xref: /freebsd/contrib/ntp/NEWS (revision f4aafb9ea6efd41efe05876d0e6ed70e46b425f0)
1---
2NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
3
4Focus: Security, Bug fixes, enhancements.
5
6Severity: MEDIUM
7
8When building NTP from source, there is a new configure option
9available, --enable-dynamic-interleave.  More information on this below.
10
11Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
12versions of ntp.  These events have almost certainly happened in the
13past, it's just that they were silently counted and not logged.  With
14the increasing awareness around security, we feel it's better to clearly
15log these events to help detect abusive behavior.  This increased
16logging can also help detect other problems, too.
17
18In addition to bug fixes and enhancements, this release fixes the
19following 9 low- and medium-severity vulnerabilities:
20
21* Improve NTP security against buffer comparison timing attacks,
22  AKA: authdecrypt-timing
23   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
24   References: Sec 2879 / CVE-2016-1550
25   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
26	4.3.0 up to, but not including 4.3.92
27   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
28   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
29   Summary: Packet authentication tests have been performed using
30	memcmp() or possibly bcmp(), and it is potentially possible
31	for a local or perhaps LAN-based attacker to send a packet with
32	an authentication payload and indirectly observe how much of
33	the digest has matched.
34   Mitigation:
35	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
36	    or the NTP Public Services Project Download Page.
37	Properly monitor your ntpd instances.
38   Credit: This weakness was discovered independently by Loganaden
39   	Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
40
41* Zero origin timestamp bypass: Additional KoD checks.
42   References: Sec 2945 / Sec 2901 / CVE-2015-8138
43   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
44   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.92.
45
46* peer associations were broken by the fix for NtpBug2899
47   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
48   References: Sec 2952 / CVE-2015-7704
49   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
50   	4.3.0 up to, but not including 4.3.92
51   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
52   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
53   	associations did not address all of the issues.
54   Mitigation:
55        Implement BCP-38.
56        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
57	    or the NTP Public Services Project Download Page
58        If you can't upgrade, use "server" associations instead of
59	    "peer" associations.
60        Monitor your ntpd instances.
61   Credit: This problem was discovered by Michael Tatarinov.
62
63* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
64   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
65   References: Sec 3007 / CVE-2016-1547 / VU#718152
66   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
67	4.3.0 up to, but not including 4.3.92
68   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
69   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
70   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
71	off-path attacker can cause a preemptable client association to
72	be demobilized by sending a crypto NAK packet to a victim client
73	with a spoofed source address of an existing associated peer.
74	This is true even if authentication is enabled.
75
76	Furthermore, if the attacker keeps sending crypto NAK packets,
77	for example one every second, the victim never has a chance to
78	reestablish the association and synchronize time with that
79	legitimate server.
80
81	For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
82	stringent checks are performed on incoming packets, but there
83	are still ways to exploit this vulnerability in versions before
84	ntp-4.2.8p7.
85   Mitigation:
86	Implement BCP-38.
87	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
88	    or the NTP Public Services Project Download Page
89	Properly monitor your =ntpd= instances
90   Credit: This weakness was discovered by Stephen Gray and
91   	Matthew Van Gundy of Cisco ASIG.
92
93* ctl_getitem() return value not always checked
94   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
95   References: Sec 3008 / CVE-2016-2519
96   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
97	4.3.0 up to, but not including 4.3.92
98   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
99   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
100   Summary: ntpq and ntpdc can be used to store and retrieve information
101   	in ntpd. It is possible to store a data value that is larger
102	than the size of the buffer that the ctl_getitem() function of
103	ntpd uses to report the return value. If the length of the
104	requested data value returned by ctl_getitem() is too large,
105	the value NULL is returned instead. There are 2 cases where the
106	return value from ctl_getitem() was not directly checked to make
107	sure it's not NULL, but there are subsequent INSIST() checks
108	that make sure the return value is not NULL. There are no data
109	values ordinarily stored in ntpd that would exceed this buffer
110	length. But if one has permission to store values and one stores
111	a value that is "too large", then ntpd will abort if an attempt
112	is made to read that oversized value.
113    Mitigation:
114        Implement BCP-38.
115        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
116	    or the NTP Public Services Project Download Page
117        Properly monitor your ntpd instances.
118    Credit: This weakness was discovered by Yihan Lian of the Cloud
119    	Security Team, Qihoo 360.
120
121* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
122   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
123   References: Sec 3009 / CVE-2016-2518 / VU#718152
124   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
125	4.3.0 up to, but not including 4.3.92
126   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
127   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
128   Summary: Using a crafted packet to create a peer association with
129   	hmode > 7 causes the MATCH_ASSOC() lookup to make an
130	out-of-bounds reference.
131   Mitigation:
132	Implement BCP-38.
133	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
134	    or the NTP Public Services Project Download Page
135	Properly monitor your ntpd instances
136   Credit: This weakness was discovered by Yihan Lian of the Cloud
137   	Security Team, Qihoo 360.
138
139* remote configuration trustedkey/requestkey/controlkey values are not
140	properly validated
141   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
142   References: Sec 3010 / CVE-2016-2517 / VU#718152
143   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
144	4.3.0 up to, but not including 4.3.92
145   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
146   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
147   Summary: If ntpd was expressly configured to allow for remote
148   	configuration, a malicious user who knows the controlkey for
149	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
150	can create a session with ntpd and then send a crafted packet to
151	ntpd that will change the value of the trustedkey, controlkey,
152	or requestkey to a value that will prevent any subsequent
153	authentication with ntpd until ntpd is restarted.
154   Mitigation:
155	Implement BCP-38.
156	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
157	    or the NTP Public Services Project Download Page
158	Properly monitor your =ntpd= instances
159   Credit: This weakness was discovered by Yihan Lian of the Cloud
160   	Security Team, Qihoo 360.
161
162* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
163   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
164   References: Sec 3011 / CVE-2016-2516 / VU#718152
165   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
166   	4.3.0 up to, but not including 4.3.92
167   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
168   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
169   Summary: If ntpd was expressly configured to allow for remote
170   	configuration, a malicious user who knows the controlkey for
171	ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
172	can create a session with ntpd and if an existing association is
173	unconfigured using the same IP twice on the unconfig directive
174	line, ntpd will abort.
175   Mitigation:
176	Implement BCP-38.
177	Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
178	    or the NTP Public Services Project Download Page
179	Properly monitor your ntpd instances
180   Credit: This weakness was discovered by Yihan Lian of the Cloud
181   	Security Team, Qihoo 360.
182
183* Refclock impersonation vulnerability
184   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
185   References: Sec 3020 / CVE-2016-1551
186   Affects: On a very limited number of OSes, all NTP releases up to but
187	not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
188	By "very limited number of OSes" we mean no general-purpose OSes
189	have yet been identified that have this vulnerability.
190   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
191   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
192   Summary: While most OSes implement martian packet filtering in their
193   	network stack, at least regarding 127.0.0.0/8, some will allow
194	packets claiming to be from 127.0.0.0/8 that arrive over a
195	physical network. On these OSes, if ntpd is configured to use a
196	reference clock an attacker can inject packets over the network
197	that look like they are coming from that reference clock.
198   Mitigation:
199        Implement martian packet filtering and BCP-38.
200        Configure ntpd to use an adequate number of time sources.
201        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
202	    or the NTP Public Services Project Download Page
203        If you are unable to upgrade and if you are running an OS that
204	    has this vulnerability, implement martian packet filters and
205	    lobby your OS vendor to fix this problem, or run your
206	    refclocks on computers that use OSes that are not vulnerable
207	    to these attacks and have your vulnerable machines get their
208	    time from protected resources.
209        Properly monitor your ntpd instances.
210   Credit: This weakness was discovered by Matt Street and others of
211   	Cisco ASIG.
212
213The following issues were fixed in earlier releases and contain
214improvements in 4.2.8p7:
215
216* Clients that receive a KoD should validate the origin timestamp field.
217   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
218   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
219   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
220
221* Skeleton key: passive server with trusted key can serve time.
222   References: Sec 2936 / CVE-2015-7974
223   Affects: All ntp-4 releases up to, but not including 4.2.8p7,
224   Summary: Improvements to the fixes incorporated in t 4.2.8p6 and 4.3.90.
225
226Two other vulnerabilities have been reported, and the mitigations
227for these are as follows:
228
229* Interleave-pivot
230   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
231   References: Sec 2978 / CVE-2016-1548
232   Affects: All ntp-4 releases.
233   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
234   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
235   Summary: It is possible to change the time of an ntpd client or deny
236   	service to an ntpd client by forcing it to change from basic
237	client/server mode to interleaved symmetric mode. An attacker
238	can spoof a packet from a legitimate ntpd server with an origin
239	timestamp that matches the peer->dst timestamp recorded for that
240	server. After making this switch, the client will reject all
241	future legitimate server responses. It is possible to force the
242	victim client to move time after the mode has been changed.
243	ntpq gives no indication that the mode has been switched.
244   Mitigation:
245        Implement BCP-38.
246        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
247	    or the NTP Public Services Project Download Page.  These
248	    versions will not dynamically "flip" into interleave mode
249	    unless configured to do so.
250        Properly monitor your ntpd instances.
251   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
252   	and separately by Jonathan Gardner of Cisco ASIG.
253
254* Sybil vulnerability: ephemeral association attack
255   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
256   References: Sec 3012 / CVE-2016-1549
257   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
258   	4.3.0 up to, but not including 4.3.92
259   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
260   CVSS3v: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
261   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
262   	the feature introduced in ntp-4.2.8p6 allowing an optional 4th
263	field in the ntp.keys file to specify which IPs can serve time,
264	a malicious authenticated peer can create arbitrarily-many
265	ephemeral associations in order to win the clock selection of
266	ntpd and modify a victim's clock.
267   Mitigation:
268        Implement BCP-38.
269        Use the 4th field in the ntp.keys file to specify which IPs
270	    can be time servers.
271        Properly monitor your ntpd instances.
272   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
273
274Other fixes:
275
276* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
277  - fixed yet another race condition in the threaded resolver code.
278* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
279* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
280  - integrated patches by Loganaden Velvidron <logan@ntp.org>
281    with some modifications & unit tests
282* [Bug 2960] async name resolution fixes for chroot() environments.
283  Reinhard Max.
284* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
285* [Bug 2995] Fixes to compile on Windows
286* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
287* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
288  - Patch provided by Ch. Weisgerber
289* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
290  - A change related to [Bug 2853] forbids trailing white space in
291    remote config commands. perlinger@ntp.org
292* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
293  - report and patch from Aleksandr Kostikov.
294  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
295* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
296  - fixed memory leak in access list (auth[read]keys.c)
297  - refactored handling of key access lists (auth[read]keys.c)
298  - reduced number of error branches (authreadkeys.c)
299* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
300* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
301* [Bug 3031] ntp broadcastclient unable to synchronize to an server
302             when the time of server changed. perlinger@ntp.org
303  - Check the initial delay calculation and reject/unpeer the broadcast
304    server if the delay exceeds 50ms. Retry again after the next
305    broadcast packet.
306* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
307* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
308* Update html/xleave.html documentation.  Harlan Stenn.
309* Update ntp.conf documentation.  Harlan Stenn.
310* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
311* Fix typo in html/monopt.html.  Harlan Stenn.
312* Add README.pullrequests.  Harlan Stenn.
313* Cleanup to include/ntp.h.  Harlan Stenn.
314
315New option to 'configure':
316
317While looking in to the issues around Bug 2978, the "interleave pivot"
318issue, it became clear that there are some intricate and unresolved
319issues with interleave operations.  We also realized that the interleave
320protocol was never added to the NTPv4 Standard, and it should have been.
321
322Interleave mode was first released in July of 2008, and can be engaged
323in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
324contain the 'xleave' option, which will expressly enable interlave mode
325for that association.  Additionally, if a time packet arrives and is
326found inconsistent with normal protocol behavior but has certain
327characteristics that are compatible with interleave mode, NTP will
328dynamically switch to interleave mode.  With sufficient knowledge, an
329attacker can send a crafted forged packet to an NTP instance that
330triggers only one side to enter interleaved mode.
331
332To prevent this attack until we can thoroughly document, describe,
333fix, and test the dynamic interleave mode, we've added a new
334'configure' option to the build process:
335
336 --enable-dynamic-interleave
337
338This option controls whether or not NTP will, if conditions are right,
339engage dynamic interleave mode.  Dynamic interleave mode is disabled by
340default in ntp-4.2.8p7.
341
342---
343NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
344
345Focus: Security, Bug fixes, enhancements.
346
347Severity: MEDIUM
348
349In addition to bug fixes and enhancements, this release fixes the
350following 1 low- and 8 medium-severity vulnerabilities:
351
352* Potential Infinite Loop in 'ntpq'
353   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
354   References: Sec 2548 / CVE-2015-8158
355   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
356	4.3.0 up to, but not including 4.3.90
357   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
358   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
359   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
360	The loop's only stopping conditions are receiving a complete and
361	correct response or hitting a small number of error conditions.
362	If the packet contains incorrect values that don't trigger one of
363	the error conditions, the loop continues to receive new packets.
364	Note well, this is an attack against an instance of 'ntpq', not
365	'ntpd', and this attack requires the attacker to do one of the
366	following:
367	* Own a malicious NTP server that the client trusts
368	* Prevent a legitimate NTP server from sending packets to
369	    the 'ntpq' client
370	* MITM the 'ntpq' communications between the 'ntpq' client
371	    and the NTP server
372   Mitigation:
373	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
374	or the NTP Public Services Project Download Page
375   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
376
377* 0rigin: Zero Origin Timestamp Bypass
378   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
379   References: Sec 2945 / CVE-2015-8138
380   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
381	4.3.0 up to, but not including 4.3.90
382   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
383   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
384	(3.7 - LOW if you score AC:L)
385   Summary: To distinguish legitimate peer responses from forgeries, a
386	client attempts to verify a response packet by ensuring that the
387	origin timestamp in the packet matches the origin timestamp it
388	transmitted in its last request.  A logic error exists that
389	allows packets with an origin timestamp of zero to bypass this
390	check whenever there is not an outstanding request to the server.
391   Mitigation:
392	Configure 'ntpd' to get time from multiple sources.
393	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
394	    or the NTP Public Services Project Download Page.
395	Monitor your 'ntpd= instances.
396   Credit: This weakness was discovered by Matthey Van Gundy and
397	Jonathan Gardner of Cisco ASIG.
398
399* Stack exhaustion in recursive traversal of restriction list
400   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
401   References: Sec 2940 / CVE-2015-7978
402   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
403	4.3.0 up to, but not including 4.3.90
404   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
405   Summary: An unauthenticated 'ntpdc reslist' command can cause a
406   	segmentation fault in ntpd by exhausting the call stack.
407   Mitigation:
408	Implement BCP-38.
409	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
410	    or the NTP Public Services Project Download Page.
411	If you are unable to upgrade:
412            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
413	    If you must enable mode 7:
414		configure the use of a 'requestkey' to control who can
415		    issue mode 7 requests.
416		configure 'restrict noquery' to further limit mode 7
417		    requests to trusted sources.
418		Monitor your ntpd instances.
419   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
420
421* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
422   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
423   References: Sec 2942 / CVE-2015-7979
424   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
425	4.3.0 up to, but not including 4.3.90
426   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
427   Summary: An off-path attacker can send broadcast packets with bad
428	authentication (wrong key, mismatched key, incorrect MAC, etc)
429	to broadcast clients. It is observed that the broadcast client
430	tears down the association with the broadcast server upon
431	receiving just one bad packet.
432   Mitigation:
433	Implement BCP-38.
434	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
435	or the NTP Public Services Project Download Page.
436	Monitor your 'ntpd' instances.
437	If this sort of attack is an active problem for you, you have
438	    deeper problems to investigate.  In this case also consider
439	    having smaller NTP broadcast domains.
440   Credit: This weakness was discovered by Aanchal Malhotra of Boston
441   	University.
442
443* reslist NULL pointer dereference
444   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
445   References: Sec 2939 / CVE-2015-7977
446   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
447	4.3.0 up to, but not including 4.3.90
448   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
449   Summary: An unauthenticated 'ntpdc reslist' command can cause a
450	segmentation fault in ntpd by causing a NULL pointer dereference.
451   Mitigation:
452	Implement BCP-38.
453	Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
454	the NTP Public Services Project Download Page.
455	If you are unable to upgrade:
456	    mode 7 is disabled by default.  Don't enable it.
457	    If you must enable mode 7:
458		configure the use of a 'requestkey' to control who can
459		    issue mode 7 requests.
460		configure 'restrict noquery' to further limit mode 7
461		    requests to trusted sources.
462	Monitor your ntpd instances.
463   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
464
465* 'ntpq saveconfig' command allows dangerous characters in filenames.
466   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
467   References: Sec 2938 / CVE-2015-7976
468   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
469	4.3.0 up to, but not including 4.3.90
470   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
471   Summary: The ntpq saveconfig command does not do adequate filtering
472   	of special characters from the supplied filename.
473	Note well: The ability to use the saveconfig command is controlled
474	by the 'restrict nomodify' directive, and the recommended default
475	configuration is to disable this capability.  If the ability to
476	execute a 'saveconfig' is required, it can easily (and should) be
477	limited and restricted to a known small number of IP addresses.
478   Mitigation:
479	Implement BCP-38.
480	use 'restrict default nomodify' in your 'ntp.conf' file.
481	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
482	If you are unable to upgrade:
483	    build NTP with 'configure --disable-saveconfig' if you will
484	    	never need this capability, or
485	    use 'restrict default nomodify' in your 'ntp.conf' file.  Be
486		careful about what IPs have the ability to send 'modify'
487		requests to 'ntpd'.
488	Monitor your ntpd instances.
489	'saveconfig' requests are logged to syslog - monitor your syslog files.
490   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
491
492* nextvar() missing length check in ntpq
493   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
494   References: Sec 2937 / CVE-2015-7975
495   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
496	4.3.0 up to, but not including 4.3.90
497   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
498	If you score A:C, this becomes 4.0.
499   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
500   Summary: ntpq may call nextvar() which executes a memcpy() into the
501	name buffer without a proper length check against its maximum
502	length of 256 bytes. Note well that we're taking about ntpq here.
503	The usual worst-case effect of this vulnerability is that the
504	specific instance of ntpq will crash and the person or process
505	that did this will have stopped themselves.
506   Mitigation:
507	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
508	    or the NTP Public Services Project Download Page.
509	If you are unable to upgrade:
510	    If you have scripts that feed input to ntpq make sure there are
511		some sanity checks on the input received from the "outside".
512	    This is potentially more dangerous if ntpq is run as root.
513   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
514
515* Skeleton Key: Any trusted key system can serve time
516   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
517   References: Sec 2936 / CVE-2015-7974
518   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
519	4.3.0 up to, but not including 4.3.90
520   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
521   Summary: Symmetric key encryption uses a shared trusted key. The
522	reported title for this issue was "Missing key check allows
523	impersonation between authenticated peers" and the report claimed
524	"A key specified only for one server should only work to
525	authenticate that server, other trusted keys should be refused."
526	Except there has never been any correlation between this trusted
527	key and server v. clients machines and there has never been any
528	way to specify a key only for one server. We have treated this as
529	an enhancement request, and ntp-4.2.8p6 includes other checks and
530	tests to strengthen clients against attacks coming from broadcast
531	servers.
532   Mitigation:
533	Implement BCP-38.
534	If this scenario represents a real or a potential issue for you,
535	    upgrade to 4.2.8p6, or later, from the NTP Project Download
536	    Page or the NTP Public Services Project Download Page, and
537	    use the new field in the ntp.keys file that specifies the list
538	    of IPs that are allowed to serve time. Note that this alone
539	    will not protect against time packets with forged source IP
540	    addresses, however other changes in ntp-4.2.8p6 provide
541	    significant mitigation against broadcast attacks. MITM attacks
542	    are a different story.
543	If you are unable to upgrade:
544	    Don't use broadcast mode if you cannot monitor your client
545	    	servers.
546	    If you choose to use symmetric keys to authenticate time
547	    	packets in a hostile environment where ephemeral time
548		servers can be created, or if it is expected that malicious
549		time servers will participate in an NTP broadcast domain,
550		limit the number of participating systems that participate
551		in the shared-key group.
552	Monitor your ntpd instances.
553   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
554
555* Deja Vu: Replay attack on authenticated broadcast mode
556   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
557   References: Sec 2935 / CVE-2015-7973
558   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
559   	4.3.0 up to, but not including 4.3.90
560   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
561   Summary: If an NTP network is configured for broadcast operations then
562   	either a man-in-the-middle attacker or a malicious participant
563	that has the same trusted keys as the victim can replay time packets.
564   Mitigation:
565	Implement BCP-38.
566	Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
567	    or the NTP Public Services Project Download Page.
568	If you are unable to upgrade:
569	    Don't use broadcast mode if you cannot monitor your client servers.
570	Monitor your ntpd instances.
571   Credit: This weakness was discovered by Aanchal Malhotra of Boston
572	University.
573
574Other fixes:
575
576* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
577* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
578  - applied patch by shenpeng11@huawei.com with minor adjustments
579* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
580* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
581* [Bug 2892] Several test cases assume IPv6 capabilities even when
582             IPv6 is disabled in the build. perlinger@ntp.org
583  - Found this already fixed, but validation led to cleanup actions.
584* [Bug 2905] DNS lookups broken. perlinger@ntp.org
585  - added limits to stack consumption, fixed some return code handling
586* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
587  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
588  - make CTRL-C work for retrieval and printing od MRU list. perlinger@ntp.org
589* [Bug 2980] reduce number of warnings. perlinger@ntp.org
590  - integrated several patches from Havard Eidnes (he@uninett.no)
591* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
592  - implement 'auth_log2()' using integer bithack instead of float calculation
593* Make leapsec_query debug messages less verbose.  Harlan Stenn.
594
595---
596NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
597
598Focus: Security, Bug fixes, enhancements.
599
600Severity: MEDIUM
601
602In addition to bug fixes and enhancements, this release fixes the
603following medium-severity vulnerability:
604
605* Small-step/big-step.  Close the panic gate earlier.
606    References: Sec 2956, CVE-2015-5300
607    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
608	4.3.0 up to, but not including 4.3.78
609    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
610    Summary: If ntpd is always started with the -g option, which is
611	common and against long-standing recommendation, and if at the
612	moment ntpd is restarted an attacker can immediately respond to
613	enough requests from enough sources trusted by the target, which
614	is difficult and not common, there is a window of opportunity
615	where the attacker can cause ntpd to set the time to an
616	arbitrary value. Similarly, if an attacker is able to respond
617	to enough requests from enough sources trusted by the target,
618	the attacker can cause ntpd to abort and restart, at which
619	point it can tell the target to set the time to an arbitrary
620	value if and only if ntpd was re-started against long-standing
621	recommendation with the -g flag, or if ntpd was not given the
622	-g flag, the attacker can move the target system's time by at
623	most 900 seconds' time per attack.
624    Mitigation:
625	Configure ntpd to get time from multiple sources.
626	Upgrade to 4.2.8p5, or later, from the NTP Project Download
627	    Page or the NTP Public Services Project Download Page
628	As we've long documented, only use the -g option to ntpd in
629	    cold-start situations.
630	Monitor your ntpd instances.
631    Credit: This weakness was discovered by Aanchal Malhotra,
632	Isaac E. Cohen, and Sharon Goldberg at Boston University.
633
634    NOTE WELL: The -g flag disables the limit check on the panic_gate
635	in ntpd, which is 900 seconds by default. The bug identified by
636	the researchers at Boston University is that the panic_gate
637	check was only re-enabled after the first change to the system
638	clock that was greater than 128 milliseconds, by default. The
639	correct behavior is that the panic_gate check should be
640	re-enabled after any initial time correction.
641
642	If an attacker is able to inject consistent but erroneous time
643	responses to your systems via the network or "over the air",
644	perhaps by spoofing radio, cellphone, or navigation satellite
645	transmissions, they are in a great position to affect your
646	system's clock. There comes a point where your very best
647	defenses include:
648
649	    Configure ntpd to get time from multiple sources.
650	    Monitor your ntpd instances.
651
652Other fixes:
653
654* Coverity submission process updated from Coverity 5 to Coverity 7.
655  The NTP codebase has been undergoing regular Coverity scans on an
656  ongoing basis since 2006.  As part of our recent upgrade from
657  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
658  the newly-written Unity test programs.  These were fixed.
659* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
660* [Bug 2887] stratum -1 config results as showing value 99
661  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
662* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
663* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
664* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
665  - applied patch by Christos Zoulas.  perlinger@ntp.org
666* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
667* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
668  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
669  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
670* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
671  - accept key file only if there are no parsing errors
672  - fixed size_t/u_int format clash
673  - fixed wrong use of 'strlcpy'
674* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
675* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
676  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
677  - promote use of 'size_t' for values that express a size
678  - use ptr-to-const for read-only arguments
679  - make sure SOCKET values are not truncated (win32-specific)
680  - format string fixes
681* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
682* [Bug 2967] ntpdate command suffers an assertion failure
683  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
684* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
685              lots of clients. perlinger@ntp.org
686* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
687  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
688* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
689* Unity test cleanup.  Harlan Stenn.
690* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
691* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
692* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
693* Quiet a warning from clang.  Harlan Stenn.
694
695---
696NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
697
698Focus: Security, Bug fixes, enhancements.
699
700Severity: MEDIUM
701
702In addition to bug fixes and enhancements, this release fixes the
703following 13 low- and medium-severity vulnerabilities:
704
705* Incomplete vallen (value length) checks in ntp_crypto.c, leading
706  to potential crashes or potential code injection/information leakage.
707
708    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
709    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
710    	and 4.3.0 up to, but not including 4.3.77
711    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
712    Summary: The fix for CVE-2014-9750 was incomplete in that there were
713    	certain code paths where a packet with particular autokey operations
714	that contained malicious data was not always being completely
715	validated. Receipt of these packets can cause ntpd to crash.
716    Mitigation:
717        Don't use autokey.
718	Upgrade to 4.2.8p4, or later, from the NTP Project Download
719	    Page or the NTP Public Services Project Download Page
720	Monitor your ntpd instances.
721	Credit: This weakness was discovered by Tenable Network Security.
722
723* Clients that receive a KoD should validate the origin timestamp field.
724
725    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
726    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
727	and 4.3.0 up to, but not including 4.3.77
728    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
729    Summary: An ntpd client that honors Kiss-of-Death responses will honor
730    	KoD messages that have been forged by an attacker, causing it to
731	delay or stop querying its servers for time updates. Also, an
732	attacker can forge packets that claim to be from the target and
733	send them to servers often enough that a server that implements
734	KoD rate limiting will send the target machine a KoD response to
735	attempt to reduce the rate of incoming packets, or it may also
736	trigger a firewall block at the server for packets from the target
737	machine. For either of these attacks to succeed, the attacker must
738	know what servers the target is communicating with. An attacker
739	can be anywhere on the Internet and can frequently learn the
740	identity of the target's time source by sending the target a
741	time query.
742    Mitigation:
743        Implement BCP-38.
744	Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
745	    or the NTP Public Services Project Download Page
746	If you can't upgrade, restrict who can query ntpd to learn who
747	    its servers are, and what IPs are allowed to ask your system
748	    for the time. This mitigation is heavy-handed.
749	Monitor your ntpd instances.
750    Note:
751    	4.2.8p4 protects against the first attack. For the second attack,
752    	all we can do is warn when it is happening, which we do in 4.2.8p4.
753    Credit: This weakness was discovered by Aanchal Malhotra,
754    	Issac E. Cohen, and Sharon Goldberg of Boston University.
755
756* configuration directives to change "pidfile" and "driftfile" should
757  only be allowed locally.
758
759  References: Sec 2902 / CVE-2015-5196
760  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
761	and 4.3.0 up to, but not including 4.3.77
762   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
763   Summary: If ntpd is configured to allow for remote configuration,
764	and if the (possibly spoofed) source IP address is allowed to
765	send remote configuration requests, and if the attacker knows
766	the remote configuration password, it's possible for an attacker
767	to use the "pidfile" or "driftfile" directives to potentially
768	overwrite other files.
769   Mitigation:
770	Implement BCP-38.
771	Upgrade to 4.2.8p4, or later, from the NTP Project Download
772	    Page or the NTP Public Services Project Download Page
773	If you cannot upgrade, don't enable remote configuration.
774	If you must enable remote configuration and cannot upgrade,
775	    remote configuration of NTF's ntpd requires:
776	    - an explicitly configured trustedkey, and you should also
777	    	configure a controlkey.
778	    - access from a permitted IP. You choose the IPs.
779	    - authentication. Don't disable it. Practice secure key safety.
780	Monitor your ntpd instances.
781   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
782
783* Slow memory leak in CRYPTO_ASSOC
784
785  References: Sec 2909 / CVE-2015-7701
786  Affects: All ntp-4 releases that use autokey up to, but not
787    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
788  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
789  	4.6 otherwise
790  Summary: If ntpd is configured to use autokey, then an attacker can
791	send packets to ntpd that will, after several days of ongoing
792	attack, cause it to run out of memory.
793  Mitigation:
794	Don't use autokey.
795	Upgrade to 4.2.8p4, or later, from the NTP Project Download
796	    Page or the NTP Public Services Project Download Page
797	Monitor your ntpd instances.
798  Credit: This weakness was discovered by Tenable Network Security.
799
800* mode 7 loop counter underrun
801
802  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
803  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
804  	and 4.3.0 up to, but not including 4.3.77
805  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
806  Summary: If ntpd is configured to enable mode 7 packets, and if the
807	use of mode 7 packets is not properly protected thru the use of
808	the available mode 7 authentication and restriction mechanisms,
809	and if the (possibly spoofed) source IP address is allowed to
810	send mode 7 queries, then an attacker can send a crafted packet
811	to ntpd that will cause it to crash.
812  Mitigation:
813	Implement BCP-38.
814	Upgrade to 4.2.8p4, or later, from the NTP Project Download
815	    Page or the NTP Public Services Project Download Page.
816	      If you are unable to upgrade:
817	In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
818	If you must enable mode 7:
819	    configure the use of a requestkey to control who can issue
820		mode 7 requests.
821	    configure restrict noquery to further limit mode 7 requests
822		to trusted sources.
823	Monitor your ntpd instances.
824Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
825
826* memory corruption in password store
827
828  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
829  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
830  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
831  Summary: If ntpd is configured to allow remote configuration, and if
832	the (possibly spoofed) source IP address is allowed to send
833	remote configuration requests, and if the attacker knows the
834	remote configuration password or if ntpd was configured to
835	disable authentication, then an attacker can send a set of
836	packets to ntpd that may cause a crash or theoretically
837	perform a code injection attack.
838  Mitigation:
839	Implement BCP-38.
840	Upgrade to 4.2.8p4, or later, from the NTP Project Download
841	    Page or the NTP Public Services Project Download Page.
842	If you are unable to upgrade, remote configuration of NTF's
843	    ntpd requires:
844		an explicitly configured "trusted" key. Only configure
845			this if you need it.
846		access from a permitted IP address. You choose the IPs.
847		authentication. Don't disable it. Practice secure key safety.
848	Monitor your ntpd instances.
849  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
850
851* Infinite loop if extended logging enabled and the logfile and
852  keyfile are the same.
853
854    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
855    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
856	and 4.3.0 up to, but not including 4.3.77
857    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
858    Summary: If ntpd is configured to allow remote configuration, and if
859	the (possibly spoofed) source IP address is allowed to send
860	remote configuration requests, and if the attacker knows the
861	remote configuration password or if ntpd was configured to
862	disable authentication, then an attacker can send a set of
863	packets to ntpd that will cause it to crash and/or create a
864	potentially huge log file. Specifically, the attacker could
865	enable extended logging, point the key file at the log file,
866	and cause what amounts to an infinite loop.
867    Mitigation:
868	Implement BCP-38.
869	Upgrade to 4.2.8p4, or later, from the NTP Project Download
870	    Page or the NTP Public Services Project Download Page.
871	If you are unable to upgrade, remote configuration of NTF's ntpd
872	  requires:
873            an explicitly configured "trusted" key. Only configure this
874	    	if you need it.
875            access from a permitted IP address. You choose the IPs.
876            authentication. Don't disable it. Practice secure key safety.
877        Monitor your ntpd instances.
878    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
879
880* Potential path traversal vulnerability in the config file saving of
881  ntpd on VMS.
882
883  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
884  Affects: All ntp-4 releases running under VMS up to, but not
885	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
886  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
887  Summary: If ntpd is configured to allow remote configuration, and if
888	the (possibly spoofed) IP address is allowed to send remote
889	configuration requests, and if the attacker knows the remote
890	configuration password or if ntpd was configured to disable
891	authentication, then an attacker can send a set of packets to
892	ntpd that may cause ntpd to overwrite files.
893  Mitigation:
894	Implement BCP-38.
895	Upgrade to 4.2.8p4, or later, from the NTP Project Download
896	    Page or the NTP Public Services Project Download Page.
897	If you are unable to upgrade, remote configuration of NTF's ntpd
898	    requires:
899		an explicitly configured "trusted" key. Only configure
900			this if you need it.
901		access from permitted IP addresses. You choose the IPs.
902		authentication. Don't disable it. Practice key security safety.
903        Monitor your ntpd instances.
904    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
905
906* ntpq atoascii() potential memory corruption
907
908  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
909  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
910	and 4.3.0 up to, but not including 4.3.77
911  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
912  Summary: If an attacker can figure out the precise moment that ntpq
913	is listening for data and the port number it is listening on or
914	if the attacker can provide a malicious instance ntpd that
915	victims will connect to then an attacker can send a set of
916	crafted mode 6 response packets that, if received by ntpq,
917	can cause ntpq to crash.
918  Mitigation:
919	Implement BCP-38.
920	Upgrade to 4.2.8p4, or later, from the NTP Project Download
921	    Page or the NTP Public Services Project Download Page.
922	If you are unable to upgrade and you run ntpq against a server
923	    and ntpq crashes, try again using raw mode. Build or get a
924	    patched ntpq and see if that fixes the problem. Report new
925	    bugs in ntpq or abusive servers appropriately.
926	If you use ntpq in scripts, make sure ntpq does what you expect
927	    in your scripts.
928  Credit: This weakness was discovered by Yves Younan and
929  	Aleksander Nikolich of Cisco Talos.
930
931* Invalid length data provided by a custom refclock driver could cause
932  a buffer overflow.
933
934  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
935  Affects: Potentially all ntp-4 releases running up to, but not
936	including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
937	that have custom refclocks
938  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
939	5.9 unusual worst case
940  Summary: A negative value for the datalen parameter will overflow a
941	data buffer. NTF's ntpd driver implementations always set this
942	value to 0 and are therefore not vulnerable to this weakness.
943	If you are running a custom refclock driver in ntpd and that
944	driver supplies a negative value for datalen (no custom driver
945	of even minimal competence would do this) then ntpd would
946	overflow a data buffer. It is even hypothetically possible
947	in this case that instead of simply crashing ntpd the attacker
948	could effect a code injection attack.
949  Mitigation:
950	Upgrade to 4.2.8p4, or later, from the NTP Project Download
951	    Page or the NTP Public Services Project Download Page.
952	If you are unable to upgrade:
953		If you are running custom refclock drivers, make sure
954			the signed datalen value is either zero or positive.
955	Monitor your ntpd instances.
956  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
957
958* Password Length Memory Corruption Vulnerability
959
960  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
961  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
962  	4.3.0 up to, but not including 4.3.77
963  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
964  	1.7 usual case, 6.8, worst case
965  Summary: If ntpd is configured to allow remote configuration, and if
966	the (possibly spoofed) source IP address is allowed to send
967	remote configuration requests, and if the attacker knows the
968	remote configuration password or if ntpd was (foolishly)
969	configured to disable authentication, then an attacker can
970	send a set of packets to ntpd that may cause it to crash,
971	with the hypothetical possibility of a small code injection.
972  Mitigation:
973	Implement BCP-38.
974	Upgrade to 4.2.8p4, or later, from the NTP Project Download
975	    Page or the NTP Public Services Project Download Page.
976	If you are unable to upgrade, remote configuration of NTF's
977	    ntpd requires:
978		an explicitly configured "trusted" key. Only configure
979			this if you need it.
980		access from a permitted IP address. You choose the IPs.
981		authentication. Don't disable it. Practice secure key safety.
982	Monitor your ntpd instances.
983  Credit: This weakness was discovered by Yves Younan and
984  	Aleksander Nikolich of Cisco Talos.
985
986* decodenetnum() will ASSERT botch instead of returning FAIL on some
987  bogus values.
988
989  References: Sec 2922 / CVE-2015-7855
990  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
991	4.3.0 up to, but not including 4.3.77
992  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
993  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
994	an unusually long data value where a network address is expected,
995	the decodenetnum() function will abort with an assertion failure
996	instead of simply returning a failure condition.
997  Mitigation:
998	Implement BCP-38.
999	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1000	    Page or the NTP Public Services Project Download Page.
1001	If you are unable to upgrade:
1002		mode 7 is disabled by default. Don't enable it.
1003		Use restrict noquery to limit who can send mode 6
1004			and mode 7 requests.
1005		Configure and use the controlkey and requestkey
1006			authentication directives to limit who can
1007			send mode 6 and mode 7 requests.
1008	Monitor your ntpd instances.
1009  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
1010
1011* NAK to the Future: Symmetric association authentication bypass via
1012  crypto-NAK.
1013
1014  References: Sec 2941 / CVE-2015-7871
1015  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
1016  	4.2.8p4, and 4.3.0 up to but not including 4.3.77
1017  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
1018  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
1019	from unauthenticated ephemeral symmetric peers by bypassing the
1020	authentication required to mobilize peer associations. This
1021	vulnerability appears to have been introduced in ntp-4.2.5p186
1022	when the code handling mobilization of new passive symmetric
1023	associations (lines 1103-1165) was refactored.
1024  Mitigation:
1025	Implement BCP-38.
1026	Upgrade to 4.2.8p4, or later, from the NTP Project Download
1027	    Page or the NTP Public Services Project Download Page.
1028	If you are unable to upgrade:
1029		Apply the patch to the bottom of the "authentic" check
1030			block around line 1136 of ntp_proto.c.
1031	Monitor your ntpd instances.
1032  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
1033
1034Backward-Incompatible changes:
1035* [Bug 2817] Default on Linux is now "rlimit memlock -1".
1036  While the general default of 32M is still the case, under Linux
1037  the default value has been changed to -1 (do not lock ntpd into
1038  memory).  A value of 0 means "lock ntpd into memory with whatever
1039  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
1040  value in it, that value will continue to be used.
1041
1042* [Bug 2886] Misspelling: "outlyer" should be "outlier".
1043  If you've written a script that looks for this case in, say, the
1044  output of ntpq, you probably want to change your regex matches
1045  from 'outlyer' to 'outl[iy]er'.
1046
1047New features in this release:
1048* 'rlimit memlock' now has finer-grained control.  A value of -1 means
1049  "don't lock ntpd into memore".  This is the default for Linux boxes.
1050  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
1051  the value is the number of megabytes of memory to lock.  The default
1052  is 32 megabytes.
1053
1054* The old Google Test framework has been replaced with a new framework,
1055  based on http://www.throwtheswitch.org/unity/ .
1056
1057Bug Fixes and Improvements:
1058* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
1059  privileges and limiting resources in NTPD removes the need to link
1060  forcefully against 'libgcc_s' which does not always work. J.Perlinger
1061* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
1062* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
1063* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
1064* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
1065* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
1066* [Bug 2849] Systems with more than one default route may never
1067  synchronize.  Brian Utterback.  Note that this patch might need to
1068  be reverted once Bug 2043 has been fixed.
1069* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
1070* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
1071* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
1072* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
1073* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
1074* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
1075  be configured for the distribution targets.  Harlan Stenn.
1076* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
1077* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
1078* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
1079* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
1080* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
1081* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
1082* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
1083* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
1084* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
1085* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
1086* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
1087* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
1088* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
1089* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
1090* sntp/tests/ function parameter list cleanup.  Damir Tomić.
1091* tests/libntp/ function parameter list cleanup.  Damir Tomić.
1092* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
1093* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
1094* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
1095* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
1096* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
1097* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1098  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
1099  formatting; first declaration, then code (C90); deleted unnecessary comments;
1100  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
1101* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
1102  fix formatting, cleanup. Tomasz Flendrich
1103* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
1104  Tomasz Flendrich
1105* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
1106  fix formatting. Tomasz Flendrich
1107* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
1108* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
1109* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
1110  Tomasz Flendrich
1111* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
1112* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
1113* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
1114* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
1115* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
1116* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
1117* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
1118fixed formatting. Tomasz Flendrich
1119* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
1120  removed unnecessary comments, cleanup. Tomasz Flendrich
1121* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
1122  comments, cleanup. Tomasz Flendrich
1123* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
1124  Tomasz Flendrich
1125* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
1126* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
1127* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
1128  Tomasz Flendrich
1129* sntp/tests/kodDatabase.c added consts, deleted empty function,
1130  fixed formatting. Tomasz Flendrich
1131* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
1132* sntp/tests/packetHandling.c is now using proper Unity's assertions,
1133  fixed formatting, deleted unused variable. Tomasz Flendrich
1134* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
1135  Tomasz Flendrich
1136* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
1137  fixed formatting. Tomasz Flendrich
1138* sntp/tests/utilities.c is now using proper Unity's assertions, changed
1139  the order of includes, fixed formatting, removed unnecessary comments.
1140  Tomasz Flendrich
1141* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
1142* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
1143  made one function do its job, deleted unnecessary prints, fixed formatting.
1144  Tomasz Flendrich
1145* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
1146* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
1147* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
1148* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
1149* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
1150* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
1151* Don't build sntp/libevent/sample/.  Harlan Stenn.
1152* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
1153* br-flock: --enable-local-libevent.  Harlan Stenn.
1154* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
1155* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
1156* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
1157* Code cleanup.  Harlan Stenn.
1158* libntp/icom.c: Typo fix.  Harlan Stenn.
1159* util/ntptime.c: initialization nit.  Harlan Stenn.
1160* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
1161* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
1162* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
1163  Tomasz Flendrich
1164* Changed progname to be const in many files - now it's consistent. Tomasz
1165  Flendrich
1166* Typo fix for GCC warning suppression.  Harlan Stenn.
1167* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
1168* Added declarations to all Unity tests, and did minor fixes to them.
1169  Reduced the number of warnings by half. Damir Tomić.
1170* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
1171  with the latest Unity updates from Mark. Damir Tomić.
1172* Retire google test - phase I.  Harlan Stenn.
1173* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
1174* Update the NEWS file.  Harlan Stenn.
1175* Autoconf cleanup.  Harlan Stenn.
1176* Unit test dist cleanup. Harlan Stenn.
1177* Cleanup various test Makefile.am files.  Harlan Stenn.
1178* Pthread autoconf macro cleanup.  Harlan Stenn.
1179* Fix progname definition in unity runner scripts.  Harlan Stenn.
1180* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
1181* Update the patch for bug 2817.  Harlan Stenn.
1182* More updates for bug 2817.  Harlan Stenn.
1183* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
1184* gcc on older HPUX may need +allowdups.  Harlan Stenn.
1185* Adding missing MCAST protection.  Harlan Stenn.
1186* Disable certain test programs on certain platforms.  Harlan Stenn.
1187* Implement --enable-problem-tests (on by default).  Harlan Stenn.
1188* build system tweaks.  Harlan Stenn.
1189
1190---
1191NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
1192
1193Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
1194
1195Severity: MEDIUM
1196
1197Security Fix:
1198
1199* [Sec 2853] Crafted remote config packet can crash some versions of
1200  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
1201
1202Under specific circumstances an attacker can send a crafted packet to
1203cause a vulnerable ntpd instance to crash. This requires each of the
1204following to be true:
1205
12061) ntpd set up to allow remote configuration (not allowed by default), and
12072) knowledge of the configuration password, and
12083) access to a computer entrusted to perform remote configuration.
1209
1210This vulnerability is considered low-risk.
1211
1212New features in this release:
1213
1214Optional (disabled by default) support to have ntpd provide smeared
1215leap second time.  A specially built and configured ntpd will only
1216offer smeared time in response to client packets.  These response
1217packets will also contain a "refid" of 254.a.b.c, where the 24 bits
1218of a, b, and c encode the amount of smear in a 2:22 integer:fraction
1219format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
1220information.
1221
1222   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
1223   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
1224
1225We've imported the Unity test framework, and have begun converting
1226the existing google-test items to this new framework.  If you want
1227to write new tests or change old ones, you'll need to have ruby
1228installed.  You don't need ruby to run the test suite.
1229
1230Bug Fixes and Improvements:
1231
1232* CID 739725: Fix a rare resource leak in libevent/listener.c.
1233* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
1234* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
1235* CID 1269537: Clean up a line of dead code in getShmTime().
1236* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
1237* [Bug 2590] autogen-5.18.5.
1238* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
1239  of 'limited'.
1240* [Bug 2650] fix includefile processing.
1241* [Bug 2745] ntpd -x steps clock on leap second
1242   Fixed an initial-value problem that caused misbehaviour in absence of
1243   any leapsecond information.
1244   Do leap second stepping only of the step adjustment is beyond the
1245   proper jump distance limit and step correction is allowed at all.
1246* [Bug 2750] build for Win64
1247  Building for 32bit of loopback ppsapi needs def file
1248* [Bug 2776] Improve ntpq's 'help keytype'.
1249* [Bug 2778] Implement "apeers"  ntpq command to include associd.
1250* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
1251* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
1252  interface is ignored as long as this flag is not set since the
1253  interface is not usable (e.g., no link).
1254* [Bug 2794] Clean up kernel clock status reports.
1255* [Bug 2800] refclock_true.c true_debug() can't open debug log because
1256  of incompatible open/fdopen parameters.
1257* [Bug 2804] install-local-data assumes GNU 'find' semantics.
1258* [Bug 2805] ntpd fails to join multicast group.
1259* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
1260* [Bug 2808] GPSD_JSON driver enhancements, step 1.
1261  Fix crash during cleanup if GPS device not present and char device.
1262  Increase internal token buffer to parse all JSON data, even SKY.
1263  Defer logging of errors during driver init until the first unit is
1264  started, so the syslog is not cluttered when the driver is not used.
1265  Various improvements, see http://bugs.ntp.org/2808 for details.
1266  Changed libjsmn to a more recent version.
1267* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
1268* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
1269* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
1270* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
1271* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
1272* [Bug 2824] Convert update-leap to perl. (also see 2769)
1273* [Bug 2825] Quiet file installation in html/ .
1274* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
1275   NTPD transfers the current TAI (instead of an announcement) now.
1276   This might still needed improvement.
1277   Update autokey data ASAP when 'sys_tai' changes.
1278   Fix unit test that was broken by changes for autokey update.
1279   Avoid potential signature length issue and use DPRINTF where possible
1280     in ntp_crypto.c.
1281* [Bug 2832] refclock_jjy.c supports the TDC-300.
1282* [Bug 2834] Correct a broken html tag in html/refclock.html
1283* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
1284  robust, and require 2 consecutive timestamps to be consistent.
1285* [Bug 2837] Allow a configurable DSCP value.
1286* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
1287* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
1288* [Bug 2842] Bug in mdoc2man.
1289* [Bug 2843] make check fails on 4.3.36
1290   Fixed compiler warnings about numeric range overflow
1291   (The original topic was fixed in a byplay to bug#2830)
1292* [Bug 2845] Harden memory allocation in ntpd.
1293* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
1294* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
1295* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
1296* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
1297* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
1298* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
1299* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
1300* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
1301* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
1302* html/drivers/driver22.html: typo fix.  Harlan Stenn.
1303* refidsmear test cleanup.  Tomasz Flendrich.
1304* refidsmear function support and tests.  Harlan Stenn.
1305* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
1306  something that was only in the 4.2.6 sntp.  Harlan Stenn.
1307* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
1308  Damir Tomić
1309* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
1310  Damir Tomić
1311* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
1312  Damir Tomić
1313* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
1314* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
1315* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
1316  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
1317  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
1318  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
1319  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
1320  Damir Tomić
1321* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
1322  networking.c, keyFile.c, utilities.cpp, sntptest.h,
1323  fileHandlingTest.h. Damir Tomić
1324* Initial support for experimental leap smear code.  Harlan Stenn.
1325* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
1326* Report select() debug messages at debug level 3 now.
1327* sntp/scripts/genLocInfo: treat raspbian as debian.
1328* Unity test framework fixes.
1329  ** Requires ruby for changes to tests.
1330* Initial support for PACKAGE_VERSION tests.
1331* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
1332* tests/bug-2803/Makefile.am must distribute bug-2803.h.
1333* Add an assert to the ntpq ifstats code.
1334* Clean up the RLIMIT_STACK code.
1335* Improve the ntpq documentation around the controlkey keyid.
1336* ntpq.c cleanup.
1337* Windows port build cleanup.
1338
1339---
1340NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
1341
1342Focus: Security and Bug fixes, enhancements.
1343
1344Severity: MEDIUM
1345
1346In addition to bug fixes and enhancements, this release fixes the
1347following medium-severity vulnerabilities involving private key
1348authentication:
1349
1350* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1351
1352    References: Sec 2779 / CVE-2015-1798 / VU#374268
1353    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
1354	including ntp-4.2.8p2 where the installation uses symmetric keys
1355	to authenticate remote associations.
1356    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1357    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1358    Summary: When ntpd is configured to use a symmetric key to authenticate
1359	a remote NTP server/peer, it checks if the NTP message
1360	authentication code (MAC) in received packets is valid, but not if
1361	there actually is any MAC included. Packets without a MAC are
1362	accepted as if they had a valid MAC. This allows a MITM attacker to
1363	send false packets that are accepted by the client/peer without
1364	having to know the symmetric key. The attacker needs to know the
1365	transmit timestamp of the client to match it in the forged reply
1366	and the false reply needs to reach the client before the genuine
1367	reply from the server. The attacker doesn't necessarily need to be
1368	relaying the packets between the client and the server.
1369
1370	Authentication using autokey doesn't have this problem as there is
1371	a check that requires the key ID to be larger than NTP_MAXKEY,
1372	which fails for packets without a MAC.
1373    Mitigation:
1374        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1375	or the NTP Public Services Project Download Page
1376        Configure ntpd with enough time sources and monitor it properly.
1377    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1378
1379* [Sec 2781] Authentication doesn't protect symmetric associations against
1380  DoS attacks.
1381
1382    References: Sec 2781 / CVE-2015-1799 / VU#374268
1383    Affects: All NTP releases starting with at least xntp3.3wy up to but
1384	not including ntp-4.2.8p2 where the installation uses symmetric
1385	key authentication.
1386    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
1387    Note: the CVSS base Score for this issue could be 4.3 or lower, and
1388	it could be higher than 5.4.
1389    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
1390    Summary: An attacker knowing that NTP hosts A and B are peering with
1391	each other (symmetric association) can send a packet to host A
1392	with source address of B which will set the NTP state variables
1393	on A to the values sent by the attacker. Host A will then send
1394	on its next poll to B a packet with originate timestamp that
1395	doesn't match the transmit timestamp of B and the packet will
1396	be dropped. If the attacker does this periodically for both
1397	hosts, they won't be able to synchronize to each other. This is
1398	a known denial-of-service attack, described at
1399	https://www.eecis.udel.edu/~mills/onwire.html .
1400
1401	According to the document the NTP authentication is supposed to
1402	protect symmetric associations against this attack, but that
1403	doesn't seem to be the case. The state variables are updated even
1404	when authentication fails and the peers are sending packets with
1405	originate timestamps that don't match the transmit timestamps on
1406	the receiving side.
1407
1408	This seems to be a very old problem, dating back to at least
1409	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
1410	specifications, so other NTP implementations with support for
1411	symmetric associations and authentication may be vulnerable too.
1412	An update to the NTP RFC to correct this error is in-process.
1413    Mitigation:
1414        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
1415	or the NTP Public Services Project Download Page
1416        Note that for users of autokey, this specific style of MITM attack
1417	is simply a long-known potential problem.
1418        Configure ntpd with appropriate time sources and monitor ntpd.
1419	Alert your staff if problems are detected.
1420    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
1421
1422* New script: update-leap
1423The update-leap script will verify and if necessary, update the
1424leap-second definition file.
1425It requires the following commands in order to work:
1426
1427	wget logger tr sed shasum
1428
1429Some may choose to run this from cron.  It needs more portability testing.
1430
1431Bug Fixes and Improvements:
1432
1433* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
1434* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
1435* [Bug 2346] "graceful termination" signals do not do peer cleanup.
1436* [Bug 2728] See if C99-style structure initialization works.
1437* [Bug 2747] Upgrade libevent to 2.1.5-beta.
1438* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
1439* [Bug 2751] jitter.h has stale copies of l_fp macros.
1440* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
1441* [Bug 2757] Quiet compiler warnings.
1442* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
1443* [Bug 2763] Allow different thresholds for forward and backward steps.
1444* [Bug 2766] ntp-keygen output files should not be world-readable.
1445* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
1446* [Bug 2771] nonvolatile value is documented in wrong units.
1447* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
1448* [Bug 2774] Unreasonably verbose printout - leap pending/warning
1449* [Bug 2775] ntp-keygen.c fails to compile under Windows.
1450* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
1451  Removed non-ASCII characters from some copyright comments.
1452  Removed trailing whitespace.
1453  Updated definitions for Meinberg clocks from current Meinberg header files.
1454  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
1455  Account for updated definitions pulled from Meinberg header files.
1456  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
1457  Replaced some constant numbers by defines from ntp_calendar.h
1458  Modified creation of parse-specific variables for Meinberg devices
1459  in gps16x_message().
1460  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
1461  Modified mbg_tm_str() which now expexts an additional parameter controlling
1462  if the time status shall be printed.
1463* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
1464* [Sec 2781] Authentication doesn't protect symmetric associations against
1465  DoS attacks.
1466* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
1467* [Bug 2789] Quiet compiler warnings from libevent.
1468* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
1469  pause briefly before measuring system clock precision to yield
1470  correct results.
1471* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
1472* Use predefined function types for parse driver functions
1473  used to set up function pointers.
1474  Account for changed prototype of parse_inp_fnc_t functions.
1475  Cast parse conversion results to appropriate types to avoid
1476  compiler warnings.
1477  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
1478  when called with pointers to different types.
1479
1480---
1481NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
1482
1483Focus: Security and Bug fixes, enhancements.
1484
1485Severity: HIGH
1486
1487In addition to bug fixes and enhancements, this release fixes the
1488following high-severity vulnerabilities:
1489
1490* vallen is not validated in several places in ntp_crypto.c, leading
1491  to a potential information leak or possibly a crash
1492
1493    References: Sec 2671 / CVE-2014-9297 / VU#852879
1494    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
1495    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1496    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
1497    Summary: The vallen packet value is not validated in several code
1498             paths in ntp_crypto.c which can lead to information leakage
1499	     or perhaps a crash of the ntpd process.
1500    Mitigation - any of:
1501	Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1502		or the NTP Public Services Project Download Page.
1503	Disable Autokey Authentication by removing, or commenting out,
1504		all configuration directives beginning with the "crypto"
1505		keyword in your ntp.conf file.
1506    Credit: This vulnerability was discovered by Stephen Roettger of the
1507    	Google Security Team, with additional cases found by Sebastian
1508	Krahmer of the SUSE Security Team and Harlan Stenn of Network
1509	Time Foundation.
1510
1511* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
1512  can be bypassed.
1513
1514    References: Sec 2672 / CVE-2014-9298 / VU#852879
1515    Affects: All NTP4 releases before 4.2.8p1, under at least some
1516	versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
1517    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
1518    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
1519    Summary: While available kernels will prevent 127.0.0.1 addresses
1520	from "appearing" on non-localhost IPv4 interfaces, some kernels
1521	do not offer the same protection for ::1 source addresses on
1522	IPv6 interfaces. Since NTP's access control is based on source
1523	address and localhost addresses generally have no restrictions,
1524	an attacker can send malicious control and configuration packets
1525	by spoofing ::1 addresses from the outside. Note Well: This is
1526	not really a bug in NTP, it's a problem with some OSes. If you
1527	have one of these OSes where ::1 can be spoofed, ALL ::1 -based
1528	ACL restrictions on any application can be bypassed!
1529    Mitigation:
1530        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
1531	or the NTP Public Services Project Download Page
1532        Install firewall rules to block packets claiming to come from
1533	::1 from inappropriate network interfaces.
1534    Credit: This vulnerability was discovered by Stephen Roettger of
1535	the Google Security Team.
1536
1537Additionally, over 30 bugfixes and improvements were made to the codebase.
1538See the ChangeLog for more information.
1539
1540---
1541NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
1542
1543Focus: Security and Bug fixes, enhancements.
1544
1545Severity: HIGH
1546
1547In addition to bug fixes and enhancements, this release fixes the
1548following high-severity vulnerabilities:
1549
1550************************** vv NOTE WELL vv *****************************
1551
1552The vulnerabilities listed below can be significantly mitigated by
1553following the BCP of putting
1554
1555 restrict default ... noquery
1556
1557in the ntp.conf file.  With the exception of:
1558
1559   receive(): missing return on error
1560   References: Sec 2670 / CVE-2014-9296 / VU#852879
1561
1562below (which is a limited-risk vulnerability), none of the recent
1563vulnerabilities listed below can be exploited if the source IP is
1564restricted from sending a 'query'-class packet by your ntp.conf file.
1565
1566************************** ^^ NOTE WELL ^^ *****************************
1567
1568* Weak default key in config_auth().
1569
1570  References: [Sec 2665] / CVE-2014-9293 / VU#852879
1571  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1572  Vulnerable Versions: all releases prior to 4.2.7p11
1573  Date Resolved: 28 Jan 2010
1574
1575  Summary: If no 'auth' key is set in the configuration file, ntpd
1576	would generate a random key on the fly.  There were two
1577	problems with this: 1) the generated key was 31 bits in size,
1578	and 2) it used the (now weak) ntp_random() function, which was
1579	seeded with a 32-bit value and could only provide 32 bits of
1580	entropy.  This was sufficient back in the late 1990s when the
1581	code was written.  Not today.
1582
1583  Mitigation - any of:
1584	- Upgrade to 4.2.7p11 or later.
1585	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1586
1587  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
1588  	of the Google Security Team.
1589
1590* Non-cryptographic random number generator with weak seed used by
1591  ntp-keygen to generate symmetric keys.
1592
1593  References: [Sec 2666] / CVE-2014-9294 / VU#852879
1594  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
1595  Vulnerable Versions: All NTP4 releases before 4.2.7p230
1596  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
1597
1598  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
1599  	prepare a random number generator that was of good quality back
1600	in the late 1990s. The random numbers produced was then used to
1601	generate symmetric keys. In ntp-4.2.8 we use a current-technology
1602	cryptographic random number generator, either RAND_bytes from
1603	OpenSSL, or arc4random().
1604
1605  Mitigation - any of:
1606  	- Upgrade to 4.2.7p230 or later.
1607	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1608
1609  Credit:  This vulnerability was discovered in ntp-4.2.6 by
1610  	Stephen Roettger of the Google Security Team.
1611
1612* Buffer overflow in crypto_recv()
1613
1614  References: Sec 2667 / CVE-2014-9295 / VU#852879
1615  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1616  Versions: All releases before 4.2.8
1617  Date Resolved: Stable (4.2.8) 18 Dec 2014
1618
1619  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
1620  	file contains a 'crypto pw ...' directive) a remote attacker
1621	can send a carefully crafted packet that can overflow a stack
1622	buffer and potentially allow malicious code to be executed
1623	with the privilege level of the ntpd process.
1624
1625  Mitigation - any of:
1626  	- Upgrade to 4.2.8, or later, or
1627	- Disable Autokey Authentication by removing, or commenting out,
1628	  all configuration directives beginning with the crypto keyword
1629	  in your ntp.conf file.
1630
1631  Credit: This vulnerability was discovered by Stephen Roettger of the
1632  	Google Security Team.
1633
1634* Buffer overflow in ctl_putdata()
1635
1636  References: Sec 2668 / CVE-2014-9295 / VU#852879
1637  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1638  Versions: All NTP4 releases before 4.2.8
1639  Date Resolved: Stable (4.2.8) 18 Dec 2014
1640
1641  Summary: A remote attacker can send a carefully crafted packet that
1642  	can overflow a stack buffer and potentially allow malicious
1643	code to be executed with the privilege level of the ntpd process.
1644
1645  Mitigation - any of:
1646  	- Upgrade to 4.2.8, or later.
1647	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1648
1649  Credit: This vulnerability was discovered by Stephen Roettger of the
1650  	Google Security Team.
1651
1652* Buffer overflow in configure()
1653
1654  References: Sec 2669 / CVE-2014-9295 / VU#852879
1655  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
1656  Versions: All NTP4 releases before 4.2.8
1657  Date Resolved: Stable (4.2.8) 18 Dec 2014
1658
1659  Summary: A remote attacker can send a carefully crafted packet that
1660	can overflow a stack buffer and potentially allow malicious
1661	code to be executed with the privilege level of the ntpd process.
1662
1663  Mitigation - any of:
1664  	- Upgrade to 4.2.8, or later.
1665	- Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
1666
1667  Credit: This vulnerability was discovered by Stephen Roettger of the
1668	Google Security Team.
1669
1670* receive(): missing return on error
1671
1672  References: Sec 2670 / CVE-2014-9296 / VU#852879
1673  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
1674  Versions: All NTP4 releases before 4.2.8
1675  Date Resolved: Stable (4.2.8) 18 Dec 2014
1676
1677  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
1678  	the code path where an error was detected, which meant
1679	processing did not stop when a specific rare error occurred.
1680	We haven't found a way for this bug to affect system integrity.
1681	If there is no way to affect system integrity the base CVSS
1682	score for this bug is 0. If there is one avenue through which
1683	system integrity can be partially affected, the base score
1684	becomes a 5. If system integrity can be partially affected
1685	via all three integrity metrics, the CVSS base score become 7.5.
1686
1687  Mitigation - any of:
1688        - Upgrade to 4.2.8, or later,
1689        - Remove or comment out all configuration directives
1690	  beginning with the crypto keyword in your ntp.conf file.
1691
1692  Credit: This vulnerability was discovered by Stephen Roettger of the
1693  	Google Security Team.
1694
1695See http://support.ntp.org/security for more information.
1696
1697New features / changes in this release:
1698
1699Important Changes
1700
1701* Internal NTP Era counters
1702
1703The internal counters that track the "era" (range of years) we are in
1704rolls over every 136 years'.  The current "era" started at the stroke of
1705midnight on 1 Jan 1900, and ends just before the stroke of midnight on
17061 Jan 2036.
1707In the past, we have used the "midpoint" of the  range to decide which
1708era we were in.  Given the longevity of some products, it became clear
1709that it would be more functional to "look back" less, and "look forward"
1710more.  We now compile a timestamp into the ntpd executable and when we
1711get a timestamp we us the "built-on" to tell us what era we are in.
1712This check "looks back" 10 years, and "looks forward" 126 years.
1713
1714* ntpdc responses disabled by default
1715
1716Dave Hart writes:
1717
1718For a long time, ntpq and its mostly text-based mode 6 (control)
1719protocol have been preferred over ntpdc and its mode 7 (private
1720request) protocol for runtime queries and configuration.  There has
1721been a goal of deprecating ntpdc, previously held back by numerous
1722capabilities exposed by ntpdc with no ntpq equivalent.  I have been
1723adding commands to ntpq to cover these cases, and I believe I've
1724covered them all, though I've not compared command-by-command
1725recently.
1726
1727As I've said previously, the binary mode 7 protocol involves a lot of
1728hand-rolled structure layout and byte-swapping code in both ntpd and
1729ntpdc which is hard to get right.  As ntpd grows and changes, the
1730changes are difficult to expose via ntpdc while maintaining forward
1731and backward compatibility between ntpdc and ntpd.  In contrast,
1732ntpq's text-based, label=value approach involves more code reuse and
1733allows compatible changes without extra work in most cases.
1734
1735Mode 7 has always been defined as vendor/implementation-specific while
1736mode 6 is described in RFC 1305 and intended to be open to interoperate
1737with other implementations.  There is an early draft of an updated
1738mode 6 description that likely will join the other NTPv4 RFCs
1739eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
1740
1741For these reasons, ntpd 4.2.7p230 by default disables processing of
1742ntpdc queries, reducing ntpd's attack surface and functionally
1743deprecating ntpdc.  If you are in the habit of using ntpdc for certain
1744operations, please try the ntpq equivalent.  If there's no equivalent,
1745please open a bug report at http://bugs.ntp.org./
1746
1747In addition to the above, over 1100 issues have been resolved between
1748the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
1749lists these.
1750
1751---
1752NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
1753
1754Focus: Bug fixes
1755
1756Severity: Medium
1757
1758This is a recommended upgrade.
1759
1760This release updates sys_rootdisp and sys_jitter calculations to match the
1761RFC specification, fixes a potential IPv6 address matching error for the
1762"nic" and "interface" configuration directives, suppresses the creation of
1763extraneous ephemeral associations for certain broadcastclient and
1764multicastclient configurations, cleans up some ntpq display issues, and
1765includes improvements to orphan mode, minor bugs fixes and code clean-ups.
1766
1767New features / changes in this release:
1768
1769ntpd
1770
1771 * Updated "nic" and "interface" IPv6 address handling to prevent
1772   mismatches with localhost [::1] and wildcard [::] which resulted from
1773   using the address/prefix format (e.g. fe80::/64)
1774 * Fix orphan mode stratum incorrectly counting to infinity
1775 * Orphan parent selection metric updated to includes missing ntohl()
1776 * Non-printable stratum 16 refid no longer sent to ntp
1777 * Duplicate ephemeral associations suppressed for broadcastclient and
1778   multicastclient without broadcastdelay
1779 * Exclude undetermined sys_refid from use in loopback TEST12
1780 * Exclude MODE_SERVER responses from KoD rate limiting
1781 * Include root delay in clock_update() sys_rootdisp calculations
1782 * get_systime() updated to exclude sys_residual offset (which only
1783   affected bits "below" sys_tick, the precision threshold)
1784 * sys.peer jitter weighting corrected in sys_jitter calculation
1785
1786ntpq
1787
1788 * -n option extended to include the billboard "server" column
1789 * IPv6 addresses in the local column truncated to prevent overruns
1790
1791---
1792NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
1793
1794Focus: Bug fixes and portability improvements
1795
1796Severity: Medium
1797
1798This is a recommended upgrade.
1799
1800This release includes build infrastructure updates, code
1801clean-ups, minor bug fixes, fixes for a number of minor
1802ref-clock issues, and documentation revisions.
1803
1804Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
1805
1806New features / changes in this release:
1807
1808Build system
1809
1810* Fix checking for struct rtattr
1811* Update config.guess and config.sub for AIX
1812* Upgrade required version of autogen and libopts for building
1813  from our source code repository
1814
1815ntpd
1816
1817* Back-ported several fixes for Coverity warnings from ntp-dev
1818* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
1819* Allow "logconfig =allall" configuration directive
1820* Bind tentative IPv6 addresses on Linux
1821* Correct WWVB/Spectracom driver to timestamp CR instead of LF
1822* Improved tally bit handling to prevent incorrect ntpq peer status reports
1823* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
1824  candidate list unless they are designated a "prefer peer"
1825* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
1826  selection during the 'tos orphanwait' period
1827* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
1828  drivers
1829* Improved support of the Parse Refclock trusttime flag in Meinberg mode
1830* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
1831* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
1832  clock slew on Microsoft Windows
1833* Code cleanup in libntpq
1834
1835ntpdc
1836
1837* Fix timerstats reporting
1838
1839ntpdate
1840
1841* Reduce time required to set clock
1842* Allow a timeout greater than 2 seconds
1843
1844sntp
1845
1846* Backward incompatible command-line option change:
1847  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
1848
1849Documentation
1850
1851* Update html2man. Fix some tags in the .html files
1852* Distribute ntp-wait.html
1853
1854---
1855NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
1856
1857Focus: Bug fixes and portability improvements
1858
1859Severity: Medium
1860
1861This is a recommended upgrade.
1862
1863This release includes build infrastructure updates, code
1864clean-ups, minor bug fixes, fixes for a number of minor
1865ref-clock issues, and documentation revisions.
1866
1867Portability improvements in this release affect AIX, Atari FreeMiNT,
1868FreeBSD4, Linux and Microsoft Windows.
1869
1870New features / changes in this release:
1871
1872Build system
1873* Use lsb_release to get information about Linux distributions.
1874* 'test' is in /usr/bin (instead of /bin) on some systems.
1875* Basic sanity checks for the ChangeLog file.
1876* Source certain build files with ./filename for systems without . in PATH.
1877* IRIX portability fix.
1878* Use a single copy of the "libopts" code.
1879* autogen/libopts upgrade.
1880* configure.ac m4 quoting cleanup.
1881
1882ntpd
1883* Do not bind to IN6_IFF_ANYCAST addresses.
1884* Log the reason for exiting under Windows.
1885* Multicast fixes for Windows.
1886* Interpolation fixes for Windows.
1887* IPv4 and IPv6 Multicast fixes.
1888* Manycast solicitation fixes and general repairs.
1889* JJY refclock cleanup.
1890* NMEA refclock improvements.
1891* Oncore debug message cleanup.
1892* Palisade refclock now builds under Linux.
1893* Give RAWDCF more baud rates.
1894* Support Truetime Satellite clocks under Windows.
1895* Support Arbiter 1093C Satellite clocks under Windows.
1896* Make sure that the "filegen" configuration command defaults to "enable".
1897* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
1898* Prohibit 'includefile' directive in remote configuration command.
1899* Fix 'nic' interface bindings.
1900* Fix the way we link with openssl if openssl is installed in the base
1901  system.
1902
1903ntp-keygen
1904* Fix -V coredump.
1905* OpenSSL version display cleanup.
1906
1907ntpdc
1908* Many counters should be treated as unsigned.
1909
1910ntpdate
1911* Do not ignore replies with equal receive and transmit timestamps.
1912
1913ntpq
1914* libntpq warning cleanup.
1915
1916ntpsnmpd
1917* Correct SNMP type for "precision" and "resolution".
1918* Update the MIB from the draft version to RFC-5907.
1919
1920sntp
1921* Display timezone offset when showing time for sntp in the local
1922  timezone.
1923* Pay proper attention to RATE KoD packets.
1924* Fix a miscalculation of the offset.
1925* Properly parse empty lines in the key file.
1926* Logging cleanup.
1927* Use tv_usec correctly in set_time().
1928* Documentation cleanup.
1929
1930---
1931NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
1932
1933Focus: Bug fixes and portability improvements
1934
1935Severity: Medium
1936
1937This is a recommended upgrade.
1938
1939This release includes build infrastructure updates, code
1940clean-ups, minor bug fixes, fixes for a number of minor
1941ref-clock issues, improved KOD handling, OpenSSL related
1942updates and documentation revisions.
1943
1944Portability improvements in this release affect Irix, Linux,
1945Mac OS, Microsoft Windows, OpenBSD and QNX6
1946
1947New features / changes in this release:
1948
1949ntpd
1950* Range syntax for the trustedkey configuration directive
1951* Unified IPv4 and IPv6 restrict lists
1952
1953ntpdate
1954* Rate limiting and KOD handling
1955
1956ntpsnmpd
1957* default connection to net-snmpd via a unix-domain socket
1958* command-line 'socket name' option
1959
1960ntpq / ntpdc
1961* support for the "passwd ..." syntax
1962* key-type specific password prompts
1963
1964sntp
1965* MD5 authentication of an ntpd
1966* Broadcast and crypto
1967* OpenSSL support
1968
1969---
1970NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
1971
1972Focus: Bug fixes, portability fixes, and documentation improvements
1973
1974Severity: Medium
1975
1976This is a recommended upgrade.
1977
1978---
1979NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1980
1981Focus: enhancements and bug fixes.
1982
1983---
1984NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
1985
1986Focus: Security Fixes
1987
1988Severity: HIGH
1989
1990This release fixes the following high-severity vulnerability:
1991
1992* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
1993
1994  See http://support.ntp.org/security for more information.
1995
1996  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
1997  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
1998  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
1999  request or a mode 7 error response from an address which is not listed
2000  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
2001  reply with a mode 7 error response (and log a message).  In this case:
2002
2003	* If an attacker spoofs the source address of ntpd host A in a
2004	  mode 7 response packet sent to ntpd host B, both A and B will
2005	  continuously send each other error responses, for as long as
2006	  those packets get through.
2007
2008	* If an attacker spoofs an address of ntpd host A in a mode 7
2009	  response packet sent to ntpd host A, A will respond to itself
2010	  endlessly, consuming CPU and logging excessively.
2011
2012  Credit for finding this vulnerability goes to Robin Park and Dmitri
2013  Vinokurov of Alcatel-Lucent.
2014
2015THIS IS A STRONGLY RECOMMENDED UPGRADE.
2016
2017---
2018ntpd now syncs to refclocks right away.
2019
2020Backward-Incompatible changes:
2021
2022ntpd no longer accepts '-v name' or '-V name' to define internal variables.
2023Use '--var name' or '--dvar name' instead. (Bug 817)
2024
2025---
2026NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
2027
2028Focus: Security and Bug Fixes
2029
2030Severity: HIGH
2031
2032This release fixes the following high-severity vulnerability:
2033
2034* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
2035
2036  See http://support.ntp.org/security for more information.
2037
2038  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
2039  line) then a carefully crafted packet sent to the machine will cause
2040  a buffer overflow and possible execution of injected code, running
2041  with the privileges of the ntpd process (often root).
2042
2043  Credit for finding this vulnerability goes to Chris Ries of CMU.
2044
2045This release fixes the following low-severity vulnerabilities:
2046
2047* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
2048  Credit for finding this vulnerability goes to Geoff Keating of Apple.
2049
2050* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
2051  Credit for finding this issue goes to Dave Hart.
2052
2053This release fixes a number of bugs and adds some improvements:
2054
2055* Improved logging
2056* Fix many compiler warnings
2057* Many fixes and improvements for Windows
2058* Adds support for AIX 6.1
2059* Resolves some issues under MacOS X and Solaris
2060
2061THIS IS A STRONGLY RECOMMENDED UPGRADE.
2062
2063---
2064NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
2065
2066Focus: Security Fix
2067
2068Severity: Low
2069
2070This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
2071the OpenSSL library relating to the incorrect checking of the return
2072value of EVP_VerifyFinal function.
2073
2074Credit for finding this issue goes to the Google Security Team for
2075finding the original issue with OpenSSL, and to ocert.org for finding
2076the problem in NTP and telling us about it.
2077
2078This is a recommended upgrade.
2079---
2080NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
2081
2082Focus: Minor Bugfixes
2083
2084This release fixes a number of Windows-specific ntpd bugs and
2085platform-independent ntpdate bugs. A logging bugfix has been applied
2086to the ONCORE driver.
2087
2088The "dynamic" keyword and is now obsolete and deferred binding to local
2089interfaces is the new default. The minimum time restriction for the
2090interface update interval has been dropped.
2091
2092A number of minor build system and documentation fixes are included.
2093
2094This is a recommended upgrade for Windows.
2095
2096---
2097NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
2098
2099Focus: Minor Bugfixes
2100
2101This release updates certain copyright information, fixes several display
2102bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
2103shutdown in the parse refclock driver, removes some lint from the code,
2104stops accessing certain buffers immediately after they were freed, fixes
2105a problem with non-command-line specification of -6, and allows the loopback
2106interface to share addresses with other interfaces.
2107
2108---
2109NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
2110
2111Focus: Minor Bugfixes
2112
2113This release fixes a bug in Windows that made it difficult to
2114terminate ntpd under windows.
2115This is a recommended upgrade for Windows.
2116
2117---
2118NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
2119
2120Focus: Minor Bugfixes
2121
2122This release fixes a multicast mode authentication problem,
2123an error in NTP packet handling on Windows that could lead to
2124ntpd crashing, and several other minor bugs. Handling of
2125multicast interfaces and logging configuration were improved.
2126The required versions of autogen and libopts were incremented.
2127This is a recommended upgrade for Windows and multicast users.
2128
2129---
2130NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
2131
2132Focus: enhancements and bug fixes.
2133
2134Dynamic interface rescanning was added to simplify the use of ntpd in
2135conjunction with DHCP. GNU AutoGen is used for its command-line options
2136processing. Separate PPS devices are supported for PARSE refclocks, MD5
2137signatures are now provided for the release files. Drivers have been
2138added for some new ref-clocks and have been removed for some older
2139ref-clocks. This release also includes other improvements, documentation
2140and bug fixes.
2141
2142K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
2143C support.
2144
2145---
2146NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
2147
2148Focus: enhancements and bug fixes.
2149