-
-
Notifications
You must be signed in to change notification settings - Fork 53
/
NEWS
7668 lines (6849 loc) · 361 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
---
NTP 4.2.8p18 (Harlan Stenn <stenn@ntp.org>, 2024 May 24)
Focus: Bug fixes
Severity: Recommended
This release:
- changes crypto (OpenSSL or compatible) detection and default build behavior.
Previously, crypto was supported if available unless the --without-crypto
option was given to configure. With this release, the prior behavior of
falling back to a crypto-free build if usable libcrypto was not found has
changed to instead cause configure to fail with an error.
The --without-crypto option must be explicitly provided if you want a build
that does not use libcrypto functionality.
- Fixes 40 bugs
- Includes 40 other improvements
Details below:
* [Bug 3918] Tweak openssl header/library handling. <stenn@ntp.org>
* [Bug 3914] Spurious "Unexpected origin timestamp" logged after time
stepped. <hart@ntp.org>
* [Bug 3913] Avoid duplicate IPv6 link-local manycast associations.
<hart@ntp.org>
* [Bug 3912] Avoid rare math errors in ntptrace. <brian.utterback@oracle.com>
* [Bug 3910] Memory leak using openssl-3 <hart@ntp.org>
* [Bug 3909] Do not select multicast local address for unicast peer.
<hart@ntp.org>
* [Bug 3903] lib/isc/win32/strerror.c NTstrerror() is not thread-safe.
<hart@ntp.org>
* [Bug 3901] LIB_GETBUF isn't thread-safe. <hart@ntp.org>
* [Bug 3900] fast_xmit() selects wrong local addr responding to mcast on
Windows. <hart@ntp.org>
* [Bug 3888] ntpd with multiple same-subnet IPs using manycastclient creates
duplicate associations. <hart@ntp.org>
* [Bug 3872] Ignore restrict mask for hostname. <hart@ntp.org>
* [Bug 3871] 4.2.8p17 build without hopf6021 refclock enabled fails.
Reported by Hans Mayer. Moved NONEMPTY_TRANSLATION_UNIT
declaration from ntp_types.h to config.h. <hart@ntp.org>
* [Bug 3870] Server drops client packets with ppoll < 4. <stenn@ntp.org>
* [Bug 3869] Remove long-gone "calldelay" & "crypto sign" from docs.
Reported by PoolMUC@web.de. <hart@ntp.org>
* [Bug 3868] Cannot restrict a pool peer. <hart@ntp.org> Thanks to
Edward McGuire for tracking down the deficiency.
* [Bug 3864] ntpd IPv6 refid different for big-endian and little-endian.
<hart@ntp.org>
* [Bug 3859] Use NotifyIpInterfaceChange on Windows ntpd. <hart@ntp.org>
* [Bug 3856] Enable Edit & Continue debugging with Visual Studio.
<hart@ntp.org>
* [Bug 3855] ntpq lacks an equivalent to ntpdc's delrestrict. <hart@ntp.org>
* [Bug 3854] ntpd 4.2.8p17 corrupts rawstats file with space in refid.
<hart@ntp.org>
* [Bug 3853] Clean up warnings with modern compilers. <hart@ntp.org>
* [Bug 3852] check-libntp.mf and friends are not triggering rebuilds as
intended. <hart@ntp.org>
* [Bug 3851] Drop pool server when no local address can reach it.
<hart@ntp.org>
* [Bug 3850] ntpq -c apeers breaks column formatting s2 w/refclock refid.
<hart@ntp.org>
* [Bug 3849] ntpd --wait-sync times out. <hart@ntp.org>
* [Bug 3847] SSL detection in configure should run-test if runpath is needed.
<hart@ntp.org>
* [Bug 3846] Use -Wno-format-truncation by default. <hart@ntp.org>
* [Bug 3845] accelerate pool clock_sync when IPv6 has only link-local access.
<hart@ntp.org>
* [Bug 3842] Windows ntpd PPSAPI DLL load failure crashes. <hart@ntp.org>
* [Bug 3841] 4.2.8p17 build break w/ gcc 12 -Wformat-security without -Wformat
Need to remove --Wformat-security when removing -Wformat to
silence numerous libopts warnings. <hart@ntp.org>
* [Bug 3837] NULL pointer deref crash when ntpd deletes last interface.
Reported by renmingshuai. Correct UNLINK_EXPR_SLIST() when the
list is empty. <hart@ntp.org>
* [Bug 3835] NTP_HARD_*FLAGS not used by libevent tearoff. <hart@ntp.org>
* [Bug 3831] pollskewlist zeroed on runtime configuration. <hart@ntp.org>
* [Bug 3830] configure libevent check intersperses output with answer. <stenn@>
* [Bug 3828] BK should ignore a git repo in the same directory.
<burnicki@ntp.org>
* [Bug 3827] Fix build in case CLOCK_HOPF6021 or CLOCK_WHARTON_400A
is disabled. <burnicki@ntp.org>
* [Bug 3825] Don't touch HTML files unless building inside a BK repo.
Fix the script checkHtmlFileDates. <burnicki@ntp.org>
* [Bug 3756] Improve OpenSSL library/header detection.
* [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. <hart@ntp.org>
* [Bug 2734] TEST3 prevents initial interleave sync. Fix from <PoolMUC@web.de>
* Log failures to allocate receive buffers. <hart@ntp.org>
* Remove extraneous */ from libparse/ieee754io.c
* Fix .datecheck target line in Makefile.am. <stenn@ntp.org>
* Update the copyright year. <stenn@ntp.org>
* Update ntp.conf documentation to add "delrestrict" and correct information
about KoD rate limiting. <hart@ntp.org>
* html/clockopt.html cleanup. <stenn@ntp.org>
* util/lsf-times - added. <stenn@ntp.org>
* Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c. <hart@ntp.org>
* Provide ntpd thread names to debugger on Windows. <hart@ntp.org>
* Remove dead code libntp/numtohost.c and its unit tests. <hart@ntp.org>
* Remove class A, B, C IPv4 distinctions in netof(). <hart@ntp.org>
* Use @configure_input@ in various *.in files to include a comment that
the file is generated from another pointing to the *.in. <hart@ntp.org>
* Correct underquoting, indents in ntp_facilitynames.m4. <hart@ntp.org>
* Clean up a few warnings seen building with older gcc. <hart@ntp.org>
* Fix build on older FreeBSD lacking sys/procctl.h. <hart@ntp.org>
* Disable [Bug 3627] workaround on newer FreeBSD which has the kernel fix
that makes it unnecessary, re-enabling ASLR stack gap. <hart@ntp.org>
* Use NONEMPTY_COMPILATION_UNIT in more conditionally-compiled files.
* Remove useless pointer to Windows Help from system error messages.
* Avoid newlines within Windows error messages. <hart@ntp.org>
* Ensure unique association IDs if wrapped. <hart@ntp.org>
* Simplify calc_addr_distance(). <hart@ntp.org>
* Clamp min/maxpoll in edge cases in newpeer(). <hart@ntp.org>
* Quiet local addr change logging when unpeering. <hart@ntp.org>
* Correct missing arg for %s printf specifier in
send_blocking_resp_internal(). <hart@ntp.org>
* Suppress OpenSSL 3 deprecation warning clutter. <hart@ntp.org>
* Correct OpenSSL usage in Autokey code to avoid warnings about
discarding const qualifiers with OpenSSL 3. <hart@ntp.org>
* Display KoD refid as text in recently added message. <hart@ntp.org>
* Avoid running checkHtmlFileDates script repeatedly when no html/*.html
files have changed. <hart@ntp.org>
* Abort configure if --enable-crypto-rand given & unavailable. <hart@ntp.org>
* Add configure --enable-verbose-ssl to trace SSL detection. <hart@ntp.org>
* Add build test coverage for --disable-saveconfig to flock-build script.
<hart@ntp.org>
* Remove deprecated configure --with-arlib option. <hart@ntp.org>
* Remove configure support for ISC UNIX ca. 1998. <hart@ntp.org>
* Move NTP_OPENSSL and NTP_CRYPTO_RAND invocations from configure.ac files
to NTP_LIBNTP. <hart@ntp.org>
* Remove dead code: HAVE_U_INT32_ONLY_WITH_DNS. <hart@ntp.org>
* Eliminate [v]snprintf redefinition warnings on macOS. <hart@ntp.org>
* Fix clang 14 cast increases alignment warning on Linux. <hart@ntp.org>
* Move ENABLE_CMAC to ntp_openssl.m4, reviving sntp/tests CMAC unit tests.
<hart@ntp.org>
* Use NTP_HARD_CPPFLAGS in libopts tearoff. <hart@ntp.org>
* wire in --enable-build-framework-help
---
NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)
Focus: Bug fixes
Severity: HIGH (for people running 4.2.8p16)
This release:
- fixes 3 bugs, including a regression
- adds new unit tests
Details below:
* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
event_sync. Reported by Edward McGuire. <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
<hart@ntp.org> Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
4.2.8p15 or earlier. Reported by Matt Nordhoff, thanks to
Miroslav Lichvar and Matt for rapid testing and identifying the
problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
symmetric authentication digest output.
---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)
Focus: Security, Bug fixes
Severity: LOW
This release:
- fixes 4 vulnerabilities (3 LOW and 1 None severity),
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0
Details below:
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
- solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
<stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
<hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
OpenSSL 3. Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
- ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
- Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
<hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
- Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
- openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
- command line options override config statements where applicable
- make initial frequency settings idempotent and reversible
- make sure kernel PLL gets a recovered drift componsation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
- misleading title; essentially a request to ignore the receiver status.
Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
- original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
- implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
- original patch by matt<ntpbr@mattcorallo.com>
- increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
- patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
- ntp{q,dc} now use the same password processing as ntpd does in the key
file, so having a binary secret >= 11 bytes is possible for all keys.
(This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
- patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
- applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
- idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
- follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
- fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
- backport from -dev, plus some more work on warnings for unchecked results
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
---
NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
Focus: Security, Bug fixes
Severity: MEDIUM
This release fixes one vulnerability: Associations that use CMAC
authentication between ntpd from versions 4.2.8p11/4.3.97 and
4.2.8p14/4.3.100 will leak a small amount of memory for each packet.
Eventually, ntpd will run out of memory and abort.
It also fixes 13 other bugs.
* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
- Thanks to Sylar Tao
* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
- rewrite 'decodenetnum()' in terms of inet_pton
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
- limit number of receive buffers, with an iron reserve for refclocks
* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
- integrated patch from Charles Claggett
* [Bug 3659] Move definition of psl[] from ntp_config.h to
ntp_config.h <perlinger@ntp.org>
* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
- fix by Gerry garvey
* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
- thanks to Gerry Garvey
* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
- patch by Gerry Garvey
* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
- applied patch by Takao Abe
---
NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes three vulnerabilities: a bug that causes causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source. It also fixes 46 other bugs and addresses
4 other issues.
* [Sec 3610] process_control() should bail earlier on short packets. stenn@
- Reported by Philippe Antoine
* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
- Reported by Miroslav Lichvar
* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
- Reported by Miroslav Lichvar
* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@
* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
* [Bug 3634] Typo in discipline.html, reported by Jason Harrison. stenn@
* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
- implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
- integrated patch by Cy Schubert
* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
- integrated patch by Richard Steedman
* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
- Reported by Martin Burnicki
* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
- Reported by Philippe Antoine
* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
- officially document new "trust date" mode bit for NMEA driver
- restore the (previously undocumented) "trust date" feature lost with [bug 3577]
* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
- mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
- removed ffs() and fls() prototypes as per Brian Utterback
* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
ntp_io.c <perlinger@ntp.org>
- fixed byte and paramter order as suggested by wei6410@sina.com
* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
- added padding as suggested by John Paul Adrian Glaubitz
* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
- stdout+stderr are set to line buffered during test setup now
* [Bug 3583] synchronization error <perlinger@ntp.org>
- set clock to base date if system time is before that limit
* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
- Reported by Paulo Neves
* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
- also updates for refclock_nmea.c and refclock_jupiter.c
* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] nptdate: missleading error message <perlinger@ntp.org>
* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
- sidekick: service port resolution in 'ntpdate'
* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
- applied patch by Douglas Royds
* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
- try to harden 'decodenetnum()' against 'getaddrinfo()' errors
- fix wrong cond-compile tests in unit tests
* [Bug 3517] Reducing build noise <perlinger@ntp.org>
* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
- patch by Philipp Prindeville
* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
- patch by Philipp Prindeville
* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
- patch by Philipp Prindeville
* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
- partial application of patch by Philipp Prindeville
* [Bug 3491] Signed values of LFP datatypes should always display a sign
- applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
- applied (modified) patch by Richard Steedman
* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
- applied patch by Gerry Garvey (with minor formatting changes)
* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
- applied patch by Miroslav Lichvar
* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
<perlinger@ntp.org>
* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
is specified with -u <perlinger@ntp.org>
- monitor daemon child startup & propagate exit codes
* [Bug 1433] runtime check whether the kernel really supports capabilities
- (modified) patch by Kurt Roeckx <perlinger@ntp.org>
* Clean up sntp/networking.c:sendpkt() error message. <stenn@ntp.org>
* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
* Startup log improvements. <stenn@ntp.org>
* Update the copyright year.
---
NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes a bug that allows an attacker with access to an
explicitly trusted source to send a crafted malicious mode 6 (ntpq)
packet that can trigger a NULL pointer dereference, crashing ntpd.
It also provides 17 other bugfixes and 1 other improvement:
* [Sec 3565] Crafted null dereference attack in authenticated
mode 6 packet <perlinger@ntp.org>
- reported by Magnus Stubman
* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
- applied patch by Ian Lepore
* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
- isolate and fix linux/windows specific code issue
* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
- provide better function for incremental string formatting
* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
- original finding by Gerry Garvey, additional cleanup needed
* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
- patch by Christous Zoulas
* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
- finding by Chen Jiabin, plus another one by me
* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
- applied patch by Maciej Szmigiero
* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
- applied patch by Andre Charbonneau
* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
- applied patch by Baruch Siach
* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
- applied patch by Baruch Siach
* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
- refactored handling of GPS era based on 'tos basedate' for
parse (TSIP) and JUPITER clocks
* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
- patch by Daniel J. Luke; this does not fix a potential linker
regression issue on MacOS.
* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
anomaly <perlinger@ntp.org>, reported by GGarvey.
- --enable-bug3527-fix support by HStenn
* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. <perlinger@ntp.org>
- added missing check, reported by Reinhard Max <perlinger@ntp.org>
* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
- this is a variant of [bug 3558] and should be fixed with it
* Implement 'configure --disable-signalled-io'
--
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:
* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
* [Sec 3012] Fix a hole in the new "noepeer" processing.
* Bug Fixes:
[Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
[Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
other TrustedBSD platforms
- applied patch by Ian Lepore <perlinger@ntp.org>
[Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
- changed interaction with SCM to signal pending startup
[Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
- rework of ntpq 'nextvar()' key/value parsing
[Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
[Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
[Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
[Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3471] Check for openssl/[ch]mac.h. HStenn.
- add #define ENABLE_CMAC support in configure. HStenn.
[Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
[Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
- patch by Stephen Friedl
[Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
- fixed IO redirection and CTRL-C handling in ntq and ntpdc
[Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
[Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
- initial patch by Hal Murray; also fixed refclock_report() trouble
[Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
[Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
- According to Brooks Davis, there was only one location <perlinger@ntp.org>
[Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
with modifications
New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
[Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
- applied patch by Miroslav Lichvar
[Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
[Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
- integrated patch by Reinhard Max
[Bug 2821] minor build issues <perlinger@ntp.org>
- applied patches by Christos Zoulas, including real bug fixes
html/authopt.html: cleanup, from <stenn@ntp.org>
ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>
--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
provides 65 other non-security fixes and improvements:
* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
association (LOW/MED)
Date Resolved: Stable (4.2.8p11) 27 Feb 2018
References: Sec 3454 / CVE-2018-7185 / VU#961909
Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
2.9 and 6.8.
CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
score between 2.6 and 3.1
Summary:
The NTP Protocol allows for both non-authenticated and
authenticated associations, in client/server, symmetric (peer),
and several broadcast modes. In addition to the basic NTP
operational modes, symmetric mode and broadcast servers can
support an interleaved mode of operation. In ntp-4.2.8p4 a bug
was inadvertently introduced into the protocol engine that
allows a non-authenticated zero-origin (reset) packet to reset
an authenticated interleaved peer association. If an attacker
can send a packet with a zero-origin timestamp and the source
IP address of the "other side" of an interleaved association,
the 'victim' ntpd will reset its association. The attacker must
continue sending these packets in order to maintain the
disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
interleave mode could be entered dynamically. As of ntp-4.2.8p7,
interleaved mode must be explicitly configured/enabled.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
If you are unable to upgrade to 4.2.8p11 or later and have
'peer HOST xleave' lines in your ntp.conf file, remove the
'xleave' option.
Have enough sources of time.
Properly monitor your ntpd instances.
If ntpd stops running, auto-restart it without -g .
Credit:
This weakness was discovered by Miroslav Lichvar of Red Hat.
* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
state (LOW/MED)
Date Resolved: Stable (4.2.8p11) 27 Feb 2018
References: Sec 3453 / CVE-2018-7184 / VU#961909
Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Could score between 2.9 and 6.8.
CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Could score between 2.6 and 6.0.
Summary:
The fix for NtpBug2952 was incomplete, and while it fixed one
problem it created another. Specifically, it drops bad packets
before updating the "received" timestamp. This means a
third-party can inject a packet with a zero-origin timestamp,
meaning the sender wants to reset the association, and the
transmit timestamp in this bogus packet will be saved as the
most recent "received" timestamp. The real remote peer does
not know this value and this will disrupt the association until
the association resets.
Mitigation:
Implement BCP-38.
Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Use authentication with 'peer' mode.
Have enough sources of time.
Properly monitor your ntpd instances.
If ntpd stops running, auto-restart it without -g .
Credit:
This weakness was discovered by Miroslav Lichvar of Red Hat.
* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
peering (LOW)
Date Resolved: Stable (4.2.8p11) 27 Feb 2018
References: Sec 3415 / CVE-2018-7170 / VU#961909
Sec 3012 / CVE-2016-1549 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary:
ntpd can be vulnerable to Sybil attacks. If a system is set up to
use a trustedkey and if one is not using the feature introduced in
ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
specify which IPs can serve time, a malicious authenticated peer
-- i.e. one where the attacker knows the private symmetric key --
can create arbitrarily-many ephemeral associations in order to win
the clock selection of ntpd and modify a victim's clock. Three
additional protections are offered in ntp-4.2.8p11. One is the
new 'noepeer' directive, which disables symmetric passive
ephemeral peering. Another is the new 'ippeerlimit' directive,
which limits the number of peers that can be created from an IP.
The third extends the functionality of the 4th field in the
ntp.keys file to include specifying a subnet range.
Mitigation:
Implement BCP-38.
Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Use the 'noepeer' directive to prohibit symmetric passive
ephemeral associations.
Use the 'ippeerlimit' directive to limit the number of peers
that can be created from an IP.
Use the 4th argument in the ntp.keys file to limit the IPs and
subnets that can be time servers.
Have enough sources of time.
Properly monitor your ntpd instances.
If ntpd stops running, auto-restart it without -g .
Credit:
This weakness was reported as Bug 3012 by Matthew Van Gundy of
Cisco ASIG, and separately by Stefan Moser as Bug 3415.
* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
Date Resolved: 27 Feb 2018
References: Sec 3414 / CVE-2018-7183 / VU#961909
Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary:
ntpq is a monitoring and control program for ntpd. decodearr()
is an internal function of ntpq that is used to -- wait for it --
decode an array in a response string when formatted data is being
displayed. This is a problem in affected versions of ntpq if a
maliciously-altered ntpd returns an array result that will trip this
bug, or if a bad actor is able to read an ntpq request on its way to
a remote ntpd server and forge and send a response before the remote
ntpd sends its response. It's potentially possible that the
malicious data could become injectable/executable code.
Mitigation:
Implement BCP-38.
Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Credit:
This weakness was discovered by Michael Macnair of Thales e-Security.
* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
behavior and information leak (Info/Medium)
Date Resolved: 27 Feb 2018
References: Sec 3412 / CVE-2018-7182 / VU#961909
Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.0 if C:N
Summary:
ctl_getitem() is used by ntpd to process incoming mode 6 packets.
A malicious mode 6 packet can be sent to an ntpd instance, and
if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
cause ctl_getitem() to read past the end of its buffer.
Mitigation:
Implement BCP-38.
Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
or the NTP Public Services Project Download Page.
Have enough sources of time.
Properly monitor your ntpd instances.
If ntpd stops running, auto-restart it without -g .
Credit:
This weakness was discovered by Yihan Lian of Qihoo 360.
* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
Also see Bug 3415, above.
Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
Date Resolved: Stable (4.2.8p11) 27 Feb 2018
References: Sec 3012 / CVE-2016-1549 / VU#718152
Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary:
ntpd can be vulnerable to Sybil attacks. If a system is set up
to use a trustedkey and if one is not using the feature
introduced in ntp-4.2.8p6 allowing an optional 4th field in the
ntp.keys file to specify which IPs can serve time, a malicious
authenticated peer -- i.e. one where the attacker knows the
private symmetric key -- can create arbitrarily-many ephemeral
associations in order to win the clock selection of ntpd and
modify a victim's clock. Two additional protections are
offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
disables symmetric passive ephemeral peering. The other extends
the functionality of the 4th field in the ntp.keys file to
include specifying a subnet range.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
the NTP Public Services Project Download Page.
Use the 'noepeer' directive to prohibit symmetric passive
ephemeral associations.
Use the 'ippeerlimit' directive to limit the number of peer
associations from an IP.
Use the 4th argument in the ntp.keys file to limit the IPs
and subnets that can be time servers.
Properly monitor your ntpd instances.
Credit:
This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
* Bug fixes:
[Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
[Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
- applied patch by Sean Haugh
[Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
[Bug 3450] Dubious error messages from plausibility checks in get_systime()
- removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
[Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
- refactoring the MAC code, too
[Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
[Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
- applied patch by ggarvey
[Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
- applied patch by ggarvey (with minor mods)
[Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
- applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
[Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
[Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
[Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
- fixed several issues with hash algos in ntpd, sntp, ntpq,
ntpdc and the test suites <perlinger@ntp.org>
[Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
- initial patch by Daniel Pouzzner
[Bug 3423] QNX adjtime() implementation error checking is
wrong <perlinger@ntp.org>
[Bug 3417] ntpq ifstats packet counters can be negative
made IFSTATS counter quantities unsigned <perlinger@ntp.org>
[Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
- raised receive buffer size to 1200 <perlinger@ntp.org>
[Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
analysis tool. <abe@ntp.org>
[Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
[Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
- fix/drop assumptions on OpenSSL libs directory layout
[Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
- initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
[Bug 3398] tests fail with core dump <perlinger@ntp.org>
- patch contributed by Alexander Bluhm
[Bug 3397] ctl_putstr() asserts that data fits in its buffer
rework of formatting & data transfer stuff in 'ntp_control.c'
avoids unecessary buffers and size limitations. <perlinger@ntp.org>
[Bug 3394] Leap second deletion does not work on ntpd clients
- fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
[Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
- increased mimimum stack size to 32kB <perlinger@ntp.org>
[Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
- reverted handling of PPS kernel consumer to 4.2.6 behavior
[Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
[Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
[Bug 3016] wrong error position reported for bad ":config pool"
- fixed location counter & ntpq output <perlinger@ntp.org>
[Bug 2900] libntp build order problem. HStenn.
[Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
[Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
perlinger@ntp.org
[Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
[Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
Use strlcpy() to copy strings, not memcpy(). HStenn.
Typos. HStenn.
test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
Fix trivial warnings from 'make check'. perlinger@ntp.org
Fix bug in the override portion of the compiler hardening macro. HStenn.
record_raw_stats(): Log entire packet. Log writes. HStenn.
AES-128-CMAC support. BInglis, HStenn, JPerlinger.
sntp: tweak key file logging. HStenn.
sntp: pkt_output(): Improve debug output. HStenn.
update-leap: updates from Paul McMath.
When using pkg-config, report --modversion. HStenn.
Clean up libevent configure checks. HStenn.
sntp: show the IP of who sent us a crypto-NAK. HStenn.
Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
authistrustedip() - use it in more places. HStenn, JPerlinger.
New sysstats: sys_lamport, sys_tsrounding. HStenn.
Update ntp.keys .../N documentation. HStenn.
Distribute testconf.yml. HStenn.
Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
Rename the configuration flag fifo variables. HStenn.
Improve saveconfig output. HStenn.
Decode restrict flags on receive() debug output. HStenn.
Decode interface flags on receive() debug output. HStenn.
Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
Update the documentation in ntp.conf.def . HStenn.
restrictions() must return restrict flags and ippeerlimit. HStenn.
Update ntpq peer documentation to describe the 'p' type. HStenn.
Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn.
Provide dump_restricts() for debugging. HStenn.
Use consistent 4th arg type for [gs]etsockopt. JPerlinger.
* Other items:
* update-leap needs the following perl modules:
Net::SSLeay
IO::Socket::SSL
* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.
* New ntp.conf items:
- restrict ... noepeer
- restrict ... ippeerlimit N
The 'noepeer' directive will disallow all ephemeral/passive peer
requests.
The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses. This limit does not
apply to explicitly-configured associations. A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP. 0 means "none", etc. Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy. But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports. This directive should be helpful in this case.
* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key. This IP/subnet restriction can be
used to limit the IPs that may use the key in most all situations where
a key is used.
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:
* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3389 / CVE-2017-6464 / VU#325339
Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary:
A vulnerability found in the NTP server makes it possible for an
authenticated remote user to crash ntpd via a malformed mode
configuration directive.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
the NTP Public Services Project Download Page
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
Date Resolved: 21 Mar 2017
References: Sec 3388 / CVE-2017-6462 / VU#325339
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
Summary:
There is a potential for a buffer overflow in the legacy Datum
Programmable Time Server refclock driver. Here the packets are
processed from the /dev/datum device and handled in
datum_pts_receive(). Since an attacker would be required to
somehow control a malicious /dev/datum device, this does not
appear to be a practical attack and renders this issue "Low" in
terms of severity.
Mitigation:
If you have a Datum reference clock installed and think somebody
may maliciously change the device, upgrade to 4.2.8p10, or
later, from the NTP Project Download Page or the NTP Public
Services Project Download Page
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
Date Resolved: 21 Mar 2017
References: Sec 3387 / CVE-2017-6463 / VU#325339
Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Summary:
A vulnerability found in the NTP server allows an authenticated
remote attacker to crash the daemon by sending an invalid setting
via the :config directive. The unpeer option expects a number or
an address as an argument. In case the value is "0", a
segmentation fault occurs.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
Date Resolved: 21 Mar 2017
References: Sec 3386
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
Summary:
The NTP Mode 6 monitoring and control client, ntpq, uses the
function ntpq_stripquotes() to remove quotes and escape characters
from a given string. According to the documentation, the function
is supposed to return the number of copied bytes but due to
incorrect pointer usage this value is always zero. Although the
return value of this function is never used in the code, this
flaw could lead to a vulnerability in the future. Since relying
on wrong return values when performing memory operations is a
dangerous practice, it is recommended to return the correct value
in accordance with the documentation pertinent to the code.
Mitigation:
Implement BCP-38.
Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
Properly monitor your ntpd instances, and auto-restart
ntpd (without -g) if it stops running.
Credit:
This weakness was discovered by Cure53.
* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
Date Resolved: 21 Mar 2017
References: Sec 3385
Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
ntp-4.3.0 up to, but not including ntp-4.3.94.
Summary:
NTP makes use of several wrappers around the standard heap memory
allocation functions that are provided by libc. This is mainly
done to introduce additional safety checks concentrated on
several goals. First, they seek to ensure that memory is not
accidentally freed, secondly they verify that a correct amount
is always allocated and, thirdly, that allocation failures are
correctly handled. There is an additional implementation for
scenarios where memory for a specific amount of items of the
same size needs to be allocated. The handling can be found in
the oreallocarray() function for which a further number-of-elements
parameter needs to be provided. Although no considerable threat