-
Notifications
You must be signed in to change notification settings - Fork 53
/
NEWS
1808 lines (1539 loc) · 79.7 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
---
NTP 4.2.8p6
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following X low- and Y medium-severity vulnerabilities:
* Potential Infinite Loop in 'ntpq'
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2548 / CVE-2015-8158
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
The loop's only stopping conditions are receiving a complete and
correct response or hitting a small number of error conditions.
If the packet contains incorrect values that don't trigger one of
the error conditions, the loop continues to receive new packets.
Note well, this is an attack against an instance of 'ntpq', not
'ntpd', and this attack requires the attacker to do one of the
following:
* Own a malicious NTP server that the client trusts
* Prevent a legitimate NTP server from sending packets to
the 'ntpq' client
* MITM the 'ntpq' communications between the 'ntpq' client
and the NTP server
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
* 0rigin: Zero Origin Timestamp Bypass
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2945 / CVE-2015-8138
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
(3.7 - LOW if you score AC:L)
Summary: To distinguish legitimate peer responses from forgeries, a
client attempts to verify a response packet by ensuring that the
origin timestamp in the packet matches the origin timestamp it
transmitted in its last request. A logic error exists that
allows packets with an origin timestamp of zero to bypass this
check whenever there is not an outstanding request to the server.
Mitigation:
Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd= instances.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
* Stack exhaustion in recursive traversal of restriction list
Date Resolved: Stable (4.2.8p6) 19 Jan 2016
References: Sec 2940 / CVE-2015-7978
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by exhausting the call stack.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
* Off-path Denial of Service (!DoS) attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2942 / CVE-2015-7979
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
Summary: An off-path attacker can send broadcast packets with bad
authentication (wrong key, mismatched key, incorrect MAC, etc)
to broadcast clients. It is observed that the broadcast client
tears down the association with the broadcast server upon
receiving just one bad packet.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Monitor your 'ntpd' instances.
If this sort of attack is an active problem for you, you have
deeper problems to investigate. In this case also consider
having smaller NTP broadcast domains.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
University.
* reslist NULL pointer dereference
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2939 / CVE-2015-7977
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
Summary: An unauthenticated 'ntpdc reslist' command can cause a
segmentation fault in ntpd by causing a NULL pointer dereference.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
the NTP Public Services Project Download Page.
If you are unable to upgrade:
mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a 'requestkey' to control who can
issue mode 7 requests.
configure 'restrict noquery' to further limit mode 7
requests to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
* 'ntpq saveconfig' command allows dangerous characters in filenames.
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2938 / CVE-2015-7976
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
Summary: The ntpq saveconfig command does not do adequate filtering
of special characters from the supplied filename.
Note well: The ability to use the saveconfig command is controlled
by the 'restrict nomodify' directive, and the recommended default
configuration is to disable this capability. If the ability to
execute a 'saveconfig' is required, it can easily (and should) be
limited and restricted to a known small number of IP addresses.
Mitigation:
Implement BCP-38.
use 'restrict default nomodify' in your 'ntp.conf' file.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
If you are unable to upgrade:
build NTP with 'configure --disable-saveconfig' if you will
never need this capability, or
use 'restrict default nomodify' in your 'ntp.conf' file. Be
careful about what IPs have the ability to send 'modify'
requests to 'ntpd'.
Monitor your ntpd instances.
'saveconfig' requests are logged to syslog - monitor your syslog files.
Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
* nextvar() missing length check in ntpq
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2937 / CVE-2015-7975
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
If you score A:C, this becomes 4.0.
CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
Summary: ntpq may call nextvar() which executes a memcpy() into the
name buffer without a proper length check against its maximum
length of 256 bytes. Note well that we're taking about ntpq here.
The usual worst-case effect of this vulnerability is that the
specific instance of ntpq will crash and the person or process
that did this will have stopped themselves.
Mitigation:
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
If you have scripts that feed input to ntpq make sure there are
some sanity checks on the input received from the "outside".
This is potentially more dangerous if ntpq is run as root.
Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
* Skeleton Key: Any trusted key system can serve time
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2936 / CVE-2015-7974
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
Summary: Symmetric key encryption uses a shared trusted key. The
reported title for this issue was "Missing key check allows
impersonation between authenticated peers" and the report claimed
"A key specified only for one server should only work to
authenticate that server, other trusted keys should be refused."
Except there has never been any correlation between this trusted
key and server v. clients machines and there has never been any
way to specify a key only for one server. We have treated this as
an enhancement request, and ntp-4.2.8p6 includes other checks and
tests to strengthen clients against attacks coming from broadcast
servers.
Mitigation:
Implement BCP-38.
If this scenario represents a real or a potential issue for you,
upgrade to 4.2.8p6, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page, and
use the new field in the ntp.keys file that specifies the list
of IPs that are allowed to serve time. Note that this alone
will not protect against time packets with forged source IP
addresses, however other changes in ntp-4.2.8p6 provide
significant mitigation against broadcast attacks. MITM attacks
are a different story.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client
servers.
If you choose to use symmetric keys to authenticate time
packets in a hostile environment where ephemeral time
servers can be created, or if it is expected that malicious
time servers will participate in an NTP broadcast domain,
limit the number of participating systems that participate
in the shared-key group.
Monitor your ntpd instances.
Credit: This weakness was discovered by Matt Street of Cisco ASIG.
* Deja Vu: Replay attack on authenticated broadcast mode
Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
References: Sec 2935 / CVE-2015-7973
Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
4.3.0 up to, but not including 4.3.90
CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
Summary: If an NTP network is configured for broadcast operations then
either a man-in-the-middle attacker or a malicious participant
that has the same trusted keys as the victim can replay time packets.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade:
Don't use broadcast mode if you cannot monitor your client servers.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra of Boston
University.
Other fixes:
* [Bug 2772] adj_systime overflows tv_usec. [email protected]
* [Bug 2814] msyslog deadlock when signaled. [email protected]
- applied patch by [email protected] with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). [email protected]
* [Bug 2891] Deadlock in deferred DNS lookup framework. [email protected]
* [Bug 2892] Several test cases assume IPv6 capabilities even when
IPv6 is disabled in the build. [email protected]
- Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. [email protected]
- added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. [email protected]
- make CTRL-C work for retrieval and printing od MRU list. [email protected]
* [Bug 2980] reduce number of warnings. [email protected]
- integrated several patches from Havard Eidnes ([email protected])
* [Bug 2985] bogus calculation in authkeys.c [email protected]
- implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.
---
NTP 4.2.8p5
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerability:
* Small-step/big-step. Close the panic gate earlier.
References: Sec 2956, CVE-2015-5300
Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
4.3.0 up to, but not including 4.3.78
CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
Summary: If ntpd is always started with the -g option, which is
common and against long-standing recommendation, and if at the
moment ntpd is restarted an attacker can immediately respond to
enough requests from enough sources trusted by the target, which
is difficult and not common, there is a window of opportunity
where the attacker can cause ntpd to set the time to an
arbitrary value. Similarly, if an attacker is able to respond
to enough requests from enough sources trusted by the target,
the attacker can cause ntpd to abort and restart, at which
point it can tell the target to set the time to an arbitrary
value if and only if ntpd was re-started against long-standing
recommendation with the -g flag, or if ntpd was not given the
-g flag, the attacker can move the target system's time by at
most 900 seconds' time per attack.
Mitigation:
Configure ntpd to get time from multiple sources.
Upgrade to 4.2.8p5, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
As we've long documented, only use the -g option to ntpd in
cold-start situations.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra,
Isaac E. Cohen, and Sharon Goldberg at Boston University.
NOTE WELL: The -g flag disables the limit check on the panic_gate
in ntpd, which is 900 seconds by default. The bug identified by
the researchers at Boston University is that the panic_gate
check was only re-enabled after the first change to the system
clock that was greater than 128 milliseconds, by default. The
correct behavior is that the panic_gate check should be
re-enabled after any initial time correction.
If an attacker is able to inject consistent but erroneous time
responses to your systems via the network or "over the air",
perhaps by spoofing radio, cellphone, or navigation satellite
transmissions, they are in a great position to affect your
system's clock. There comes a point where your very best
defenses include:
Configure ntpd to get time from multiple sources.
Monitor your ntpd instances.
Other fixes:
* Coverity submission process updated from Coverity 5 to Coverity 7.
The NTP codebase has been undergoing regular Coverity scans on an
ongoing basis since 2006. As part of our recent upgrade from
Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c [email protected]
* [Bug 2887] stratum -1 config results as showing value 99
- fudge stratum should only accept values [0..16]. [email protected]
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
- applied patch by Christos Zoulas. [email protected]
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
- fixed data race conditions in threaded DNS worker. [email protected]
- limit threading warm-up to linux; FreeBSD bombs on it. [email protected]
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. [email protected]
- accept key file only if there are no parsing errors
- fixed size_t/u_int format clash
- fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. [email protected]
- fixed several other warnings (cast-alignment, missing const, missing prototypes)
- promote use of 'size_t' for values that express a size
- use ptr-to-const for read-only arguments
- make sure SOCKET values are not truncated (win32-specific)
- format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
- fixed ntp_rfc2553.c to return proper address length. [email protected]
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with
lots of clients. [email protected]
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. [email protected]
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
---
NTP 4.2.8p4
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:
* Incomplete vallen (value length) checks in ntp_crypto.c, leading
to potential crashes or potential code injection/information leakage.
References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
Summary: The fix for CVE-2014-9750 was incomplete in that there were
certain code paths where a packet with particular autokey operations
that contained malicious data was not always being completely
validated. Receipt of these packets can cause ntpd to crash.
Mitigation:
Don't use autokey.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
Monitor your ntpd instances.
Credit: This weakness was discovered by Tenable Network Security.
* Clients that receive a KoD should validate the origin timestamp field.
References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
Summary: An ntpd client that honors Kiss-of-Death responses will honor
KoD messages that have been forged by an attacker, causing it to
delay or stop querying its servers for time updates. Also, an
attacker can forge packets that claim to be from the target and
send them to servers often enough that a server that implements
KoD rate limiting will send the target machine a KoD response to
attempt to reduce the rate of incoming packets, or it may also
trigger a firewall block at the server for packets from the target
machine. For either of these attacks to succeed, the attacker must
know what servers the target is communicating with. An attacker
can be anywhere on the Internet and can frequently learn the
identity of the target's time source by sending the target a
time query.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
If you can't upgrade, restrict who can query ntpd to learn who
its servers are, and what IPs are allowed to ask your system
for the time. This mitigation is heavy-handed.
Monitor your ntpd instances.
Note:
4.2.8p4 protects against the first attack. For the second attack,
all we can do is warn when it is happening, which we do in 4.2.8p4.
Credit: This weakness was discovered by Aanchal Malhotra,
Issac E. Cohen, and Sharon Goldberg of Boston University.
* configuration directives to change "pidfile" and "driftfile" should
only be allowed locally.
References: Sec 2902 / CVE-2015-5196
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
Summary: If ntpd is configured to allow for remote configuration,
and if the (possibly spoofed) source IP address is allowed to
send remote configuration requests, and if the attacker knows
the remote configuration password, it's possible for an attacker
to use the "pidfile" or "driftfile" directives to potentially
overwrite other files.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
If you cannot upgrade, don't enable remote configuration.
If you must enable remote configuration and cannot upgrade,
remote configuration of NTF's ntpd requires:
- an explicitly configured trustedkey, and you should also
configure a controlkey.
- access from a permitted IP. You choose the IPs.
- authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
* Slow memory leak in CRYPTO_ASSOC
References: Sec 2909 / CVE-2015-7701
Affects: All ntp-4 releases that use autokey up to, but not
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
4.6 otherwise
Summary: If ntpd is configured to use autokey, then an attacker can
send packets to ntpd that will, after several days of ongoing
attack, cause it to run out of memory.
Mitigation:
Don't use autokey.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page
Monitor your ntpd instances.
Credit: This weakness was discovered by Tenable Network Security.
* mode 7 loop counter underrun
References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
Summary: If ntpd is configured to enable mode 7 packets, and if the
use of mode 7 packets is not properly protected thru the use of
the available mode 7 authentication and restriction mechanisms,
and if the (possibly spoofed) source IP address is allowed to
send mode 7 queries, then an attacker can send a crafted packet
to ntpd that will cause it to crash.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade:
In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
If you must enable mode 7:
configure the use of a requestkey to control who can issue
mode 7 requests.
configure restrict noquery to further limit mode 7 requests
to trusted sources.
Monitor your ntpd instances.
Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
* memory corruption in password store
References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password or if ntpd was configured to
disable authentication, then an attacker can send a set of
packets to ntpd that may cause a crash or theoretically
perform a code injection attack.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's
ntpd requires:
an explicitly configured "trusted" key. Only configure
this if you need it.
access from a permitted IP address. You choose the IPs.
authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* Infinite loop if extended logging enabled and the logfile and
keyfile are the same.
References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
Affects: All ntp-4 releases up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password or if ntpd was configured to
disable authentication, then an attacker can send a set of
packets to ntpd that will cause it to crash and/or create a
potentially huge log file. Specifically, the attacker could
enable extended logging, point the key file at the log file,
and cause what amounts to an infinite loop.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's ntpd
requires:
an explicitly configured "trusted" key. Only configure this
if you need it.
access from a permitted IP address. You choose the IPs.
authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* Potential path traversal vulnerability in the config file saving of
ntpd on VMS.
References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
Affects: All ntp-4 releases running under VMS up to, but not
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) IP address is allowed to send remote
configuration requests, and if the attacker knows the remote
configuration password or if ntpd was configured to disable
authentication, then an attacker can send a set of packets to
ntpd that may cause ntpd to overwrite files.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's ntpd
requires:
an explicitly configured "trusted" key. Only configure
this if you need it.
access from permitted IP addresses. You choose the IPs.
authentication. Don't disable it. Practice key security safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* ntpq atoascii() potential memory corruption
References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
and 4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
Summary: If an attacker can figure out the precise moment that ntpq
is listening for data and the port number it is listening on or
if the attacker can provide a malicious instance ntpd that
victims will connect to then an attacker can send a set of
crafted mode 6 response packets that, if received by ntpq,
can cause ntpq to crash.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade and you run ntpq against a server
and ntpq crashes, try again using raw mode. Build or get a
patched ntpq and see if that fixes the problem. Report new
bugs in ntpq or abusive servers appropriately.
If you use ntpq in scripts, make sure ntpq does what you expect
in your scripts.
Credit: This weakness was discovered by Yves Younan and
Aleksander Nikolich of Cisco Talos.
* Invalid length data provided by a custom refclock driver could cause
a buffer overflow.
References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
Affects: Potentially all ntp-4 releases running up to, but not
including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
that have custom refclocks
CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
5.9 unusual worst case
Summary: A negative value for the datalen parameter will overflow a
data buffer. NTF's ntpd driver implementations always set this
value to 0 and are therefore not vulnerable to this weakness.
If you are running a custom refclock driver in ntpd and that
driver supplies a negative value for datalen (no custom driver
of even minimal competence would do this) then ntpd would
overflow a data buffer. It is even hypothetically possible
in this case that instead of simply crashing ntpd the attacker
could effect a code injection attack.
Mitigation:
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade:
If you are running custom refclock drivers, make sure
the signed datalen value is either zero or positive.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan of Cisco Talos.
* Password Length Memory Corruption Vulnerability
References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
1.7 usual case, 6.8, worst case
Summary: If ntpd is configured to allow remote configuration, and if
the (possibly spoofed) source IP address is allowed to send
remote configuration requests, and if the attacker knows the
remote configuration password or if ntpd was (foolishly)
configured to disable authentication, then an attacker can
send a set of packets to ntpd that may cause it to crash,
with the hypothetical possibility of a small code injection.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade, remote configuration of NTF's
ntpd requires:
an explicitly configured "trusted" key. Only configure
this if you need it.
access from a permitted IP address. You choose the IPs.
authentication. Don't disable it. Practice secure key safety.
Monitor your ntpd instances.
Credit: This weakness was discovered by Yves Younan and
Aleksander Nikolich of Cisco Talos.
* decodenetnum() will ASSERT botch instead of returning FAIL on some
bogus values.
References: Sec 2922 / CVE-2015-7855
Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
4.3.0 up to, but not including 4.3.77
CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
an unusually long data value where a network address is expected,
the decodenetnum() function will abort with an assertion failure
instead of simply returning a failure condition.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade:
mode 7 is disabled by default. Don't enable it.
Use restrict noquery to limit who can send mode 6
and mode 7 requests.
Configure and use the controlkey and requestkey
authentication directives to limit who can
send mode 6 and mode 7 requests.
Monitor your ntpd instances.
Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
* NAK to the Future: Symmetric association authentication bypass via
crypto-NAK.
References: Sec 2941 / CVE-2015-7871
Affects: All ntp-4 releases between 4.2.5p186 up to but not including
4.2.8p4, and 4.3.0 up to but not including 4.3.77
CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
Summary: Crypto-NAK packets can be used to cause ntpd to accept time
from unauthenticated ephemeral symmetric peers by bypassing the
authentication required to mobilize peer associations. This
vulnerability appears to have been introduced in ntp-4.2.5p186
when the code handling mobilization of new passive symmetric
associations (lines 1103-1165) was refactored.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p4, or later, from the NTP Project Download
Page or the NTP Public Services Project Download Page.
If you are unable to upgrade:
Apply the patch to the bottom of the "authentic" check
block around line 1136 of ntp_proto.c.
Monitor your ntpd instances.
Credit: This weakness was discovered by Stephen Gray <[email protected]>.
Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
While the general default of 32M is still the case, under Linux
the default value has been changed to -1 (do not lock ntpd into
memory). A value of 0 means "lock ntpd into memory with whatever
memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
value in it, that value will continue to be used.
* [Bug 2886] Misspelling: "outlyer" should be "outlier".
If you've written a script that looks for this case in, say, the
output of ntpq, you probably want to change your regex matches
from 'outlyer' to 'outl[iy]er'.
New features in this release:
* 'rlimit memlock' now has finer-grained control. A value of -1 means
"don't lock ntpd into memore". This is the default for Linux boxes.
A value of 0 means "lock ntpd into memory" with no limits. Otherwise
the value is the number of megabytes of memory to lock. The default
is 32 megabytes.
* The old Google Test framework has been replaced with a new framework,
based on http://www.throwtheswitch.org/unity/ .
Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
privileges and limiting resources in NTPD removes the need to link
forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks. Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux. H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c. [email protected]
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2849] Systems with more than one default route may never
synchronize. Brian Utterback. Note that this patch might need to
be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball. H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS. libevent must
be configured for the distribution targets. Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier". [email protected]
* [Bug 2888] streamline calendar functions. [email protected]
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows. [email protected]
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads. Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled. HStenn.
* [Bug 2912] no munlockall() under Windows. David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h. Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h. Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix. Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/. Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h. H.Stenn.
* top_srcdir can change based on ntp v. sntp. Harlan Stenn.
* sntp/tests/ function parameter list cleanup. Damir Tomić.
* tests/libntp/ function parameter list cleanup. Damir Tomić.
* tests/ntpd/ function parameter list cleanup. Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h. Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris. H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing. D.Tomić.
* tests/libntp/ improvements in code and fixed error printing. Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
formatting; first declaration, then code (C90); deleted unnecessary comments;
changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity's assertions,
fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity's assertions, changed
the order of includes, fixed formatting, removed unnecessary comments.
Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
made one function do its job, deleted unnecessary prints, fixed formatting.
Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it. Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated filefrom SCM. H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths. Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf(). Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/. Harlan Stenn.
* Don't build sntp/libevent/sample/. Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread. Harlan Stenn.
* br-flock: --enable-local-libevent. Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent. Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros. Harlan Stenn.
* Code cleanup. Harlan Stenn.
* libntp/icom.c: Typo fix. Harlan Stenn.
* util/ntptime.c: initialization nit. Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr). Harlan Stenn.
* Add std_unity_tests to various Makefile.am files. Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
Flendrich
* Typo fix for GCC warning suppression. Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I. Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'. Harlan Stenn.
* Update the NEWS file. Harlan Stenn.
* Autoconf cleanup. Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files. Harlan Stenn.
* Pthread autoconf macro cleanup. Harlan Stenn.
* Fix progname definition in unity runner scripts. Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am. Harlan Stenn.
* Update the patch for bug 2817. Harlan Stenn.
* More updates for bug 2817. Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c. Harlan Stenn.
* gcc on older HPUX may need +allowdups. Harlan Stenn.
* Adding missing MCAST protection. Harlan Stenn.
* Disable certain test programs on certain platforms. Harlan Stenn.
* Implement --enable-problem-tests (on by default). Harlan Stenn.
* build system tweaks. Harlan Stenn.
---
NTP 4.2.8p3 (Harlan Stenn <[email protected]>, 2015/06/29)
Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.
Severity: MEDIUM
Security Fix:
* [Sec 2853] Crafted remote config packet can crash some versions of
ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:
1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.
This vulnerability is considered low-risk.
New features in this release:
Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more
information.
*IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
*BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.
Bug Fixes and Improvements:
* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
Fixed an initial-value problem that caused misbehaviour in absence of
any leapsecond information.
Do leap second stepping only of the step adjustment is beyond the
proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
interface is ignored as long as this flag is not set since the
interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
Fix crash during cleanup if GPS device not present and char device.
Increase internal token buffer to parse all JSON data, even SKY.
Defer logging of errors during driver init until the first unit is
started, so the syslog is not cluttered when the driver is not used.
Various improvements, see http://bugs.ntp.org/2808 for details.
Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
NTPD transfers the current TAI (instead of an announcement) now.
This might still needed improvement.
Update autokey data ASAP when 'sys_tai' changes.
Fix unit test that was broken by changes for autokey update.
Avoid potential signature length issue and use DPRINTF where possible
in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
Fixed compiler warnings about numeric range overflow
(The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 robustness deconding. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
networking.c, keyFile.c, utilities.cpp, sntptest.h,
fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.
---
NTP 4.2.8p2 (Harlan Stenn <[email protected]>, 2015/04/07)