: [Sec 2665] / CVE-2014-9293 / VU#852879
3041  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3042  Vulnerable Versions: all releases prior to 4.2.7p11
3043  Date Resolved: 28 Jan 2010
3044
3045  Summary: If no 'auth' key is set in the configuration file, ntpd
3046	would generate a random key on the fly.  There were two
3047	problems with this: 1) the generated key was 31 bits in size,
3048	and 2) it used the (now weak) ntp_random() function, which was
3049	seeded with a 32-bit value and could only provide 32 bits of
3050	entropy.  This was sufficient back in the late 1990s when the
3051	code was written.  Not today.
3052
3053  Mitigation - any of:
3054	- Upgrade to 4.2.7p11 or later.
3055	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3056
3057  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
3058  	of the Google Security Team.
3059
3060* Non-cryptographic random number generator with weak seed used by
3061  ntp-keygen to generate symmetric keys.
3062
3063  References: [Sec 2666] / CVE-2014-9294 / VU#852879
3064  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3065  Vulnerable Versions: All NTP4 releases before 4.2.7p230
3066  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
3067
3068  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
3069  	prepare a random number generator that was of good quality back
3070	in the late 1990s. The random numbers produced was then used to
3071	generate symmetric keys. In ntp-4.2.8 we use a current-technology
3072	cryptographic random number generator, either RAND_bytes from
3073	OpenSSL, or arc4random().
3074
3075  Mitigation - any of:
3076  	- Upgrade to 4.2.7p230 or later.
3077	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3078
3079  Credit:  This vulnerability was discovered in ntp-4.2.6 by
3080  	Stephen Roettger of the Google Security Team.
3081
3082* Buffer overflow in crypto_recv()
3083
3084  References: Sec 2667 / CVE-2014-9295 / VU#852879
3085  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3086  Versions: All releases before 4.2.8
3087  Date Resolved: Stable (4.2.8) 18 Dec 2014
3088
3089  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
3090  	file contains a 'crypto pw ...' directive) a remote attacker
3091	can send a carefully crafted packet that can overflow a stack
3092	buffer and potentially allow malicious code to be executed
3093	with the privilege level of the ntpd process.
3094
3095  Mitigation - any of:
3096  	- Upgrade to 4.2.8, or later, or
3097	- Disable Autokey Authentication by removing, or commenting out,
3098	  all configuration directives beginning with the crypto keyword
3099	  in your ntp.conf file.
3100
3101  Credit: This vulnerability was discovered by Stephen Roettger of the
3102  	Google Security Team.
3103
3104* Buffer overflow in ctl_putdata()
3105
3106  References: Sec 2668 / CVE-2014-9295 / VU#852879
3107  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3108  Versions: All NTP4 releases before 4.2.8
3109  Date Resolved: Stable (4.2.8) 18 Dec 2014
3110
3111  Summary: A remote attacker can send a carefully crafted packet that
3112  	can overflow a stack buffer and potentially allow malicious
3113	code to be executed with the privilege level of the ntpd process.
3114
3115  Mitigation - any of:
3116  	- Upgrade to 4.2.8, or later.
3117	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3118
3119  Credit: This vulnerability was discovered by Stephen Roettger of the
3120  	Google Security Team.
3121
3122* Buffer overflow in configure()
3123
3124  References: Sec 2669 / CVE-2014-9295 / VU#852879
3125  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3126  Versions: All NTP4 releases before 4.2.8
3127  Date Resolved: Stable (4.2.8) 18 Dec 2014
3128
3129  Summary: A remote attacker can send a carefully crafted packet that
3130	can overflow a stack buffer and potentially allow malicious
3131	code to be executed with the privilege level of the ntpd process.
3132
3133  Mitigation - any of:
3134  	- Upgrade to 4.2.8, or later.
3135	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3136
3137  Credit: This vulnerability was discovered by Stephen Roettger of the
3138	Google Security Team.
3139
3140* receive(): missing return on error
3141
3142  References: Sec 2670 / CVE-2014-9296 / VU#852879
3143  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
3144  Versions: All NTP4 releases before 4.2.8
3145  Date Resolved: Stable (4.2.8) 18 Dec 2014
3146
3147  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
3148  	the code path where an error was detected, which meant
3149	processing did not stop when a specific rare error occurred.
3150	We haven't found a way for this bug to affect system integrity.
3151	If there is no way to affect system integrity the base CVSS
3152	score for this bug is 0. If there is one avenue through which
3153	system integrity can be partially affected, the base score
3154	becomes a 5. If system integrity can be partially affected
3155	via all three integrity metrics, the CVSS base score become 7.5.
3156
3157  Mitigation - any of:
3158        - Upgrade to 4.2.8, or later,
3159        - Remove or comment out all configuration directives
3160	  beginning with the crypto keyword in your ntp.conf file.
3161
3162  Credit: This vulnerability was discovered by Stephen Roettger of the
3163  	Google Security Team.
3164
3165See http://support.ntp.org/security for more information.
3166
3167New features / changes in this release:
3168
3169Important Changes
3170
3171* Internal NTP Era counters
3172
3173The internal counters that track the "era" (range of years) we are in
3174rolls over every 136 years'.  The current "era" started at the stroke of
3175midnight on 1 Jan 1900, and ends just before the stroke of midnight on
31761 Jan 2036.
3177In the past, we have used the "midpoint" of the  range to decide which
3178era we were in.  Given the longevity of some products, it became clear
3179that it would be more functional to "look back" less, and "look forward"
3180more.  We now compile a timestamp into the ntpd executable and when we
3181get a timestamp we us the "built-on" to tell us what era we are in.
3182This check "looks back" 10 years, and "looks forward" 126 years.
3183
3184* ntpdc responses disabled by default
3185
3186Dave Hart writes:
3187
3188For a long time, ntpq and its mostly text-based mode 6 (control)
3189protocol have been preferred over ntpdc and its mode 7 (private
3190request) protocol for runtime queries and configuration.  There has
3191been a goal of deprecating ntpdc, previously held back by numerous
3192capabilities exposed by ntpdc with no ntpq equivalent.  I have been
3193adding commands to ntpq to cover these cases, and I believe I've
3194covered them all, though I've not compared command-by-command
3195recently.
3196
3197As I've said previously, the binary mode 7 protocol involves a lot of
3198hand-rolled structure layout and byte-swapping code in both ntpd and
3199ntpdc which is hard to get right.  As ntpd grows and changes, the
3200changes are difficult to expose via ntpdc while maintaining forward
3201and backward compatibility between ntpdc and ntpd.  In contrast,
3202ntpq's text-based, label=value approach involves more code reuse and
3203allows compatible changes without extra work in most cases.
3204
3205Mode 7 has always been defined as vendor/implementation-specific while
3206mode 6 is described in RFC 1305 and intended to be open to interoperate
3207with other implementations.  There is an early draft of an updated
3208mode 6 description that likely will join the other NTPv4 RFCs
3209eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3210
3211For these reasons, ntpd 4.2.7p230 by default disables processing of
3212ntpdc queries, reducing ntpd's attack surface and functionally
3213deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3214operations, please try the ntpq equivalent.  If there's no equivalent,
3215please open a bug report at http://bugs.ntp.org./
3216
3217In addition to the above, over 1100 issues have been resolved between
3218the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3219lists these.
3220
3221---
3222NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3223
3224Focus: Bug fixes
3225
3226Severity: Medium
3227
3228This is a recommended upgrade.
3229
3230This release updates sys_rootdisp and sys_jitter calculations to match the
3231RFC specification, fixes a potential IPv6 address matching error for the
3232"nic" and "interface" configuration directives, suppresses the creation of
3233extraneous ephemeral associations for certain broadcastclient and
3234multicastclient configurations, cleans up some ntpq display issues, and
3235includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3236
3237New features / changes in this release:
3238
3239ntpd
3240
3241 * Updated "nic" and "interface" IPv6 address handling to prevent
3242   mismatches with localhost [::1] and wildcard [::] which resulted from
3243   using the address/prefix format (e.g. fe80::/64)
3244 * Fix orphan mode stratum incorrectly counting to infinity
3245 * Orphan parent selection metric updated to includes missing ntohl()
3246 * Non-printable stratum 16 refid no longer sent to ntp
3247 * Duplicate ephemeral associations suppressed for broadcastclient and
3248   multicastclient without broadcastdelay
3249 * Exclude undetermined sys_refid from use in loopback TEST12
3250 * Exclude MODE_SERVER responses from KoD rate limiting
3251 * Include root delay in clock_update() sys_rootdisp calculations
3252 * get_systime() updated to exclude sys_residual offset (which only
3253   affected bits "below" sys_tick, the precision threshold)
3254 * sys.peer jitter weighting corrected in sys_jitter calculation
3255
3256ntpq
3257
3258 * -n option extended to include the billboard "server" column
3259 * IPv6 addresses in the local column truncated to prevent overruns
3260
3261---
3262NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3263
3264Focus: Bug fixes and portability improvements
3265
3266Severity: Medium
3267
3268This is a recommended upgrade.
3269
3270This release includes build infrastructure updates, code
3271clean-ups, minor bug fixes, fixes for a number of minor
3272ref-clock issues, and documentation revisions.
3273
3274Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3275
3276New features / changes in this release:
3277
3278Build system
3279
3280* Fix checking for struct rtattr
3281* Update config.guess and config.sub for AIX
3282* Upgrade required version of autogen and libopts for building
3283  from our source code repository
3284
3285ntpd
3286
3287* Back-ported several fixes for Coverity warnings from ntp-dev
3288* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3289* Allow "logconfig =allall" configuration directive
3290* Bind tentative IPv6 addresses on Linux
3291* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3292* Improved tally bit handling to prevent incorrect ntpq peer status reports
3293* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3294  candidate list unless they are designated a "prefer peer"
3295* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3296  selection during the 'tos orphanwait' period
3297* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3298  drivers
3299* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3300* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3301* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3302  clock slew on Microsoft Windows
3303* Code cleanup in libntpq
3304
3305ntpdc
3306
3307* Fix timerstats reporting
3308
3309ntpdate
3310
3311* Reduce time required to set clock
3312* Allow a timeout greater than 2 seconds
3313
3314sntp
3315
3316* Backward incompatible command-line option change:
3317  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3318
3319Documentation
3320
3321* Update html2man. Fix some tags in the .html files
3322* Distribute ntp-wait.html
3323
3324---
3325NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3326
3327Focus: Bug fixes and portability improvements
3328
3329Severity: Medium
3330
3331This is a recommended upgrade.
3332
3333This release includes build infrastructure updates, code
3334clean-ups, minor bug fixes, fixes for a number of minor
3335ref-clock issues, and documentation revisions.
3336
3337Portability improvements in this release affect AIX, Atari FreeMiNT,
3338FreeBSD4, Linux and Microsoft Windows.
3339
3340New features / changes in this release:
3341
3342Build system
3343* Use lsb_release to get information about Linux distributions.
3344* 'test' is in /usr/bin (instead of /bin) on some systems.
3345* Basic sanity checks for the ChangeLog file.
3346* Source certain build files with ./filename for systems without . in PATH.
3347* IRIX portability fix.
3348* Use a single copy of the "libopts" code.
3349* autogen/libopts upgrade.
3350* configure.ac m4 quoting cleanup.
3351
3352ntpd
3353* Do not bind to IN6_IFF_ANYCAST addresses.
3354* Log the reason for exiting under Windows.
3355* Multicast fixes for Windows.
3356* Interpolation fixes for Windows.
3357* IPv4 and IPv6 Multicast fixes.
3358* Manycast solicitation fixes and general repairs.
3359* JJY refclock cleanup.
3360* NMEA refclock improvements.
3361* Oncore debug message cleanup.
3362* Palisade refclock now builds under Linux.
3363* Give RAWDCF more baud rates.
3364* Support Truetime Satellite clocks under Windows.
3365* Support Arbiter 1093C Satellite clocks under Windows.
3366* Make sure that the "filegen" configuration command defaults to "enable".
3367* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3368* Prohibit 'includefile' directive in remote configuration command.
3369* Fix 'nic' interface bindings.
3370* Fix the way we link with openssl if openssl is installed in the base
3371  system.
3372
3373ntp-keygen
3374* Fix -V coredump.
3375* OpenSSL version display cleanup.
3376
3377ntpdc
3378* Many counters should be treated as unsigned.
3379
3380ntpdate
3381* Do not ignore replies with equal receive and transmit timestamps.
3382
3383ntpq
3384* libntpq warning cleanup.
3385
3386ntpsnmpd
3387* Correct SNMP type for "precision" and "resolution".
3388* Update the MIB from the draft version to RFC-5907.
3389
3390sntp
3391* Display timezone offset when showing time for sntp in the local
3392  timezone.
3393* Pay proper attention to RATE KoD packets.
3394* Fix a miscalculation of the offset.
3395* Properly parse empty lines in the key file.
3396* Logging cleanup.
3397* Use tv_usec correctly in set_time().
3398* Documentation cleanup.
3399
3400---
3401NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3402
3403Focus: Bug fixes and portability improvements
3404
3405Severity: Medium
3406
3407This is a recommended upgrade.
3408
3409This release includes build infrastructure updates, code
3410clean-ups, minor bug fixes, fixes for a number of minor
3411ref-clock issues, improved KOD handling, OpenSSL related
3412updates and documentation revisions.
3413
3414Portability improvements in this release affect Irix, Linux,
3415Mac OS, Microsoft Windows, OpenBSD and QNX6
3416
3417New features / changes in this release:
3418
3419ntpd
3420* Range syntax for the trustedkey configuration directive
3421* Unified IPv4 and IPv6 restrict lists
3422
3423ntpdate
3424* Rate limiting and KOD handling
3425
3426ntpsnmpd
3427* default connection to net-snmpd via a unix-domain socket
3428* command-line 'socket name' option
3429
3430ntpq / ntpdc
3431* support for the "passwd ..." syntax
3432* key-type specific password prompts
3433
3434sntp
3435* MD5 authentication of an ntpd
3436* Broadcast and crypto
3437* OpenSSL support
3438
3439---
3440NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3441
3442Focus: Bug fixes, portability fixes, and documentation improvements
3443
3444Severity: Medium
3445
3446This is a recommended upgrade.
3447
3448---
3449NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3450
3451Focus: enhancements and bug fixes.
3452
3453---
3454NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3455
3456Focus: Security Fixes
3457
3458Severity: HIGH
3459
3460This release fixes the following high-severity vulnerability:
3461
3462* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3463
3464  See http://support.ntp.org/security for more information.
3465
3466  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3467  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3468  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3469  request or a mode 7 error response from an address which is not listed
3470  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3471  reply with a mode 7 error response (and log a message).  In this case:
3472
3473	* If an attacker spoofs the source address of ntpd host A in a
3474	  mode 7 response packet sent to ntpd host B, both A and B will
3475	  continuously send each other error responses, for as long as
3476	  those packets get through.
3477
3478	* If an attacker spoofs an address of ntpd host A in a mode 7
3479	  response packet sent to ntpd host A, A will respond to itself
3480	  endlessly, consuming CPU and logging excessively.
3481
3482  Credit for finding this vulnerability goes to Robin Park and Dmitri
3483  Vinokurov of Alcatel-Lucent.
3484
3485THIS IS A STRONGLY RECOMMENDED UPGRADE.
3486
3487---
3488ntpd now syncs to refclocks right away.
3489
3490Backward-Incompatible changes:
3491
3492ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3493Use '--var name' or '--dvar name' instead. (Bug 817)
3494
3495---
3496NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3497
3498Focus: Security and Bug Fixes
3499
3500Severity: HIGH
3501
3502This release fixes the following high-severity vulnerability:
3503
3504* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3505
3506  See http://support.ntp.org/security for more information.
3507
3508  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3509  line) then a carefully crafted packet sent to the machine will cause
3510  a buffer overflow and possible execution of injected code, running
3511  with the privileges of the ntpd process (often root).
3512
3513  Credit for finding this vulnerability goes to Chris Ries of CMU.
3514
3515This release fixes the following low-severity vulnerabilities:
3516
3517* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3518  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3519
3520* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3521  Credit for finding this issue goes to Dave Hart.
3522
3523This release fixes a number of bugs and adds some improvements:
3524
3525* Improved logging
3526* Fix many compiler warnings
3527* Many fixes and improvements for Windows
3528* Adds support for AIX 6.1
3529* Resolves some issues under MacOS X and Solaris
3530
3531THIS IS A STRONGLY RECOMMENDED UPGRADE.
3532
3533---
3534NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3535
3536Focus: Security Fix
3537
3538Severity: Low
3539
3540This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3541the OpenSSL library relating to the incorrect checking of the return
3542value of EVP_VerifyFinal function.
3543
3544Credit for finding this issue goes to the Google Security Team for
3545finding the original issue with OpenSSL, and to ocert.org for finding
3546the problem in NTP and telling us about it.
3547
3548This is a recommended upgrade.
3549---
3550NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3551
3552Focus: Minor Bugfixes
3553
3554This release fixes a number of Windows-specific ntpd bugs and
3555platform-independent ntpdate bugs. A logging bugfix has been applied
3556to the ONCORE driver.
3557
3558The "dynamic" keyword and is now obsolete and deferred binding to local
3559interfaces is the new default. The minimum time restriction for the
3560interface update interval has been dropped.
3561
3562A number of minor build system and documentation fixes are included.
3563
3564This is a recommended upgrade for Windows.
3565
3566---
3567NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3568
3569Focus: Minor Bugfixes
3570
3571This release updates certain copyright information, fixes several display
3572bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3573shutdown in the parse refclock driver, removes some lint from the code,
3574stops accessing certain buffers immediately after they were freed, fixes
3575a problem with non-command-line specification of -6, and allows the loopback
3576interface to share addresses with other interfaces.
3577
3578---
3579NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3580
3581Focus: Minor Bugfixes
3582
3583This release fixes a bug in Windows that made it difficult to
3584terminate ntpd under windows.
3585This is a recommended upgrade for Windows.
3586
3587---
3588NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3589
3590Focus: Minor Bugfixes
3591
3592This release fixes a multicast mode authentication problem,
3593an error in NTP packet handling on Windows that could lead to
3594ntpd crashing, and several other minor bugs. Handling of
3595multicast interfaces and logging configuration were improved.
3596The required versions of autogen and libopts were incremented.
3597This is a recommended upgrade for Windows and multicast users.
3598
3599---
3600NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3601
3602Focus: enhancements and bug fixes.
3603
3604Dynamic interface rescanning was added to simplify the use of ntpd in
3605conjunction with DHCP. GNU AutoGen is used for its command-line options
3606processing. Separate PPS devices are supported for PARSE refclocks, MD5
3607signatures are now provided for the release files. Drivers have been
3608added for some new ref-clocks and have been removed for some older
3609ref-clocks. This release also includes other improvements, documentation
3610and bug fixes.
3611
3612K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3613C support.
3614
3615---
3616NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3617
3618Focus: enhancements and bug fixes.
3619