xref: /freebsd/contrib/ntp/NEWS (revision a4dc509f723944821bcfcc52005ff87c9a5dee5b)
1---
2NTP 4.2.8p4
3
4Focus: Security, Bug fies, enhancements.
5
6Severity: MEDIUM
7
8In addition to bug fixes and enhancements, this release fixes the
9following 13 low- and medium-severity vulnerabilities:
10
11* Incomplete vallen (value length) checks in ntp_crypto.c, leading
12  to potential crashes or potential code injection/information leakage.
13
14    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
15    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
16    	and 4.3.0 up to, but not including 4.3.77
17    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
18    Summary: The fix for CVE-2014-9750 was incomplete in that there were
19    	certain code paths where a packet with particular autokey operations
20	that contained malicious data was not always being completely
21	validated. Receipt of these packets can cause ntpd to crash.
22    Mitigation:
23        Don't use autokey.
24	Upgrade to 4.2.8p4, or later, from the NTP Project Download
25	    Page or the NTP Public Services Project Download Page
26	Monitor your ntpd instances.
27	Credit: This weakness was discovered by Tenable Network Security.
28
29* Clients that receive a KoD should validate the origin timestamp field.
30
31    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
32    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
33	and 4.3.0 up to, but not including 4.3.77
34    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
35    Summary: An ntpd client that honors Kiss-of-Death responses will honor
36    	KoD messages that have been forged by an attacker, causing it to
37	delay or stop querying its servers for time updates. Also, an
38	attacker can forge packets that claim to be from the target and
39	send them to servers often enough that a server that implements
40	KoD rate limiting will send the target machine a KoD response to
41	attempt to reduce the rate of incoming packets, or it may also
42	trigger a firewall block at the server for packets from the target
43	machine. For either of these attacks to succeed, the attacker must
44	know what servers the target is communicating with. An attacker
45	can be anywhere on the Internet and can frequently learn the
46	identity of the target's time source by sending the target a
47	time query.
48    Mitigation:
49        Implement BCP-38.
50	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
51	    or the NTP Public Services Project Download Page
52	If you can't upgrade, restrict who can query ntpd to learn who
53	    its servers are, and what IPs are allowed to ask your system
54	    for the time. This mitigation is heavy-handed.
55	Monitor your ntpd instances.
56    Note:
57    	4.2.8p4 protects against the first attack. For the second attack,
58    	all we can do is warn when it is happening, which we do in 4.2.8p4.
59    Credit: This weakness was discovered by Aanchal Malhotra,
60    	Issac E. Cohen, and Sharon Goldberg of Boston University.
61
62* configuration directives to change "pidfile" and "driftfile" should
63  only be allowed locally.
64
65  References: Sec 2902 / CVE-2015-5196
66  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
67	and 4.3.0 up to, but not including 4.3.77
68   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
69   Summary: If ntpd is configured to allow for remote configuration,
70	and if the (possibly spoofed) source IP address is allowed to
71	send remote configuration requests, and if the attacker knows
72	the remote configuration password, it's possible for an attacker
73	to use the "pidfile" or "driftfile" directives to potentially
74	overwrite other files.
75   Mitigation:
76	Implement BCP-38.
77	Upgrade to 4.2.8p4, or later, from the NTP Project Download
78	    Page or the NTP Public Services Project Download Page
79	If you cannot upgrade, don't enable remote configuration.
80	If you must enable remote configuration and cannot upgrade,
81	    remote configuration of NTF's ntpd requires:
82	    - an explicitly configured trustedkey, and you should also
83	    	configure a controlkey.
84	    - access from a permitted IP. You choose the IPs.
85	    - authentication. Don't disable it. Practice secure key safety.
86	Monitor your ntpd instances.
87   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
88
89* Slow memory leak in CRYPTO_ASSOC
90
91  References: Sec 2909 / CVE-2015-7701
92  Affects: All ntp-4 releases that use autokey up to, but not
93    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
94  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
95  	4.6 otherwise
96  Summary: If ntpd is configured to use autokey, then an attacker can
97	send packets to ntpd that will, after several days of ongoing
98	attack, cause it to run out of memory.
99  Mitigation:
100	Don't use autokey.
101	Upgrade to 4.2.8p4, or later, from the NTP Project Download
102	    Page or the NTP Public Services Project Download Page
103	Monitor your ntpd instances.
104  Credit: This weakness was discovered by Tenable Network Security.
105
106* mode 7 loop counter underrun
107
108  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
109  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
110  	and 4.3.0 up to, but not including 4.3.77
111  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
112  Summary: If ntpd is configured to enable mode 7 packets, and if the
113	use of mode 7 packets is not properly protected thru the use of
114	the available mode 7 authentication and restriction mechanisms,
115	and if the (possibly spoofed) source IP address is allowed to
116	send mode 7 queries, then an attacker can send a crafted packet
117	to ntpd that will cause it to crash.
118  Mitigation:
119	Implement BCP-38.
120	Upgrade to 4.2.8p4, or later, from the NTP Project Download
121	    Page or the NTP Public Services Project Download Page.
122	      If you are unable to upgrade:
123	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
124	If you must enable mode 7:
125	    configure the use of a requestkey to control who can issue
126		mode 7 requests.
127	    configure restrict noquery to further limit mode 7 requests
128		to trusted sources.
129	Monitor your ntpd instances.
130Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
131
132* memory corruption in password store
133
134  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
135  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
136  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
137  Summary: If ntpd is configured to allow remote configuration, and if
138	the (possibly spoofed) source IP address is allowed to send
139	remote configuration requests, and if the attacker knows the
140	remote configuration password or if ntpd was configured to
141	disable authentication, then an attacker can send a set of
142	packets to ntpd that may cause a crash or theoretically
143	perform a code injection attack.
144  Mitigation:
145	Implement BCP-38.
146	Upgrade to 4.2.8p4, or later, from the NTP Project Download
147	    Page or the NTP Public Services Project Download Page.
148	If you are unable to upgrade, remote configuration of NTF's
149	    ntpd requires:
150		an explicitly configured "trusted" key. Only configure
151			this if you need it.
152		access from a permitted IP address. You choose the IPs.
153		authentication. Don't disable it. Practice secure key safety.
154	Monitor your ntpd instances.
155  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
156
157* Infinite loop if extended logging enabled and the logfile and
158  keyfile are the same.
159
160    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
161    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
162	and 4.3.0 up to, but not including 4.3.77
163    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
164    Summary: If ntpd is configured to allow remote configuration, and if
165	the (possibly spoofed) source IP address is allowed to send
166	remote configuration requests, and if the attacker knows the
167	remote configuration password or if ntpd was configured to
168	disable authentication, then an attacker can send a set of
169	packets to ntpd that will cause it to crash and/or create a
170	potentially huge log file. Specifically, the attacker could
171	enable extended logging, point the key file at the log file,
172	and cause what amounts to an infinite loop.
173    Mitigation:
174	Implement BCP-38.
175	Upgrade to 4.2.8p4, or later, from the NTP Project Download
176	    Page or the NTP Public Services Project Download Page.
177	If you are unable to upgrade, remote configuration of NTF's ntpd
178	  requires:
179            an explicitly configured "trusted" key. Only configure this
180	    	if you need it.
181            access from a permitted IP address. You choose the IPs.
182            authentication. Don't disable it. Practice secure key safety.
183        Monitor your ntpd instances.
184    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
185
186* Potential path traversal vulnerability in the config file saving of
187  ntpd on VMS.
188
189  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
190  Affects: All ntp-4 releases running under VMS up to, but not
191	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
192  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
193  Summary: If ntpd is configured to allow remote configuration, and if
194	the (possibly spoofed) IP address is allowed to send remote
195	configuration requests, and if the attacker knows the remote
196	configuration password or if ntpd was configured to disable
197	authentication, then an attacker can send a set of packets to
198	ntpd that may cause ntpd to overwrite files.
199  Mitigation:
200	Implement BCP-38.
201	Upgrade to 4.2.8p4, or later, from the NTP Project Download
202	    Page or the NTP Public Services Project Download Page.
203	If you are unable to upgrade, remote configuration of NTF's ntpd
204	    requires:
205		an explicitly configured "trusted" key. Only configure
206			this if you need it.
207		access from permitted IP addresses. You choose the IPs.
208		authentication. Don't disable it. Practice key security safety.
209        Monitor your ntpd instances.
210    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
211
212* ntpq atoascii() potential memory corruption
213
214  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
215  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
216	and 4.3.0 up to, but not including 4.3.77
217  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
218  Summary: If an attacker can figure out the precise moment that ntpq
219	is listening for data and the port number it is listening on or
220	if the attacker can provide a malicious instance ntpd that
221	victims will connect to then an attacker can send a set of
222	crafted mode 6 response packets that, if received by ntpq,
223	can cause ntpq to crash.
224  Mitigation:
225	Implement BCP-38.
226	Upgrade to 4.2.8p4, or later, from the NTP Project Download
227	    Page or the NTP Public Services Project Download Page.
228	If you are unable to upgrade and you run ntpq against a server
229	    and ntpq crashes, try again using raw mode. Build or get a
230	    patched ntpq and see if that fixes the problem. Report new
231	    bugs in ntpq or abusive servers appropriately.
232	If you use ntpq in scripts, make sure ntpq does what you expect
233	    in your scripts.
234  Credit: This weakness was discovered by Yves Younan and
235  	Aleksander Nikolich of Cisco Talos.
236
237* Invalid length data provided by a custom refclock driver could cause
238  a buffer overflow.
239
240  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
241  Affects: Potentially all ntp-4 releases running up to, but not
242	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
243	that have custom refclocks
244  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
245	5.9 unusual worst case
246  Summary: A negative value for the datalen parameter will overflow a
247	data buffer. NTF's ntpd driver implementations always set this
248	value to 0 and are therefore not vulnerable to this weakness.
249	If you are running a custom refclock driver in ntpd and that
250	driver supplies a negative value for datalen (no custom driver
251	of even minimal competence would do this) then ntpd would
252	overflow a data buffer. It is even hypothetically possible
253	in this case that instead of simply crashing ntpd the attacker
254	could effect a code injection attack.
255  Mitigation:
256	Upgrade to 4.2.8p4, or later, from the NTP Project Download
257	    Page or the NTP Public Services Project Download Page.
258	If you are unable to upgrade:
259		If you are running custom refclock drivers, make sure
260			the signed datalen value is either zero or positive.
261	Monitor your ntpd instances.
262  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
263
264* Password Length Memory Corruption Vulnerability
265
266  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
267  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
268  	4.3.0 up to, but not including 4.3.77
269  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
270  	1.7 usual case, 6.8, worst case
271  Summary: If ntpd is configured to allow remote configuration, and if
272	the (possibly spoofed) source IP address is allowed to send
273	remote configuration requests, and if the attacker knows the
274	remote configuration password or if ntpd was (foolishly)
275	configured to disable authentication, then an attacker can
276	send a set of packets to ntpd that may cause it to crash,
277	with the hypothetical possibility of a small code injection.
278  Mitigation:
279	Implement BCP-38.
280	Upgrade to 4.2.8p4, or later, from the NTP Project Download
281	    Page or the NTP Public Services Project Download Page.
282	If you are unable to upgrade, remote configuration of NTF's
283	    ntpd requires:
284		an explicitly configured "trusted" key. Only configure
285			this if you need it.
286		access from a permitted IP address. You choose the IPs.
287		authentication. Don't disable it. Practice secure key safety.
288	Monitor your ntpd instances.
289  Credit: This weakness was discovered by Yves Younan and
290  	Aleksander Nikolich of Cisco Talos.
291
292* decodenetnum() will ASSERT botch instead of returning FAIL on some
293  bogus values.
294
295  References: Sec 2922 / CVE-2015-7855
296  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
297	4.3.0 up to, but not including 4.3.77
298  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
299  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
300	an unusually long data value where a network address is expected,
301	the decodenetnum() function will abort with an assertion failure
302	instead of simply returning a failure condition.
303  Mitigation:
304	Implement BCP-38.
305	Upgrade to 4.2.8p4, or later, from the NTP Project Download
306	    Page or the NTP Public Services Project Download Page.
307	If you are unable to upgrade:
308		mode 7 is disabled by default. Don't enable it.
309		Use restrict noquery to limit who can send mode 6
310			and mode 7 requests.
311		Configure and use the controlkey and requestkey
312			authentication directives to limit who can
313			send mode 6 and mode 7 requests.
314	Monitor your ntpd instances.
315  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
316
317* NAK to the Future: Symmetric association authentication bypass via
318  crypto-NAK.
319
320  References: Sec 2941 / CVE-2015-7871
321  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
322  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
323  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
324  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
325	from unauthenticated ephemeral symmetric peers by bypassing the
326	authentication required to mobilize peer associations. This
327	vulnerability appears to have been introduced in ntp-4.2.5p186
328	when the code handling mobilization of new passive symmetric
329	associations (lines 1103-1165) was refactored.
330  Mitigation:
331	Implement BCP-38.
332	Upgrade to 4.2.8p4, or later, from the NTP Project Download
333	    Page or the NTP Public Services Project Download Page.
334	If you are unable to upgrade:
335		Apply the patch to the bottom of the "authentic" check
336			block around line 1136 of ntp_proto.c.
337	Monitor your ntpd instances.
338  Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>.
339
340Backward-Incompatible changes:
341* [Bug 2817] Default on Linux is now "rlimit memlock -1".
342While the general default of 32M is still the case, under Linux
343the default value has been changed to -1 (do not lock ntpd into
344  memory).  A value of 0 means "lock ntpd into memory with whatever
345  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
346  value in it, that value will continue to be used.
347
348* [Bug 2886] Misspelling: "outlyer" should be "outlier".
349  If you've written a script that looks for this case in, say, the
350  output of ntpq, you probably want to change your regex matches
351  from 'outlyer' to 'outl[iy]er'.
352
353New features in this release:
354* 'rlimit memlock' now has finer-grained control.  A value of -1 means
355  "don't lock ntpd into memore".  This is the default for Linux boxes.
356  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
357  the value is the number of megabytes of memory to lock.  The default
358  is 32 megabytes.
359
360* The old Google Test framework has been replaced with a new framework,
361  based on http://www.throwtheswitch.org/unity/ .
362
363Bug Fixes and Improvements:
364* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
365  privileges and limiting resources in NTPD removes the need to link
366  forcefully against 'libgcc_s' which does not always work. J.Perlinger
367* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
368* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
369* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
370* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
371* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
372* [Bug 2849] Systems with more than one default route may never
373  synchronize.  Brian Utterback.  Note that this patch might need to
374  be reverted once Bug 2043 has been fixed.
375* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
376* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
377* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
378* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
379* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
380* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
381  be configured for the distribution targets.  Harlan Stenn.
382* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
383* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
384* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
385* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
386* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
387* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
388* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
389* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
390* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
391* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
392* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
393* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
394* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
395* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
396* sntp/tests/ function parameter list cleanup.  Damir Tomić.
397* tests/libntp/ function parameter list cleanup.  Damir Tomić.
398* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
399* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
400* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
401* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
402* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
403* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
404  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
405  formatting; first declaration, then code (C90); deleted unnecessary comments;
406  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
407* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
408  fix formatting, cleanup. Tomasz Flendrich
409* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
410  Tomasz Flendrich
411* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
412  fix formatting. Tomasz Flendrich
413* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
414* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
415* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
416  Tomasz Flendrich
417* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
418* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
419* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
420* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
421* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
422* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
423* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
424fixed formatting. Tomasz Flendrich
425* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
426  removed unnecessary comments, cleanup. Tomasz Flendrich
427* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
428  comments, cleanup. Tomasz Flendrich
429* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
430  Tomasz Flendrich
431* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
432* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
433* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
434  Tomasz Flendrich
435* sntp/tests/kodDatabase.c added consts, deleted empty function,
436  fixed formatting. Tomasz Flendrich
437* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
438* sntp/tests/packetHandling.c is now using proper Unity's assertions,
439  fixed formatting, deleted unused variable. Tomasz Flendrich
440* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
441  Tomasz Flendrich
442* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
443  fixed formatting. Tomasz Flendrich
444* sntp/tests/utilities.c is now using proper Unity's assertions, changed
445  the order of includes, fixed formatting, removed unnecessary comments.
446  Tomasz Flendrich
447* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
448* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
449  made one function do its job, deleted unnecessary prints, fixed formatting.
450  Tomasz Flendrich
451* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
452* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
453* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
454* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
455* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
456* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
457* Don't build sntp/libevent/sample/.  Harlan Stenn.
458* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
459* br-flock: --enable-local-libevent.  Harlan Stenn.
460* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
461* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
462* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
463* Code cleanup.  Harlan Stenn.
464* libntp/icom.c: Typo fix.  Harlan Stenn.
465* util/ntptime.c: initialization nit.  Harlan Stenn.
466* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
467* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
468* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
469  Tomasz Flendrich
470* Changed progname to be const in many files - now it's consistent. Tomasz
471  Flendrich
472* Typo fix for GCC warning suppression.  Harlan Stenn.
473* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
474* Added declarations to all Unity tests, and did minor fixes to them.
475  Reduced the number of warnings by half. Damir Tomić.
476* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
477  with the latest Unity updates from Mark. Damir Tomić.
478* Retire google test - phase I.  Harlan Stenn.
479* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
480* Update the NEWS file.  Harlan Stenn.
481* Autoconf cleanup.  Harlan Stenn.
482* Unit test dist cleanup. Harlan Stenn.
483* Cleanup various test Makefile.am files.  Harlan Stenn.
484* Pthread autoconf macro cleanup.  Harlan Stenn.
485* Fix progname definition in unity runner scripts.  Harlan Stenn.
486* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
487* Update the patch for bug 2817.  Harlan Stenn.
488* More updates for bug 2817.  Harlan Stenn.
489* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
490* gcc on older HPUX may need +allowdups.  Harlan Stenn.
491* Adding missing MCAST protection.  Harlan Stenn.
492* Disable certain test programs on certain platforms.  Harlan Stenn.
493* Implement --enable-problem-tests (on by default).  Harlan Stenn.
494* build system tweaks.  Harlan Stenn.
495
496---
497NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
498
499Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
500
501Severity: MEDIUM
502
503Security Fix:
504
505* [Sec 2853] Crafted remote config packet can crash some versions of
506  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
507
508Under specific circumstances an attacker can send a crafted packet to
509cause a vulnerable ntpd instance to crash. This requires each of the
510following to be true:
511
5121) ntpd set up to allow remote configuration (not allowed by default), and
5132) knowledge of the configuration password, and
5143) access to a computer entrusted to perform remote configuration.
515
516This vulnerability is considered low-risk.
517
518New features in this release:
519
520Optional (disabled by default) support to have ntpd provide smeared
521leap second time.  A specially built and configured ntpd will only
522offer smeared time in response to client packets.  These response
523packets will also contain a "refid" of 254.a.b.c, where the 24 bits
524of a, b, and c encode the amount of smear in a 2:22 integer:fraction
525format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
526information.
527
528   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
529   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
530
531We've imported the Unity test framework, and have begun converting
532the existing google-test items to this new framework.  If you want
533to write new tests or change old ones, you'll need to have ruby
534installed.  You don't need ruby to run the test suite.
535
536Bug Fixes and Improvements:
537
538* CID 739725: Fix a rare resource leak in libevent/listener.c.
539* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
540* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
541* CID 1269537: Clean up a line of dead code in getShmTime().
542* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
543* [Bug 2590] autogen-5.18.5.
544* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
545  of 'limited'.
546* [Bug 2650] fix includefile processing.
547* [Bug 2745] ntpd -x steps clock on leap second
548   Fixed an initial-value problem that caused misbehaviour in absence of
549   any leapsecond information.
550   Do leap second stepping only of the step adjustment is beyond the
551   proper jump distance limit and step correction is allowed at all.
552* [Bug 2750] build for Win64
553  Building for 32bit of loopback ppsapi needs def file
554* [Bug 2776] Improve ntpq's 'help keytype'.
555* [Bug 2778] Implement "apeers"  ntpq command to include associd.
556* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
557* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
558  interface is ignored as long as this flag is not set since the
559  interface is not usable (e.g., no link).
560* [Bug 2794] Clean up kernel clock status reports.
561* [Bug 2800] refclock_true.c true_debug() can't open debug log because
562  of incompatible open/fdopen parameters.
563* [Bug 2804] install-local-data assumes GNU 'find' semantics.
564* [Bug 2805] ntpd fails to join multicast group.
565* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
566* [Bug 2808] GPSD_JSON driver enhancements, step 1.
567  Fix crash during cleanup if GPS device not present and char device.
568  Increase internal token buffer to parse all JSON data, even SKY.
569  Defer logging of errors during driver init until the first unit is
570  started, so the syslog is not cluttered when the driver is not used.
571  Various improvements, see http://bugs.ntp.org/2808 for details.
572  Changed libjsmn to a more recent version.
573* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
574* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
575* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
576* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
577* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
578* [Bug 2824] Convert update-leap to perl. (also see 2769)
579* [Bug 2825] Quiet file installation in html/ .
580* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
581   NTPD transfers the current TAI (instead of an announcement) now.
582   This might still needed improvement.
583   Update autokey data ASAP when 'sys_tai' changes.
584   Fix unit test that was broken by changes for autokey update.
585   Avoid potential signature length issue and use DPRINTF where possible
586     in ntp_crypto.c.
587* [Bug 2832] refclock_jjy.c supports the TDC-300.
588* [Bug 2834] Correct a broken html tag in html/refclock.html
589* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
590  robust, and require 2 consecutive timestamps to be consistent.
591* [Bug 2837] Allow a configurable DSCP value.
592* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
593* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
594* [Bug 2842] Bug in mdoc2man.
595* [Bug 2843] make check fails on 4.3.36
596   Fixed compiler warnings about numeric range overflow
597   (The original topic was fixed in a byplay to bug#2830)
598* [Bug 2845] Harden memory allocation in ntpd.
599* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
600* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
601* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
602* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
603* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
604* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
605* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
606* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
607* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
608* html/drivers/driver22.html: typo fix.  Harlan Stenn.
609* refidsmear test cleanup.  Tomasz Flendrich.
610* refidsmear function support and tests.  Harlan Stenn.
611* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
612  something that was only in the 4.2.6 sntp.  Harlan Stenn.
613* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
614  Damir Tomić
615* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
616  Damir Tomić
617* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
618  Damir Tomić
619* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
620* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
621* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
622  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
623  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
624  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
625  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
626  Damir Tomić
627* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
628  networking.c, keyFile.c, utilities.cpp, sntptest.h,
629  fileHandlingTest.h. Damir Tomić
630* Initial support for experimental leap smear code.  Harlan Stenn.
631* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
632* Report select() debug messages at debug level 3 now.
633* sntp/scripts/genLocInfo: treat raspbian as debian.
634* Unity test framework fixes.
635  ** Requires ruby for changes to tests.
636* Initial support for PACKAGE_VERSION tests.
637* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
638* tests/bug-2803/Makefile.am must distribute bug-2803.h.
639* Add an assert to the ntpq ifstats code.
640* Clean up the RLIMIT_STACK code.
641* Improve the ntpq documentation around the controlkey keyid.
642* ntpq.c cleanup.
643* Windows port build cleanup.
644
645---
646NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
647
648Focus: Security and Bug fixes, enhancements.
649
650Severity: MEDIUM
651
652In addition to bug fixes and enhancements, this release fixes the
653following medium-severity vulnerabilities involving private key
654authentication:
655
656* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
657
658    References: Sec 2779 / CVE-2015-1798 / VU#374268
659    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
660	including ntp-4.2.8p2 where the installation uses symmetric keys
661	to authenticate remote associations.
662    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
663    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
664    Summary: When ntpd is configured to use a symmetric key to authenticate
665	a remote NTP server/peer, it checks if the NTP message
666	authentication code (MAC) in received packets is valid, but not if
667	there actually is any MAC included. Packets without a MAC are
668	accepted as if they had a valid MAC. This allows a MITM attacker to
669	send false packets that are accepted by the client/peer without
670	having to know the symmetric key. The attacker needs to know the
671	transmit timestamp of the client to match it in the forged reply
672	and the false reply needs to reach the client before the genuine
673	reply from the server. The attacker doesn't necessarily need to be
674	relaying the packets between the client and the server.
675
676	Authentication using autokey doesn't have this problem as there is
677	a check that requires the key ID to be larger than NTP_MAXKEY,
678	which fails for packets without a MAC.
679    Mitigation:
680        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
681	or the NTP Public Services Project Download Page
682        Configure ntpd with enough time sources and monitor it properly.
683    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
684
685* [Sec 2781] Authentication doesn't protect symmetric associations against
686  DoS attacks.
687
688    References: Sec 2781 / CVE-2015-1799 / VU#374268
689    Affects: All NTP releases starting with at least xntp3.3wy up to but
690	not including ntp-4.2.8p2 where the installation uses symmetric
691	key authentication.
692    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
693    Note: the CVSS base Score for this issue could be 4.3 or lower, and
694	it could be higher than 5.4.
695    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
696    Summary: An attacker knowing that NTP hosts A and B are peering with
697	each other (symmetric association) can send a packet to host A
698	with source address of B which will set the NTP state variables
699	on A to the values sent by the attacker. Host A will then send
700	on its next poll to B a packet with originate timestamp that
701	doesn't match the transmit timestamp of B and the packet will
702	be dropped. If the attacker does this periodically for both
703	hosts, they won't be able to synchronize to each other. This is
704	a known denial-of-service attack, described at
705	https://www.eecis.udel.edu/~mills/onwire.html .
706
707	According to the document the NTP authentication is supposed to
708	protect symmetric associations against this attack, but that
709	doesn't seem to be the case. The state variables are updated even
710	when authentication fails and the peers are sending packets with
711	originate timestamps that don't match the transmit timestamps on
712	the receiving side.
713
714	This seems to be a very old problem, dating back to at least
715	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
716	specifications, so other NTP implementations with support for
717	symmetric associations and authentication may be vulnerable too.
718	An update to the NTP RFC to correct this error is in-process.
719    Mitigation:
720        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
721	or the NTP Public Services Project Download Page
722        Note that for users of autokey, this specific style of MITM attack
723	is simply a long-known potential problem.
724        Configure ntpd with appropriate time sources and monitor ntpd.
725	Alert your staff if problems are detected.
726    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
727
728* New script: update-leap
729The update-leap script will verify and if necessary, update the
730leap-second definition file.
731It requires the following commands in order to work:
732
733	wget logger tr sed shasum
734
735Some may choose to run this from cron.  It needs more portability testing.
736
737Bug Fixes and Improvements:
738
739* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
740* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
741* [Bug 2346] "graceful termination" signals do not do peer cleanup.
742* [Bug 2728] See if C99-style structure initialization works.
743* [Bug 2747] Upgrade libevent to 2.1.5-beta.
744* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
745* [Bug 2751] jitter.h has stale copies of l_fp macros.
746* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
747* [Bug 2757] Quiet compiler warnings.
748* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
749* [Bug 2763] Allow different thresholds for forward and backward steps.
750* [Bug 2766] ntp-keygen output files should not be world-readable.
751* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
752* [Bug 2771] nonvolatile value is documented in wrong units.
753* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
754* [Bug 2774] Unreasonably verbose printout - leap pending/warning
755* [Bug 2775] ntp-keygen.c fails to compile under Windows.
756* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
757  Removed non-ASCII characters from some copyright comments.
758  Removed trailing whitespace.
759  Updated definitions for Meinberg clocks from current Meinberg header files.
760  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
761  Account for updated definitions pulled from Meinberg header files.
762  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
763  Replaced some constant numbers by defines from ntp_calendar.h
764  Modified creation of parse-specific variables for Meinberg devices
765  in gps16x_message().
766  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
767  Modified mbg_tm_str() which now expexts an additional parameter controlling
768  if the time status shall be printed.
769* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
770* [Sec 2781] Authentication doesn't protect symmetric associations against
771  DoS attacks.
772* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
773* [Bug 2789] Quiet compiler warnings from libevent.
774* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
775  pause briefly before measuring system clock precision to yield
776  correct results.
777* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
778* Use predefined function types for parse driver functions
779  used to set up function pointers.
780  Account for changed prototype of parse_inp_fnc_t functions.
781  Cast parse conversion results to appropriate types to avoid
782  compiler warnings.
783  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
784  when called with pointers to different types.
785
786---
787NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
788
789Focus: Security and Bug fixes, enhancements.
790
791Severity: HIGH
792
793In addition to bug fixes and enhancements, this release fixes the
794following high-severity vulnerabilities:
795
796* vallen is not validated in several places in ntp_crypto.c, leading
797  to a potential information leak or possibly a crash
798
799    References: Sec 2671 / CVE-2014-9297 / VU#852879
800    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
801    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
802    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
803    Summary: The vallen packet value is not validated in several code
804             paths in ntp_crypto.c which can lead to information leakage
805	     or perhaps a crash of the ntpd process.
806    Mitigation - any of:
807	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
808		or the NTP Public Services Project Download Page.
809	Disable Autokey Authentication by removing, or commenting out,
810		all configuration directives beginning with the "crypto"
811		keyword in your ntp.conf file.
812    Credit: This vulnerability was discovered by Stephen Roettger of the
813    	Google Security Team, with additional cases found by Sebastian
814	Krahmer of the SUSE Security Team and Harlan Stenn of Network
815	Time Foundation.
816
817* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
818  can be bypassed.
819
820    References: Sec 2672 / CVE-2014-9298 / VU#852879
821    Affects: All NTP4 releases before 4.2.8p1, under at least some
822	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
823    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
824    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
825    Summary: While available kernels will prevent 127.0.0.1 addresses
826	from "appearing" on non-localhost IPv4 interfaces, some kernels
827	do not offer the same protection for ::1 source addresses on
828	IPv6 interfaces. Since NTP's access control is based on source
829	address and localhost addresses generally have no restrictions,
830	an attacker can send malicious control and configuration packets
831	by spoofing ::1 addresses from the outside. Note Well: This is
832	not really a bug in NTP, it's a problem with some OSes. If you
833	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
834	ACL restrictions on any application can be bypassed!
835    Mitigation:
836        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
837	or the NTP Public Services Project Download Page
838        Install firewall rules to block packets claiming to come from
839	::1 from inappropriate network interfaces.
840    Credit: This vulnerability was discovered by Stephen Roettger of
841	the Google Security Team.
842
843Additionally, over 30 bugfixes and improvements were made to the codebase.
844See the ChangeLog for more information.
845
846---
847NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
848
849Focus: Security and Bug fixes, enhancements.
850
851Severity: HIGH
852
853In addition to bug fixes and enhancements, this release fixes the
854following high-severity vulnerabilities:
855
856************************** vv NOTE WELL vv *****************************
857
858The vulnerabilities listed below can be significantly mitigated by
859following the BCP of putting
860
861 restrict default ... noquery
862
863in the ntp.conf file.  With the exception of:
864
865   receive(): missing return on error
866   References: Sec 2670 / CVE-2014-9296 / VU#852879
867
868below (which is a limited-risk vulnerability), none of the recent
869vulnerabilities listed below can be exploited if the source IP is
870restricted from sending a 'query'-class packet by your ntp.conf file.
871
872************************** ^^ NOTE WELL ^^ *****************************
873
874* Weak default key in config_auth().
875
876  References: [Sec 2665] / CVE-2014-9293 / VU#852879
877  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
878  Vulnerable Versions: all releases prior to 4.2.7p11
879  Date Resolved: 28 Jan 2010
880
881  Summary: If no 'auth' key is set in the configuration file, ntpd
882	would generate a random key on the fly.  There were two
883	problems with this: 1) the generated key was 31 bits in size,
884	and 2) it used the (now weak) ntp_random() function, which was
885	seeded with a 32-bit value and could only provide 32 bits of
886	entropy.  This was sufficient back in the late 1990s when the
887	code was written.  Not today.
888
889  Mitigation - any of:
890	- Upgrade to 4.2.7p11 or later.
891	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
892
893  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
894  	of the Google Security Team.
895
896* Non-cryptographic random number generator with weak seed used by
897  ntp-keygen to generate symmetric keys.
898
899  References: [Sec 2666] / CVE-2014-9294 / VU#852879
900  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
901  Vulnerable Versions: All NTP4 releases before 4.2.7p230
902  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
903
904  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
905  	prepare a random number generator that was of good quality back
906	in the late 1990s. The random numbers produced was then used to
907	generate symmetric keys. In ntp-4.2.8 we use a current-technology
908	cryptographic random number generator, either RAND_bytes from
909	OpenSSL, or arc4random().
910
911  Mitigation - any of:
912  	- Upgrade to 4.2.7p230 or later.
913	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
914
915  Credit:  This vulnerability was discovered in ntp-4.2.6 by
916  	Stephen Roettger of the Google Security Team.
917
918* Buffer overflow in crypto_recv()
919
920  References: Sec 2667 / CVE-2014-9295 / VU#852879
921  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
922  Versions: All releases before 4.2.8
923  Date Resolved: Stable (4.2.8) 18 Dec 2014
924
925  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
926  	file contains a 'crypto pw ...' directive) a remote attacker
927	can send a carefully crafted packet that can overflow a stack
928	buffer and potentially allow malicious code to be executed
929	with the privilege level of the ntpd process.
930
931  Mitigation - any of:
932  	- Upgrade to 4.2.8, or later, or
933	- Disable Autokey Authentication by removing, or commenting out,
934	  all configuration directives beginning with the crypto keyword
935	  in your ntp.conf file.
936
937  Credit: This vulnerability was discovered by Stephen Roettger of the
938  	Google Security Team.
939
940* Buffer overflow in ctl_putdata()
941
942  References: Sec 2668 / CVE-2014-9295 / VU#852879
943  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
944  Versions: All NTP4 releases before 4.2.8
945  Date Resolved: Stable (4.2.8) 18 Dec 2014
946
947  Summary: A remote attacker can send a carefully crafted packet that
948  	can overflow a stack buffer and potentially allow malicious
949	code to be executed with the privilege level of the ntpd process.
950
951  Mitigation - any of:
952  	- Upgrade to 4.2.8, or later.
953	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
954
955  Credit: This vulnerability was discovered by Stephen Roettger of the
956  	Google Security Team.
957
958* Buffer overflow in configure()
959
960  References: Sec 2669 / CVE-2014-9295 / VU#852879
961  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
962  Versions: All NTP4 releases before 4.2.8
963  Date Resolved: Stable (4.2.8) 18 Dec 2014
964
965  Summary: A remote attacker can send a carefully crafted packet that
966	can overflow a stack buffer and potentially allow malicious
967	code to be executed with the privilege level of the ntpd process.
968
969  Mitigation - any of:
970  	- Upgrade to 4.2.8, or later.
971	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
972
973  Credit: This vulnerability was discovered by Stephen Roettger of the
974	Google Security Team.
975
976* receive(): missing return on error
977
978  References: Sec 2670 / CVE-2014-9296 / VU#852879
979  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
980  Versions: All NTP4 releases before 4.2.8
981  Date Resolved: Stable (4.2.8) 18 Dec 2014
982
983  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
984  	the code path where an error was detected, which meant
985	processing did not stop when a specific rare error occurred.
986	We haven't found a way for this bug to affect system integrity.
987	If there is no way to affect system integrity the base CVSS
988	score for this bug is 0. If there is one avenue through which
989	system integrity can be partially affected, the base score
990	becomes a 5. If system integrity can be partially affected
991	via all three integrity metrics, the CVSS base score become 7.5.
992
993  Mitigation - any of:
994        - Upgrade to 4.2.8, or later,
995        - Remove or comment out all configuration directives
996	  beginning with the crypto keyword in your ntp.conf file.
997
998  Credit: This vulnerability was discovered by Stephen Roettger of the
999  	Google Security Team.
1000
1001See http://support.ntp.org/security for more information.
1002
1003New features / changes in this release:
1004
1005Important Changes
1006
1007* Internal NTP Era counters
1008
1009The internal counters that track the "era" (range of years) we are in
1010rolls over every 136 years'.  The current "era" started at the stroke of
1011midnight on 1 Jan 1900, and ends just before the stroke of midnight on
10121 Jan 2036.
1013In the past, we have used the "midpoint" of the  range to decide which
1014era we were in.  Given the longevity of some products, it became clear
1015that it would be more functional to "look back" less, and "look forward"
1016more.  We now compile a timestamp into the ntpd executable and when we
1017get a timestamp we us the "built-on" to tell us what era we are in.
1018This check "looks back" 10 years, and "looks forward" 126 years.
1019
1020* ntpdc responses disabled by default
1021
1022Dave Hart writes:
1023
1024For a long time, ntpq and its mostly text-based mode 6 (control)
1025protocol have been preferred over ntpdc and its mode 7 (private
1026request) protocol for runtime queries and configuration.  There has
1027been a goal of deprecating ntpdc, previously held back by numerous
1028capabilities exposed by ntpdc with no ntpq equivalent.  I have been
1029adding commands to ntpq to cover these cases, and I believe I've
1030covered them all, though I've not compared command-by-command
1031recently.
1032
1033As I've said previously, the binary mode 7 protocol involves a lot of
1034hand-rolled structure layout and byte-swapping code in both ntpd and
1035ntpdc which is hard to get right.  As ntpd grows and changes, the
1036changes are difficult to expose via ntpdc while maintaining forward
1037and backward compatibility between ntpdc and ntpd.  In contrast,
1038ntpq's text-based, label=value approach involves more code reuse and
1039allows compatible changes without extra work in most cases.
1040
1041Mode 7 has always been defined as vendor/implementation-specific while
1042mode 6 is described in RFC 1305 and intended to be open to interoperate
1043with other implementations.  There is an early draft of an updated
1044mode 6 description that likely will join the other NTPv4 RFCs
1045eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
1046
1047For these reasons, ntpd 4.2.7p230 by default disables processing of
1048ntpdc queries, reducing ntpd's attack surface and functionally
1049deprecating ntpdc.  If you are in the habit of using ntpdc for certain
1050operations, please try the ntpq equivalent.  If there's no equivalent,
1051please open a bug report at http://bugs.ntp.org./
1052
1053In addition to the above, over 1100 issues have been resolved between
1054the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
1055lists these.
1056
1057---
1058NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
1059
1060Focus: Bug fixes
1061
1062Severity: Medium
1063
1064This is a recommended upgrade.
1065
1066This release updates sys_rootdisp and sys_jitter calculations to match the
1067RFC specification, fixes a potential IPv6 address matching error for the
1068"nic" and "interface" configuration directives, suppresses the creation of
1069extraneous ephemeral associations for certain broadcastclient and
1070multicastclient configurations, cleans up some ntpq display issues, and
1071includes improvements to orphan mode, minor bugs fixes and code clean-ups.
1072
1073New features / changes in this release:
1074
1075ntpd
1076
1077 * Updated "nic" and "interface" IPv6 address handling to prevent
1078   mismatches with localhost [::1] and wildcard [::] which resulted from
1079   using the address/prefix format (e.g. fe80::/64)
1080 * Fix orphan mode stratum incorrectly counting to infinity
1081 * Orphan parent selection metric updated to includes missing ntohl()
1082 * Non-printable stratum 16 refid no longer sent to ntp
1083 * Duplicate ephemeral associations suppressed for broadcastclient and
1084   multicastclient without broadcastdelay
1085 * Exclude undetermined sys_refid from use in loopback TEST12
1086 * Exclude MODE_SERVER responses from KoD rate limiting
1087 * Include root delay in clock_update() sys_rootdisp calculations
1088 * get_systime() updated to exclude sys_residual offset (which only
1089   affected bits "below" sys_tick, the precision threshold)
1090 * sys.peer jitter weighting corrected in sys_jitter calculation
1091
1092ntpq
1093
1094 * -n option extended to include the billboard "server" column
1095 * IPv6 addresses in the local column truncated to prevent overruns
1096
1097---
1098NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
1099
1100Focus: Bug fixes and portability improvements
1101
1102Severity: Medium
1103
1104This is a recommended upgrade.
1105
1106This release includes build infrastructure updates, code
1107clean-ups, minor bug fixes, fixes for a number of minor
1108ref-clock issues, and documentation revisions.
1109
1110Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
1111
1112New features / changes in this release:
1113
1114Build system
1115
1116* Fix checking for struct rtattr
1117* Update config.guess and config.sub for AIX
1118* Upgrade required version of autogen and libopts for building
1119  from our source code repository
1120
1121ntpd
1122
1123* Back-ported several fixes for Coverity warnings from ntp-dev
1124* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
1125* Allow "logconfig =allall" configuration directive
1126* Bind tentative IPv6 addresses on Linux
1127* Correct WWVB/Spectracom driver to timestamp CR instead of LF
1128* Improved tally bit handling to prevent incorrect ntpq peer status reports
1129* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
1130  candidate list unless they are designated a "prefer peer"
1131* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
1132  selection during the 'tos orphanwait' period
1133* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
1134  drivers
1135* Improved support of the Parse Refclock trusttime flag in Meinberg mode
1136* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
1137* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
1138  clock slew on Microsoft Windows
1139* Code cleanup in libntpq
1140
1141ntpdc
1142
1143* Fix timerstats reporting
1144
1145ntpdate
1146
1147* Reduce time required to set clock
1148* Allow a timeout greater than 2 seconds
1149
1150sntp
1151
1152* Backward incompatible command-line option change:
1153  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
1154
1155Documentation
1156
1157* Update html2man. Fix some tags in the .html files
1158* Distribute ntp-wait.html
1159
1160---
1161NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
1162
1163Focus: Bug fixes and portability improvements
1164
1165Severity: Medium
1166
1167This is a recommended upgrade.
1168
1169This release includes build infrastructure updates, code
1170clean-ups, minor bug fixes, fixes for a number of minor
1171ref-clock issues, and documentation revisions.
1172
1173Portability improvements in this release affect AIX, Atari FreeMiNT,
1174FreeBSD4, Linux and Microsoft Windows.
1175
1176New features / changes in this release:
1177
1178Build system
1179* Use lsb_release to get information about Linux distributions.
1180* 'test' is in /usr/bin (instead of /bin) on some systems.
1181* Basic sanity checks for the ChangeLog file.
1182* Source certain build files with ./filename for systems without . in PATH.
1183* IRIX portability fix.
1184* Use a single copy of the "libopts" code.
1185* autogen/libopts upgrade.
1186* configure.ac m4 quoting cleanup.
1187
1188ntpd
1189* Do not bind to IN6_IFF_ANYCAST addresses.
1190* Log the reason for exiting under Windows.
1191* Multicast fixes for Windows.
1192* Interpolation fixes for Windows.
1193* IPv4 and IPv6 Multicast fixes.
1194* Manycast solicitation fixes and general repairs.
1195* JJY refclock cleanup.
1196* NMEA refclock improvements.
1197* Oncore debug message cleanup.
1198* Palisade refclock now builds under Linux.
1199* Give RAWDCF more baud rates.
1200* Support Truetime Satellite clocks under Windows.
1201* Support Arbiter 1093C Satellite clocks under Windows.
1202* Make sure that the "filegen" configuration command defaults to "enable".
1203* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
1204* Prohibit 'includefile' directive in remote configuration command.
1205* Fix 'nic' interface bindings.
1206* Fix the way we link with openssl if openssl is installed in the base
1207  system.
1208
1209ntp-keygen
1210* Fix -V coredump.
1211* OpenSSL version display cleanup.
1212
1213ntpdc
1214* Many counters should be treated as unsigned.
1215
1216ntpdate
1217* Do not ignore replies with equal receive and transmit timestamps.
1218
1219ntpq
1220* libntpq warning cleanup.
1221
1222ntpsnmpd
1223* Correct SNMP type for "precision" and "resolution".
1224* Update the MIB from the draft version to RFC-5907.
1225
1226sntp
1227* Display timezone offset when showing time for sntp in the local
1228  timezone.
1229* Pay proper attention to RATE KoD packets.
1230* Fix a miscalculation of the offset.
1231* Properly parse empty lines in the key file.
1232* Logging cleanup.
1233* Use tv_usec correctly in set_time().
1234* Documentation cleanup.
1235
1236---
1237NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
1238
1239Focus: Bug fixes and portability improvements
1240
1241Severity: Medium
1242
1243This is a recommended upgrade.
1244
1245This release includes build infrastructure updates, code
1246clean-ups, minor bug fixes, fixes for a number of minor
1247ref-clock issues, improved KOD handling, OpenSSL related
1248updates and documentation revisions.
1249
1250Portability improvements in this release affect Irix, Linux,
1251Mac OS, Microsoft Windows, OpenBSD and QNX6
1252
1253New features / changes in this release:
1254
1255ntpd
1256* Range syntax for the trustedkey configuration directive
1257* Unified IPv4 and IPv6 restrict lists
1258
1259ntpdate
1260* Rate limiting and KOD handling
1261
1262ntpsnmpd
1263* default connection to net-snmpd via a unix-domain socket
1264* command-line 'socket name' option
1265
1266ntpq / ntpdc
1267* support for the "passwd ..." syntax
1268* key-type specific password prompts
1269
1270sntp
1271* MD5 authentication of an ntpd
1272* Broadcast and crypto
1273* OpenSSL support
1274
1275---
1276NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
1277
1278Focus: Bug fixes, portability fixes, and documentation improvements
1279
1280Severity: Medium
1281
1282This is a recommended upgrade.
1283
1284---
1285NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1286
1287Focus: enhancements and bug fixes.
1288
1289---
1290NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1291
1292Focus: Security Fixes
1293
1294Severity: HIGH
1295
1296This release fixes the following high-severity vulnerability:
1297
1298* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
1299
1300  See http://support.ntp.org/security for more information.
1301
1302  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
1303  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
1304  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
1305  request or a mode 7 error response from an address which is not listed
1306  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
1307  reply with a mode 7 error response (and log a message).  In this case:
1308
1309	* If an attacker spoofs the source address of ntpd host A in a
1310	  mode 7 response packet sent to ntpd host B, both A and B will
1311	  continuously send each other error responses, for as long as
1312	  those packets get through.
1313
1314	* If an attacker spoofs an address of ntpd host A in a mode 7
1315	  response packet sent to ntpd host A, A will respond to itself
1316	  endlessly, consuming CPU and logging excessively.
1317
1318  Credit for finding this vulnerability goes to Robin Park and Dmitri
1319  Vinokurov of Alcatel-Lucent.
1320
1321THIS IS A STRONGLY RECOMMENDED UPGRADE.
1322
1323---
1324ntpd now syncs to refclocks right away.
1325
1326Backward-Incompatible changes:
1327
1328ntpd no longer accepts '-v name' or '-V name' to define internal variables.
1329Use '--var name' or '--dvar name' instead. (Bug 817)
1330
1331---
1332NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
1333
1334Focus: Security and Bug Fixes
1335
1336Severity: HIGH
1337
1338This release fixes the following high-severity vulnerability:
1339
1340* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
1341
1342  See http://support.ntp.org/security for more information.
1343
1344  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
1345  line) then a carefully crafted packet sent to the machine will cause
1346  a buffer overflow and possible execution of injected code, running
1347  with the privileges of the ntpd process (often root).
1348
1349  Credit for finding this vulnerability goes to Chris Ries of CMU.
1350
1351This release fixes the following low-severity vulnerabilities:
1352
1353* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
1354  Credit for finding this vulnerability goes to Geoff Keating of Apple.
1355
1356* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
1357  Credit for finding this issue goes to Dave Hart.
1358
1359This release fixes a number of bugs and adds some improvements:
1360
1361* Improved logging
1362* Fix many compiler warnings
1363* Many fixes and improvements for Windows
1364* Adds support for AIX 6.1
1365* Resolves some issues under MacOS X and Solaris
1366
1367THIS IS A STRONGLY RECOMMENDED UPGRADE.
1368
1369---
1370NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
1371
1372Focus: Security Fix
1373
1374Severity: Low
1375
1376This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
1377the OpenSSL library relating to the incorrect checking of the return
1378value of EVP_VerifyFinal function.
1379
1380Credit for finding this issue goes to the Google Security Team for
1381finding the original issue with OpenSSL, and to ocert.org for finding
1382the problem in NTP and telling us about it.
1383
1384This is a recommended upgrade.
1385---
1386NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
1387
1388Focus: Minor Bugfixes
1389
1390This release fixes a number of Windows-specific ntpd bugs and
1391platform-independent ntpdate bugs. A logging bugfix has been applied
1392to the ONCORE driver.
1393
1394The "dynamic" keyword and is now obsolete and deferred binding to local
1395interfaces is the new default. The minimum time restriction for the
1396interface update interval has been dropped.
1397
1398A number of minor build system and documentation fixes are included.
1399
1400This is a recommended upgrade for Windows.
1401
1402---
1403NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
1404
1405Focus: Minor Bugfixes
1406
1407This release updates certain copyright information, fixes several display
1408bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
1409shutdown in the parse refclock driver, removes some lint from the code,
1410stops accessing certain buffers immediately after they were freed, fixes
1411a problem with non-command-line specification of -6, and allows the loopback
1412interface to share addresses with other interfaces.
1413
1414---
1415NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
1416
1417Focus: Minor Bugfixes
1418
1419This release fixes a bug in Windows that made it difficult to
1420terminate ntpd under windows.
1421This is a recommended upgrade for Windows.
1422
1423---
1424NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
1425
1426Focus: Minor Bugfixes
1427
1428This release fixes a multicast mode authentication problem,
1429an error in NTP packet handling on Windows that could lead to
1430ntpd crashing, and several other minor bugs. Handling of
1431multicast interfaces and logging configuration were improved.
1432The required versions of autogen and libopts were incremented.
1433This is a recommended upgrade for Windows and multicast users.
1434
1435---
1436NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
1437
1438Focus: enhancements and bug fixes.
1439
1440Dynamic interface rescanning was added to simplify the use of ntpd in
1441conjunction with DHCP. GNU AutoGen is used for its command-line options
1442processing. Separate PPS devices are supported for PARSE refclocks, MD5
1443signatures are now provided for the release files. Drivers have been
1444added for some new ref-clocks and have been removed for some older
1445ref-clocks. This release also includes other improvements, documentation
1446and bug fixes.
1447
1448K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
1449C support.
1450
1451---
1452NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
1453
1454Focus: enhancements and bug fixes.
1455