xref: /freebsd/contrib/ntp/NEWS (revision cddbc3b40812213ff00041f79174cac0be360a2a)
1---
2NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
3
4Focus: Security, Bug fixes, enhancements.
5
6Severity: MEDIUM
7
8This release fixes a bug that allows an attacker with access to an
9explicitly trusted source to send a crafted malicious mode 6 (ntpq)
10packet that can trigger a NULL pointer dereference, crashing ntpd.
11It also provides 17 other bugfixes and 1 other improvement:
12
13* [Sec 3565] Crafted null dereference attack in authenticated
14	     mode 6 packet <perlinger@ntp.org>
15  - reported by Magnus Stubman
16* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
17  - applied patch by Ian Lepore
18* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
19  - isolate and fix linux/windows specific code issue
20* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
21  - provide better function for incremental string formatting
22* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
23  - applied patch by Gerry Garvey
24* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
25  - original finding by Gerry Garvey, additional cleanup needed
26* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
27  - patch by Christous Zoulas
28* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
29  - finding by Chen Jiabin, plus another one by me
30* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
31  - applied patch by Maciej Szmigiero
32* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
33  - applied patch by Andre Charbonneau
34* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
35  - applied patch by Baruch Siach
36* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
37  - applied patch by Baruch Siach
38* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
39  - refactored handling of GPS era based on 'tos basedate' for
40    parse (TSIP) and JUPITER clocks
41* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
42  - patch by Daniel J. Luke; this does not fix a potential linker
43    regression issue on MacOS.
44* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
45  anomaly <perlinger@ntp.org>, reported by GGarvey.
46  - --enable-bug3527-fix support by HStenn
47* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
48  - applied patch by Gerry Garvey
49* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
50  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
51* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
52  - this is a variant of [bug 3558] and should be fixed with it
53* Implement 'configure --disable-signalled-io'
54
55--
56NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
57
58Focus: Security, Bug fixes, enhancements.
59
60Severity: MEDIUM
61
62This release fixes a "hole" in the noepeer capability introduced to ntpd
63in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
64ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
65
66* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
67
68* [Sec 3012] Fix a hole in the new "noepeer" processing.
69
70* Bug Fixes:
71 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
72 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
73            other TrustedBSD platforms
74 - applied patch by Ian Lepore <perlinger@ntp.org>
75 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
76 - changed interaction with SCM to signal pending startup
77 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
78 - applied patch by Gerry Garvey
79 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
80 - applied patch by Gerry Garvey
81 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
82 - rework of ntpq 'nextvar()' key/value parsing
83 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
84 - applied patch by Gerry Garvey (with mods)
85 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
86 - applied patch by Gerry Garvey
87 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
88 - applied patch by Gerry Garvey (with mods)
89 [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
90 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
91 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
92 - applied patch by Gerry Garvey
93 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
94 - applied patch by Gerry Garvey
95 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
96 - add #define ENABLE_CMAC support in configure.  HStenn.
97 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
98 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
99 - patch by Stephen Friedl
100 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
101 - fixed IO redirection and CTRL-C handling in ntq and ntpdc
102 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
103 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
104 - initial patch by Hal Murray; also fixed refclock_report() trouble
105 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
106 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
107 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
108 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
109 - applied patch by Gerry Garvey
110 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
111 - applied patch by Gerry Garvey
112 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
113 with modifications
114 New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
115 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
116 - applied patch by Miroslav Lichvar
117 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
118 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
119 - integrated patch by  Reinhard Max
120 [Bug 2821] minor build issues <perlinger@ntp.org>
121 - applied patches by Christos Zoulas, including real bug fixes
122 html/authopt.html: cleanup, from <stenn@ntp.org>
123 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
124 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
125
126--
127NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
128
129Focus: Security, Bug fixes, enhancements.
130
131Severity: MEDIUM
132
133This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
134vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
135provides 65 other non-security fixes and improvements:
136
137* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
138	association (LOW/MED)
139   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
140   References: Sec 3454 / CVE-2018-7185 / VU#961909
141   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
142   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
143	2.9 and 6.8.
144   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
145	score between 2.6 and 3.1
146   Summary:
147	The NTP Protocol allows for both non-authenticated and
148	authenticated associations, in client/server, symmetric (peer),
149	and several broadcast modes. In addition to the basic NTP
150	operational modes, symmetric mode and broadcast servers can
151	support an interleaved mode of operation. In ntp-4.2.8p4 a bug
152	was inadvertently introduced into the protocol engine that
153	allows a non-authenticated zero-origin (reset) packet to reset
154	an authenticated interleaved peer association. If an attacker
155	can send a packet with a zero-origin timestamp and the source
156	IP address of the "other side" of an interleaved association,
157	the 'victim' ntpd will reset its association. The attacker must
158	continue sending these packets in order to maintain the
159	disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
160	interleave mode could be entered dynamically. As of ntp-4.2.8p7,
161	interleaved mode must be explicitly configured/enabled.
162   Mitigation:
163	Implement BCP-38.
164	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
165	    or the NTP Public Services Project Download Page.
166	If you are unable to upgrade to 4.2.8p11 or later and have
167	    'peer HOST xleave' lines in your ntp.conf file, remove the
168	    'xleave' option.
169	Have enough sources of time.
170	Properly monitor your ntpd instances.
171	If ntpd stops running, auto-restart it without -g .
172   Credit:
173   	This weakness was discovered by Miroslav Lichvar of Red Hat.
174
175* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
176	state (LOW/MED)
177   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
178   References: Sec 3453 / CVE-2018-7184 / VU#961909
179   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
180   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
181	Could score between 2.9 and 6.8.
182   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
183	Could score between 2.6 and 6.0.
184   Summary:
185   	The fix for NtpBug2952 was incomplete, and while it fixed one
186	problem it created another.  Specifically, it drops bad packets
187	before updating the "received" timestamp.  This means a
188	third-party can inject a packet with a zero-origin timestamp,
189	meaning the sender wants to reset the association, and the
190	transmit timestamp in this bogus packet will be saved as the
191	most recent "received" timestamp.  The real remote peer does
192	not know this value and this will disrupt the association until
193	the association resets.
194   Mitigation:
195	Implement BCP-38.
196	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
197	    or the NTP Public Services Project Download Page.
198	Use authentication with 'peer' mode.
199	Have enough sources of time.
200	Properly monitor your ntpd instances.
201	If ntpd stops running, auto-restart it without -g .
202   Credit:
203   	This weakness was discovered by Miroslav Lichvar of Red Hat.
204
205* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
206	peering (LOW)
207   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
208   References: Sec 3415 / CVE-2018-7170 / VU#961909
209   	       Sec 3012 / CVE-2016-1549 / VU#718152
210   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
211   	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
212   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
213   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
214   Summary:
215	ntpd can be vulnerable to Sybil attacks.  If a system is set up to
216	use a trustedkey and if one is not using the feature introduced in
217	ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
218	specify which IPs can serve time, a malicious authenticated peer
219	-- i.e. one where the attacker knows the private symmetric key --
220	can create arbitrarily-many ephemeral associations in order to win
221	the clock selection of ntpd and modify a victim's clock.  Three
222	additional protections are offered in ntp-4.2.8p11.  One is the
223	new 'noepeer' directive, which disables symmetric passive
224	ephemeral peering. Another is the new 'ippeerlimit' directive,
225	which limits the number of peers that can be created from an IP.
226	The third extends the functionality of the 4th field in the
227	ntp.keys file to include specifying a subnet range.
228   Mitigation:
229	Implement BCP-38.
230	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
231	    or the NTP Public Services Project Download Page.
232	Use the 'noepeer' directive to prohibit symmetric passive
233	    ephemeral associations.
234	Use the 'ippeerlimit' directive to limit the number of peers
235	    that can be created from an IP.
236	Use the 4th argument in the ntp.keys file to limit the IPs and
237	    subnets that can be time servers.
238	Have enough sources of time.
239	Properly monitor your ntpd instances.
240	If ntpd stops running, auto-restart it without -g .
241   Credit:
242	This weakness was reported as Bug 3012 by Matthew Van Gundy of
243	Cisco ASIG, and separately by Stefan Moser as Bug 3415.
244
245* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
246   Date Resolved: 27 Feb 2018
247   References: Sec 3414 / CVE-2018-7183 / VU#961909
248   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
249   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
250   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
251   Summary:
252   	ntpq is a monitoring and control program for ntpd.  decodearr()
253	is an internal function of ntpq that is used to -- wait for it --
254	decode an array in a response string when formatted data is being
255	displayed.  This is a problem in affected versions of ntpq if a
256	maliciously-altered ntpd returns an array result that will trip this
257	bug, or if a bad actor is able to read an ntpq request on its way to
258	a remote ntpd server and forge and send a response before the remote
259	ntpd sends its response.  It's potentially possible that the
260	malicious data could become injectable/executable code.
261   Mitigation:
262	Implement BCP-38.
263	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
264	    or the NTP Public Services Project Download Page.
265   Credit:
266	This weakness was discovered by Michael Macnair of Thales e-Security.
267
268* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
269	behavior and information leak (Info/Medium)
270   Date Resolved: 27 Feb 2018
271   References: Sec 3412 / CVE-2018-7182 / VU#961909
272   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
273   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
274   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
275	0.0 if C:N
276   Summary:
277	ctl_getitem()  is used by ntpd to process incoming mode 6 packets.
278	A malicious mode 6 packet can be sent to an ntpd instance, and
279	if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
280	cause ctl_getitem() to read past the end of its buffer.
281   Mitigation:
282	Implement BCP-38.
283	Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
284	    or the NTP Public Services Project Download Page.
285	Have enough sources of time.
286	Properly monitor your ntpd instances.
287	If ntpd stops running, auto-restart it without -g .
288   Credit:
289   	This weakness was discovered by Yihan Lian of Qihoo 360.
290
291* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
292   Also see Bug 3415, above.
293   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
294   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
295   References: Sec 3012 / CVE-2016-1549 / VU#718152
296   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
297	4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
298   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
299   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
300   Summary:
301	ntpd can be vulnerable to Sybil attacks.  If a system is set up
302	to use a trustedkey and if one is not using the feature
303	introduced in ntp-4.2.8p6 allowing an optional 4th field in the
304	ntp.keys file to specify which IPs can serve time, a malicious
305	authenticated peer -- i.e. one where the attacker knows the
306	private symmetric key -- can create arbitrarily-many ephemeral
307	associations in order to win the clock selection of ntpd and
308	modify a victim's clock.  Two additional protections are
309	offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
310	disables symmetric passive ephemeral peering. The other extends
311	the functionality of the 4th field in the ntp.keys file to
312	include specifying a subnet range.
313   Mitigation:
314	Implement BCP-38.
315	Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
316	    the NTP Public Services Project Download Page.
317	Use the 'noepeer' directive to prohibit symmetric passive
318	    ephemeral associations.
319	Use the 'ippeerlimit' directive to limit the number of peer
320	    associations from an IP.
321	Use the 4th argument in the ntp.keys file to limit the IPs
322	    and subnets that can be time servers.
323	Properly monitor your ntpd instances.
324   Credit:
325   	This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
326
327* Bug fixes:
328 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
329 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
330 - applied patch by Sean Haugh
331 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
332 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
333 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
334 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
335 - refactoring the MAC code, too
336 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
337 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
338 - applied patch by ggarvey
339 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
340 - applied patch by ggarvey (with minor mods)
341 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
342 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
343 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
344 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
345 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
346 - fixed several issues with hash algos in ntpd, sntp, ntpq,
347   ntpdc and the test suites <perlinger@ntp.org>
348 [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
349 - initial patch by Daniel Pouzzner
350 [Bug 3423] QNX adjtime() implementation error checking is
351 wrong <perlinger@ntp.org>
352 [Bug 3417] ntpq ifstats packet counters can be negative
353 made IFSTATS counter quantities unsigned <perlinger@ntp.org>
354 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
355 - raised receive buffer size to 1200 <perlinger@ntp.org>
356 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
357 analysis tool. <abe@ntp.org>
358 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
359 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
360 - fix/drop assumptions on OpenSSL libs directory layout
361 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
362 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
363 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
364 - patch contributed by Alexander Bluhm
365 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
366 rework of formatting & data transfer stuff in 'ntp_control.c'
367 avoids unecessary buffers and size limitations. <perlinger@ntp.org>
368 [Bug 3394] Leap second deletion does not work on ntpd clients
369 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
370 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
371 - increased mimimum stack size to 32kB <perlinger@ntp.org>
372 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
373 - reverted handling of PPS kernel consumer to 4.2.6 behavior
374 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
375 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
376 [Bug 3016] wrong error position reported for bad ":config pool"
377 - fixed location counter & ntpq output <perlinger@ntp.org>
378 [Bug 2900] libntp build order problem.  HStenn.
379 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
380 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
381 perlinger@ntp.org
382 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
383 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
384 Use strlcpy() to copy strings, not memcpy().  HStenn.
385 Typos.  HStenn.
386 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
387 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
388 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
389 Fix trivial warnings from 'make check'. perlinger@ntp.org
390 Fix bug in the override portion of the compiler hardening macro. HStenn.
391 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
392 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
393 sntp: tweak key file logging.  HStenn.
394 sntp: pkt_output(): Improve debug output.  HStenn.
395 update-leap: updates from Paul McMath.
396 When using pkg-config, report --modversion.  HStenn.
397 Clean up libevent configure checks.  HStenn.
398 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
399 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
400 authistrustedip() - use it in more places.  HStenn, JPerlinger.
401 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
402 Update ntp.keys .../N documentation.  HStenn.
403 Distribute testconf.yml.  HStenn.
404 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
405 Rename the configuration flag fifo variables.  HStenn.
406 Improve saveconfig output.  HStenn.
407 Decode restrict flags on receive() debug output.  HStenn.
408 Decode interface flags on receive() debug output.  HStenn.
409 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
410 Update the documentation in ntp.conf.def .  HStenn.
411 restrictions() must return restrict flags and ippeerlimit.  HStenn.
412 Update ntpq peer documentation to describe the 'p' type.  HStenn.
413 Rename restrict 'flags' to 'rflags.  Use an enum for the values.  HStenn.
414 Provide dump_restricts() for debugging.  HStenn.
415 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
416
417* Other items:
418
419* update-leap needs the following perl modules:
420	Net::SSLeay
421	IO::Socket::SSL
422
423* New sysstats variables: sys_lamport, sys_tsrounding
424See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
425sys_lamport counts the number of observed Lamport violations, while
426sys_tsrounding counts observed timestamp rounding events.
427
428* New ntp.conf items:
429
430- restrict ... noepeer
431- restrict ... ippeerlimit N
432
433The 'noepeer' directive will disallow all ephemeral/passive peer
434requests.
435
436The 'ippeerlimit' directive limits the number of time associations
437for each IP in the designated set of addresses.  This limit does not
438apply to explicitly-configured associations.  A value of -1, the current
439default, means an unlimited number of associations may connect from a
440single IP.  0 means "none", etc.  Ordinarily the only way multiple
441associations would come from the same IP would be if the remote side
442was using a proxy.  But a trusted machine might become compromised,
443in which case an attacker might spin up multiple authenticated sessions
444from different ports.  This directive should be helpful in this case.
445
446* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
447field may contain a /subnetbits specification, which identifies  the
448scope of IPs that may use this key.  This IP/subnet restriction can be
449used to limit the IPs that may use the key in most all situations where
450a key is used.
451--
452NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
453
454Focus: Security, Bug fixes, enhancements.
455
456Severity: MEDIUM
457
458This release fixes 5 medium-, 6 low-, and 4 informational-severity
459vulnerabilities, and provides 15 other non-security fixes and improvements:
460
461* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
462   Date Resolved: 21 Mar 2017
463   References: Sec 3389 / CVE-2017-6464 / VU#325339
464   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
465	ntp-4.3.0 up to, but not including ntp-4.3.94.
466   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
467   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
468   Summary:
469	A vulnerability found in the NTP server makes it possible for an
470	authenticated remote user to crash ntpd via a malformed mode
471	configuration directive.
472   Mitigation:
473	Implement BCP-38.
474	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
475	    the NTP Public Services Project Download Page
476	Properly monitor your ntpd instances, and auto-restart
477	    ntpd (without -g) if it stops running.
478   Credit:
479	This weakness was discovered by Cure53.
480
481* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
482    Date Resolved: 21 Mar 2017
483    References: Sec 3388 / CVE-2017-6462 / VU#325339
484    Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
485    CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
486    CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
487    Summary:
488	There is a potential for a buffer overflow in the legacy Datum
489	Programmable Time Server refclock driver.  Here the packets are
490	processed from the /dev/datum device and handled in
491	datum_pts_receive().  Since an attacker would be required to
492	somehow control a malicious /dev/datum device, this does not
493	appear to be a practical attack and renders this issue "Low" in
494	terms of severity.
495   Mitigation:
496	If you have a Datum reference clock installed and think somebody
497	    may maliciously change the device, upgrade to 4.2.8p10, or
498	    later, from the NTP Project Download Page or the NTP Public
499	    Services Project Download Page
500	Properly monitor your ntpd instances, and auto-restart
501	    ntpd (without -g) if it stops running.
502   Credit:
503	This weakness was discovered by Cure53.
504
505* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
506   Date Resolved: 21 Mar 2017
507   References: Sec 3387 / CVE-2017-6463 / VU#325339
508   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
509	ntp-4.3.0 up to, but not including ntp-4.3.94.
510   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
511   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
512   Summary:
513	A vulnerability found in the NTP server allows an authenticated
514	remote attacker to crash the daemon by sending an invalid setting
515	via the :config directive.  The unpeer option expects a number or
516	an address as an argument.  In case the value is "0", a
517	segmentation fault occurs.
518   Mitigation:
519	Implement BCP-38.
520	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
521	    or the NTP Public Services Project Download Page
522	Properly monitor your ntpd instances, and auto-restart
523	    ntpd (without -g) if it stops running.
524   Credit:
525	This weakness was discovered by Cure53.
526
527* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
528   Date Resolved: 21 Mar 2017
529   References: Sec 3386
530   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
531	ntp-4.3.0 up to, but not including ntp-4.3.94.
532   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
533   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
534   Summary:
535	The NTP Mode 6 monitoring and control client, ntpq, uses the
536	function ntpq_stripquotes() to remove quotes and escape characters
537	from a given string.  According to the documentation, the function
538	is supposed to return the number of copied bytes but due to
539	incorrect pointer usage this value is always zero.  Although the
540	return value of this function is never used in the code, this
541	flaw could lead to a vulnerability in the future.  Since relying
542	on wrong return values when performing memory operations is a
543	dangerous practice, it is recommended to return the correct value
544	in accordance with the documentation pertinent to the code.
545   Mitigation:
546	Implement BCP-38.
547	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
548	    or the NTP Public Services Project Download Page
549	Properly monitor your ntpd instances, and auto-restart
550	    ntpd (without -g) if it stops running.
551   Credit:
552	This weakness was discovered by Cure53.
553
554* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
555   Date Resolved: 21 Mar 2017
556   References: Sec 3385
557   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
558	ntp-4.3.0 up to, but not including ntp-4.3.94.
559   Summary:
560	NTP makes use of several wrappers around the standard heap memory
561	allocation functions that are provided by libc.  This is mainly
562	done to introduce additional safety checks concentrated on
563	several goals.  First, they seek to ensure that memory is not
564	accidentally freed, secondly they verify that a correct amount
565	is always allocated and, thirdly, that allocation failures are
566	correctly handled.  There is an additional implementation for
567	scenarios where memory for a specific amount of items of the
568	same size needs to be allocated.  The handling can be found in
569	the oreallocarray() function for which a further number-of-elements
570	parameter needs to be provided.  Although no considerable threat
571	was identified as tied to a lack of use of this function, it is
572	recommended to correctly apply oreallocarray() as a preferred
573	option across all of the locations where it is possible.
574   Mitigation:
575	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
576	    or the NTP Public Services Project Download Page
577   Credit:
578	This weakness was discovered by Cure53.
579
580* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
581	PPSAPI ONLY) (Low)
582   Date Resolved: 21 Mar 2017
583   References: Sec 3384 / CVE-2017-6455 / VU#325339
584   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
585	not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
586	including ntp-4.3.94.
587   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
588   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
589   Summary:
590	The Windows NT port has the added capability to preload DLLs
591	defined in the inherited global local environment variable
592	PPSAPI_DLLS.  The code contained within those libraries is then
593	called from the NTPD service, usually running with elevated
594	privileges. Depending on how securely the machine is setup and
595	configured, if ntpd is configured to use the PPSAPI under Windows
596	this can easily lead to a code injection.
597   Mitigation:
598	Implement BCP-38.
599	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
600	    or the NTP Public Services Project Download Page
601   Credit:
602   This weakness was discovered by Cure53.
603
604* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
605	installer ONLY) (Low)
606   Date Resolved: 21 Mar 2017
607   References: Sec 3383 / CVE-2017-6452 / VU#325339
608   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
609	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
610	to, but not including ntp-4.3.94.
611   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
612   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
613   Summary:
614	The Windows installer for NTP calls strcat(), blindly appending
615	the string passed to the stack buffer in the addSourceToRegistry()
616	function.  The stack buffer is 70 bytes smaller than the buffer
617	in the calling main() function.  Together with the initially
618	copied Registry path, the combination causes a stack buffer
619	overflow and effectively overwrites the stack frame.  The
620	passed application path is actually limited to 256 bytes by the
621	operating system, but this is not sufficient to assure that the
622	affected stack buffer is consistently protected against
623	overflowing at all times.
624   Mitigation:
625	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
626	or the NTP Public Services Project Download Page
627   Credit:
628	This weakness was discovered by Cure53.
629
630* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
631	installer ONLY) (Low)
632   Date Resolved: 21 Mar 2017
633   References: Sec 3382 / CVE-2017-6459 / VU#325339
634   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
635	installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
636	up to, but not including ntp-4.3.94.
637   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
638   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
639   Summary:
640	The Windows installer for NTP calls strcpy() with an argument
641	that specifically contains multiple null bytes.  strcpy() only
642	copies a single terminating null character into the target
643	buffer instead of copying the required double null bytes in the
644	addKeysToRegistry() function.  As a consequence, a garbage
645	registry entry can be created.  The additional arsize parameter
646	is erroneously set to contain two null bytes and the following
647	call to RegSetValueEx() claims to be passing in a multi-string
648	value, though this may not be true.
649   Mitigation:
650	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
651	    or the NTP Public Services Project Download Page
652   Credit:
653	This weakness was discovered by Cure53.
654
655* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
656   References: Sec 3381
657   Summary:
658	The report says: Statically included external projects
659	potentially introduce several problems and the issue of having
660	extensive amounts of code that is "dead" in the resulting binary
661	must clearly be pointed out.  The unnecessary unused code may or
662	may not contain bugs and, quite possibly, might be leveraged for
663	code-gadget-based branch-flow redirection exploits.  Analogically,
664	having source trees statically included as well means a failure
665	in taking advantage of the free feature for periodical updates.
666	This solution is offered by the system's Package Manager. The
667	three libraries identified are libisc, libevent, and libopts.
668   Resolution:
669	For libisc, we already only use a portion of the original library.
670	We've found and fixed bugs in the original implementation (and
671	offered the patches to ISC), and plan to see what has changed
672	since we last upgraded the code.  libisc is generally not
673	installed, and when it it we usually only see the static libisc.a
674	file installed.  Until we know for sure that the bugs we've found
675	and fixed are fixed upstream, we're better off with the copy we
676	are using.
677
678        Version 1 of libevent was the only production version available
679	until recently, and we've been requiring version 2 for a long time.
680	But if the build system has at least version 2 of libevent
681	installed, we'll use the version that is installed on the system.
682	Otherwise, we provide a copy of libevent that we know works.
683
684        libopts is provided by GNU AutoGen, and that library and package
685	undergoes frequent API version updates.  The version of autogen
686	used to generate the tables for the code must match the API
687	version in libopts.  AutoGen can be ... difficult to build and
688	install, and very few developers really need it.  So we have it
689	on our build and development machines, and we provide the
690	specific version of the libopts code in the distribution to make
691	sure that the proper API version of libopts is available.
692
693        As for the point about there being code in these libraries that
694	NTP doesn't use, OK.  But other packages used these libraries as
695	well, and it is reasonable to assume that other people are paying
696	attention to security and code quality issues for the overall
697	libraries.  It takes significant resources to analyze and
698	customize these libraries to only include what we need, and to
699	date we believe the cost of this effort does not justify the benefit.
700   Credit:
701	This issue was discovered by Cure53.
702
703* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
704   Date Resolved: 21 Mar 2017
705   References: Sec 3380
706   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
707   	ntp-4.3.0 up to, but not including ntp-4.3.94.
708   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
709   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
710   Summary:
711	There is a fencepost error in a "recovery branch" of the code for
712	the Oncore GPS receiver if the communication link to the ONCORE
713	is weak / distorted and the decoding doesn't work.
714   Mitigation:
715        Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
716	    the NTP Public Services Project Download Page
717        Properly monitor your ntpd instances, and auto-restart
718	    ntpd (without -g) if it stops running.
719   Credit:
720	This weakness was discovered by Cure53.
721
722* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
723   Date Resolved: 21 Mar 2017
724   References: Sec 3379 / CVE-2017-6458 / VU#325339
725   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
726	ntp-4.3.0 up to, but not including ntp-4.3.94.
727   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
728   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
729   Summary:
730	ntpd makes use of different wrappers around ctl_putdata() to
731	create name/value ntpq (mode 6) response strings.  For example,
732	ctl_putstr() is usually used to send string data (variable names
733	or string data).  The formatting code was missing a length check
734	for variable names.  If somebody explicitly created any unusually
735	long variable names in ntpd (longer than 200-512 bytes, depending
736	on the type of variable), then if any of these variables are
737	added to the response list it would overflow a buffer.
738   Mitigation:
739	Implement BCP-38.
740	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
741	    or the NTP Public Services Project Download Page
742	If you don't want to upgrade, then don't setvar variable names
743	    longer than 200-512 bytes in your ntp.conf file.
744	Properly monitor your ntpd instances, and auto-restart
745	    ntpd (without -g) if it stops running.
746   Credit:
747	This weakness was discovered by Cure53.
748
749* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
750   Date Resolved: 21 Mar 2017
751   References: Sec 3378 / CVE-2017-6451 / VU#325339
752   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
753	ntp-4.3.0 up to, but not including ntp-4.3.94.
754   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
755   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
756   Summary:
757	The legacy MX4200 refclock is only built if is specifically
758	enabled, and furthermore additional code changes are required to
759	compile and use it.  But it uses the libc functions snprintf()
760	and vsnprintf() incorrectly, which can lead to an out-of-bounds
761	memory write due to an improper handling of the return value of
762	snprintf()/vsnprintf().  Since the return value is used as an
763	iterator and it can be larger than the buffer's size, it is
764	possible for the iterator to point somewhere outside of the
765	allocated buffer space.  This results in an out-of-bound memory
766	write.  This behavior can be leveraged to overwrite a saved
767	instruction pointer on the stack and gain control over the
768	execution flow.  During testing it was not possible to identify
769	any malicious usage for this vulnerability.  Specifically, no
770	way for an attacker to exploit this vulnerability was ultimately
771	unveiled.  However, it has the potential to be exploited, so the
772	code should be fixed.
773   Mitigation, if you have a Magnavox MX4200 refclock:
774	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
775	    or the NTP Public Services Project Download Page.
776	Properly monitor your ntpd instances, and auto-restart
777	    ntpd (without -g) if it stops running.
778   Credit:
779	This weakness was discovered by Cure53.
780
781* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
782	malicious ntpd (Medium)
783   Date Resolved: 21 Mar 2017
784   References: Sec 3377 / CVE-2017-6460 / VU#325339
785   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
786	ntp-4.3.0 up to, but not including ntp-4.3.94.
787   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
788   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
789   Summary:
790	A stack buffer overflow in ntpq can be triggered by a malicious
791	ntpd server when ntpq requests the restriction list from the server.
792	This is due to a missing length check in the reslist() function.
793	It occurs whenever the function parses the server's response and
794	encounters a flagstr variable of an excessive length.  The string
795	will be copied into a fixed-size buffer, leading to an overflow on
796	the function's stack-frame.  Note well that this problem requires
797	a malicious server, and affects ntpq, not ntpd.
798   Mitigation:
799	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
800	    or the NTP Public Services Project Download Page
801	If you can't upgrade your version of ntpq then if you want to know
802	    the reslist of an instance of ntpd that you do not control,
803	    know that if the target ntpd is malicious that it can send back
804	    a response that intends to crash your ntpq process.
805   Credit:
806	This weakness was discovered by Cure53.
807
808* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
809   Date Resolved: 21 Mar 2017
810   References: Sec 3376
811   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
812	ntp-4.3.0 up to, but not including ntp-4.3.94.
813   CVSS2: N/A
814   CVSS3: N/A
815   Summary:
816	The build process for NTP has not, by default, provided compile
817	or link flags to offer "hardened" security options.  Package
818	maintainers have always been able to provide hardening security
819	flags for their builds.  As of ntp-4.2.8p10, the NTP build
820	system has a way to provide OS-specific hardening flags.  Please
821	note that this is still not a really great solution because it
822	is specific to NTP builds.  It's inefficient to have every
823	package supply, track and maintain this information for every
824	target build.  It would be much better if there was a common way
825	for OSes to provide this information in a way that arbitrary
826	packages could benefit from it.
827   Mitigation:
828	Implement BCP-38.
829	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
830	    or the NTP Public Services Project Download Page
831	Properly monitor your ntpd instances, and auto-restart
832	    ntpd (without -g) if it stops running.
833   Credit:
834	This weakness was reported by Cure53.
835
836* 0rigin DoS (Medium)
837   Date Resolved: 21 Mar 2017
838   References: Sec 3361 / CVE-2016-9042 / VU#325339
839   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
840   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
841   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
842   Summary:
843	An exploitable denial of service vulnerability exists in the
844	origin timestamp check functionality of ntpd 4.2.8p9.  A specially
845	crafted unauthenticated network packet can be used to reset the
846	expected origin timestamp for target peers.  Legitimate replies
847	from targeted peers will fail the origin timestamp check (TEST2)
848	causing the reply to be dropped and creating a denial of service
849	condition.  This vulnerability can only be exploited if the
850	attacker can spoof all of the servers.
851   Mitigation:
852	Implement BCP-38.
853	Configure enough servers/peers that an attacker cannot target
854	    all of your time sources.
855	Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
856	    or the NTP Public Services Project Download Page
857	Properly monitor your ntpd instances, and auto-restart
858	    ntpd (without -g) if it stops running.
859   Credit:
860	This weakness was discovered by Matthew Van Gundy of Cisco.
861
862Other fixes:
863
864* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
865* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
866  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
867* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
868* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
869  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
870  - original patch by Majdi S. Abbas
871* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
872* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
873  - initial patch by Christos Zoulas
874* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
875  - move loader API from 'inline' to proper source
876  - augment pathless dlls with absolute path to NTPD
877  - use 'msyslog()' instead of 'printf() 'for reporting trouble
878* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
879  - applied patch by Matthew Van Gundy
880* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
881  - applied some of the patches provided by Havard. Not all of them
882    still match the current code base, and I did not touch libopt.
883* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
884  - applied patch by Reinhard Max. See bugzilla for limitations.
885* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
886  - fixed dependency inversion from [Bug 2837]
887* [Bug 2896] Nothing happens if minsane < maxclock < minclock
888  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
889* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
890  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
891* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
892  - Fixed these and some more locations of this pattern.
893    Probably din't get them all, though. <perlinger@ntp.org>
894* Update copyright year.
895
896--
897(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
898
899* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
900  - added missed changeset for automatic openssl lib detection
901  - fixed some minor warning issues
902* [Bug 3095]  More compatibility with openssl 1.1. <perlinger@ntp.org>
903* configure.ac cleanup.  stenn@ntp.org
904* openssl configure cleanup.  stenn@ntp.org
905
906--
907NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
908
909Focus: Security, Bug fixes, enhancements.
910
911Severity: HIGH
912
913In addition to bug fixes and enhancements, this release fixes the
914following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
9155 low-severity vulnerabilities, and provides 28 other non-security
916fixes and improvements:
917
918* Trap crash
919   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
920   References: Sec 3119 / CVE-2016-9311 / VU#633847
921   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
922   	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
923   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
924   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
925   Summary:
926	ntpd does not enable trap service by default. If trap service
927	has been explicitly enabled, an attacker can send a specially
928	crafted packet to cause a null pointer dereference that will
929	crash ntpd, resulting in a denial of service.
930   Mitigation:
931        Implement BCP-38.
932	Use "restrict default noquery ..." in your ntp.conf file. Only
933	    allow mode 6 queries from trusted networks and hosts.
934        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
935	    or the NTP Public Services Project Download Page
936        Properly monitor your ntpd instances, and auto-restart ntpd
937	    (without -g) if it stops running.
938   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
939
940* Mode 6 information disclosure and DDoS vector
941   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
942   References: Sec 3118 / CVE-2016-9310 / VU#633847
943   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
944	including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
945   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
946   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
947   Summary:
948	An exploitable configuration modification vulnerability exists
949	in the control mode (mode 6) functionality of ntpd. If, against
950	long-standing BCP recommendations, "restrict default noquery ..."
951	is not specified, a specially crafted control mode packet can set
952	ntpd traps, providing information disclosure and DDoS
953	amplification, and unset ntpd traps, disabling legitimate
954	monitoring. A remote, unauthenticated, network attacker can
955	trigger this vulnerability.
956   Mitigation:
957        Implement BCP-38.
958	Use "restrict default noquery ..." in your ntp.conf file.
959        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
960	    or the NTP Public Services Project Download Page
961        Properly monitor your ntpd instances, and auto-restart ntpd
962	    (without -g) if it stops running.
963   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
964
965* Broadcast Mode Replay Prevention DoS
966   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
967   References: Sec 3114 / CVE-2016-7427 / VU#633847
968   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
969	ntp-4.3.90 up to, but not including ntp-4.3.94.
970   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
971   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
972   Summary:
973	The broadcast mode of NTP is expected to only be used in a
974	trusted network. If the broadcast network is accessible to an
975	attacker, a potentially exploitable denial of service
976	vulnerability in ntpd's broadcast mode replay prevention
977	functionality can be abused. An attacker with access to the NTP
978	broadcast domain can periodically inject specially crafted
979	broadcast mode NTP packets into the broadcast domain which,
980	while being logged by ntpd, can cause ntpd to reject broadcast
981	mode packets from legitimate NTP broadcast servers.
982   Mitigation:
983        Implement BCP-38.
984        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
985	    or the NTP Public Services Project Download Page
986        Properly monitor your ntpd instances, and auto-restart ntpd
987	    (without -g) if it stops running.
988   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
989
990* Broadcast Mode Poll Interval Enforcement DoS
991   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
992   References: Sec 3113 / CVE-2016-7428 / VU#633847
993   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
994	ntp-4.3.90 up to, but not including ntp-4.3.94
995   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
996   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
997   Summary:
998	The broadcast mode of NTP is expected to only be used in a
999	trusted network. If the broadcast network is accessible to an
1000	attacker, a potentially exploitable denial of service
1001	vulnerability in ntpd's broadcast mode poll interval enforcement
1002	functionality can be abused. To limit abuse, ntpd restricts the
1003	rate at which each broadcast association will process incoming
1004	packets. ntpd will reject broadcast mode packets that arrive
1005	before the poll interval specified in the preceding broadcast
1006	packet expires. An attacker with access to the NTP broadcast
1007	domain can send specially crafted broadcast mode NTP packets to
1008	the broadcast domain which, while being logged by ntpd, will
1009	cause ntpd to reject broadcast mode packets from legitimate NTP
1010	broadcast servers.
1011   Mitigation:
1012        Implement BCP-38.
1013        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1014	    or the NTP Public Services Project Download Page
1015        Properly monitor your ntpd instances, and auto-restart ntpd
1016	    (without -g) if it stops running.
1017   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1018
1019* Windows: ntpd DoS by oversized UDP packet
1020   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1021   References: Sec 3110 / CVE-2016-9312 / VU#633847
1022   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1023	and ntp-4.3.0 up to, but not including ntp-4.3.94.
1024   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1025   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1026   Summary:
1027	If a vulnerable instance of ntpd on Windows receives a crafted
1028	malicious packet that is "too big", ntpd will stop working.
1029   Mitigation:
1030        Implement BCP-38.
1031        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1032	    or the NTP Public Services Project Download Page
1033        Properly monitor your ntpd instances, and auto-restart ntpd
1034	    (without -g) if it stops running.
1035   Credit: This weakness was discovered by Robert Pajak of ABB.
1036
1037* 0rigin (zero origin) issues
1038   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1039   References: Sec 3102 / CVE-2016-7431 / VU#633847
1040   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1041   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1042   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1043   Summary:
1044	Zero Origin timestamp problems were fixed by Bug 2945 in
1045	ntp-4.2.8p6. However, subsequent timestamp validation checks
1046	introduced a regression in the handling of some Zero origin
1047	timestamp checks.
1048   Mitigation:
1049        Implement BCP-38.
1050        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1051	    or the NTP Public Services Project Download Page
1052        Properly monitor your ntpd instances, and auto-restart ntpd
1053	    (without -g) if it stops running.
1054   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1055	Malhotra of Boston University.
1056
1057* read_mru_list() does inadequate incoming packet checks
1058   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1059   References: Sec 3082 / CVE-2016-7434 / VU#633847
1060   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1061	ntp-4.3.0 up to, but not including ntp-4.3.94.
1062   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1063   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1064   Summary:
1065	If ntpd is configured to allow mrulist query requests from a
1066	server that sends a crafted malicious packet, ntpd will crash
1067	on receipt of that crafted malicious mrulist query packet.
1068   Mitigation:
1069	Only allow mrulist query packets from trusted hosts.
1070        Implement BCP-38.
1071        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1072	    or the NTP Public Services Project Download Page
1073        Properly monitor your ntpd instances, and auto-restart ntpd
1074	    (without -g) if it stops running.
1075   Credit: This weakness was discovered by Magnus Stubman.
1076
1077* Attack on interface selection
1078   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1079   References: Sec 3072 / CVE-2016-7429 / VU#633847
1080   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1081	ntp-4.3.0 up to, but not including ntp-4.3.94
1082   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1083   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1084   Summary:
1085	When ntpd receives a server response on a socket that corresponds
1086	to a different interface than was used for the request, the peer
1087	structure is updated to use the interface for new requests. If
1088	ntpd is running on a host with multiple interfaces in separate
1089	networks and the operating system doesn't check source address in
1090	received packets (e.g. rp_filter on Linux is set to 0), an
1091	attacker that knows the address of the source can send a packet
1092	with spoofed source address which will cause ntpd to select wrong
1093	interface for the source and prevent it from sending new requests
1094	until the list of interfaces is refreshed, which happens on
1095	routing changes or every 5 minutes by default. If the attack is
1096	repeated often enough (once per second), ntpd will not be able to
1097	synchronize with the source.
1098   Mitigation:
1099        Implement BCP-38.
1100        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1101	    or the NTP Public Services Project Download Page
1102	If you are going to configure your OS to disable source address
1103	    checks, also configure your firewall configuration to control
1104	    what interfaces can receive packets from what networks.
1105        Properly monitor your ntpd instances, and auto-restart ntpd
1106	    (without -g) if it stops running.
1107   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1108
1109* Client rate limiting and server responses
1110   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1111   References: Sec 3071 / CVE-2016-7426 / VU#633847
1112   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1113	ntp-4.3.0 up to, but not including ntp-4.3.94
1114   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1115   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1116   Summary:
1117	When ntpd is configured with rate limiting for all associations
1118	(restrict default limited in ntp.conf), the limits are applied
1119	also to responses received from its configured sources. An
1120	attacker who knows the sources (e.g., from an IPv4 refid in
1121	server response) and knows the system is (mis)configured in this
1122	way can periodically send packets with spoofed source address to
1123	keep the rate limiting activated and prevent ntpd from accepting
1124	valid responses from its sources.
1125
1126	While this blanket rate limiting can be useful to prevent
1127	brute-force attacks on the origin timestamp, it allows this DoS
1128	attack. Similarly, it allows the attacker to prevent mobilization
1129	of ephemeral associations.
1130   Mitigation:
1131        Implement BCP-38.
1132        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1133	    or the NTP Public Services Project Download Page
1134        Properly monitor your ntpd instances, and auto-restart ntpd
1135	    (without -g) if it stops running.
1136   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1137
1138* Fix for bug 2085 broke initial sync calculations
1139   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1140   References: Sec 3067 / CVE-2016-7433 / VU#633847
1141   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1142	ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1143	root-distance calculation in general is incorrect in all versions
1144	of ntp-4 until this release.
1145   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1146   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1147   Summary:
1148	Bug 2085 described a condition where the root delay was included
1149	twice, causing the jitter value to be higher than expected. Due
1150	to a misinterpretation of a small-print variable in The Book, the
1151	fix for this problem was incorrect, resulting in a root distance
1152	that did not include the peer dispersion. The calculations and
1153	formulae have been reviewed and reconciled, and the code has been
1154	updated accordingly.
1155   Mitigation:
1156        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1157	    or the NTP Public Services Project Download Page
1158        Properly monitor your ntpd instances, and auto-restart ntpd
1159	    (without -g) if it stops running.
1160   Credit: This weakness was discovered independently by Brian Utterback of
1161	Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1162
1163Other fixes:
1164
1165* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1166* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1167* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1168  - moved retry decision where it belongs. <perlinger@ntp.org>
1169* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1170  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1171* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1172* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1173  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1174* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1175  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1176  - added shim layer for SSL API calls with issues (both directions)
1177* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1178  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1179* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1180* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1181  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1182* [Bug 3067] Root distance calculation needs improvement.  HStenn
1183* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1184  - PPS-HACK works again.
1185* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1186  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1187* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1188* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1189  <perlinger@ntp.org>
1190  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1191* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1192  - Patch provided by Kuramatsu.
1193* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1194  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1195* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1196* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1197* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1198* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1199  - fixed GPS week expansion to work based on build date. Special thanks
1200    to Craig Leres for initial patch and testing.
1201* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1202  - fixed Makefile.am <perlinger@ntp.org>
1203* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1204             even if it is very old <perlinger@ntp.org>
1205  - make sure PPS source is alive before processing samples
1206  - improve stability close to the 500ms phase jump (phase gate)
1207* Fix typos in include/ntp.h.
1208* Shim X509_get_signature_nid() if needed
1209* git author attribution cleanup
1210* bk ignore file cleanup
1211* remove locks in Windows IO, use rpc-like thread synchronisation instead
1212
1213---
1214NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1215
1216Focus: Security, Bug fixes, enhancements.
1217
1218Severity: HIGH
1219
1220In addition to bug fixes and enhancements, this release fixes the
1221following 1 high- and 4 low-severity vulnerabilities:
1222
1223* CRYPTO_NAK crash
1224   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1225   References: Sec 3046 / CVE-2016-4957 / VU#321640
1226   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1227   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1228   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1229   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1230	could cause ntpd to crash.
1231   Mitigation:
1232        Implement BCP-38.
1233        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1234	    or the NTP Public Services Project Download Page
1235        If you cannot upgrade from 4.2.8p7, the only other alternatives
1236	    are to patch your code or filter CRYPTO_NAK packets.
1237        Properly monitor your ntpd instances, and auto-restart ntpd
1238	    (without -g) if it stops running.
1239   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1240
1241* Bad authentication demobilizes ephemeral associations
1242   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1243   References: Sec 3045 / CVE-2016-4953 / VU#321640
1244   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1245	ntp-4.3.0 up to, but not including ntp-4.3.93.
1246   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1247   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1248   Summary: An attacker who knows the origin timestamp and can send a
1249	spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1250	target before any other response is sent can demobilize that
1251	association.
1252   Mitigation:
1253	Implement BCP-38.
1254	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1255	    or the NTP Public Services Project Download Page
1256	Properly monitor your ntpd instances.
1257	Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1258
1259* Processing spoofed server packets
1260   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1261   References: Sec 3044 / CVE-2016-4954 / VU#321640
1262   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1263	ntp-4.3.0 up to, but not including ntp-4.3.93.
1264   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1265   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1266   Summary: An attacker who is able to spoof packets with correct origin
1267	timestamps from enough servers before the expected response
1268	packets arrive at the target machine can affect some peer
1269	variables and, for example, cause a false leap indication to be set.
1270   Mitigation:
1271	Implement BCP-38.
1272	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1273	    or the NTP Public Services Project Download Page
1274	Properly monitor your ntpd instances.
1275   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1276
1277* Autokey association reset
1278   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1279   References: Sec 3043 / CVE-2016-4955 / VU#321640
1280   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1281	ntp-4.3.0 up to, but not including ntp-4.3.93.
1282   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1283   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1284   Summary: An attacker who is able to spoof a packet with a correct
1285	origin timestamp before the expected response packet arrives at
1286	the target machine can send a CRYPTO_NAK or a bad MAC and cause
1287	the association's peer variables to be cleared. If this can be
1288	done often enough, it will prevent that association from working.
1289   Mitigation:
1290	Implement BCP-38.
1291	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1292	    or the NTP Public Services Project Download Page
1293	Properly monitor your ntpd instances.
1294   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1295
1296* Broadcast interleave
1297   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1298   References: Sec 3042 / CVE-2016-4956 / VU#321640
1299   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1300   	ntp-4.3.0 up to, but not including ntp-4.3.93.
1301   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1302   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1303   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1304   	so broadcast clients can be triggered to flip into interleave mode.
1305   Mitigation:
1306	Implement BCP-38.
1307	Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1308	    or the NTP Public Services Project Download Page
1309	Properly monitor your ntpd instances.
1310   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1311
1312Other fixes:
1313* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1314  - provide build environment
1315  - 'wint_t' and 'struct timespec' defined by VS2015
1316  - fixed print()/scanf() format issues
1317* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1318* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1319* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1320  JPerlinger, HStenn.
1321* Fix typo in ntp-wait and plot_summary.  HStenn.
1322* Make sure we have an "author" file for git imports.  HStenn.
1323* Update the sntp problem tests for MacOS.  HStenn.
1324
1325---
1326NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1327
1328Focus: Security, Bug fixes, enhancements.
1329
1330Severity: MEDIUM
1331
1332When building NTP from source, there is a new configure option
1333available, --enable-dynamic-interleave.  More information on this below.
1334
1335Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
1336versions of ntp.  These events have almost certainly happened in the
1337past, it's just that they were silently counted and not logged.  With
1338the increasing awareness around security, we feel it's better to clearly
1339log these events to help detect abusive behavior.  This increased
1340logging can also help detect other problems, too.
1341
1342In addition to bug fixes and enhancements, this release fixes the
1343following 9 low- and medium-severity vulnerabilities:
1344
1345* Improve NTP security against buffer comparison timing attacks,
1346  AKA: authdecrypt-timing
1347   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1348   References: Sec 2879 / CVE-2016-1550
1349   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1350	4.3.0 up to, but not including 4.3.92
1351   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1352   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1353   Summary: Packet authentication tests have been performed using
1354	memcmp() or possibly bcmp(), and it is potentially possible
1355	for a local or perhaps LAN-based attacker to send a packet with
1356	an authentication payload and indirectly observe how much of
1357	the digest has matched.
1358   Mitigation:
1359	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1360	    or the NTP Public Services Project Download Page.
1361	Properly monitor your ntpd instances.
1362   Credit: This weakness was discovered independently by Loganaden
1363   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
1364
1365* Zero origin timestamp bypass: Additional KoD checks.
1366   References: Sec 2945 / Sec 2901 / CVE-2015-8138
1367   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1368   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
1369
1370* peer associations were broken by the fix for NtpBug2899
1371   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1372   References: Sec 2952 / CVE-2015-7704
1373   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1374   	4.3.0 up to, but not including 4.3.92
1375   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1376   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1377   	associations did not address all of the issues.
1378   Mitigation:
1379        Implement BCP-38.
1380        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1381	    or the NTP Public Services Project Download Page
1382        If you can't upgrade, use "server" associations instead of
1383	    "peer" associations.
1384        Monitor your ntpd instances.
1385   Credit: This problem was discovered by Michael Tatarinov.
1386
1387* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1388   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1389   References: Sec 3007 / CVE-2016-1547 / VU#718152
1390   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1391	4.3.0 up to, but not including 4.3.92
1392   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1393   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1394   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1395	off-path attacker can cause a preemptable client association to
1396	be demobilized by sending a crypto NAK packet to a victim client
1397	with a spoofed source address of an existing associated peer.
1398	This is true even if authentication is enabled.
1399
1400	Furthermore, if the attacker keeps sending crypto NAK packets,
1401	for example one every second, the victim never has a chance to
1402	reestablish the association and synchronize time with that
1403	legitimate server.
1404
1405	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1406	stringent checks are performed on incoming packets, but there
1407	are still ways to exploit this vulnerability in versions before
1408	ntp-4.2.8p7.
1409   Mitigation:
1410	Implement BCP-38.
1411	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1412	    or the NTP Public Services Project Download Page
1413	Properly monitor your ntpd instances
1414   Credit: This weakness was discovered by Stephen Gray and
1415   	Matthew Van Gundy of Cisco ASIG.
1416
1417* ctl_getitem() return value not always checked
1418   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1419   References: Sec 3008 / CVE-2016-2519
1420   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1421	4.3.0 up to, but not including 4.3.92
1422   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1423   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1424   Summary: ntpq and ntpdc can be used to store and retrieve information
1425   	in ntpd. It is possible to store a data value that is larger
1426	than the size of the buffer that the ctl_getitem() function of
1427	ntpd uses to report the return value. If the length of the
1428	requested data value returned by ctl_getitem() is too large,
1429	the value NULL is returned instead. There are 2 cases where the
1430	return value from ctl_getitem() was not directly checked to make
1431	sure it's not NULL, but there are subsequent INSIST() checks
1432	that make sure the return value is not NULL. There are no data
1433	values ordinarily stored in ntpd that would exceed this buffer
1434	length. But if one has permission to store values and one stores
1435	a value that is "too large", then ntpd will abort if an attempt
1436	is made to read that oversized value.
1437    Mitigation:
1438        Implement BCP-38.
1439        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1440	    or the NTP Public Services Project Download Page
1441        Properly monitor your ntpd instances.
1442    Credit: This weakness was discovered by Yihan Lian of the Cloud
1443    	Security Team, Qihoo 360.
1444
1445* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1446   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1447   References: Sec 3009 / CVE-2016-2518 / VU#718152
1448   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1449	4.3.0 up to, but not including 4.3.92
1450   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1451   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1452   Summary: Using a crafted packet to create a peer association with
1453   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
1454	out-of-bounds reference.
1455   Mitigation:
1456	Implement BCP-38.
1457	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1458	    or the NTP Public Services Project Download Page
1459	Properly monitor your ntpd instances
1460   Credit: This weakness was discovered by Yihan Lian of the Cloud
1461   	Security Team, Qihoo 360.
1462
1463* remote configuration trustedkey/requestkey/controlkey values are not
1464	properly validated
1465   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1466   References: Sec 3010 / CVE-2016-2517 / VU#718152
1467   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1468	4.3.0 up to, but not including 4.3.92
1469   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1470   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1471   Summary: If ntpd was expressly configured to allow for remote
1472   	configuration, a malicious user who knows the controlkey for
1473	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1474	can create a session with ntpd and then send a crafted packet to
1475	ntpd that will change the value of the trustedkey, controlkey,
1476	or requestkey to a value that will prevent any subsequent
1477	authentication with ntpd until ntpd is restarted.
1478   Mitigation:
1479	Implement BCP-38.
1480	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1481	    or the NTP Public Services Project Download Page
1482	Properly monitor your ntpd instances
1483   Credit: This weakness was discovered by Yihan Lian of the Cloud
1484   	Security Team, Qihoo 360.
1485
1486* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1487   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1488   References: Sec 3011 / CVE-2016-2516 / VU#718152
1489   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1490   	4.3.0 up to, but not including 4.3.92
1491   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1492   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1493   Summary: If ntpd was expressly configured to allow for remote
1494   	configuration, a malicious user who knows the controlkey for
1495	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1496	can create a session with ntpd and if an existing association is
1497	unconfigured using the same IP twice on the unconfig directive
1498	line, ntpd will abort.
1499   Mitigation:
1500	Implement BCP-38.
1501	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1502	    or the NTP Public Services Project Download Page
1503	Properly monitor your ntpd instances
1504   Credit: This weakness was discovered by Yihan Lian of the Cloud
1505   	Security Team, Qihoo 360.
1506
1507* Refclock impersonation vulnerability
1508   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1509   References: Sec 3020 / CVE-2016-1551
1510   Affects: On a very limited number of OSes, all NTP releases up to but
1511	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1512	By "very limited number of OSes" we mean no general-purpose OSes
1513	have yet been identified that have this vulnerability.
1514   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1515   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1516   Summary: While most OSes implement martian packet filtering in their
1517   	network stack, at least regarding 127.0.0.0/8, some will allow
1518	packets claiming to be from 127.0.0.0/8 that arrive over a
1519	physical network. On these OSes, if ntpd is configured to use a
1520	reference clock an attacker can inject packets over the network
1521	that look like they are coming from that reference clock.
1522   Mitigation:
1523        Implement martian packet filtering and BCP-38.
1524        Configure ntpd to use an adequate number of time sources.
1525        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1526	    or the NTP Public Services Project Download Page
1527        If you are unable to upgrade and if you are running an OS that
1528	    has this vulnerability, implement martian packet filters and
1529	    lobby your OS vendor to fix this problem, or run your
1530	    refclocks on computers that use OSes that are not vulnerable
1531	    to these attacks and have your vulnerable machines get their
1532	    time from protected resources.
1533        Properly monitor your ntpd instances.
1534   Credit: This weakness was discovered by Matt Street and others of
1535   	Cisco ASIG.
1536
1537The following issues were fixed in earlier releases and contain
1538improvements in 4.2.8p7:
1539
1540* Clients that receive a KoD should validate the origin timestamp field.
1541   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
1542   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1543   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1544
1545* Skeleton key: passive server with trusted key can serve time.
1546   References: Sec 2936 / CVE-2015-7974
1547   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
1548   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
1549
1550Two other vulnerabilities have been reported, and the mitigations
1551for these are as follows:
1552
1553* Interleave-pivot
1554   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1555   References: Sec 2978 / CVE-2016-1548
1556   Affects: All ntp-4 releases.
1557   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1558   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1559   Summary: It is possible to change the time of an ntpd client or deny
1560   	service to an ntpd client by forcing it to change from basic
1561	client/server mode to interleaved symmetric mode. An attacker
1562	can spoof a packet from a legitimate ntpd server with an origin
1563	timestamp that matches the peer->dst timestamp recorded for that
1564	server. After making this switch, the client will reject all
1565	future legitimate server responses. It is possible to force the
1566	victim client to move time after the mode has been changed.
1567	ntpq gives no indication that the mode has been switched.
1568   Mitigation:
1569        Implement BCP-38.
1570        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1571	    or the NTP Public Services Project Download Page.  These
1572	    versions will not dynamically "flip" into interleave mode
1573	    unless configured to do so.
1574        Properly monitor your ntpd instances.
1575   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
1576   	and separately by Jonathan Gardner of Cisco ASIG.
1577
1578* Sybil vulnerability: ephemeral association attack
1579   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1580   References: Sec 3012 / CVE-2016-1549
1581   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1582   	4.3.0 up to, but not including 4.3.92
1583   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
1584   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
1585   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
1586   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
1587	field in the ntp.keys file to specify which IPs can serve time,
1588	a malicious authenticated peer can create arbitrarily-many
1589	ephemeral associations in order to win the clock selection of
1590	ntpd and modify a victim's clock.
1591   Mitigation:
1592        Implement BCP-38.
1593        Use the 4th field in the ntp.keys file to specify which IPs
1594	    can be time servers.
1595        Properly monitor your ntpd instances.
1596   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1597
1598Other fixes:
1599
1600* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
1601  - fixed yet another race condition in the threaded resolver code.
1602* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
1603* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
1604  - integrated patches by Loganaden Velvidron <logan@ntp.org>
1605    with some modifications & unit tests
1606* [Bug 2960] async name resolution fixes for chroot() environments.
1607  Reinhard Max.
1608* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
1609* [Bug 2995] Fixes to compile on Windows
1610* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
1611* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
1612  - Patch provided by Ch. Weisgerber
1613* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
1614  - A change related to [Bug 2853] forbids trailing white space in
1615    remote config commands. perlinger@ntp.org
1616* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
1617  - report and patch from Aleksandr Kostikov.
1618  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
1619* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
1620  - fixed memory leak in access list (auth[read]keys.c)
1621  - refactored handling of key access lists (auth[read]keys.c)
1622  - reduced number of error branches (authreadkeys.c)
1623* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
1624* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
1625* [Bug 3031] ntp broadcastclient unable to synchronize to an server
1626             when the time of server changed. perlinger@ntp.org
1627  - Check the initial delay calculation and reject/unpeer the broadcast
1628    server if the delay exceeds 50ms. Retry again after the next
1629    broadcast packet.
1630* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
1631* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
1632* Update html/xleave.html documentation.  Harlan Stenn.
1633* Update ntp.conf documentation.  Harlan Stenn.
1634* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
1635* Fix typo in html/monopt.html.  Harlan Stenn.
1636* Add README.pullrequests.  Harlan Stenn.
1637* Cleanup to include/ntp.h.  Harlan Stenn.
1638
1639New option to 'configure':
1640
1641While looking in to the issues around Bug 2978, the "interleave pivot"
1642issue, it became clear that there are some intricate and unresolved
1643issues with interleave operations.  We also realized that the interleave
1644protocol was never added to the NTPv4 Standard, and it should have been.
1645
1646Interleave mode was first released in July of 2008, and can be engaged
1647in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
1648contain the 'xleave' option, which will expressly enable interlave mode
1649for that association.  Additionally, if a time packet arrives and is
1650found inconsistent with normal protocol behavior but has certain
1651characteristics that are compatible with interleave mode, NTP will
1652dynamically switch to interleave mode.  With sufficient knowledge, an
1653attacker can send a crafted forged packet to an NTP instance that
1654triggers only one side to enter interleaved mode.
1655
1656To prevent this attack until we can thoroughly document, describe,
1657fix, and test the dynamic interleave mode, we've added a new
1658'configure' option to the build process:
1659
1660 --enable-dynamic-interleave
1661
1662This option controls whether or not NTP will, if conditions are right,
1663engage dynamic interleave mode.  Dynamic interleave mode is disabled by
1664default in ntp-4.2.8p7.
1665
1666---
1667NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
1668
1669Focus: Security, Bug fixes, enhancements.
1670
1671Severity: MEDIUM
1672
1673In addition to bug fixes and enhancements, this release fixes the
1674following 1 low- and 8 medium-severity vulnerabilities:
1675
1676* Potential Infinite Loop in 'ntpq'
1677   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1678   References: Sec 2548 / CVE-2015-8158
1679   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1680	4.3.0 up to, but not including 4.3.90
1681   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1682   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1683   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
1684	The loop's only stopping conditions are receiving a complete and
1685	correct response or hitting a small number of error conditions.
1686	If the packet contains incorrect values that don't trigger one of
1687	the error conditions, the loop continues to receive new packets.
1688	Note well, this is an attack against an instance of 'ntpq', not
1689	'ntpd', and this attack requires the attacker to do one of the
1690	following:
1691	* Own a malicious NTP server that the client trusts
1692	* Prevent a legitimate NTP server from sending packets to
1693	    the 'ntpq' client
1694	* MITM the 'ntpq' communications between the 'ntpq' client
1695	    and the NTP server
1696   Mitigation:
1697	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1698	or the NTP Public Services Project Download Page
1699   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1700
1701* 0rigin: Zero Origin Timestamp Bypass
1702   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1703   References: Sec 2945 / CVE-2015-8138
1704   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1705	4.3.0 up to, but not including 4.3.90
1706   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
1707   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
1708	(3.7 - LOW if you score AC:L)
1709   Summary: To distinguish legitimate peer responses from forgeries, a
1710	client attempts to verify a response packet by ensuring that the
1711	origin timestamp in the packet matches the origin timestamp it
1712	transmitted in its last request.  A logic error exists that
1713	allows packets with an origin timestamp of zero to bypass this
1714	check whenever there is not an outstanding request to the server.
1715   Mitigation:
1716	Configure 'ntpd' to get time from multiple sources.
1717	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1718	    or the NTP Public Services Project Download Page.
1719	Monitor your 'ntpd' instances.
1720   Credit: This weakness was discovered by Matthey Van Gundy and
1721	Jonathan Gardner of Cisco ASIG.
1722
1723* Stack exhaustion in recursive traversal of restriction list
1724   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
1725   References: Sec 2940 / CVE-2015-7978
1726   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1727	4.3.0 up to, but not including 4.3.90
1728   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1729   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1730   	segmentation fault in ntpd by exhausting the call stack.
1731   Mitigation:
1732	Implement BCP-38.
1733	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1734	    or the NTP Public Services Project Download Page.
1735	If you are unable to upgrade:
1736            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
1737	    If you must enable mode 7:
1738		configure the use of a 'requestkey' to control who can
1739		    issue mode 7 requests.
1740		configure 'restrict noquery' to further limit mode 7
1741		    requests to trusted sources.
1742		Monitor your ntpd instances.
1743   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
1744
1745* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
1746   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1747   References: Sec 2942 / CVE-2015-7979
1748   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1749	4.3.0 up to, but not including 4.3.90
1750   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
1751   Summary: An off-path attacker can send broadcast packets with bad
1752	authentication (wrong key, mismatched key, incorrect MAC, etc)
1753	to broadcast clients. It is observed that the broadcast client
1754	tears down the association with the broadcast server upon
1755	receiving just one bad packet.
1756   Mitigation:
1757	Implement BCP-38.
1758	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1759	or the NTP Public Services Project Download Page.
1760	Monitor your 'ntpd' instances.
1761	If this sort of attack is an active problem for you, you have
1762	    deeper problems to investigate.  In this case also consider
1763	    having smaller NTP broadcast domains.
1764   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1765   	University.
1766
1767* reslist NULL pointer dereference
1768   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1769   References: Sec 2939 / CVE-2015-7977
1770   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1771	4.3.0 up to, but not including 4.3.90
1772   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
1773   Summary: An unauthenticated 'ntpdc reslist' command can cause a
1774	segmentation fault in ntpd by causing a NULL pointer dereference.
1775   Mitigation:
1776	Implement BCP-38.
1777	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
1778	the NTP Public Services Project Download Page.
1779	If you are unable to upgrade:
1780	    mode 7 is disabled by default.  Don't enable it.
1781	    If you must enable mode 7:
1782		configure the use of a 'requestkey' to control who can
1783		    issue mode 7 requests.
1784		configure 'restrict noquery' to further limit mode 7
1785		    requests to trusted sources.
1786	Monitor your ntpd instances.
1787   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
1788
1789* 'ntpq saveconfig' command allows dangerous characters in filenames.
1790   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1791   References: Sec 2938 / CVE-2015-7976
1792   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1793	4.3.0 up to, but not including 4.3.90
1794   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
1795   Summary: The ntpq saveconfig command does not do adequate filtering
1796   	of special characters from the supplied filename.
1797	Note well: The ability to use the saveconfig command is controlled
1798	by the 'restrict nomodify' directive, and the recommended default
1799	configuration is to disable this capability.  If the ability to
1800	execute a 'saveconfig' is required, it can easily (and should) be
1801	limited and restricted to a known small number of IP addresses.
1802   Mitigation:
1803	Implement BCP-38.
1804	use 'restrict default nomodify' in your 'ntp.conf' file.
1805	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
1806	If you are unable to upgrade:
1807	    build NTP with 'configure --disable-saveconfig' if you will
1808	    	never need this capability, or
1809	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
1810		careful about what IPs have the ability to send 'modify'
1811		requests to 'ntpd'.
1812	Monitor your ntpd instances.
1813	'saveconfig' requests are logged to syslog - monitor your syslog files.
1814   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
1815
1816* nextvar() missing length check in ntpq
1817   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1818   References: Sec 2937 / CVE-2015-7975
1819   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1820	4.3.0 up to, but not including 4.3.90
1821   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
1822	If you score A:C, this becomes 4.0.
1823   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
1824   Summary: ntpq may call nextvar() which executes a memcpy() into the
1825	name buffer without a proper length check against its maximum
1826	length of 256 bytes. Note well that we're taking about ntpq here.
1827	The usual worst-case effect of this vulnerability is that the
1828	specific instance of ntpq will crash and the person or process
1829	that did this will have stopped themselves.
1830   Mitigation:
1831	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1832	    or the NTP Public Services Project Download Page.
1833	If you are unable to upgrade:
1834	    If you have scripts that feed input to ntpq make sure there are
1835		some sanity checks on the input received from the "outside".
1836	    This is potentially more dangerous if ntpq is run as root.
1837   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
1838
1839* Skeleton Key: Any trusted key system can serve time
1840   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1841   References: Sec 2936 / CVE-2015-7974
1842   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1843	4.3.0 up to, but not including 4.3.90
1844   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
1845   Summary: Symmetric key encryption uses a shared trusted key. The
1846	reported title for this issue was "Missing key check allows
1847	impersonation between authenticated peers" and the report claimed
1848	"A key specified only for one server should only work to
1849	authenticate that server, other trusted keys should be refused."
1850	Except there has never been any correlation between this trusted
1851	key and server v. clients machines and there has never been any
1852	way to specify a key only for one server. We have treated this as
1853	an enhancement request, and ntp-4.2.8p6 includes other checks and
1854	tests to strengthen clients against attacks coming from broadcast
1855	servers.
1856   Mitigation:
1857	Implement BCP-38.
1858	If this scenario represents a real or a potential issue for you,
1859	    upgrade to 4.2.8p6, or later, from the NTP Project Download
1860	    Page or the NTP Public Services Project Download Page, and
1861	    use the new field in the ntp.keys file that specifies the list
1862	    of IPs that are allowed to serve time. Note that this alone
1863	    will not protect against time packets with forged source IP
1864	    addresses, however other changes in ntp-4.2.8p6 provide
1865	    significant mitigation against broadcast attacks. MITM attacks
1866	    are a different story.
1867	If you are unable to upgrade:
1868	    Don't use broadcast mode if you cannot monitor your client
1869	    	servers.
1870	    If you choose to use symmetric keys to authenticate time
1871	    	packets in a hostile environment where ephemeral time
1872		servers can be created, or if it is expected that malicious
1873		time servers will participate in an NTP broadcast domain,
1874		limit the number of participating systems that participate
1875		in the shared-key group.
1876	Monitor your ntpd instances.
1877   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
1878
1879* Deja Vu: Replay attack on authenticated broadcast mode
1880   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
1881   References: Sec 2935 / CVE-2015-7973
1882   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
1883   	4.3.0 up to, but not including 4.3.90
1884   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
1885   Summary: If an NTP network is configured for broadcast operations then
1886   	either a man-in-the-middle attacker or a malicious participant
1887	that has the same trusted keys as the victim can replay time packets.
1888   Mitigation:
1889	Implement BCP-38.
1890	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
1891	    or the NTP Public Services Project Download Page.
1892	If you are unable to upgrade:
1893	    Don't use broadcast mode if you cannot monitor your client servers.
1894	Monitor your ntpd instances.
1895   Credit: This weakness was discovered by Aanchal Malhotra of Boston
1896	University.
1897
1898Other fixes:
1899
1900* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
1901* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
1902  - applied patch by shenpeng11@huawei.com with minor adjustments
1903* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
1904* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
1905* [Bug 2892] Several test cases assume IPv6 capabilities even when
1906             IPv6 is disabled in the build. perlinger@ntp.org
1907  - Found this already fixed, but validation led to cleanup actions.
1908* [Bug 2905] DNS lookups broken. perlinger@ntp.org
1909  - added limits to stack consumption, fixed some return code handling
1910* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
1911  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
1912  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
1913* [Bug 2980] reduce number of warnings. perlinger@ntp.org
1914  - integrated several patches from Havard Eidnes (he@uninett.no)
1915* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
1916  - implement 'auth_log2()' using integer bithack instead of float calculation
1917* Make leapsec_query debug messages less verbose.  Harlan Stenn.
1918
1919---
1920NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
1921
1922Focus: Security, Bug fixes, enhancements.
1923
1924Severity: MEDIUM
1925
1926In addition to bug fixes and enhancements, this release fixes the
1927following medium-severity vulnerability:
1928
1929* Small-step/big-step.  Close the panic gate earlier.
1930    References: Sec 2956, CVE-2015-5300
1931    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
1932	4.3.0 up to, but not including 4.3.78
1933    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
1934    Summary: If ntpd is always started with the -g option, which is
1935	common and against long-standing recommendation, and if at the
1936	moment ntpd is restarted an attacker can immediately respond to
1937	enough requests from enough sources trusted by the target, which
1938	is difficult and not common, there is a window of opportunity
1939	where the attacker can cause ntpd to set the time to an
1940	arbitrary value. Similarly, if an attacker is able to respond
1941	to enough requests from enough sources trusted by the target,
1942	the attacker can cause ntpd to abort and restart, at which
1943	point it can tell the target to set the time to an arbitrary
1944	value if and only if ntpd was re-started against long-standing
1945	recommendation with the -g flag, or if ntpd was not given the
1946	-g flag, the attacker can move the target system's time by at
1947	most 900 seconds' time per attack.
1948    Mitigation:
1949	Configure ntpd to get time from multiple sources.
1950	Upgrade to 4.2.8p5, or later, from the NTP Project Download
1951	    Page or the NTP Public Services Project Download Page
1952	As we've long documented, only use the -g option to ntpd in
1953	    cold-start situations.
1954	Monitor your ntpd instances.
1955    Credit: This weakness was discovered by Aanchal Malhotra,
1956	Isaac E. Cohen, and Sharon Goldberg at Boston University.
1957
1958    NOTE WELL: The -g flag disables the limit check on the panic_gate
1959	in ntpd, which is 900 seconds by default. The bug identified by
1960	the researchers at Boston University is that the panic_gate
1961	check was only re-enabled after the first change to the system
1962	clock that was greater than 128 milliseconds, by default. The
1963	correct behavior is that the panic_gate check should be
1964	re-enabled after any initial time correction.
1965
1966	If an attacker is able to inject consistent but erroneous time
1967	responses to your systems via the network or "over the air",
1968	perhaps by spoofing radio, cellphone, or navigation satellite
1969	transmissions, they are in a great position to affect your
1970	system's clock. There comes a point where your very best
1971	defenses include:
1972
1973	    Configure ntpd to get time from multiple sources.
1974	    Monitor your ntpd instances.
1975
1976Other fixes:
1977
1978* Coverity submission process updated from Coverity 5 to Coverity 7.
1979  The NTP codebase has been undergoing regular Coverity scans on an
1980  ongoing basis since 2006.  As part of our recent upgrade from
1981  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
1982  the newly-written Unity test programs.  These were fixed.
1983* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
1984* [Bug 2887] stratum -1 config results as showing value 99
1985  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
1986* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
1987* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
1988* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
1989  - applied patch by Christos Zoulas.  perlinger@ntp.org
1990* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
1991* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
1992  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
1993  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
1994* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
1995  - accept key file only if there are no parsing errors
1996  - fixed size_t/u_int format clash
1997  - fixed wrong use of 'strlcpy'
1998* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
1999* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
2000  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
2001  - promote use of 'size_t' for values that express a size
2002  - use ptr-to-const for read-only arguments
2003  - make sure SOCKET values are not truncated (win32-specific)
2004  - format string fixes
2005* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
2006* [Bug 2967] ntpdate command suffers an assertion failure
2007  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
2008* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
2009              lots of clients. perlinger@ntp.org
2010* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2011  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2012* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
2013* Unity test cleanup.  Harlan Stenn.
2014* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
2015* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
2016* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
2017* Quiet a warning from clang.  Harlan Stenn.
2018
2019---
2020NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
2021
2022Focus: Security, Bug fixes, enhancements.
2023
2024Severity: MEDIUM
2025
2026In addition to bug fixes and enhancements, this release fixes the
2027following 13 low- and medium-severity vulnerabilities:
2028
2029* Incomplete vallen (value length) checks in ntp_crypto.c, leading
2030  to potential crashes or potential code injection/information leakage.
2031
2032    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
2033    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2034    	and 4.3.0 up to, but not including 4.3.77
2035    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2036    Summary: The fix for CVE-2014-9750 was incomplete in that there were
2037    	certain code paths where a packet with particular autokey operations
2038	that contained malicious data was not always being completely
2039	validated. Receipt of these packets can cause ntpd to crash.
2040    Mitigation:
2041        Don't use autokey.
2042	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2043	    Page or the NTP Public Services Project Download Page
2044	Monitor your ntpd instances.
2045	Credit: This weakness was discovered by Tenable Network Security.
2046
2047* Clients that receive a KoD should validate the origin timestamp field.
2048
2049    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
2050    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2051	and 4.3.0 up to, but not including 4.3.77
2052    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2053    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2054    	KoD messages that have been forged by an attacker, causing it to
2055	delay or stop querying its servers for time updates. Also, an
2056	attacker can forge packets that claim to be from the target and
2057	send them to servers often enough that a server that implements
2058	KoD rate limiting will send the target machine a KoD response to
2059	attempt to reduce the rate of incoming packets, or it may also
2060	trigger a firewall block at the server for packets from the target
2061	machine. For either of these attacks to succeed, the attacker must
2062	know what servers the target is communicating with. An attacker
2063	can be anywhere on the Internet and can frequently learn the
2064	identity of the target's time source by sending the target a
2065	time query.
2066    Mitigation:
2067        Implement BCP-38.
2068	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
2069	    or the NTP Public Services Project Download Page
2070	If you can't upgrade, restrict who can query ntpd to learn who
2071	    its servers are, and what IPs are allowed to ask your system
2072	    for the time. This mitigation is heavy-handed.
2073	Monitor your ntpd instances.
2074    Note:
2075    	4.2.8p4 protects against the first attack. For the second attack,
2076    	all we can do is warn when it is happening, which we do in 4.2.8p4.
2077    Credit: This weakness was discovered by Aanchal Malhotra,
2078    	Issac E. Cohen, and Sharon Goldberg of Boston University.
2079
2080* configuration directives to change "pidfile" and "driftfile" should
2081  only be allowed locally.
2082
2083  References: Sec 2902 / CVE-2015-5196
2084  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2085	and 4.3.0 up to, but not including 4.3.77
2086   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
2087   Summary: If ntpd is configured to allow for remote configuration,
2088	and if the (possibly spoofed) source IP address is allowed to
2089	send remote configuration requests, and if the attacker knows
2090	the remote configuration password, it's possible for an attacker
2091	to use the "pidfile" or "driftfile" directives to potentially
2092	overwrite other files.
2093   Mitigation:
2094	Implement BCP-38.
2095	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2096	    Page or the NTP Public Services Project Download Page
2097	If you cannot upgrade, don't enable remote configuration.
2098	If you must enable remote configuration and cannot upgrade,
2099	    remote configuration of NTF's ntpd requires:
2100	    - an explicitly configured trustedkey, and you should also
2101	    	configure a controlkey.
2102	    - access from a permitted IP. You choose the IPs.
2103	    - authentication. Don't disable it. Practice secure key safety.
2104	Monitor your ntpd instances.
2105   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2106
2107* Slow memory leak in CRYPTO_ASSOC
2108
2109  References: Sec 2909 / CVE-2015-7701
2110  Affects: All ntp-4 releases that use autokey up to, but not
2111    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2112  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2113  	4.6 otherwise
2114  Summary: If ntpd is configured to use autokey, then an attacker can
2115	send packets to ntpd that will, after several days of ongoing
2116	attack, cause it to run out of memory.
2117  Mitigation:
2118	Don't use autokey.
2119	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2120	    Page or the NTP Public Services Project Download Page
2121	Monitor your ntpd instances.
2122  Credit: This weakness was discovered by Tenable Network Security.
2123
2124* mode 7 loop counter underrun
2125
2126  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2127  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2128  	and 4.3.0 up to, but not including 4.3.77
2129  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2130  Summary: If ntpd is configured to enable mode 7 packets, and if the
2131	use of mode 7 packets is not properly protected thru the use of
2132	the available mode 7 authentication and restriction mechanisms,
2133	and if the (possibly spoofed) source IP address is allowed to
2134	send mode 7 queries, then an attacker can send a crafted packet
2135	to ntpd that will cause it to crash.
2136  Mitigation:
2137	Implement BCP-38.
2138	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2139	    Page or the NTP Public Services Project Download Page.
2140	      If you are unable to upgrade:
2141	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2142	If you must enable mode 7:
2143	    configure the use of a requestkey to control who can issue
2144		mode 7 requests.
2145	    configure restrict noquery to further limit mode 7 requests
2146		to trusted sources.
2147	Monitor your ntpd instances.
2148Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2149
2150* memory corruption in password store
2151
2152  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
2153  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2154  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2155  Summary: If ntpd is configured to allow remote configuration, and if
2156	the (possibly spoofed) source IP address is allowed to send
2157	remote configuration requests, and if the attacker knows the
2158	remote configuration password or if ntpd was configured to
2159	disable authentication, then an attacker can send a set of
2160	packets to ntpd that may cause a crash or theoretically
2161	perform a code injection attack.
2162  Mitigation:
2163	Implement BCP-38.
2164	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2165	    Page or the NTP Public Services Project Download Page.
2166	If you are unable to upgrade, remote configuration of NTF's
2167	    ntpd requires:
2168		an explicitly configured "trusted" key. Only configure
2169			this if you need it.
2170		access from a permitted IP address. You choose the IPs.
2171		authentication. Don't disable it. Practice secure key safety.
2172	Monitor your ntpd instances.
2173  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2174
2175* Infinite loop if extended logging enabled and the logfile and
2176  keyfile are the same.
2177
2178    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2179    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2180	and 4.3.0 up to, but not including 4.3.77
2181    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2182    Summary: If ntpd is configured to allow remote configuration, and if
2183	the (possibly spoofed) source IP address is allowed to send
2184	remote configuration requests, and if the attacker knows the
2185	remote configuration password or if ntpd was configured to
2186	disable authentication, then an attacker can send a set of
2187	packets to ntpd that will cause it to crash and/or create a
2188	potentially huge log file. Specifically, the attacker could
2189	enable extended logging, point the key file at the log file,
2190	and cause what amounts to an infinite loop.
2191    Mitigation:
2192	Implement BCP-38.
2193	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2194	    Page or the NTP Public Services Project Download Page.
2195	If you are unable to upgrade, remote configuration of NTF's ntpd
2196	  requires:
2197            an explicitly configured "trusted" key. Only configure this
2198	    	if you need it.
2199            access from a permitted IP address. You choose the IPs.
2200            authentication. Don't disable it. Practice secure key safety.
2201        Monitor your ntpd instances.
2202    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2203
2204* Potential path traversal vulnerability in the config file saving of
2205  ntpd on VMS.
2206
2207  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2208  Affects: All ntp-4 releases running under VMS up to, but not
2209	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2210  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2211  Summary: If ntpd is configured to allow remote configuration, and if
2212	the (possibly spoofed) IP address is allowed to send remote
2213	configuration requests, and if the attacker knows the remote
2214	configuration password or if ntpd was configured to disable
2215	authentication, then an attacker can send a set of packets to
2216	ntpd that may cause ntpd to overwrite files.
2217  Mitigation:
2218	Implement BCP-38.
2219	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2220	    Page or the NTP Public Services Project Download Page.
2221	If you are unable to upgrade, remote configuration of NTF's ntpd
2222	    requires:
2223		an explicitly configured "trusted" key. Only configure
2224			this if you need it.
2225		access from permitted IP addresses. You choose the IPs.
2226		authentication. Don't disable it. Practice key security safety.
2227        Monitor your ntpd instances.
2228    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2229
2230* ntpq atoascii() potential memory corruption
2231
2232  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2233  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2234	and 4.3.0 up to, but not including 4.3.77
2235  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
2236  Summary: If an attacker can figure out the precise moment that ntpq
2237	is listening for data and the port number it is listening on or
2238	if the attacker can provide a malicious instance ntpd that
2239	victims will connect to then an attacker can send a set of
2240	crafted mode 6 response packets that, if received by ntpq,
2241	can cause ntpq to crash.
2242  Mitigation:
2243	Implement BCP-38.
2244	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2245	    Page or the NTP Public Services Project Download Page.
2246	If you are unable to upgrade and you run ntpq against a server
2247	    and ntpq crashes, try again using raw mode. Build or get a
2248	    patched ntpq and see if that fixes the problem. Report new
2249	    bugs in ntpq or abusive servers appropriately.
2250	If you use ntpq in scripts, make sure ntpq does what you expect
2251	    in your scripts.
2252  Credit: This weakness was discovered by Yves Younan and
2253  	Aleksander Nikolich of Cisco Talos.
2254
2255* Invalid length data provided by a custom refclock driver could cause
2256  a buffer overflow.
2257
2258  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2259  Affects: Potentially all ntp-4 releases running up to, but not
2260	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2261	that have custom refclocks
2262  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2263	5.9 unusual worst case
2264  Summary: A negative value for the datalen parameter will overflow a
2265	data buffer. NTF's ntpd driver implementations always set this
2266	value to 0 and are therefore not vulnerable to this weakness.
2267	If you are running a custom refclock driver in ntpd and that
2268	driver supplies a negative value for datalen (no custom driver
2269	of even minimal competence would do this) then ntpd would
2270	overflow a data buffer. It is even hypothetically possible
2271	in this case that instead of simply crashing ntpd the attacker
2272	could effect a code injection attack.
2273  Mitigation:
2274	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2275	    Page or the NTP Public Services Project Download Page.
2276	If you are unable to upgrade:
2277		If you are running custom refclock drivers, make sure
2278			the signed datalen value is either zero or positive.
2279	Monitor your ntpd instances.
2280  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2281
2282* Password Length Memory Corruption Vulnerability
2283
2284  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2285  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2286  	4.3.0 up to, but not including 4.3.77
2287  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2288  	1.7 usual case, 6.8, worst case
2289  Summary: If ntpd is configured to allow remote configuration, and if
2290	the (possibly spoofed) source IP address is allowed to send
2291	remote configuration requests, and if the attacker knows the
2292	remote configuration password or if ntpd was (foolishly)
2293	configured to disable authentication, then an attacker can
2294	send a set of packets to ntpd that may cause it to crash,
2295	with the hypothetical possibility of a small code injection.
2296  Mitigation:
2297	Implement BCP-38.
2298	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2299	    Page or the NTP Public Services Project Download Page.
2300	If you are unable to upgrade, remote configuration of NTF's
2301	    ntpd requires:
2302		an explicitly configured "trusted" key. Only configure
2303			this if you need it.
2304		access from a permitted IP address. You choose the IPs.
2305		authentication. Don't disable it. Practice secure key safety.
2306	Monitor your ntpd instances.
2307  Credit: This weakness was discovered by Yves Younan and
2308  	Aleksander Nikolich of Cisco Talos.
2309
2310* decodenetnum() will ASSERT botch instead of returning FAIL on some
2311  bogus values.
2312
2313  References: Sec 2922 / CVE-2015-7855
2314  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2315	4.3.0 up to, but not including 4.3.77
2316  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2317  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2318	an unusually long data value where a network address is expected,
2319	the decodenetnum() function will abort with an assertion failure
2320	instead of simply returning a failure condition.
2321  Mitigation:
2322	Implement BCP-38.
2323	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2324	    Page or the NTP Public Services Project Download Page.
2325	If you are unable to upgrade:
2326		mode 7 is disabled by default. Don't enable it.
2327		Use restrict noquery to limit who can send mode 6
2328			and mode 7 requests.
2329		Configure and use the controlkey and requestkey
2330			authentication directives to limit who can
2331			send mode 6 and mode 7 requests.
2332	Monitor your ntpd instances.
2333  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2334
2335* NAK to the Future: Symmetric association authentication bypass via
2336  crypto-NAK.
2337
2338  References: Sec 2941 / CVE-2015-7871
2339  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2340  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
2341  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2342  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2343	from unauthenticated ephemeral symmetric peers by bypassing the
2344	authentication required to mobilize peer associations. This
2345	vulnerability appears to have been introduced in ntp-4.2.5p186
2346	when the code handling mobilization of new passive symmetric
2347	associations (lines 1103-1165) was refactored.
2348  Mitigation:
2349	Implement BCP-38.
2350	Upgrade to 4.2.8p4, or later, from the NTP Project Download
2351	    Page or the NTP Public Services Project Download Page.
2352	If you are unable to upgrade:
2353		Apply the patch to the bottom of the "authentic" check
2354			block around line 1136 of ntp_proto.c.
2355	Monitor your ntpd instances.
2356  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2357
2358Backward-Incompatible changes:
2359* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2360  While the general default of 32M is still the case, under Linux
2361  the default value has been changed to -1 (do not lock ntpd into
2362  memory).  A value of 0 means "lock ntpd into memory with whatever
2363  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2364  value in it, that value will continue to be used.
2365
2366* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2367  If you've written a script that looks for this case in, say, the
2368  output of ntpq, you probably want to change your regex matches
2369  from 'outlyer' to 'outl[iy]er'.
2370
2371New features in this release:
2372* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2373  "don't lock ntpd into memore".  This is the default for Linux boxes.
2374  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2375  the value is the number of megabytes of memory to lock.  The default
2376  is 32 megabytes.
2377
2378* The old Google Test framework has been replaced with a new framework,
2379  based on http://www.throwtheswitch.org/unity/ .
2380
2381Bug Fixes and Improvements:
2382* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2383  privileges and limiting resources in NTPD removes the need to link
2384  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2385* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2386* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2387* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2388* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2389* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2390* [Bug 2849] Systems with more than one default route may never
2391  synchronize.  Brian Utterback.  Note that this patch might need to
2392  be reverted once Bug 2043 has been fixed.
2393* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2394* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2395* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2396* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2397* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2398* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2399  be configured for the distribution targets.  Harlan Stenn.
2400* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2401* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2402* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2403* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2404* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2405* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2406* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2407* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2408* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2409* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2410* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2411* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2412* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2413* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2414* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2415* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2416* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2417* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2418* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2419* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2420* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2421* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2422  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2423  formatting; first declaration, then code (C90); deleted unnecessary comments;
2424  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2425* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2426  fix formatting, cleanup. Tomasz Flendrich
2427* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2428  Tomasz Flendrich
2429* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2430  fix formatting. Tomasz Flendrich
2431* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2432* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2433* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2434  Tomasz Flendrich
2435* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2436* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2437* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2438* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2439* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2440* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2441* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
2442fixed formatting. Tomasz Flendrich
2443* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2444  removed unnecessary comments, cleanup. Tomasz Flendrich
2445* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2446  comments, cleanup. Tomasz Flendrich
2447* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2448  Tomasz Flendrich
2449* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2450* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2451* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2452  Tomasz Flendrich
2453* sntp/tests/kodDatabase.c added consts, deleted empty function,
2454  fixed formatting. Tomasz Flendrich
2455* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2456* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2457  fixed formatting, deleted unused variable. Tomasz Flendrich
2458* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2459  Tomasz Flendrich
2460* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2461  fixed formatting. Tomasz Flendrich
2462* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2463  the order of includes, fixed formatting, removed unnecessary comments.
2464  Tomasz Flendrich
2465* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2466* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2467  made one function do its job, deleted unnecessary prints, fixed formatting.
2468  Tomasz Flendrich
2469* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2470* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2471* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
2472* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2473* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2474* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2475* Don't build sntp/libevent/sample/.  Harlan Stenn.
2476* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2477* br-flock: --enable-local-libevent.  Harlan Stenn.
2478* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2479* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2480* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2481* Code cleanup.  Harlan Stenn.
2482* libntp/icom.c: Typo fix.  Harlan Stenn.
2483* util/ntptime.c: initialization nit.  Harlan Stenn.
2484* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2485* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2486* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2487  Tomasz Flendrich
2488* Changed progname to be const in many files - now it's consistent. Tomasz
2489  Flendrich
2490* Typo fix for GCC warning suppression.  Harlan Stenn.
2491* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2492* Added declarations to all Unity tests, and did minor fixes to them.
2493  Reduced the number of warnings by half. Damir Tomić.
2494* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2495  with the latest Unity updates from Mark. Damir Tomić.
2496* Retire google test - phase I.  Harlan Stenn.
2497* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2498* Update the NEWS file.  Harlan Stenn.
2499* Autoconf cleanup.  Harlan Stenn.
2500* Unit test dist cleanup. Harlan Stenn.
2501* Cleanup various test Makefile.am files.  Harlan Stenn.
2502* Pthread autoconf macro cleanup.  Harlan Stenn.
2503* Fix progname definition in unity runner scripts.  Harlan Stenn.
2504* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2505* Update the patch for bug 2817.  Harlan Stenn.
2506* More updates for bug 2817.  Harlan Stenn.
2507* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2508* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2509* Adding missing MCAST protection.  Harlan Stenn.
2510* Disable certain test programs on certain platforms.  Harlan Stenn.
2511* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2512* build system tweaks.  Harlan Stenn.
2513
2514---
2515NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2516
2517Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2518
2519Severity: MEDIUM
2520
2521Security Fix:
2522
2523* [Sec 2853] Crafted remote config packet can crash some versions of
2524  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2525
2526Under specific circumstances an attacker can send a crafted packet to
2527cause a vulnerable ntpd instance to crash. This requires each of the
2528following to be true:
2529
25301) ntpd set up to allow remote configuration (not allowed by default), and
25312) knowledge of the configuration password, and
25323) access to a computer entrusted to perform remote configuration.
2533
2534This vulnerability is considered low-risk.
2535
2536New features in this release:
2537
2538Optional (disabled by default) support to have ntpd provide smeared
2539leap second time.  A specially built and configured ntpd will only
2540offer smeared time in response to client packets.  These response
2541packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2542of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2543format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2544information.
2545
2546   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2547   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
2548
2549We've imported the Unity test framework, and have begun converting
2550the existing google-test items to this new framework.  If you want
2551to write new tests or change old ones, you'll need to have ruby
2552installed.  You don't need ruby to run the test suite.
2553
2554Bug Fixes and Improvements:
2555
2556* CID 739725: Fix a rare resource leak in libevent/listener.c.
2557* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2558* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2559* CID 1269537: Clean up a line of dead code in getShmTime().
2560* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2561* [Bug 2590] autogen-5.18.5.
2562* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2563  of 'limited'.
2564* [Bug 2650] fix includefile processing.
2565* [Bug 2745] ntpd -x steps clock on leap second
2566   Fixed an initial-value problem that caused misbehaviour in absence of
2567   any leapsecond information.
2568   Do leap second stepping only of the step adjustment is beyond the
2569   proper jump distance limit and step correction is allowed at all.
2570* [Bug 2750] build for Win64
2571  Building for 32bit of loopback ppsapi needs def file
2572* [Bug 2776] Improve ntpq's 'help keytype'.
2573* [Bug 2778] Implement "apeers"  ntpq command to include associd.
2574* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
2575* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
2576  interface is ignored as long as this flag is not set since the
2577  interface is not usable (e.g., no link).
2578* [Bug 2794] Clean up kernel clock status reports.
2579* [Bug 2800] refclock_true.c true_debug() can't open debug log because
2580  of incompatible open/fdopen parameters.
2581* [Bug 2804] install-local-data assumes GNU 'find' semantics.
2582* [Bug 2805] ntpd fails to join multicast group.
2583* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
2584* [Bug 2808] GPSD_JSON driver enhancements, step 1.
2585  Fix crash during cleanup if GPS device not present and char device.
2586  Increase internal token buffer to parse all JSON data, even SKY.
2587  Defer logging of errors during driver init until the first unit is
2588  started, so the syslog is not cluttered when the driver is not used.
2589  Various improvements, see http://bugs.ntp.org/2808 for details.
2590  Changed libjsmn to a more recent version.
2591* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
2592* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
2593* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
2594* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
2595* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
2596* [Bug 2824] Convert update-leap to perl. (also see 2769)
2597* [Bug 2825] Quiet file installation in html/ .
2598* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
2599   NTPD transfers the current TAI (instead of an announcement) now.
2600   This might still needed improvement.
2601   Update autokey data ASAP when 'sys_tai' changes.
2602   Fix unit test that was broken by changes for autokey update.
2603   Avoid potential signature length issue and use DPRINTF where possible
2604     in ntp_crypto.c.
2605* [Bug 2832] refclock_jjy.c supports the TDC-300.
2606* [Bug 2834] Correct a broken html tag in html/refclock.html
2607* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
2608  robust, and require 2 consecutive timestamps to be consistent.
2609* [Bug 2837] Allow a configurable DSCP value.
2610* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
2611* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
2612* [Bug 2842] Bug in mdoc2man.
2613* [Bug 2843] make check fails on 4.3.36
2614   Fixed compiler warnings about numeric range overflow
2615   (The original topic was fixed in a byplay to bug#2830)
2616* [Bug 2845] Harden memory allocation in ntpd.
2617* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
2618* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
2619* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
2620* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
2621* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
2622* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
2623* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
2624* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
2625* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
2626* html/drivers/driver22.html: typo fix.  Harlan Stenn.
2627* refidsmear test cleanup.  Tomasz Flendrich.
2628* refidsmear function support and tests.  Harlan Stenn.
2629* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
2630  something that was only in the 4.2.6 sntp.  Harlan Stenn.
2631* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
2632  Damir Tomić
2633* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
2634  Damir Tomić
2635* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
2636  Damir Tomić
2637* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
2638* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
2639* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
2640  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2641  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
2642  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
2643  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
2644  Damir Tomić
2645* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
2646  networking.c, keyFile.c, utilities.cpp, sntptest.h,
2647  fileHandlingTest.h. Damir Tomić
2648* Initial support for experimental leap smear code.  Harlan Stenn.
2649* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
2650* Report select() debug messages at debug level 3 now.
2651* sntp/scripts/genLocInfo: treat raspbian as debian.
2652* Unity test framework fixes.
2653  ** Requires ruby for changes to tests.
2654* Initial support for PACKAGE_VERSION tests.
2655* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
2656* tests/bug-2803/Makefile.am must distribute bug-2803.h.
2657* Add an assert to the ntpq ifstats code.
2658* Clean up the RLIMIT_STACK code.
2659* Improve the ntpq documentation around the controlkey keyid.
2660* ntpq.c cleanup.
2661* Windows port build cleanup.
2662
2663---
2664NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
2665
2666Focus: Security and Bug fixes, enhancements.
2667
2668Severity: MEDIUM
2669
2670In addition to bug fixes and enhancements, this release fixes the
2671following medium-severity vulnerabilities involving private key
2672authentication:
2673
2674* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2675
2676    References: Sec 2779 / CVE-2015-1798 / VU#374268
2677    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
2678	including ntp-4.2.8p2 where the installation uses symmetric keys
2679	to authenticate remote associations.
2680    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2681    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2682    Summary: When ntpd is configured to use a symmetric key to authenticate
2683	a remote NTP server/peer, it checks if the NTP message
2684	authentication code (MAC) in received packets is valid, but not if
2685	there actually is any MAC included. Packets without a MAC are
2686	accepted as if they had a valid MAC. This allows a MITM attacker to
2687	send false packets that are accepted by the client/peer without
2688	having to know the symmetric key. The attacker needs to know the
2689	transmit timestamp of the client to match it in the forged reply
2690	and the false reply needs to reach the client before the genuine
2691	reply from the server. The attacker doesn't necessarily need to be
2692	relaying the packets between the client and the server.
2693
2694	Authentication using autokey doesn't have this problem as there is
2695	a check that requires the key ID to be larger than NTP_MAXKEY,
2696	which fails for packets without a MAC.
2697    Mitigation:
2698        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2699	or the NTP Public Services Project Download Page
2700        Configure ntpd with enough time sources and monitor it properly.
2701    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2702
2703* [Sec 2781] Authentication doesn't protect symmetric associations against
2704  DoS attacks.
2705
2706    References: Sec 2781 / CVE-2015-1799 / VU#374268
2707    Affects: All NTP releases starting with at least xntp3.3wy up to but
2708	not including ntp-4.2.8p2 where the installation uses symmetric
2709	key authentication.
2710    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
2711    Note: the CVSS base Score for this issue could be 4.3 or lower, and
2712	it could be higher than 5.4.
2713    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
2714    Summary: An attacker knowing that NTP hosts A and B are peering with
2715	each other (symmetric association) can send a packet to host A
2716	with source address of B which will set the NTP state variables
2717	on A to the values sent by the attacker. Host A will then send
2718	on its next poll to B a packet with originate timestamp that
2719	doesn't match the transmit timestamp of B and the packet will
2720	be dropped. If the attacker does this periodically for both
2721	hosts, they won't be able to synchronize to each other. This is
2722	a known denial-of-service attack, described at
2723	https://www.eecis.udel.edu/~mills/onwire.html .
2724
2725	According to the document the NTP authentication is supposed to
2726	protect symmetric associations against this attack, but that
2727	doesn't seem to be the case. The state variables are updated even
2728	when authentication fails and the peers are sending packets with
2729	originate timestamps that don't match the transmit timestamps on
2730	the receiving side.
2731
2732	This seems to be a very old problem, dating back to at least
2733	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
2734	specifications, so other NTP implementations with support for
2735	symmetric associations and authentication may be vulnerable too.
2736	An update to the NTP RFC to correct this error is in-process.
2737    Mitigation:
2738        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
2739	or the NTP Public Services Project Download Page
2740        Note that for users of autokey, this specific style of MITM attack
2741	is simply a long-known potential problem.
2742        Configure ntpd with appropriate time sources and monitor ntpd.
2743	Alert your staff if problems are detected.
2744    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
2745
2746* New script: update-leap
2747The update-leap script will verify and if necessary, update the
2748leap-second definition file.
2749It requires the following commands in order to work:
2750
2751	wget logger tr sed shasum
2752
2753Some may choose to run this from cron.  It needs more portability testing.
2754
2755Bug Fixes and Improvements:
2756
2757* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
2758* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
2759* [Bug 2346] "graceful termination" signals do not do peer cleanup.
2760* [Bug 2728] See if C99-style structure initialization works.
2761* [Bug 2747] Upgrade libevent to 2.1.5-beta.
2762* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
2763* [Bug 2751] jitter.h has stale copies of l_fp macros.
2764* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
2765* [Bug 2757] Quiet compiler warnings.
2766* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
2767* [Bug 2763] Allow different thresholds for forward and backward steps.
2768* [Bug 2766] ntp-keygen output files should not be world-readable.
2769* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
2770* [Bug 2771] nonvolatile value is documented in wrong units.
2771* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
2772* [Bug 2774] Unreasonably verbose printout - leap pending/warning
2773* [Bug 2775] ntp-keygen.c fails to compile under Windows.
2774* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
2775  Removed non-ASCII characters from some copyright comments.
2776  Removed trailing whitespace.
2777  Updated definitions for Meinberg clocks from current Meinberg header files.
2778  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
2779  Account for updated definitions pulled from Meinberg header files.
2780  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
2781  Replaced some constant numbers by defines from ntp_calendar.h
2782  Modified creation of parse-specific variables for Meinberg devices
2783  in gps16x_message().
2784  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
2785  Modified mbg_tm_str() which now expexts an additional parameter controlling
2786  if the time status shall be printed.
2787* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
2788* [Sec 2781] Authentication doesn't protect symmetric associations against
2789  DoS attacks.
2790* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
2791* [Bug 2789] Quiet compiler warnings from libevent.
2792* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
2793  pause briefly before measuring system clock precision to yield
2794  correct results.
2795* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
2796* Use predefined function types for parse driver functions
2797  used to set up function pointers.
2798  Account for changed prototype of parse_inp_fnc_t functions.
2799  Cast parse conversion results to appropriate types to avoid
2800  compiler warnings.
2801  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
2802  when called with pointers to different types.
2803
2804---
2805NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
2806
2807Focus: Security and Bug fixes, enhancements.
2808
2809Severity: HIGH
2810
2811In addition to bug fixes and enhancements, this release fixes the
2812following high-severity vulnerabilities:
2813
2814* vallen is not validated in several places in ntp_crypto.c, leading
2815  to a potential information leak or possibly a crash
2816
2817    References: Sec 2671 / CVE-2014-9297 / VU#852879
2818    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
2819    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2820    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
2821    Summary: The vallen packet value is not validated in several code
2822             paths in ntp_crypto.c which can lead to information leakage
2823	     or perhaps a crash of the ntpd process.
2824    Mitigation - any of:
2825	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2826		or the NTP Public Services Project Download Page.
2827	Disable Autokey Authentication by removing, or commenting out,
2828		all configuration directives beginning with the "crypto"
2829		keyword in your ntp.conf file.
2830    Credit: This vulnerability was discovered by Stephen Roettger of the
2831    	Google Security Team, with additional cases found by Sebastian
2832	Krahmer of the SUSE Security Team and Harlan Stenn of Network
2833	Time Foundation.
2834
2835* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
2836  can be bypassed.
2837
2838    References: Sec 2672 / CVE-2014-9298 / VU#852879
2839    Affects: All NTP4 releases before 4.2.8p1, under at least some
2840	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
2841    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
2842    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
2843    Summary: While available kernels will prevent 127.0.0.1 addresses
2844	from "appearing" on non-localhost IPv4 interfaces, some kernels
2845	do not offer the same protection for ::1 source addresses on
2846	IPv6 interfaces. Since NTP's access control is based on source
2847	address and localhost addresses generally have no restrictions,
2848	an attacker can send malicious control and configuration packets
2849	by spoofing ::1 addresses from the outside. Note Well: This is
2850	not really a bug in NTP, it's a problem with some OSes. If you
2851	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
2852	ACL restrictions on any application can be bypassed!
2853    Mitigation:
2854        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
2855	or the NTP Public Services Project Download Page
2856        Install firewall rules to block packets claiming to come from
2857	::1 from inappropriate network interfaces.
2858    Credit: This vulnerability was discovered by Stephen Roettger of
2859	the Google Security Team.
2860
2861Additionally, over 30 bugfixes and improvements were made to the codebase.
2862See the ChangeLog for more information.
2863
2864---
2865NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
2866
2867Focus: Security and Bug fixes, enhancements.
2868
2869Severity: HIGH
2870
2871In addition to bug fixes and enhancements, this release fixes the
2872following high-severity vulnerabilities:
2873
2874************************** vv NOTE WELL vv *****************************
2875
2876The vulnerabilities listed below can be significantly mitigated by
2877following the BCP of putting
2878
2879 restrict default ... noquery
2880
2881in the ntp.conf file.  With the exception of:
2882
2883   receive(): missing return on error
2884   References: Sec 2670 / CVE-2014-9296 / VU#852879
2885
2886below (which is a limited-risk vulnerability), none of the recent
2887vulnerabilities listed below can be exploited if the source IP is
2888restricted from sending a 'query'-class packet by your ntp.conf file.
2889
2890************************** ^^ NOTE WELL ^^ *****************************
2891
2892* Weak default key in config_auth().
2893
2894  References: [Sec 2665] / CVE-2014-9293 / VU#852879
2895  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2896  Vulnerable Versions: all releases prior to 4.2.7p11
2897  Date Resolved: 28 Jan 2010
2898
2899  Summary: If no 'auth' key is set in the configuration file, ntpd
2900	would generate a random key on the fly.  There were two
2901	problems with this: 1) the generated key was 31 bits in size,
2902	and 2) it used the (now weak) ntp_random() function, which was
2903	seeded with a 32-bit value and could only provide 32 bits of
2904	entropy.  This was sufficient back in the late 1990s when the
2905	code was written.  Not today.
2906
2907  Mitigation - any of:
2908	- Upgrade to 4.2.7p11 or later.
2909	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2910
2911  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
2912  	of the Google Security Team.
2913
2914* Non-cryptographic random number generator with weak seed used by
2915  ntp-keygen to generate symmetric keys.
2916
2917  References: [Sec 2666] / CVE-2014-9294 / VU#852879
2918  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
2919  Vulnerable Versions: All NTP4 releases before 4.2.7p230
2920  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
2921
2922  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
2923  	prepare a random number generator that was of good quality back
2924	in the late 1990s. The random numbers produced was then used to
2925	generate symmetric keys. In ntp-4.2.8 we use a current-technology
2926	cryptographic random number generator, either RAND_bytes from
2927	OpenSSL, or arc4random().
2928
2929  Mitigation - any of:
2930  	- Upgrade to 4.2.7p230 or later.
2931	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2932
2933  Credit:  This vulnerability was discovered in ntp-4.2.6 by
2934  	Stephen Roettger of the Google Security Team.
2935
2936* Buffer overflow in crypto_recv()
2937
2938  References: Sec 2667 / CVE-2014-9295 / VU#852879
2939  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2940  Versions: All releases before 4.2.8
2941  Date Resolved: Stable (4.2.8) 18 Dec 2014
2942
2943  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
2944  	file contains a 'crypto pw ...' directive) a remote attacker
2945	can send a carefully crafted packet that can overflow a stack
2946	buffer and potentially allow malicious code to be executed
2947	with the privilege level of the ntpd process.
2948
2949  Mitigation - any of:
2950  	- Upgrade to 4.2.8, or later, or
2951	- Disable Autokey Authentication by removing, or commenting out,
2952	  all configuration directives beginning with the crypto keyword
2953	  in your ntp.conf file.
2954
2955  Credit: This vulnerability was discovered by Stephen Roettger of the
2956  	Google Security Team.
2957
2958* Buffer overflow in ctl_putdata()
2959
2960  References: Sec 2668 / CVE-2014-9295 / VU#852879
2961  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2962  Versions: All NTP4 releases before 4.2.8
2963  Date Resolved: Stable (4.2.8) 18 Dec 2014
2964
2965  Summary: A remote attacker can send a carefully crafted packet that
2966  	can overflow a stack buffer and potentially allow malicious
2967	code to be executed with the privilege level of the ntpd process.
2968
2969  Mitigation - any of:
2970  	- Upgrade to 4.2.8, or later.
2971	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2972
2973  Credit: This vulnerability was discovered by Stephen Roettger of the
2974  	Google Security Team.
2975
2976* Buffer overflow in configure()
2977
2978  References: Sec 2669 / CVE-2014-9295 / VU#852879
2979  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
2980  Versions: All NTP4 releases before 4.2.8
2981  Date Resolved: Stable (4.2.8) 18 Dec 2014
2982
2983  Summary: A remote attacker can send a carefully crafted packet that
2984	can overflow a stack buffer and potentially allow malicious
2985	code to be executed with the privilege level of the ntpd process.
2986
2987  Mitigation - any of:
2988  	- Upgrade to 4.2.8, or later.
2989	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
2990
2991  Credit: This vulnerability was discovered by Stephen Roettger of the
2992	Google Security Team.
2993
2994* receive(): missing return on error
2995
2996  References: Sec 2670 / CVE-2014-9296 / VU#852879
2997  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
2998  Versions: All NTP4 releases before 4.2.8
2999  Date Resolved: Stable (4.2.8) 18 Dec 2014
3000
3001  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
3002  	the code path where an error was detected, which meant
3003	processing did not stop when a specific rare error occurred.
3004	We haven't found a way for this bug to affect system integrity.
3005	If there is no way to affect system integrity the base CVSS
3006	score for this bug is 0. If there is one avenue through which
3007	system integrity can be partially affected, the base score
3008	becomes a 5. If system integrity can be partially affected
3009	via all three integrity metrics, the CVSS base score become 7.5.
3010
3011  Mitigation - any of:
3012        - Upgrade to 4.2.8, or later,
3013        - Remove or comment out all configuration directives
3014	  beginning with the crypto keyword in your ntp.conf file.
3015
3016  Credit: This vulnerability was discovered by Stephen Roettger of the
3017  	Google Security Team.
3018
3019See http://support.ntp.org/security for more information.
3020
3021New features / changes in this release:
3022
3023Important Changes
3024
3025* Internal NTP Era counters
3026
3027The internal counters that track the "era" (range of years) we are in
3028rolls over every 136 years'.  The current "era" started at the stroke of
3029midnight on 1 Jan 1900, and ends just before the stroke of midnight on
30301 Jan 2036.
3031In the past, we have used the "midpoint" of the  range to decide which
3032era we were in.  Given the longevity of some products, it became clear
3033that it would be more functional to "look back" less, and "look forward"
3034more.  We now compile a timestamp into the ntpd executable and when we
3035get a timestamp we us the "built-on" to tell us what era we are in.
3036This check "looks back" 10 years, and "looks forward" 126 years.
3037
3038* ntpdc responses disabled by default
3039
3040Dave Hart writes:
3041
3042For a long time, ntpq and its mostly text-based mode 6 (control)
3043protocol have been preferred over ntpdc and its mode 7 (private
3044request) protocol for runtime queries and configuration.  There has
3045been a goal of deprecating ntpdc, previously held back by numerous
3046capabilities exposed by ntpdc with no ntpq equivalent.  I have been
3047adding commands to ntpq to cover these cases, and I believe I've
3048covered them all, though I've not compared command-by-command
3049recently.
3050
3051As I've said previously, the binary mode 7 protocol involves a lot of
3052hand-rolled structure layout and byte-swapping code in both ntpd and
3053ntpdc which is hard to get right.  As ntpd grows and changes, the
3054changes are difficult to expose via ntpdc while maintaining forward
3055and backward compatibility between ntpdc and ntpd.  In contrast,
3056ntpq's text-based, label=value approach involves more code reuse and
3057allows compatible changes without extra work in most cases.
3058
3059Mode 7 has always been defined as vendor/implementation-specific while
3060mode 6 is described in RFC 1305 and intended to be open to interoperate
3061with other implementations.  There is an early draft of an updated
3062mode 6 description that likely will join the other NTPv4 RFCs
3063eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3064
3065For these reasons, ntpd 4.2.7p230 by default disables processing of
3066ntpdc queries, reducing ntpd's attack surface and functionally
3067deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3068operations, please try the ntpq equivalent.  If there's no equivalent,
3069please open a bug report at http://bugs.ntp.org./
3070
3071In addition to the above, over 1100 issues have been resolved between
3072the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3073lists these.
3074
3075---
3076NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3077
3078Focus: Bug fixes
3079
3080Severity: Medium
3081
3082This is a recommended upgrade.
3083
3084This release updates sys_rootdisp and sys_jitter calculations to match the
3085RFC specification, fixes a potential IPv6 address matching error for the
3086"nic" and "interface" configuration directives, suppresses the creation of
3087extraneous ephemeral associations for certain broadcastclient and
3088multicastclient configurations, cleans up some ntpq display issues, and
3089includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3090
3091New features / changes in this release:
3092
3093ntpd
3094
3095 * Updated "nic" and "interface" IPv6 address handling to prevent
3096   mismatches with localhost [::1] and wildcard [::] which resulted from
3097   using the address/prefix format (e.g. fe80::/64)
3098 * Fix orphan mode stratum incorrectly counting to infinity
3099 * Orphan parent selection metric updated to includes missing ntohl()
3100 * Non-printable stratum 16 refid no longer sent to ntp
3101 * Duplicate ephemeral associations suppressed for broadcastclient and
3102   multicastclient without broadcastdelay
3103 * Exclude undetermined sys_refid from use in loopback TEST12
3104 * Exclude MODE_SERVER responses from KoD rate limiting
3105 * Include root delay in clock_update() sys_rootdisp calculations
3106 * get_systime() updated to exclude sys_residual offset (which only
3107   affected bits "below" sys_tick, the precision threshold)
3108 * sys.peer jitter weighting corrected in sys_jitter calculation
3109
3110ntpq
3111
3112 * -n option extended to include the billboard "server" column
3113 * IPv6 addresses in the local column truncated to prevent overruns
3114
3115---
3116NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3117
3118Focus: Bug fixes and portability improvements
3119
3120Severity: Medium
3121
3122This is a recommended upgrade.
3123
3124This release includes build infrastructure updates, code
3125clean-ups, minor bug fixes, fixes for a number of minor
3126ref-clock issues, and documentation revisions.
3127
3128Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3129
3130New features / changes in this release:
3131
3132Build system
3133
3134* Fix checking for struct rtattr
3135* Update config.guess and config.sub for AIX
3136* Upgrade required version of autogen and libopts for building
3137  from our source code repository
3138
3139ntpd
3140
3141* Back-ported several fixes for Coverity warnings from ntp-dev
3142* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3143* Allow "logconfig =allall" configuration directive
3144* Bind tentative IPv6 addresses on Linux
3145* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3146* Improved tally bit handling to prevent incorrect ntpq peer status reports
3147* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3148  candidate list unless they are designated a "prefer peer"
3149* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3150  selection during the 'tos orphanwait' period
3151* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3152  drivers
3153* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3154* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3155* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3156  clock slew on Microsoft Windows
3157* Code cleanup in libntpq
3158
3159ntpdc
3160
3161* Fix timerstats reporting
3162
3163ntpdate
3164
3165* Reduce time required to set clock
3166* Allow a timeout greater than 2 seconds
3167
3168sntp
3169
3170* Backward incompatible command-line option change:
3171  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3172
3173Documentation
3174
3175* Update html2man. Fix some tags in the .html files
3176* Distribute ntp-wait.html
3177
3178---
3179NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3180
3181Focus: Bug fixes and portability improvements
3182
3183Severity: Medium
3184
3185This is a recommended upgrade.
3186
3187This release includes build infrastructure updates, code
3188clean-ups, minor bug fixes, fixes for a number of minor
3189ref-clock issues, and documentation revisions.
3190
3191Portability improvements in this release affect AIX, Atari FreeMiNT,
3192FreeBSD4, Linux and Microsoft Windows.
3193
3194New features / changes in this release:
3195
3196Build system
3197* Use lsb_release to get information about Linux distributions.
3198* 'test' is in /usr/bin (instead of /bin) on some systems.
3199* Basic sanity checks for the ChangeLog file.
3200* Source certain build files with ./filename for systems without . in PATH.
3201* IRIX portability fix.
3202* Use a single copy of the "libopts" code.
3203* autogen/libopts upgrade.
3204* configure.ac m4 quoting cleanup.
3205
3206ntpd
3207* Do not bind to IN6_IFF_ANYCAST addresses.
3208* Log the reason for exiting under Windows.
3209* Multicast fixes for Windows.
3210* Interpolation fixes for Windows.
3211* IPv4 and IPv6 Multicast fixes.
3212* Manycast solicitation fixes and general repairs.
3213* JJY refclock cleanup.
3214* NMEA refclock improvements.
3215* Oncore debug message cleanup.
3216* Palisade refclock now builds under Linux.
3217* Give RAWDCF more baud rates.
3218* Support Truetime Satellite clocks under Windows.
3219* Support Arbiter 1093C Satellite clocks under Windows.
3220* Make sure that the "filegen" configuration command defaults to "enable".
3221* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3222* Prohibit 'includefile' directive in remote configuration command.
3223* Fix 'nic' interface bindings.
3224* Fix the way we link with openssl if openssl is installed in the base
3225  system.
3226
3227ntp-keygen
3228* Fix -V coredump.
3229* OpenSSL version display cleanup.
3230
3231ntpdc
3232* Many counters should be treated as unsigned.
3233
3234ntpdate
3235* Do not ignore replies with equal receive and transmit timestamps.
3236
3237ntpq
3238* libntpq warning cleanup.
3239
3240ntpsnmpd
3241* Correct SNMP type for "precision" and "resolution".
3242* Update the MIB from the draft version to RFC-5907.
3243
3244sntp
3245* Display timezone offset when showing time for sntp in the local
3246  timezone.
3247* Pay proper attention to RATE KoD packets.
3248* Fix a miscalculation of the offset.
3249* Properly parse empty lines in the key file.
3250* Logging cleanup.
3251* Use tv_usec correctly in set_time().
3252* Documentation cleanup.
3253
3254---
3255NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3256
3257Focus: Bug fixes and portability improvements
3258
3259Severity: Medium
3260
3261This is a recommended upgrade.
3262
3263This release includes build infrastructure updates, code
3264clean-ups, minor bug fixes, fixes for a number of minor
3265ref-clock issues, improved KOD handling, OpenSSL related
3266updates and documentation revisions.
3267
3268Portability improvements in this release affect Irix, Linux,
3269Mac OS, Microsoft Windows, OpenBSD and QNX6
3270
3271New features / changes in this release:
3272
3273ntpd
3274* Range syntax for the trustedkey configuration directive
3275* Unified IPv4 and IPv6 restrict lists
3276
3277ntpdate
3278* Rate limiting and KOD handling
3279
3280ntpsnmpd
3281* default connection to net-snmpd via a unix-domain socket
3282* command-line 'socket name' option
3283
3284ntpq / ntpdc
3285* support for the "passwd ..." syntax
3286* key-type specific password prompts
3287
3288sntp
3289* MD5 authentication of an ntpd
3290* Broadcast and crypto
3291* OpenSSL support
3292
3293---
3294NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3295
3296Focus: Bug fixes, portability fixes, and documentation improvements
3297
3298Severity: Medium
3299
3300This is a recommended upgrade.
3301
3302---
3303NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3304
3305Focus: enhancements and bug fixes.
3306
3307---
3308NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3309
3310Focus: Security Fixes
3311
3312Severity: HIGH
3313
3314This release fixes the following high-severity vulnerability:
3315
3316* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3317
3318  See http://support.ntp.org/security for more information.
3319
3320  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3321  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3322  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3323  request or a mode 7 error response from an address which is not listed
3324  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3325  reply with a mode 7 error response (and log a message).  In this case:
3326
3327	* If an attacker spoofs the source address of ntpd host A in a
3328	  mode 7 response packet sent to ntpd host B, both A and B will
3329	  continuously send each other error responses, for as long as
3330	  those packets get through.
3331
3332	* If an attacker spoofs an address of ntpd host A in a mode 7
3333	  response packet sent to ntpd host A, A will respond to itself
3334	  endlessly, consuming CPU and logging excessively.
3335
3336  Credit for finding this vulnerability goes to Robin Park and Dmitri
3337  Vinokurov of Alcatel-Lucent.
3338
3339THIS IS A STRONGLY RECOMMENDED UPGRADE.
3340
3341---
3342ntpd now syncs to refclocks right away.
3343
3344Backward-Incompatible changes:
3345
3346ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3347Use '--var name' or '--dvar name' instead. (Bug 817)
3348
3349---
3350NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3351
3352Focus: Security and Bug Fixes
3353
3354Severity: HIGH
3355
3356This release fixes the following high-severity vulnerability:
3357
3358* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3359
3360  See http://support.ntp.org/security for more information.
3361
3362  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3363  line) then a carefully crafted packet sent to the machine will cause
3364  a buffer overflow and possible execution of injected code, running
3365  with the privileges of the ntpd process (often root).
3366
3367  Credit for finding this vulnerability goes to Chris Ries of CMU.
3368
3369This release fixes the following low-severity vulnerabilities:
3370
3371* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3372  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3373
3374* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3375  Credit for finding this issue goes to Dave Hart.
3376
3377This release fixes a number of bugs and adds some improvements:
3378
3379* Improved logging
3380* Fix many compiler warnings
3381* Many fixes and improvements for Windows
3382* Adds support for AIX 6.1
3383* Resolves some issues under MacOS X and Solaris
3384
3385THIS IS A STRONGLY RECOMMENDED UPGRADE.
3386
3387---
3388NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3389
3390Focus: Security Fix
3391
3392Severity: Low
3393
3394This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3395the OpenSSL library relating to the incorrect checking of the return
3396value of EVP_VerifyFinal function.
3397
3398Credit for finding this issue goes to the Google Security Team for
3399finding the original issue with OpenSSL, and to ocert.org for finding
3400the problem in NTP and telling us about it.
3401
3402This is a recommended upgrade.
3403---
3404NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3405
3406Focus: Minor Bugfixes
3407
3408This release fixes a number of Windows-specific ntpd bugs and
3409platform-independent ntpdate bugs. A logging bugfix has been applied
3410to the ONCORE driver.
3411
3412The "dynamic" keyword and is now obsolete and deferred binding to local
3413interfaces is the new default. The minimum time restriction for the
3414interface update interval has been dropped.
3415
3416A number of minor build system and documentation fixes are included.
3417
3418This is a recommended upgrade for Windows.
3419
3420---
3421NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3422
3423Focus: Minor Bugfixes
3424
3425This release updates certain copyright information, fixes several display
3426bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3427shutdown in the parse refclock driver, removes some lint from the code,
3428stops accessing certain buffers immediately after they were freed, fixes
3429a problem with non-command-line specification of -6, and allows the loopback
3430interface to share addresses with other interfaces.
3431
3432---
3433NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3434
3435Focus: Minor Bugfixes
3436
3437This release fixes a bug in Windows that made it difficult to
3438terminate ntpd under windows.
3439This is a recommended upgrade for Windows.
3440
3441---
3442NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3443
3444Focus: Minor Bugfixes
3445
3446This release fixes a multicast mode authentication problem,
3447an error in NTP packet handling on Windows that could lead to
3448ntpd crashing, and several other minor bugs. Handling of
3449multicast interfaces and logging configuration were improved.
3450The required versions of autogen and libopts were incremented.
3451This is a recommended upgrade for Windows and multicast users.
3452
3453---
3454NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3455
3456Focus: enhancements and bug fixes.
3457
3458Dynamic interface rescanning was added to simplify the use of ntpd in
3459conjunction with DHCP. GNU AutoGen is used for its command-line options
3460processing. Separate PPS devices are supported for PARSE refclocks, MD5
3461signatures are now provided for the release files. Drivers have been
3462added for some new ref-clocks and have been removed for some older
3463ref-clocks. This release also includes other improvements, documentation
3464and bug fixes.
3465
3466K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3467C support.
3468
3469---
3470NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3471
3472Focus: enhancements and bug fixes.
3473