1---
2NTP 4.2.8p18 (Harlan Stenn <stenn@ntp.org>, 2024 May 24)
3
4Focus: Bug fixes
5
6Severity: Recommended
7
8This release:
9
10- changes crypto (OpenSSL or compatible) detection and default build behavior.
11  Previously, crypto was supported if available unless the --without-crypto
12  option was given to configure.  With this release, the prior behavior of
13  falling back to a crypto-free build if usable libcrypto was not found has
14  changed to instead cause configure to fail with an error.
15  The --without-crypto option must be explicitly provided if you want a build
16  that does not use libcrypto functionality.
17- Fixes 40 bugs
18- Includes 40 other improvements
19
20Details below:
21
22* [Bug 3918] Tweak openssl header/library handling. <stenn@ntp.org>
23* [Bug 3914] Spurious "Unexpected origin timestamp" logged after time
24             stepped. <hart@ntp.org>
25* [Bug 3913] Avoid duplicate IPv6 link-local manycast associations.
26             <hart@ntp.org>
27* [Bug 3912] Avoid rare math errors in ntptrace.  <brian.utterback@oracle.com>
28* [Bug 3910] Memory leak using openssl-3 <hart@ntp.org>
29* [Bug 3909] Do not select multicast local address for unicast peer.
30             <hart@ntp.org>
31* [Bug 3903] lib/isc/win32/strerror.c NTstrerror() is not thread-safe.
32             <hart@ntp.org>
33* [Bug 3901] LIB_GETBUF isn't thread-safe. <hart@ntp.org>
34* [Bug 3900] fast_xmit() selects wrong local addr responding to mcast on
35             Windows. <hart@ntp.org>
36* [Bug 3888] ntpd with multiple same-subnet IPs using manycastclient creates
37             duplicate associations. <hart@ntp.org>
38* [Bug 3872] Ignore restrict mask for hostname. <hart@ntp.org>
39* [Bug 3871] 4.2.8p17 build without hopf6021 refclock enabled fails.
40             Reported by Hans Mayer.  Moved NONEMPTY_TRANSLATION_UNIT
41             declaration from ntp_types.h to config.h.  <hart@ntp.org>
42* [Bug 3870] Server drops client packets with ppoll < 4.  <stenn@ntp.org>
43* [Bug 3869] Remove long-gone "calldelay" & "crypto sign" from docs.
44             Reported by PoolMUC@web.de. <hart@ntp.org>
45* [Bug 3868] Cannot restrict a pool peer. <hart@ntp.org>  Thanks to
46             Edward McGuire for tracking down the deficiency.
47* [Bug 3864] ntpd IPv6 refid different for big-endian and little-endian.
48             <hart@ntp.org>
49* [Bug 3859] Use NotifyIpInterfaceChange on Windows ntpd. <hart@ntp.org>
50* [Bug 3856] Enable Edit & Continue debugging with Visual Studio.
51             <hart@ntp.org>
52* [Bug 3855] ntpq lacks an equivalent to ntpdc's delrestrict. <hart@ntp.org>
53* [Bug 3854] ntpd 4.2.8p17 corrupts rawstats file with space in refid.
54             <hart@ntp.org>
55* [Bug 3853] Clean up warnings with modern compilers. <hart@ntp.org>
56* [Bug 3852] check-libntp.mf and friends are not triggering rebuilds as
57             intended. <hart@ntp.org>
58* [Bug 3851] Drop pool server when no local address can reach it.
59             <hart@ntp.org>
60* [Bug 3850] ntpq -c apeers breaks column formatting s2 w/refclock refid.
61             <hart@ntp.org>
62* [Bug 3849] ntpd --wait-sync times out. <hart@ntp.org>
63* [Bug 3847] SSL detection in configure should run-test if runpath is needed.
64             <hart@ntp.org>
65* [Bug 3846] Use -Wno-format-truncation by default. <hart@ntp.org>
66* [Bug 3845] accelerate pool clock_sync when IPv6 has only link-local access.
67             <hart@ntp.org>
68* [Bug 3842] Windows ntpd PPSAPI DLL load failure crashes. <hart@ntp.org>
69* [Bug 3841] 4.2.8p17 build break w/ gcc 12 -Wformat-security without -Wformat
70             Need to remove --Wformat-security when removing -Wformat to
71             silence numerous libopts warnings.  <hart@ntp.org>
72* [Bug 3837] NULL pointer deref crash when ntpd deletes last interface.
73             Reported by renmingshuai.  Correct UNLINK_EXPR_SLIST() when the
74             list is empty. <hart@ntp.org>
75* [Bug 3835] NTP_HARD_*FLAGS not used by libevent tearoff. <hart@ntp.org>
76* [Bug 3831] pollskewlist zeroed on runtime configuration. <hart@ntp.org>
77* [Bug 3830] configure libevent check intersperses output with answer. <stenn@>
78* [Bug 3828] BK should ignore a git repo in the same directory.
79             <burnicki@ntp.org>
80* [Bug 3827] Fix build in case CLOCK_HOPF6021 or CLOCK_WHARTON_400A
81             is disabled.  <burnicki@ntp.org>
82* [Bug 3825] Don't touch HTML files unless building inside a BK repo.
83             Fix the script checkHtmlFileDates.  <burnicki@ntp.org>
84* [Bug 3756] Improve OpenSSL library/header detection.
85* [Bug 3753] ntpd fails to start with FIPS-enabled OpenSSL 3. <hart@ntp.org>
86* [Bug 2734] TEST3 prevents initial interleave sync.  Fix from <PoolMUC@web.de>
87* Log failures to allocate receive buffers.  <hart@ntp.org>
88* Remove extraneous */ from libparse/ieee754io.c
89* Fix .datecheck target line in Makefile.am.  <stenn@ntp.org>
90* Update the copyright year.  <stenn@ntp.org>
91* Update ntp.conf documentation to add "delrestrict" and correct information
92  about KoD rate limiting.  <hart@ntp.org>
93* html/clockopt.html cleanup.  <stenn@ntp.org>
94* util/lsf-times - added.  <stenn@ntp.org>
95* Add DSA, DSA-SHA, and SHA to tests/libntp/digests.c. <hart@ntp.org>
96* Provide ntpd thread names to debugger on Windows. <hart@ntp.org>
97* Remove dead code libntp/numtohost.c and its unit tests. <hart@ntp.org>
98* Remove class A, B, C IPv4 distinctions in netof(). <hart@ntp.org>
99* Use @configure_input@ in various *.in files to include a comment that
100  the file is generated from another pointing to the *.in. <hart@ntp.org>
101* Correct underquoting, indents in ntp_facilitynames.m4. <hart@ntp.org>
102* Clean up a few warnings seen building with older gcc. <hart@ntp.org>
103* Fix build on older FreeBSD lacking sys/procctl.h. <hart@ntp.org>
104* Disable [Bug 3627] workaround on newer FreeBSD which has the kernel fix
105  that makes it unnecessary, re-enabling ASLR stack gap. <hart@ntp.org>
106* Use NONEMPTY_COMPILATION_UNIT in more conditionally-compiled files.
107* Remove useless pointer to Windows Help from system error messages.
108* Avoid newlines within Windows error messages. <hart@ntp.org>
109* Ensure unique association IDs if wrapped. <hart@ntp.org>
110* Simplify calc_addr_distance(). <hart@ntp.org>
111* Clamp min/maxpoll in edge cases in newpeer(). <hart@ntp.org>
112* Quiet local addr change logging when unpeering. <hart@ntp.org>
113* Correct missing arg for %s printf specifier in
114  send_blocking_resp_internal(). <hart@ntp.org>
115* Suppress OpenSSL 3 deprecation warning clutter. <hart@ntp.org>
116* Correct OpenSSL usage in Autokey code to avoid warnings about
117  discarding const qualifiers with OpenSSL 3. <hart@ntp.org>
118* Display KoD refid as text in recently added message. <hart@ntp.org>
* Avoid running checkHtmlFileDates script repeatedly when no html/*.html
  files have changed. <hart@ntp.org>
121* Abort configure if --enable-crypto-rand given & unavailable. <hart@ntp.org>
122* Add configure --enable-verbose-ssl to trace SSL detection. <hart@ntp.org>
123* Add build test coverage for --disable-saveconfig to flock-build script.
124  <hart@ntp.org>
125* Remove deprecated configure --with-arlib option. <hart@ntp.org>
126* Remove configure support for ISC UNIX ca. 1998. <hart@ntp.org>
127* Move NTP_OPENSSL and NTP_CRYPTO_RAND invocations from configure.ac files
128  to NTP_LIBNTP. <hart@ntp.org>
129* Remove dead code: HAVE_U_INT32_ONLY_WITH_DNS. <hart@ntp.org>
130* Eliminate [v]snprintf redefinition warnings on macOS. <hart@ntp.org>
131* Fix clang 14 cast increases alignment warning on Linux. <hart@ntp.org>
132* Move ENABLE_CMAC to ntp_openssl.m4, reviving sntp/tests CMAC unit tests.
133  <hart@ntp.org>
134* Use NTP_HARD_CPPFLAGS in libopts tearoff. <hart@ntp.org>
135* wire in --enable-build-framework-help
136
137---
138NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)
139
140Focus: Bug fixes
141
142Severity: HIGH (for people running 4.2.8p16)
143
144This release:
145
146- fixes 3 bugs, including a regression
147- adds new unit tests
148
149Details below:
150
151* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
152             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
153* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
154             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
155* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
156             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
157               Miroslav Lichvar and Matt for rapid testing and identifying the
158               problem. <hart@ntp.org>
159* Add tests/libntp/digests.c to catch regressions reading keys file or with
160  symmetric authentication digest output.
161
162---
163NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)
164
165Focus: Security, Bug fixes
166
167Severity: LOW
168
169This release:
170
171- fixes 4 vulnerabilities (3 LOW and 1 None severity),
172- fixes 46 bugs
173- includes 15 general improvements
174- adds support for OpenSSL-3.0
175
176Details below:
177
178* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
179* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
180             hypothetical input buffer overflow. Reported by ... stenn@
181* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
182  - solved numerically instead of using string manipulation
183* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
184             <stenn@ntp.org>
185* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
186* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
187* [Bug 3814] First poll delay of new or cleared associations miscalculated.
188             <hart@ntp.org>
189* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
190             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
191* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
192* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
193* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
194* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
195             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
196* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
197  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
198* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
199  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
200* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
201* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
202             <hart@ntp.org>
203* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
204* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
205  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
206* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
207* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
208* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
209* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
210             Philippe De Muyter <phdm@macqel.be>
211* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
212  - openssl applink needed again for openSSL-1.1.1
213* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
214             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
215* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
216  - command line options override config statements where applicable
217  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
219* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
220* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
221  - misleading title; essentially a request to ignore the receiver status.
222    Added a mode bit for this. <perlinger@ntp.org>
223* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
224  - original patch by Richard Schmidt, with mods & unit test fixes
225* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
226  - implement/wrap 'realpath()' to resolve symlinks in device names
227* [Bug 3691] Buffer Overflow reading GPSD output
228  - original patch by matt<ntpbr@mattcorallo.com>
229  - increased max PDU size to 4k to avoid truncation
230* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
231  - patch by Frank Kardel
232* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
233  - ntp{q,dc} now use the same password processing as ntpd does in the key
234    file, so having a binary secret >= 11 bytes is possible for all keys.
235    (This is a different approach to the problem than suggested)
236* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
237* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
238  - patch by Gerry Garvey
239* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
240  - original patch by Gerry Garvey
241* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
242  - original patch by Gerry Garvey
243* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
244  - applied patches by Gerry Garvey
245* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
246* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
247  - idea+patch by Gerry Garvey
248* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
249* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
250  - follow-up: fix inverted sense in check, reset shortfall counter
251* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
252* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
253  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
254* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
255  - applied patch by Gerry Garvey
256* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
257  - backport from -dev, plus some more work on warnings for unchecked results
258* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
259             Reported by Israel G. Lugo. <hart@ntp.org>
260* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
261* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
262             Integrated patch from Brian Utterback. <hart@ntp.org>
263* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
264* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
265* Use correct rounding in mstolfp(). perlinger/hart
266* M_ADDF should use u_int32.  <hart@ntp.org>
267* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
268* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
269* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
270* If DEBUG is enabled, the startup banner now says that debug assertions
271  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
272* syslog valid incoming KoDs.  <stenn@ntp.org>
273* Rename a poorly-named variable.  <stenn@ntp.org>
274* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
275* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
276* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
277* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
278* upgrade to: autogen-5.18.16
279* upgrade to: libopts-42.1.17
280* upgrade to: autoconf-2.71
281* upgrade to: automake-1.16.15
282* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
283* Support OpenSSL-3.0
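The Bug 3821 entry in the 4.2.8p17 notes above and the Bug 3689 entry in this release both turn on how a symmetric key is read from the keys file and then used to compute the packet MAC. The Python below is an added illustration, not NTP Project code: it applies the keys-file rule that a key of at most 20 characters is taken as ASCII text and a longer key as hex digits, computes the MAC as keyid followed by digest(secret || header) as RFC 5905 specifies, and shows that a peer which misreads a hex key as ASCII derives a different secret and therefore rejects packets that are in fact valid. The keys-file text and the 48-byte header are constructed for the example, and only the MD5 and SHA1 digest types are handled.

```python
"""Added example (not NTP Project code): ntpd-style symmetric-key
authentication, from keys-file line to packet MAC."""
import binascii
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
# Keys-file rule assumed here: 20 characters or fewer -> ASCII secret,
# longer -> hex digits (a 40-hex-digit key is a 20-byte secret).
MAX_ASCII_KEY_LEN = 20
# Only the two classic digest types are handled in this example.
DIGESTS = {"MD5": hashlib.md5, "SHA1": hashlib.sha1}


def parse_keys_file(text):
    """Parse 'keyno type key' lines into {keyno: (type, secret_bytes)}."""
    keys = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments, blank lines
        if not line:
            continue
        keyno, keytype, key = line.split(None, 2)
        keytype = keytype.upper()
        if keytype not in DIGESTS:
            raise ValueError("unsupported digest type %s" % keytype)
        if len(key) <= MAX_ASCII_KEY_LEN:
            secret = key.encode("ascii")
        else:
            secret = binascii.unhexlify(key)
        keys[int(keyno)] = (keytype, secret)
    return keys


def ntp_mac(keyno, keytype, secret, header):
    """MAC = keyid (4 bytes, network order) || digest(secret || header)."""
    digest = DIGESTS[keytype](secret + header).digest()
    return struct.pack("!I", keyno) + digest


def verify(keys, message):
    """Split message into header and MAC, recompute, compare in constant time."""
    header, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    if len(header) != NTP_HEADER_LEN or len(mac) < 4:
        return False                              # no keyid present at all
    keyno = struct.unpack("!I", mac[:4])[0]
    if keyno not in keys:
        return False
    keytype, secret = keys[keyno]
    expected = ntp_mac(keyno, keytype, secret, header)
    return hmac.compare_digest(expected, mac)


# Constructed sample header: NTPv4 client (LI=0, VN=4, mode=3), poll 6,
# precision -20, zeroed fields except a transmit timestamp.
SAMPLE_HEADER = (bytes([0x23, 0, 6, 0xEC]) + b"\x00" * 36
                 + struct.pack("!II", 0xE8C7A3E5, 0))

# Constructed keys file: key 1 is ASCII, key 2 is a 40-hex-digit key.
SAMPLE_KEYS = """\
# keyno type key
1 MD5 example-secret
2 SHA1 0123456789abcdef0123456789abcdef01234567
"""


def demo():
    """Sign with key 2; verify with correct keys and with a misread key."""
    keys = parse_keys_file(SAMPLE_KEYS)
    signed = SAMPLE_HEADER + ntp_mac(2, *keys[2], SAMPLE_HEADER)
    ok = verify(keys, signed)
    # Interop failure: a peer that wrongly treats the hex string as ASCII
    # derives a different 40-byte secret, so its MAC never matches.
    misread = {2: ("SHA1", b"0123456789abcdef0123456789abcdef01234567")}
    mismatch = verify(misread, signed)
    return ok, mismatch


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints `(True, False)`: the correctly parsed key verifies, the misread one does not, which is exactly the "won't interop" symptom the Bug 3821 entry describes.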
284
285---
286NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
287
288Focus: Security, Bug fixes
289
290Severity: MEDIUM
291
292This release fixes one vulnerability: Associations that use CMAC
293authentication between ntpd from versions 4.2.8p11/4.3.97 and
2944.2.8p14/4.3.100 will leak a small amount of memory for each packet.
295Eventually, ntpd will run out of memory and abort.
296
297It also fixes 13 other bugs.
298
299* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
* [Bug 3670] Regression from bad merge between 3592 and 3596 <perlinger@>
301  - Thanks to Sylar Tao
302* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
303  - rewrite 'decodenetnum()' in terms of inet_pton
304* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
305  - limit number of receive buffers, with an iron reserve for refclocks
306* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
307* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
308* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
309  - integrated patch from Charles Claggett
310* [Bug 3659] Move definition of psl[] from ntp_config.h to
311  ntp_config.h <perlinger@ntp.org>
312* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
313* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
315* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
316  - thanks to Gerry Garvey
317* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
318  - patch by Gerry Garvey
319* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
320* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
321  - applied patch by Takao Abe
322
323---
324NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
325
326Focus: Security, Bug fixes, enhancements.
327
328Severity: MEDIUM
329
This release fixes three vulnerabilities: a bug that causes an ntpd
instance that has been explicitly configured to override the default and
accept ntpdc (mode 7) connections to read some uninitialized memory; a
case where an unmonitored ntpd using an unauthenticated association to its
servers may be susceptible to a forged-packet DoS attack; and an attack
against a client instance that uses a single unauthenticated time source.
It also fixes 46 other bugs and addresses 4 other issues.
338
339* [Sec 3610] process_control() should bail earlier on short packets. stenn@
340  - Reported by Philippe Antoine
341* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
342  - Reported by Miroslav Lichvar
343* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
344  - Reported by Miroslav Lichvar
345* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
346* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
347* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
348* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
349* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
350  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
351* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
352  - integrated patch by Cy Schubert
353* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
354  - applied patch by Gerry Garvey
355* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
356  - applied patch by Gerry Garvey
357* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
358  - integrated patch by Richard Steedman
359* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
360* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
361  - Reported by Martin Burnicki
362* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
363  - Reported by Philippe Antoine
364* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
365  - officially document new "trust date" mode bit for NMEA driver
366  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
367* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
368  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
369* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
370  - removed ffs() and fls() prototypes as per Brian Utterback
371* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
372          ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
374* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
375* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
376  - added padding as suggested by John Paul Adrian Glaubitz
377* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
378* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
379* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
380* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
381  - stdout+stderr are set to line buffered during test setup now
382* [Bug 3583] synchronization error <perlinger@ntp.org>
383  - set clock to base date if system time is before that limit
384* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
385* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
386  - Reported by Paulo Neves
387* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
388  - also updates for refclock_nmea.c and refclock_jupiter.c
389* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
391* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
392* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
393  - sidekick: service port resolution in 'ntpdate'
394* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
395  - applied patch by Douglas Royds
396* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
397* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
398  - applied patch by Gerry Garvey
399* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
400  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
401  - fix wrong cond-compile tests in unit tests
402* [Bug 3517] Reducing build noise <perlinger@ntp.org>
403* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
404  - patch by Philipp Prindeville
405* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
406  - patch by Philipp Prindeville
407* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
408  - patch by Philipp Prindeville
409* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
410  - partial application of patch by Philipp Prindeville
411* [Bug 3491] Signed values of LFP datatypes should always display a sign
412  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
413* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
414  - applied (modified) patch by Richard Steedman
415* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
416  - applied patch by Gerry Garvey (with minor formatting changes)
417* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
418  - applied patch by Miroslav Lichvar
419* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
420  <perlinger@ntp.org>
421* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
422             is specified with -u <perlinger@ntp.org>
423  - monitor daemon child startup & propagate exit codes
424* [Bug 1433] runtime check whether the kernel really supports capabilities
425  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
426* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
427* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
428* Startup log improvements. <stenn@ntp.org>
429* Update the copyright year.
430
431---
432NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
433
434Focus: Security, Bug fixes, enhancements.
435
436Severity: MEDIUM
437
438This release fixes a bug that allows an attacker with access to an
439explicitly trusted source to send a crafted malicious mode 6 (ntpq)
440packet that can trigger a NULL pointer dereference, crashing ntpd.
441It also provides 17 other bugfixes and 1 other improvement:
442
443* [Sec 3565] Crafted null dereference attack in authenticated
444               mode 6 packet <perlinger@ntp.org>
445  - reported by Magnus Stubman
446* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
447  - applied patch by Ian Lepore
448* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
449  - isolate and fix linux/windows specific code issue
450* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
451  - provide better function for incremental string formatting
452* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
453  - applied patch by Gerry Garvey
454* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
455  - original finding by Gerry Garvey, additional cleanup needed
456* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
458* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
459  - finding by Chen Jiabin, plus another one by me
460* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
461  - applied patch by Maciej Szmigiero
462* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
463  - applied patch by Andre Charbonneau
464* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
465  - applied patch by Baruch Siach
466* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
467  - applied patch by Baruch Siach
468* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
469  - refactored handling of GPS era based on 'tos basedate' for
470    parse (TSIP) and JUPITER clocks
471* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
472  - patch by Daniel J. Luke; this does not fix a potential linker
473    regression issue on MacOS.
474* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
475  anomaly <perlinger@ntp.org>, reported by GGarvey.
476  - --enable-bug3527-fix support by HStenn
477* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
478  - applied patch by Gerry Garvey
479* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
480  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
481* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
482  - this is a variant of [bug 3558] and should be fixed with it
483* Implement 'configure --disable-signalled-io'
484
485--
486NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
487
488Focus: Security, Bug fixes, enhancements.
489
490Severity: MEDIUM
491
492This release fixes a "hole" in the noepeer capability introduced to ntpd
493in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
494ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
495
496* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
497
498* [Sec 3012] Fix a hole in the new "noepeer" processing.
499
* [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
             other TrustedBSD platforms
  - applied patch by Ian Lepore <perlinger@ntp.org>
* [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
  - changed interaction with SCM to signal pending startup
* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
  - rework of ntpq 'nextvar()' key/value parsing
* [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods)
* [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods)
* [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
  - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
* [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
  - add #define ENABLE_CMAC support in configure.  HStenn.
* [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
* [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
  - patch by Stephen Friedl
* [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
  - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
* [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
* [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
  - initial patch by Hal Murray; also fixed refclock_report() trouble
* [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
* [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
  - According to Brooks Davis, there was only one location <perlinger@ntp.org>
* [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
  - applied patch by Gerry Garvey
* [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, with
             modifications.
  - New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
* [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
  - applied patch by Miroslav Lichvar
* [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
* [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
  - integrated patch by Reinhard Max
* [Bug 2821] minor build issues <perlinger@ntp.org>
  - applied patches by Christos Zoulas, including real bug fixes
* html/authopt.html: cleanup, from <stenn@ntp.org>
* ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
* Symmetric key range is 1-65535.  Update docs.  <stenn@ntp.org>
555
556--
557NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
558
559Focus: Security, Bug fixes, enhancements.
560
561Severity: MEDIUM
562
563This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
564vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
565provides 65 other non-security fixes and improvements:

* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
          association (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3454 / CVE-2018-7185 / VU#961909
   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
          2.9 and 6.8.
   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
          score between 2.6 and 3.1
   Summary:
          The NTP Protocol allows for both non-authenticated and
          authenticated associations, in client/server, symmetric (peer),
          and several broadcast modes. In addition to the basic NTP
          operational modes, symmetric mode and broadcast servers can
          support an interleaved mode of operation. In ntp-4.2.8p4 a bug
          was inadvertently introduced into the protocol engine that
          allows a non-authenticated zero-origin (reset) packet to reset
          an authenticated interleaved peer association. If an attacker
          can send a packet with a zero-origin timestamp and the source
          IP address of the "other side" of an interleaved association,
          the 'victim' ntpd will reset its association. The attacker must
          continue sending these packets in order to maintain the
          disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
          interleave mode could be entered dynamically. As of ntp-4.2.8p7,
          interleaved mode must be explicitly configured/enabled.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
          If you are unable to upgrade to 4.2.8p11 or later and have
              'peer HOST xleave' lines in your ntp.conf file, remove the
              'xleave' option.
          Have enough sources of time.
          Properly monitor your ntpd instances.
          If ntpd stops running, auto-restart it without -g .
   Credit:
          This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
          state (LOW/MED)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3453 / CVE-2018-7184 / VU#961909
   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
          Could score between 2.9 and 6.8.
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
          Could score between 2.6 and 6.0.
   Summary:
          The fix for NtpBug2952 was incomplete, and while it fixed one
          problem it created another.  Specifically, it drops bad packets
          before updating the "received" timestamp.  This means a
          third-party can inject a packet with a zero-origin timestamp,
          meaning the sender wants to reset the association, and the
          transmit timestamp in this bogus packet will be saved as the
          most recent "received" timestamp.  The real remote peer does
          not know this value and this will disrupt the association until
          the association resets.
   Mitigation:
          Implement BCP-38.
          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
          Use authentication with 'peer' mode.
          Have enough sources of time.
          Properly monitor your ntpd instances.
          If ntpd stops running, auto-restart it without -g .
   Credit:
          This weakness was discovered by Miroslav Lichvar of Red Hat.

* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
          peering (LOW)
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3415 / CVE-2018-7170 / VU#961909
               Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
          4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
   Summary:
          ntpd can be vulnerable to Sybil attacks.  If a system is set up to
          use a trustedkey and if one is not using the feature introduced in
          ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
          specify which IPs can serve time, a malicious authenticated peer
          -- i.e. one where the attacker knows the private symmetric key --
          can create arbitrarily-many ephemeral associations in order to win
          the clock selection of ntpd and modify a victim's clock.  Three
          additional protections are offered in ntp-4.2.8p11.  One is the
          new 'noepeer' directive, which disables symmetric passive
          ephemeral peering. Another is the new 'ippeerlimit' directive,
          which limits the number of peers that can be created from an IP.
          The third extends the functionality of the 4th field in the
          ntp.keys file to include specifying a subnet range.
   Mitigation:
          Implement BCP-38.
          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
          Use the 'noepeer' directive to prohibit symmetric passive
              ephemeral associations.
          Use the 'ippeerlimit' directive to limit the number of peers
              that can be created from an IP.
          Use the 4th argument in the ntp.keys file to limit the IPs and
              subnets that can be time servers.
          Have enough sources of time.
          Properly monitor your ntpd instances.
          If ntpd stops running, auto-restart it without -g .
   Credit:
          This weakness was reported as Bug 3012 by Matthew Van Gundy of
          Cisco ASIG, and separately by Stefan Moser as Bug 3415.

* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3414 / CVE-2018-7183 / VU#961909
   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
   Summary:
          ntpq is a monitoring and control program for ntpd.  decodearr()
          is an internal function of ntpq that is used to -- wait for it --
          decode an array in a response string when formatted data is being
          displayed.  This is a problem in affected versions of ntpq if a
          maliciously-altered ntpd returns an array result that will trip this
          bug, or if a bad actor is able to read an ntpq request on its way to
          a remote ntpd server and forge and send a response before the remote
          ntpd sends its response.  It's potentially possible that the
          malicious data could become injectable/executable code.
   Mitigation:
          Implement BCP-38.
          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
   Credit:
          This weakness was discovered by Michael Macnair of Thales e-Security.

* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
          behavior and information leak (Info/Medium)
   Date Resolved: 27 Feb 2018
   References: Sec 3412 / CVE-2018-7182 / VU#961909
   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
          0.0 if C:N
   Summary:
          ctl_getitem() is used by ntpd to process incoming mode 6 packets.
          A malicious mode 6 packet can be sent to an ntpd instance, and
          if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
          cause ctl_getitem() to read past the end of its buffer.
   Mitigation:
          Implement BCP-38.
          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
          Have enough sources of time.
          Properly monitor your ntpd instances.
          If ntpd stops running, auto-restart it without -g .
   Credit:
          This weakness was discovered by Yihan Lian of Qihoo 360.

* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
   Also see Bug 3415, above.
   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
   References: Sec 3012 / CVE-2016-1549 / VU#718152
   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
          4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
   Summary:
          ntpd can be vulnerable to Sybil attacks.  If a system is set up
          to use a trustedkey and if one is not using the feature
          introduced in ntp-4.2.8p6 allowing an optional 4th field in the
          ntp.keys file to specify which IPs can serve time, a malicious
          authenticated peer -- i.e. one where the attacker knows the
          private symmetric key -- can create arbitrarily-many ephemeral
          associations in order to win the clock selection of ntpd and
          modify a victim's clock.  Two additional protections are
          offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
          disables symmetric passive ephemeral peering. The other extends
          the functionality of the 4th field in the ntp.keys file to
          include specifying a subnet range.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
              the NTP Public Services Project Download Page.
          Use the 'noepeer' directive to prohibit symmetric passive
              ephemeral associations.
          Use the 'ippeerlimit' directive to limit the number of peer
              associations from an IP.
          Use the 4th argument in the ntp.keys file to limit the IPs
              and subnets that can be time servers.
          Properly monitor your ntpd instances.
   Credit:
          This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

* Bug fixes:
 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
 - applied patch by Sean Haugh
 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
 - refactoring the MAC code, too
 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
 - applied patch by ggarvey
 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
 - applied patch by ggarvey (with minor mods)
 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
 - fixed several issues with hash algos in ntpd, sntp, ntpq,
   ntpdc and the test suites <perlinger@ntp.org>
 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
 - initial patch by Daniel Pouzzner
 [Bug 3423] QNX adjtime() implementation error checking is wrong <perlinger@ntp.org>
 [Bug 3417] ntpq ifstats packet counters can be negative
 - made IFSTATS counter quantities unsigned <perlinger@ntp.org>
 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
 - raised receive buffer size to 1200 <perlinger@ntp.org>
 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
   analysis tool. <abe@ntp.org>
 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
 - fix/drop assumptions on OpenSSL libs directory layout
 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
 - patch contributed by Alexander Bluhm
 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
 - rework of formatting & data transfer stuff in 'ntp_control.c'
   avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
 [Bug 3394] Leap second deletion does not work on ntpd clients
 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
 - increased minimum stack size to 32kB <perlinger@ntp.org>
 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
 - reverted handling of PPS kernel consumer to 4.2.6 behavior
 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
 [Bug 3016] wrong error position reported for bad ":config pool"
 - fixed location counter & ntpq output <perlinger@ntp.org>
 [Bug 2900] libntp build order problem.  HStenn.
 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
   perlinger@ntp.org
 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
 Use strlcpy() to copy strings, not memcpy().  HStenn.
 Typos.  HStenn.
 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
 Fix trivial warnings from 'make check'. perlinger@ntp.org
 Fix bug in the override portion of the compiler hardening macro. HStenn.
 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
 sntp: tweak key file logging.  HStenn.
 sntp: pkt_output(): Improve debug output.  HStenn.
 update-leap: updates from Paul McMath.
 When using pkg-config, report --modversion.  HStenn.
 Clean up libevent configure checks.  HStenn.
 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
 authistrustedip() - use it in more places.  HStenn, JPerlinger.
 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
 Update ntp.keys .../N documentation.  HStenn.
 Distribute testconf.yml.  HStenn.
 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
 Rename the configuration flag fifo variables.  HStenn.
 Improve saveconfig output.  HStenn.
 Decode restrict flags on receive() debug output.  HStenn.
 Decode interface flags on receive() debug output.  HStenn.
 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
 Update the documentation in ntp.conf.def .  HStenn.
 restrictions() must return restrict flags and ippeerlimit.  HStenn.
 Update ntpq peer documentation to describe the 'p' type.  HStenn.
 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
 Provide dump_restricts() for debugging.  HStenn.
 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.

* Other items:

* update-leap needs the following perl modules:
          Net::SSLeay
          IO::Socket::SSL

* New sysstats variables: sys_lamport, sys_tsrounding
See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
sys_lamport counts the number of observed Lamport violations, while
sys_tsrounding counts observed timestamp rounding events.

* New ntp.conf items:

- restrict ... noepeer
- restrict ... ippeerlimit N

The 'noepeer' directive will disallow all ephemeral/passive peer
requests.

The 'ippeerlimit' directive limits the number of time associations
for each IP in the designated set of addresses.  This limit does not
apply to explicitly-configured associations.  A value of -1, the current
default, means an unlimited number of associations may connect from a
single IP.  0 means "none", etc.  Ordinarily the only way multiple
associations would come from the same IP would be if the remote side
was using a proxy.  But a trusted machine might become compromised,
in which case an attacker might spin up multiple authenticated sessions
from different ports.  This directive should be helpful in this case.

* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key.  This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
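As an added example, not code from the NTP project, the C program below models the two controls just described: key_allows_peer() applies an ntp.keys 4th-field IP list, where each entry may carry a /subnetbits suffix, to a peer address, and ippeerlimit_admits() applies an ippeerlimit value to a request for a new ephemeral association. The function names, the assumption that the 4th-field list is comma separated, and the IPv4-only parsing are this example's own.

```c
/* Added example, not NTP project code: models the ntp.keys 4th-field
 * IP/subnet restriction and the ippeerlimit rule described above.
 * Assumptions: comma-separated 4th field, IPv4 addresses only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse a dotted quad occupying exactly [s, s+len) into host-order bits. */
static bool parse_ipv4(const char *s, size_t len, uint32_t *out)
{
    char buf[32];
    unsigned o[4];
    int consumed = 0;

    if (len == 0 || len >= sizeof buf)
        return false;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (sscanf(buf, "%u.%u.%u.%u%n", &o[0], &o[1], &o[2], &o[3], &consumed) != 4)
        return false;
    if ((size_t)consumed != len)
        return false;
    for (int i = 0; i < 4; i++)
        if (o[i] > 255)
            return false;
    *out = (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3];
    return true;
}

/* Parse "a.b.c.d" or "a.b.c.d/N" in [s, s+len) into network bits and prefix length. */
static bool parse_cidr4(const char *s, size_t len, uint32_t *net, int *bits)
{
    const char *slash = memchr(s, '/', len);

    *bits = 32;
    if (slash != NULL) {
        char *end;
        long v = strtol(slash + 1, &end, 10);
        if (end != s + len || slash + 1 == end || v < 0 || v > 32)
            return false;
        *bits = (int)v;
        len = (size_t)(slash - s);
    }
    return parse_ipv4(s, len, net);
}

static uint32_t prefix_mask(int bits)
{
    return bits == 0 ? 0u : (uint32_t)(0xFFFFFFFFu << (32 - bits));
}

/* Does the 4th-field list permit `peer` to use the key?
 * An absent/empty list keeps the pre-4.2.8p6 behaviour: any IP may use it.
 * A malformed entry denies, so a typo in ntp.keys fails closed. */
bool key_allows_peer(const char *iplist, const char *peer)
{
    uint32_t p, net;
    int bits;

    if (!parse_ipv4(peer, strlen(peer), &p))
        return false;
    if (iplist == NULL || *iplist == '\0')
        return true;
    while (*iplist != '\0') {
        const char *comma = strchr(iplist, ',');
        size_t len = comma ? (size_t)(comma - iplist) : strlen(iplist);

        if (!parse_cidr4(iplist, len, &net, &bits))
            return false;
        if ((p & prefix_mask(bits)) == (net & prefix_mask(bits)))
            return true;
        iplist += len + (comma ? 1 : 0);
    }
    return false;
}

/* ippeerlimit: -1 (the default) is unlimited, 0 admits none, N admits a new
 * ephemeral association while fewer than N already exist for that IP. */
bool ippeerlimit_admits(int limit, int existing_from_ip)
{
    if (limit < 0)
        return true;
    return existing_from_ip < limit;
}

int main(void)
{
    /* Constructed 4th field: one /24 plus a single host. */
    const char *list = "10.0.0.0/24,192.168.1.5";

    printf("10.0.0.77 may use key: %d\n", key_allows_peer(list, "10.0.0.77"));
    printf("10.0.1.77 may use key: %d\n", key_allows_peer(list, "10.0.1.77"));
    printf("3rd ephemeral peer, ippeerlimit 2: %d\n", ippeerlimit_admits(2, 2));
    return 0;
}
```

The two choices worth noting are that an entry the parser cannot read denies rather than allows, and that an empty list allows every address, which is exactly the "not using the feature" state the advisories above describe as exposed to the Sybil attack.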
--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)

Focus: Security, Bug fixes, enhancements.

Severity: MEDIUM

This release fixes 5 medium-, 6 low-, and 4 informational-severity
vulnerabilities, and provides 15 other non-security fixes and improvements:

* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3389 / CVE-2017-6464 / VU#325339
   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
          A vulnerability found in the NTP server makes it possible for an
          authenticated remote user to crash ntpd via a malformed mode
          configuration directive.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
              the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3388 / CVE-2017-6462 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
          There is a potential for a buffer overflow in the legacy Datum
          Programmable Time Server refclock driver.  Here the packets are
          processed from the /dev/datum device and handled in
          datum_pts_receive().  Since an attacker would be required to
          somehow control a malicious /dev/datum device, this does not
          appear to be a practical attack and renders this issue "Low" in
          terms of severity.
   Mitigation:
          If you have a Datum reference clock installed and think somebody
              may maliciously change the device, upgrade to 4.2.8p10, or
              later, from the NTP Project Download Page or the NTP Public
              Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
   Date Resolved: 21 Mar 2017
   References: Sec 3387 / CVE-2017-6463 / VU#325339
   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
          A vulnerability found in the NTP server allows an authenticated
          remote attacker to crash the daemon by sending an invalid setting
          via the :config directive.  The unpeer option expects a number or
          an address as an argument.  In case the value is "0", a
          segmentation fault occurs.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
   Date Resolved: 21 Mar 2017
   References: Sec 3386
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
   Summary:
          The NTP Mode 6 monitoring and control client, ntpq, uses the
          function ntpq_stripquotes() to remove quotes and escape characters
          from a given string.  According to the documentation, the function
          is supposed to return the number of copied bytes but due to
          incorrect pointer usage this value is always zero.  Although the
          return value of this function is never used in the code, this
          flaw could lead to a vulnerability in the future.  Since relying
          on wrong return values when performing memory operations is a
          dangerous practice, it is recommended to return the correct value
          in accordance with the documentation pertinent to the code.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
   Date Resolved: 21 Mar 2017
   References: Sec 3385
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   Summary:
          NTP makes use of several wrappers around the standard heap memory
          allocation functions that are provided by libc.  This is mainly
          done to introduce additional safety checks concentrated on
          several goals.  First, they seek to ensure that memory is not
          accidentally freed, secondly they verify that a correct amount
          is always allocated and, thirdly, that allocation failures are
          correctly handled.  There is an additional implementation for
          scenarios where memory for a specific amount of items of the
          same size needs to be allocated.  The handling can be found in
          the oreallocarray() function for which a further number-of-elements
          parameter needs to be provided.  Although no considerable threat
          was identified as tied to a lack of use of this function, it is
          recommended to correctly apply oreallocarray() as a preferred
          option across all of the locations where it is possible.
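The check that makes an array-allocation wrapper safer than a bare realloc(count * size) is the one the summary above leaves implicit: the multiplication can wrap. The following is an added example, not the project's ereallocarray()/oreallocarray() code; alloc_would_overflow(), checked_reallocarray() and grow_records() are names chosen for this illustration.

```c
/* Added example, not NTP project code: the overflow check an
 * array-allocation wrapper exists to perform, and a typical caller.
 * All names here are this example's own. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* True when count * size wraps around size_t. A bare realloc(p, count * size)
 * would silently turn such a request into a tiny allocation that the caller
 * then overruns. */
bool alloc_would_overflow(size_t count, size_t size)
{
    return size != 0 && count > SIZE_MAX / size;
}

/* realloc() of `count` elements of `size` bytes that refuses to wrap. */
void *checked_reallocarray(void *p, size_t count, size_t size)
{
    if (alloc_would_overflow(count, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, count * size);
}

/* A typical caller: a table of fixed-size records grown on demand.
 * Returns the new capacity, or 0 with the table left unchanged on failure. */
struct record {
    uint32_t id;
    uint32_t flags;
    uint64_t stamp;
};

size_t grow_records(struct record **table, size_t current, size_t wanted)
{
    struct record *t;

    if (wanted <= current)
        return current;
    t = checked_reallocarray(*table, wanted, sizeof **table);
    if (t == NULL)
        return 0;
    *table = t;
    return wanted;
}

int main(void)
{
    struct record *table = NULL;
    size_t cap = grow_records(&table, 0, 64);             /* 64 */
    size_t bad = grow_records(&table, cap, SIZE_MAX / 8); /* 0: product would wrap */

    free(table);
    return (cap == 64 && bad == 0) ? 0 : 1;
}
```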
   Mitigation:
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
          PPSAPI ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3384 / CVE-2017-6455 / VU#325339
   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
          not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
          including ntp-4.3.94.
   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
   Summary:
          The Windows NT port has the added capability to preload DLLs
          defined in the inherited global local environment variable
          PPSAPI_DLLS.  The code contained within those libraries is then
          called from the NTPD service, usually running with elevated
          privileges. Depending on how securely the machine is setup and
          configured, if ntpd is configured to use the PPSAPI under Windows
          this can easily lead to a code injection.
   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
          installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3383 / CVE-2017-6452 / VU#325339
   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
          installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
          to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
          The Windows installer for NTP calls strcat(), blindly appending
          the string passed to the stack buffer in the addSourceToRegistry()
          function.  The stack buffer is 70 bytes smaller than the buffer
          in the calling main() function.  Together with the initially
          copied Registry path, the combination causes a stack buffer
          overflow and effectively overwrites the stack frame.  The
          passed application path is actually limited to 256 bytes by the
          operating system, but this is not sufficient to assure that the
          affected stack buffer is consistently protected against
          overflowing at all times.
   Mitigation:
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
   Credit:
          This weakness was discovered by Cure53.

* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
          installer ONLY) (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3382 / CVE-2017-6459 / VU#325339
   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
          installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
          up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
   Summary:
          The Windows installer for NTP calls strcpy() with an argument
          that specifically contains multiple null bytes.  strcpy() only
          copies a single terminating null character into the target
          buffer instead of copying the required double null bytes in the
          addKeysToRegistry() function.  As a consequence, a garbage
          registry entry can be created.  The additional arsize parameter
          is erroneously set to contain two null bytes and the following
          call to RegSetValueEx() claims to be passing in a multi-string
          value, though this may not be true.
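The mismatch described above, between a copy that stops at the first NUL and a registry type that needs a second NUL to end the list, is easy to see in portable C. This is an added illustration, not the installer's code; multi_sz_size(), multi_sz_count(), strcpy_would_copy() and multi_sz_copy() are names chosen for this example, and the two-entry list is constructed.

```c
/* Added example, not the NTP installer's code: why strcpy() cannot copy a
 * REG_MULTI_SZ-style value (NUL-separated strings ended by an empty string,
 * i.e. a double NUL) and how to copy one with its full terminator.
 * Function names are this example's own. */
#include <stddef.h>
#include <string.h>

/* Total size in bytes of a multi-string, including the terminating second NUL. */
size_t multi_sz_size(const char *ms)
{
    const char *p = ms;

    while (*p != '\0')
        p += strlen(p) + 1;      /* skip one string and its NUL */
    return (size_t)(p - ms) + 1; /* plus the empty string that ends the list */
}

/* Number of strings in the list. */
size_t multi_sz_count(const char *ms)
{
    size_t n = 0;

    while (*ms != '\0') {
        n++;
        ms += strlen(ms) + 1;
    }
    return n;
}

/* Bytes strcpy() would copy: the first string and one NUL. Whether the byte
 * after it is the second NUL the list needs depends on whatever the
 * destination already held, which is how a garbage entry arises. */
size_t strcpy_would_copy(const char *ms)
{
    return strlen(ms) + 1;
}

/* Copy a multi-string with its full terminator. Returns bytes copied,
 * or 0 when the list does not fit in cap (the caller must treat 0 as failure). */
size_t multi_sz_copy(char *dst, size_t cap, const char *src)
{
    size_t n = multi_sz_size(src);

    if (n > cap)
        return 0;
    memcpy(dst, src, n);
    return n;
}

/* Constructed two-entry list; the string literal supplies the final NUL. */
static const char demo_list[] = "NTP\0Application\0";

int main(void)
{
    char buf[64];
    size_t copied = multi_sz_copy(buf, sizeof buf, demo_list);

    /* memcpy keeps both strings and the terminator; strcpy would copy 4 bytes. */
    return (copied == 17 && multi_sz_count(buf) == 2 &&
            strcpy_would_copy(demo_list) == 4) ? 0 : 1;
}
```

The size passed to the registry API should be the value multi_sz_size() returns for the data actually placed in the buffer, not a constant assumed to include two trailing NULs.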
1079   Mitigation:
1080          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1081              or the NTP Public Services Project Download Page
1082   Credit:
1083          This weakness was discovered by Cure53.
1084
1085* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
1086   References: Sec 3381
1087   Summary:
1088          The report says: Statically included external projects
1089          potentially introduce several problems and the issue of having
1090          extensive amounts of code that is "dead" in the resulting binary
1091          must clearly be pointed out.  The unnecessary unused code may or
1092          may not contain bugs and, quite possibly, might be leveraged for
1093          code-gadget-based branch-flow redirection exploits.  Analogically,
1094          having source trees statically included as well means a failure
1095          in taking advantage of the free feature for periodical updates.
1096          This solution is offered by the system's Package Manager. The
1097          three libraries identified are libisc, libevent, and libopts.
1098   Resolution:
1099          For libisc, we already only use a portion of the original library.
1100          We've found and fixed bugs in the original implementation (and
1101          offered the patches to ISC), and plan to see what has changed
1102          since we last upgraded the code.  libisc is generally not
1103          installed, and when it it we usually only see the static libisc.a
1104          file installed.  Until we know for sure that the bugs we've found
1105          and fixed are fixed upstream, we're better off with the copy we
1106          are using.
1107
1108        Version 1 of libevent was the only production version available
1109          until recently, and we've been requiring version 2 for a long time.
1110          But if the build system has at least version 2 of libevent
1111          installed, we'll use the version that is installed on the system.
1112          Otherwise, we provide a copy of libevent that we know works.
1113
1114        libopts is provided by GNU AutoGen, and that library and package
1115          undergoes frequent API version updates.  The version of autogen
1116          used to generate the tables for the code must match the API
1117          version in libopts.  AutoGen can be ... difficult to build and
1118          install, and very few developers really need it.  So we have it
1119          on our build and development machines, and we provide the
1120          specific version of the libopts code in the distribution to make
1121          sure that the proper API version of libopts is available.
1122
1123        As for the point about there being code in these libraries that
1124          NTP doesn't use, OK.  But other packages used these libraries as
1125          well, and it is reasonable to assume that other people are paying
1126          attention to security and code quality issues for the overall
          libraries.  It takes significant resources to analyze and
          customize these libraries to include only what we need, and to
          date we believe the benefit does not justify the cost of this effort.
1130   Credit:
1131          This issue was discovered by Cure53.
1132
1133* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
1134   Date Resolved: 21 Mar 2017
1135   References: Sec 3380
1136   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1137          ntp-4.3.0 up to, but not including ntp-4.3.94.
1138   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
1139   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
1140   Summary:
1141          There is a fencepost error in a "recovery branch" of the code for
1142          the Oncore GPS receiver if the communication link to the ONCORE
1143          is weak / distorted and the decoding doesn't work.
1144   Mitigation:
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
              the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
1149   Credit:
1150          This weakness was discovered by Cure53.
1151
1152* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
1153   Date Resolved: 21 Mar 2017
1154   References: Sec 3379 / CVE-2017-6458 / VU#325339
1155   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1156          ntp-4.3.0 up to, but not including ntp-4.3.94.
1157   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
1158   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1159   Summary:
1160          ntpd makes use of different wrappers around ctl_putdata() to
1161          create name/value ntpq (mode 6) response strings.  For example,
1162          ctl_putstr() is usually used to send string data (variable names
1163          or string data).  The formatting code was missing a length check
1164          for variable names.  If somebody explicitly created any unusually
1165          long variable names in ntpd (longer than 200-512 bytes, depending
1166          on the type of variable), then if any of these variables are
1167          added to the response list it would overflow a buffer.
1168   Mitigation:
1169          Implement BCP-38.
1170          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1171              or the NTP Public Services Project Download Page
1172          If you don't want to upgrade, then don't setvar variable names
1173              longer than 200-512 bytes in your ntp.conf file.
1174          Properly monitor your ntpd instances, and auto-restart
1175              ntpd (without -g) if it stops running.
1176   Credit:
1177          This weakness was discovered by Cure53.
1178
1179* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
1180   Date Resolved: 21 Mar 2017
1181   References: Sec 3378 / CVE-2017-6451 / VU#325339
1182   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1183          ntp-4.3.0 up to, but not including ntp-4.3.94.
1184   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
1185   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
1186   Summary:
          The legacy MX4200 refclock is only built if it is specifically
          enabled, and furthermore additional code changes are required to
          compile and use it.  But it uses the libc functions snprintf()
1190          and vsnprintf() incorrectly, which can lead to an out-of-bounds
1191          memory write due to an improper handling of the return value of
1192          snprintf()/vsnprintf().  Since the return value is used as an
1193          iterator and it can be larger than the buffer's size, it is
1194          possible for the iterator to point somewhere outside of the
1195          allocated buffer space.  This results in an out-of-bound memory
1196          write.  This behavior can be leveraged to overwrite a saved
1197          instruction pointer on the stack and gain control over the
1198          execution flow.  During testing it was not possible to identify
1199          any malicious usage for this vulnerability.  Specifically, no
1200          way for an attacker to exploit this vulnerability was ultimately
1201          unveiled.  However, it has the potential to be exploited, so the
1202          code should be fixed.
1203   Mitigation, if you have a Magnavox MX4200 refclock:
1204          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1205              or the NTP Public Services Project Download Page.
1206          Properly monitor your ntpd instances, and auto-restart
1207              ntpd (without -g) if it stops running.
1208   Credit:
1209          This weakness was discovered by Cure53.
1210
1211* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
1212          malicious ntpd (Medium)
1213   Date Resolved: 21 Mar 2017
1214   References: Sec 3377 / CVE-2017-6460 / VU#325339
1215   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
1216          ntp-4.3.0 up to, but not including ntp-4.3.94.
1217   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1218   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1219   Summary:
1220          A stack buffer overflow in ntpq can be triggered by a malicious
1221          ntpd server when ntpq requests the restriction list from the server.
1222          This is due to a missing length check in the reslist() function.
1223          It occurs whenever the function parses the server's response and
1224          encounters a flagstr variable of an excessive length.  The string
1225          will be copied into a fixed-size buffer, leading to an overflow on
1226          the function's stack-frame.  Note well that this problem requires
1227          a malicious server, and affects ntpq, not ntpd.
1228   Mitigation:
1229          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1230              or the NTP Public Services Project Download Page
          If you cannot upgrade your version of ntpq and you query the
              reslist of an ntpd instance that you do not control, be aware
              that a malicious ntpd can send back a response intended to
              crash your ntpq process.
1235   Credit:
1236          This weakness was discovered by Cure53.
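
   NTP-01-003 and NTP-01-002 above are two faces of the same C pitfall:
   writing into a fixed-size buffer without honoring its bound.  In the
   first, the snprintf()/vsnprintf() return value (which counts the bytes
   that *would* have been written) is used as a cursor; in the second, a
   parsed value is copied into a stack buffer without a length check.
   The following is an added example written for these notes, not code
   from ntpd or ntpq: buf_append(), parse_flagstr() and the "flagstr="
   item shape are hypothetical, and the sample items are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not ntpd code.  buf_append() treats the vsnprintf()
 * return value as "bytes that would have been written", never as a
 * cursor: on truncation the cursor is clamped to the last valid index
 * and the caller is told, so no later write can land past the buffer.
 */
static int
buf_append(char *buf, size_t size, size_t *used, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0 || *used >= size)
		return -1;			/* nothing left to write into */
	va_start(ap, fmt);
	n = vsnprintf(buf + *used, size - *used, fmt, ap);
	va_end(ap);
	if (n < 0)
		return -1;			/* encoding error */
	if ((size_t)n >= size - *used) {
		*used = size - 1;		/* truncated: clamp, do not run on */
		return -1;
	}
	*used += (size_t)n;
	return 0;
}

/*
 * Constructed shape of a mode 6 "name=value," item (hypothetical, not
 * ntpq's parser).  The value of "flagstr=" is copied into a fixed-size
 * destination only after its length is checked; an over-long value is
 * refused rather than truncated, since truncation could silently change
 * its meaning.  Returns 1 if 'out' was filled, 0 otherwise.
 */
static int
parse_flagstr(const char *item, char *out, size_t outsz)
{
	static const char key[] = "flagstr=";
	const char *val;
	size_t len;

	if (strncmp(item, key, sizeof key - 1) != 0)
		return 0;
	val = item + sizeof key - 1;
	len = strcspn(val, ",\r\n");
	if (len >= outsz)			/* would overflow 'out' */
		return 0;
	memcpy(out, val, len);
	out[len] = '\0';
	return 1;
}

int
main(void)
{
	char msg[16];
	size_t used = 0;
	char flags[16];
	char big[64];
	/* Constructed sample items, not captured ntpd output. */
	const char *item = "flagstr=noquery,";

	buf_append(msg, sizeof msg, &used, "%s", "refclock");
	if (buf_append(msg, sizeof msg, &used, "%s", "-overly-long-tail") != 0)
		printf("truncated, cursor clamped at %zu: \"%s\"\n", used, msg);

	memset(big, 'A', sizeof big - 1);
	big[sizeof big - 1] = '\0';
	memcpy(big, "flagstr=", 8);
	printf("normal item accepted: %d, oversized item accepted: %d\n",
	    parse_flagstr(item, flags, sizeof flags),
	    parse_flagstr(big, flags, sizeof flags));
	return 0;
}
```

   The two helpers make the fix visible in the return value: a caller
   that ignores -1 from buf_append() still cannot write past the buffer,
   and an over-long field never reaches memcpy() at all.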
1237
1238* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
1239   Date Resolved: 21 Mar 2017
1240   References: Sec 3376
1241   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
1242          ntp-4.3.0 up to, but not including ntp-4.3.94.
1243   CVSS2: N/A
1244   CVSS3: N/A
1245   Summary:
1246          The build process for NTP has not, by default, provided compile
1247          or link flags to offer "hardened" security options.  Package
1248          maintainers have always been able to provide hardening security
1249          flags for their builds.  As of ntp-4.2.8p10, the NTP build
1250          system has a way to provide OS-specific hardening flags.  Please
1251          note that this is still not a really great solution because it
1252          is specific to NTP builds.  It's inefficient to have every
1253          package supply, track and maintain this information for every
1254          target build.  It would be much better if there was a common way
1255          for OSes to provide this information in a way that arbitrary
1256          packages could benefit from it.
1257   Mitigation:
1258          Implement BCP-38.
1259          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1260              or the NTP Public Services Project Download Page
1261          Properly monitor your ntpd instances, and auto-restart
1262              ntpd (without -g) if it stops running.
1263   Credit:
1264          This weakness was reported by Cure53.
1265
1266* 0rigin DoS (Medium)
1267   Date Resolved: 21 Mar 2017
1268   References: Sec 3361 / CVE-2016-9042 / VU#325339
1269   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
1270   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
1271   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
1272   Summary:
1273          An exploitable denial of service vulnerability exists in the
1274          origin timestamp check functionality of ntpd 4.2.8p9.  A specially
1275          crafted unauthenticated network packet can be used to reset the
1276          expected origin timestamp for target peers.  Legitimate replies
1277          from targeted peers will fail the origin timestamp check (TEST2)
1278          causing the reply to be dropped and creating a denial of service
1279          condition.  This vulnerability can only be exploited if the
1280          attacker can spoof all of the servers.
1281   Mitigation:
1282          Implement BCP-38.
1283          Configure enough servers/peers that an attacker cannot target
1284              all of your time sources.
1285          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
1286              or the NTP Public Services Project Download Page
1287          Properly monitor your ntpd instances, and auto-restart
1288              ntpd (without -g) if it stops running.
1289   Credit:
1290          This weakness was discovered by Matthew Van Gundy of Cisco.
1291
1292Other fixes:
1293
1294* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
1295* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
1296  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
1297* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
1298* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
1299  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
1300  - original patch by Majdi S. Abbas
1301* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
1302* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
1303  - initial patch by Christos Zoulas
1304* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
1305  - move loader API from 'inline' to proper source
1306  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
1308* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
1309  - applied patch by Matthew Van Gundy
1310* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
1311  - applied some of the patches provided by Havard. Not all of them
1312    still match the current code base, and I did not touch libopt.
1313* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
1314  - applied patch by Reinhard Max. See bugzilla for limitations.
1315* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
1316  - fixed dependency inversion from [Bug 2837]
1317* [Bug 2896] Nothing happens if minsane < maxclock < minclock
1318  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
1319* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
1320  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
1321* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
1324* Update copyright year.
1325
1326--
1327(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
1328
1329* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
1330  - added missed changeset for automatic openssl lib detection
1331  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
1333* configure.ac cleanup.  stenn@ntp.org
1334* openssl configure cleanup.  stenn@ntp.org
1335
1336--
1337NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
1338
1339Focus: Security, Bug fixes, enhancements.
1340
1341Severity: HIGH
1342
1343In addition to bug fixes and enhancements, this release fixes the
1344following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
13455 low-severity vulnerabilities, and provides 28 other non-security
1346fixes and improvements:
1347
1348* Trap crash
1349   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1350   References: Sec 3119 / CVE-2016-9311 / VU#633847
1351   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1352          including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1353   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
1354   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
1355   Summary:
1356          ntpd does not enable trap service by default. If trap service
1357          has been explicitly enabled, an attacker can send a specially
1358          crafted packet to cause a null pointer dereference that will
1359          crash ntpd, resulting in a denial of service.
1360   Mitigation:
          Implement BCP-38.
          Use "restrict default noquery ..." in your ntp.conf file. Only
              allow mode 6 queries from trusted networks and hosts.
          Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
1368   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1369
1370* Mode 6 information disclosure and DDoS vector
1371   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1372   References: Sec 3118 / CVE-2016-9310 / VU#633847
1373   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
1374          including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
1375   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1376   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1377   Summary:
1378          An exploitable configuration modification vulnerability exists
1379          in the control mode (mode 6) functionality of ntpd. If, against
1380          long-standing BCP recommendations, "restrict default noquery ..."
1381          is not specified, a specially crafted control mode packet can set
1382          ntpd traps, providing information disclosure and DDoS
1383          amplification, and unset ntpd traps, disabling legitimate
1384          monitoring. A remote, unauthenticated, network attacker can
1385          trigger this vulnerability.
1386   Mitigation:
          Implement BCP-38.
          Use "restrict default noquery ..." in your ntp.conf file.
          Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
1393   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
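
   The trap-crash and mode 6 entries above both come down to the same
   ntp.conf setting.  As an added illustration for these notes (not a
   configuration shipped with NTP), here is the weak state the two
   advisories assume next to a hardened restrict section.  The
   192.0.2.0/24 network and the ntp1/ntp2.example.net sources are
   placeholders; substitute your own.

```conf
# Weak: either no "restrict default" line at all, or one with no flags.
# Every host that can reach the daemon may then send mode 6 queries,
# set or unset traps, and use the responses for amplification.
#
#   restrict default
#   server ntp1.example.net iburst

# Hardened: deny by default, then open only what is needed.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local monitoring (ntpq run on the host itself) keeps mode 6 access.
restrict 127.0.0.1
restrict ::1

# A trusted management network may query, but may not modify the
# configuration or set traps.  192.0.2.0/24 is a placeholder.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap

# Time sources (placeholder names).
server ntp1.example.net iburst
server ntp2.example.net iburst
```

   "noquery" on the default line is what closes the two advisories'
   attack surface; "notrap" additionally refuses trap registration from
   any host the more specific lines do not exempt.  This does not replace
   BCP-38 filtering at the network edge, which the entries list first.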
1394
1395* Broadcast Mode Replay Prevention DoS
1396   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1397   References: Sec 3114 / CVE-2016-7427 / VU#633847
1398   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1399          ntp-4.3.90 up to, but not including ntp-4.3.94.
1400   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1401   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1402   Summary:
1403          The broadcast mode of NTP is expected to only be used in a
1404          trusted network. If the broadcast network is accessible to an
1405          attacker, a potentially exploitable denial of service
1406          vulnerability in ntpd's broadcast mode replay prevention
1407          functionality can be abused. An attacker with access to the NTP
1408          broadcast domain can periodically inject specially crafted
1409          broadcast mode NTP packets into the broadcast domain which,
1410          while being logged by ntpd, can cause ntpd to reject broadcast
1411          mode packets from legitimate NTP broadcast servers.
1412   Mitigation:
1413        Implement BCP-38.
1414        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1415              or the NTP Public Services Project Download Page
1416        Properly monitor your ntpd instances, and auto-restart ntpd
1417              (without -g) if it stops running.
1418   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1419
1420* Broadcast Mode Poll Interval Enforcement DoS
1421   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1422   References: Sec 3113 / CVE-2016-7428 / VU#633847
1423   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
1424          ntp-4.3.90 up to, but not including ntp-4.3.94
1425   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
1426   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1427   Summary:
1428          The broadcast mode of NTP is expected to only be used in a
1429          trusted network. If the broadcast network is accessible to an
1430          attacker, a potentially exploitable denial of service
1431          vulnerability in ntpd's broadcast mode poll interval enforcement
1432          functionality can be abused. To limit abuse, ntpd restricts the
1433          rate at which each broadcast association will process incoming
1434          packets. ntpd will reject broadcast mode packets that arrive
1435          before the poll interval specified in the preceding broadcast
1436          packet expires. An attacker with access to the NTP broadcast
1437          domain can send specially crafted broadcast mode NTP packets to
1438          the broadcast domain which, while being logged by ntpd, will
1439          cause ntpd to reject broadcast mode packets from legitimate NTP
1440          broadcast servers.
1441   Mitigation:
1442        Implement BCP-38.
1443        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1444              or the NTP Public Services Project Download Page
1445        Properly monitor your ntpd instances, and auto-restart ntpd
1446              (without -g) if it stops running.
1447   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
1448
1449* Windows: ntpd DoS by oversized UDP packet
1450   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1451   References: Sec 3110 / CVE-2016-9312 / VU#633847
1452   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
1453          and ntp-4.3.0 up to, but not including ntp-4.3.94.
1454   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1455   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1456   Summary:
1457          If a vulnerable instance of ntpd on Windows receives a crafted
1458          malicious packet that is "too big", ntpd will stop working.
1459   Mitigation:
1460        Implement BCP-38.
1461        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1462              or the NTP Public Services Project Download Page
1463        Properly monitor your ntpd instances, and auto-restart ntpd
1464              (without -g) if it stops running.
1465   Credit: This weakness was discovered by Robert Pajak of ABB.
1466
1467* 0rigin (zero origin) issues
1468   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1469   References: Sec 3102 / CVE-2016-7431 / VU#633847
1470   Affects: ntp-4.2.8p8, and ntp-4.3.93.
1471   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
1472   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1473   Summary:
1474          Zero Origin timestamp problems were fixed by Bug 2945 in
1475          ntp-4.2.8p6. However, subsequent timestamp validation checks
1476          introduced a regression in the handling of some Zero origin
1477          timestamp checks.
1478   Mitigation:
1479        Implement BCP-38.
1480        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1481              or the NTP Public Services Project Download Page
1482        Properly monitor your ntpd instances, and auto-restart ntpd
1483              (without -g) if it stops running.
1484   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
1485          Malhotra of Boston University.
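
   Both 0rigin entries (the DoS against 4.2.8p9 fixed in 4.2.8p10 above,
   and the zero-origin regression fixed in this release) concern the
   same protocol check: TEST2, which compares a reply's origin timestamp
   with the transmit timestamp of the request we sent.  The following is
   an added example for these notes, not ntpd code: it implements the
   RFC 5905 check with the two properties the advisories turn on (a
   rejected packet must not alter what we expect next, and a zero origin
   is refused outright).  struct peer, origin_check() and the timestamps
   are constructed for the example; consuming the expected timestamp on
   acceptance is the example's own choice, not a claim about ntpd.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not ntpd code.  An NTP timestamp is a 64-bit 32.32
 * fixed-point value; TEST2 only compares for equality, so a uint64_t
 * stands in for ntpd's l_fp here.
 */
typedef uint64_t ntp_ts;

/* Per-peer state TEST2 depends on: the transmit timestamp of the last
 * request we sent.  A genuine reply must echo it as its origin. */
struct peer {
	ntp_ts xmt;		/* 0 means no request is outstanding */
};

enum test2_result {
	TEST2_OK,		/* origin matches our outstanding request */
	TEST2_ZERO_ORIGIN,	/* packet carries no origin timestamp */
	TEST2_BOGUS		/* origin does not match: not our reply */
};

/*
 * RFC 5905 TEST2: accept a reply only if its origin timestamp equals
 * the transmit timestamp of our outstanding request.
 *   - A rejected packet (zero or mismatched origin) never modifies peer
 *     state, so an unauthenticated sender cannot reset what we expect
 *     and thereby cause the genuine reply to be dropped.
 *   - On acceptance this example consumes p->xmt (a design choice of the
 *     example), so the same origin cannot be accepted a second time.
 */
static enum test2_result
origin_check(struct peer *p, ntp_ts pkt_org)
{
	if (pkt_org == 0)
		return TEST2_ZERO_ORIGIN;
	if (p->xmt == 0 || pkt_org != p->xmt)
		return TEST2_BOGUS;
	p->xmt = 0;
	return TEST2_OK;
}

/* Record that we sent a request whose transmit timestamp was t. */
static void
send_request(struct peer *p, ntp_ts t)
{
	p->xmt = t;
}

int
main(void)
{
	struct peer p = { 0 };
	enum test2_result r;
	/* Constructed timestamp, not captured traffic. */
	const ntp_ts t1 = 0xE8B3A2C100000000ULL;

	send_request(&p, t1);
	r = origin_check(&p, 0);
	printf("zero origin   -> %d, expectation intact: %d\n", r, p.xmt == t1);
	r = origin_check(&p, t1 + 1);
	printf("wrong origin  -> %d, expectation intact: %d\n", r, p.xmt == t1);
	r = origin_check(&p, t1);
	printf("genuine reply -> %d\n", r);
	r = origin_check(&p, t1);
	printf("replayed copy -> %d\n", r);
	return 0;
}
```

   The sequence in main() is the scenario the 4.2.8p9 entry describes:
   unauthenticated packets with a zero or wrong origin arrive first, and
   the genuine reply must still pass afterwards because nothing about the
   peer changed when they were rejected.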
1486
1487* read_mru_list() does inadequate incoming packet checks
1488   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1489   References: Sec 3082 / CVE-2016-7434 / VU#633847
1490   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
1491          ntp-4.3.0 up to, but not including ntp-4.3.94.
1492   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
1493   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1494   Summary:
1495          If ntpd is configured to allow mrulist query requests from a
1496          server that sends a crafted malicious packet, ntpd will crash
1497          on receipt of that crafted malicious mrulist query packet.
1498   Mitigation:
          Only allow mrulist query packets from trusted hosts.
          Implement BCP-38.
          Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
1505   Credit: This weakness was discovered by Magnus Stubman.
1506
1507* Attack on interface selection
1508   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1509   References: Sec 3072 / CVE-2016-7429 / VU#633847
1510   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1511          ntp-4.3.0 up to, but not including ntp-4.3.94
1512   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1513   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1514   Summary:
          When ntpd receives a server response on a socket that corresponds
          to a different interface than was used for the request, the peer
          structure is updated to use that interface for new requests.  If
          ntpd is running on a host with multiple interfaces in separate
          networks and the operating system doesn't check the source address
          of received packets (e.g. rp_filter on Linux is set to 0), an
          attacker who knows the address of the source can send a packet
          with a spoofed source address which will cause ntpd to select the
          wrong interface for the source and prevent it from sending new
          requests until the list of interfaces is refreshed, which happens
          on routing changes or every 5 minutes by default.  If the attack
          is repeated often enough (once per second), ntpd will not be able
          to synchronize with the source.
1528   Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
          If you are going to configure your OS to disable source address
              checks, also configure your firewall configuration to control
              what interfaces can receive packets from what networks.
          Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
1537   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1538
1539* Client rate limiting and server responses
1540   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1541   References: Sec 3071 / CVE-2016-7426 / VU#633847
1542   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
1543          ntp-4.3.0 up to, but not including ntp-4.3.94
1544   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
1545   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1546   Summary:
1547          When ntpd is configured with rate limiting for all associations
1548          (restrict default limited in ntp.conf), the limits are applied
1549          also to responses received from its configured sources. An
1550          attacker who knows the sources (e.g., from an IPv4 refid in
1551          server response) and knows the system is (mis)configured in this
1552          way can periodically send packets with spoofed source address to
1553          keep the rate limiting activated and prevent ntpd from accepting
1554          valid responses from its sources.
1555
1556          While this blanket rate limiting can be useful to prevent
1557          brute-force attacks on the origin timestamp, it allows this DoS
1558          attack. Similarly, it allows the attacker to prevent mobilization
1559          of ephemeral associations.
1560   Mitigation:
1561        Implement BCP-38.
1562        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1563              or the NTP Public Services Project Download Page
1564        Properly monitor your ntpd instances, and auto-restart ntpd
1565              (without -g) if it stops running.
1566   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1567
1568* Fix for bug 2085 broke initial sync calculations
1569   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
1570   References: Sec 3067 / CVE-2016-7433 / VU#633847
1571   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
1572          ntp-4.3.0 up to, but not including ntp-4.3.94. But the
1573          root-distance calculation in general is incorrect in all versions
1574          of ntp-4 until this release.
1575   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
1576   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
1577   Summary:
1578          Bug 2085 described a condition where the root delay was included
1579          twice, causing the jitter value to be higher than expected. Due
1580          to a misinterpretation of a small-print variable in The Book, the
1581          fix for this problem was incorrect, resulting in a root distance
1582          that did not include the peer dispersion. The calculations and
1583          formulae have been reviewed and reconciled, and the code has been
1584          updated accordingly.
1585   Mitigation:
1586        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
1587              or the NTP Public Services Project Download Page
1588        Properly monitor your ntpd instances, and auto-restart ntpd
1589              (without -g) if it stops running.
1590   Credit: This weakness was discovered independently by Brian Utterback of
1591          Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
1592
1593Other fixes:
1594
1595* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
1596* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
1597* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
1598  - moved retry decision where it belongs. <perlinger@ntp.org>
1599* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
1600  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
1601* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
1602* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
1603  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
1604* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
1605  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
1606  - added shim layer for SSL API calls with issues (both directions)
1607* [Bug 3089] Serial Parser does not work anymore for hopfser like device
1608  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
1609* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
1610* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
1611  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
1612* [Bug 3067] Root distance calculation needs improvement.  HStenn
1613* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
1614  - PPS-HACK works again.
1615* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
1616  - applied patch by Brian Utterback <brian.utterback@oracle.com>
1617* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
1618* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
1619  <perlinger@ntp.org>
1620  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
1621* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
1622  - Patch provided by Kuramatsu.
1623* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
1624  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
1625* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
1626* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
1627* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
1628* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
1629  - fixed GPS week expansion to work based on build date. Special thanks
1630    to Craig Leres for initial patch and testing.
1631* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
1632  - fixed Makefile.am <perlinger@ntp.org>
1633* [Bug 2689] ATOM driver processes last PPS pulse at startup,
1634             even if it is very old <perlinger@ntp.org>
1635  - make sure PPS source is alive before processing samples
1636  - improve stability close to the 500ms phase jump (phase gate)
1637* Fix typos in include/ntp.h.
1638* Shim X509_get_signature_nid() if needed
1639* git author attribution cleanup
1640* bk ignore file cleanup
1641* remove locks in Windows IO, use rpc-like thread synchronisation instead
1642
1643---
1644NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
1645
1646Focus: Security, Bug fixes, enhancements.
1647
1648Severity: HIGH
1649
1650In addition to bug fixes and enhancements, this release fixes the
1651following 1 high- and 4 low-severity vulnerabilities:
1652
1653* CRYPTO_NAK crash
1654   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1655   References: Sec 3046 / CVE-2016-4957 / VU#321640
1656   Affects: ntp-4.2.8p7, and ntp-4.3.92.
1657   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
1658   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1659   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
1660          could cause ntpd to crash.
1661   Mitigation:
1662        Implement BCP-38.
1663        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1664              or the NTP Public Services Project Download Page
1665        If you cannot upgrade from 4.2.8p7, the only other alternatives
1666              are to patch your code or filter CRYPTO_NAK packets.
1667        Properly monitor your ntpd instances, and auto-restart ntpd
1668              (without -g) if it stops running.
1669   Credit: This weakness was discovered by Nicolas Edet of Cisco.
1670
1671* Bad authentication demobilizes ephemeral associations
1672   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1673   References: Sec 3045 / CVE-2016-4953 / VU#321640
1674   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1675          ntp-4.3.0 up to, but not including ntp-4.3.93.
1676   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1677   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1678   Summary: An attacker who knows the origin timestamp and can send a
1679          spoofed packet containing a CRYPTO-NAK to an ephemeral peer
1680          target before any other response is sent can demobilize that
1681          association.
1682   Mitigation:
1683          Implement BCP-38.
1684          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1685              or the NTP Public Services Project Download Page
1686          Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1688
1689* Processing spoofed server packets
1690   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1691   References: Sec 3044 / CVE-2016-4954 / VU#321640
1692   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1693          ntp-4.3.0 up to, but not including ntp-4.3.93.
1694   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1695   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1696   Summary: An attacker who is able to spoof packets with correct origin
1697          timestamps from enough servers before the expected response
1698          packets arrive at the target machine can affect some peer
1699          variables and, for example, cause a false leap indication to be set.
1700   Mitigation:
1701          Implement BCP-38.
1702          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1703              or the NTP Public Services Project Download Page
1704          Properly monitor your ntpd instances.
1705   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
1706
1707* Autokey association reset
1708   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1709   References: Sec 3043 / CVE-2016-4955 / VU#321640
1710   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1711          ntp-4.3.0 up to, but not including ntp-4.3.93.
1712   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1713   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1714   Summary: An attacker who is able to spoof a packet with a correct
1715          origin timestamp before the expected response packet arrives at
1716          the target machine can send a CRYPTO_NAK or a bad MAC and cause
1717          the association's peer variables to be cleared. If this can be
1718          done often enough, it will prevent that association from working.
1719   Mitigation:
1720          Implement BCP-38.
1721          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1722              or the NTP Public Services Project Download Page
1723          Properly monitor your ntpd instances.
1724   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1725
1726* Broadcast interleave
1727   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
1728   References: Sec 3042 / CVE-2016-4956 / VU#321640
1729   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
1730          ntp-4.3.0 up to, but not including ntp-4.3.93.
1731   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
1732   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1733   Summary: The fix for NtpBug2978 does not cover broadcast associations,
1734          so broadcast clients can be triggered to flip into interleave mode.
1735   Mitigation:
1736          Implement BCP-38.
1737          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
1738              or the NTP Public Services Project Download Page
1739          Properly monitor your ntpd instances.
1740   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
1741
1742Other fixes:
1743* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
1744  - provide build environment
1745  - 'wint_t' and 'struct timespec' defined by VS2015
1746  - fixed print()/scanf() format issues
1747* [Bug 3052] Add a .gitignore file.  Edmund Wong.
1748* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
1749* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
1750  JPerlinger, HStenn.
1751* Fix typo in ntp-wait and plot_summary.  HStenn.
1752* Make sure we have an "author" file for git imports.  HStenn.
1753* Update the sntp problem tests for MacOS.  HStenn.
1754
1755---
1756NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
1757
1758Focus: Security, Bug fixes, enhancements.
1759
1760Severity: MEDIUM
1761
1762When building NTP from source, there is a new configure option
1763available, --enable-dynamic-interleave.  More information on this below.
1764
Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
versions of ntp.  These events have almost certainly happened in the
past; they were simply counted silently and not logged.  With the
increasing awareness around security, we feel it's better to clearly
log these events to help detect abusive behavior.  The increased
logging can also help detect other problems.
1771
1772In addition to bug fixes and enhancements, this release fixes the
1773following 9 low- and medium-severity vulnerabilities:
1774
1775* Improve NTP security against buffer comparison timing attacks,
1776  AKA: authdecrypt-timing
1777   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1778   References: Sec 2879 / CVE-2016-1550
1779   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1780          4.3.0 up to, but not including 4.3.92
1781   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
1782   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
1783   Summary: Packet authentication tests have been performed using
1784          memcmp() or possibly bcmp(), and it is potentially possible
1785          for a local or perhaps LAN-based attacker to send a packet with
1786          an authentication payload and indirectly observe how much of
1787          the digest has matched.
1788   Mitigation:
1789          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1790              or the NTP Public Services Project Download Page.
1791          Properly monitor your ntpd instances.
1792   Credit: This weakness was discovered independently by Loganaden
1793          Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
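
To make the difference concrete, here is an added example (not ntpd
source, and not a reproduction of ntpd's authentication path): a digest
comparison built on an early-exit memcmp() next to a constant-time one,
plus a helper that counts how many bytes an early-exit compare looks at
before returning, which is the quantity a timing measurement approximates.
The 16-byte digest, MAC_LEN and the function names are constructed for the
example.

```c
/* Added example; not ntpd source. Shows why an early-exit comparison of an
 * authentication digest leaks timing, and the constant-time alternative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 16  /* a 16-byte digest; constructed for the example */

/* Naive form: memcmp() is free to stop at the first differing byte, so the
 * running time grows with the length of the matching prefix. */
int mac_equal_naive(const unsigned char *expected, const unsigned char *got,
                    size_t len)
{
    return memcmp(expected, got, len) == 0;
}

/* Constant-time form: every byte is visited, differences are OR-ed into an
 * accumulator, and the final fold to 0/1 contains no data-dependent branch. */
int mac_equal_ct(const unsigned char *expected, const unsigned char *got,
                 size_t len)
{
    uint32_t acc = 0;
    size_t i;

    for (i = 0; i < len; i++)
        acc |= (uint32_t)(expected[i] ^ got[i]);
    /* acc is 0 only if all bytes matched; (acc - 1) then has its top bit set. */
    return (int)(((acc - 1u) >> 31) & 1u);
}

/* Models the observable behaviour of an early-exit compare: how many bytes it
 * looks at before returning. It exists to make the leak visible, nothing more. */
size_t bytes_examined_short_circuit(const unsigned char *a,
                                    const unsigned char *b, size_t len)
{
    size_t i;

    for (i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Flip one byte of a constructed digest at position pos and report how many
 * bytes the early-exit compare would examine. Returns 0 if pos is out of range. */
size_t profile_mismatch_at(size_t pos)
{
    static const unsigned char expected[MAC_LEN] = {   /* constructed digest */
        0x3c, 0xa7, 0x11, 0xe0, 0x5b, 0x92, 0xf4, 0x08,
        0xd6, 0x2e, 0x7b, 0xc9, 0x40, 0x15, 0x8d, 0x66
    };
    unsigned char got[MAC_LEN];

    if (pos >= MAC_LEN)
        return 0;
    memcpy(got, expected, MAC_LEN);
    got[pos] ^= 0x01;
    return bytes_examined_short_circuit(expected, got, MAC_LEN);
}

int main(void)
{
    size_t pos;

    /* The early-exit profile climbs 1, 2, ..., 16 as the matching prefix
     * grows; mac_equal_ct() touches all 16 bytes regardless. */
    for (pos = 0; pos < MAC_LEN; pos++)
        printf("mismatch at byte %2zu: early-exit compare examined %2zu bytes\n",
               pos, profile_mismatch_at(pos));
    return 0;
}
```

The accumulator form is the standard replacement for memcmp() on secrets:
the loop bound depends only on the digest length, and the final result is
computed arithmetically rather than by branching on the accumulated value.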
1794
1795* Zero origin timestamp bypass: Additional KoD checks.
1796   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
1799
1800* peer associations were broken by the fix for NtpBug2899
1801   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1802   References: Sec 2952 / CVE-2015-7704
1803   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1804          4.3.0 up to, but not including 4.3.92
1805   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1806   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
1807          associations did not address all of the issues.
1808   Mitigation:
1809        Implement BCP-38.
1810        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1811              or the NTP Public Services Project Download Page
1812        If you can't upgrade, use "server" associations instead of
1813              "peer" associations.
1814        Monitor your ntpd instances.
1815   Credit: This problem was discovered by Michael Tatarinov.
1816
1817* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
1818   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1819   References: Sec 3007 / CVE-2016-1547 / VU#718152
1820   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1821          4.3.0 up to, but not including 4.3.92
1822   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
1823   CVSS3: MED 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
1824   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
1825          off-path attacker can cause a preemptable client association to
1826          be demobilized by sending a crypto NAK packet to a victim client
1827          with a spoofed source address of an existing associated peer.
1828          This is true even if authentication is enabled.
1829
1830          Furthermore, if the attacker keeps sending crypto NAK packets,
1831          for example one every second, the victim never has a chance to
1832          reestablish the association and synchronize time with that
1833          legitimate server.
1834
1835          For ntp-4.2.8 thru ntp-4.2.8p6 there is less risk because more
1836          stringent checks are performed on incoming packets, but there
1837          are still ways to exploit this vulnerability in versions before
1838          ntp-4.2.8p7.
1839   Mitigation:
1840          Implement BCP-38.
1841          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1842              or the NTP Public Services Project Download Page
1843          Properly monitor your ntpd instances
1844   Credit: This weakness was discovered by Stephen Gray and
1845          Matthew Van Gundy of Cisco ASIG.
1846
1847* ctl_getitem() return value not always checked
1848   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1849   References: Sec 3008 / CVE-2016-2519
1850   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1851          4.3.0 up to, but not including 4.3.92
1852   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1853   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1854   Summary: ntpq and ntpdc can be used to store and retrieve information
1855          in ntpd. It is possible to store a data value that is larger
1856          than the size of the buffer that the ctl_getitem() function of
1857          ntpd uses to report the return value. If the length of the
1858          requested data value returned by ctl_getitem() is too large,
1859          the value NULL is returned instead. There are 2 cases where the
1860          return value from ctl_getitem() was not directly checked to make
1861          sure it's not NULL, but there are subsequent INSIST() checks
1862          that make sure the return value is not NULL. There are no data
1863          values ordinarily stored in ntpd that would exceed this buffer
1864          length. But if one has permission to store values and one stores
1865          a value that is "too large", then ntpd will abort if an attempt
1866          is made to read that oversized value.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
          Security Team, Qihoo 360.
1874
1875* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
1876   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1877   References: Sec 3009 / CVE-2016-2518 / VU#718152
1878   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1879          4.3.0 up to, but not including 4.3.92
1880   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
1881   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
1882   Summary: Using a crafted packet to create a peer association with
1883          hmode > 7 causes the MATCH_ASSOC() lookup to make an
1884          out-of-bounds reference.
1885   Mitigation:
1886          Implement BCP-38.
1887          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1888              or the NTP Public Services Project Download Page
1889          Properly monitor your ntpd instances
1890   Credit: This weakness was discovered by Yihan Lian of the Cloud
1891          Security Team, Qihoo 360.
1892
1893* remote configuration trustedkey/requestkey/controlkey values are not
1894          properly validated
1895   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1896   References: Sec 3010 / CVE-2016-2517 / VU#718152
1897   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1898          4.3.0 up to, but not including 4.3.92
1899   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
1900   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1901   Summary: If ntpd was expressly configured to allow for remote
1902          configuration, a malicious user who knows the controlkey for
1903          ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1904          can create a session with ntpd and then send a crafted packet to
1905          ntpd that will change the value of the trustedkey, controlkey,
1906          or requestkey to a value that will prevent any subsequent
1907          authentication with ntpd until ntpd is restarted.
1908   Mitigation:
1909          Implement BCP-38.
1910          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1911              or the NTP Public Services Project Download Page
1912          Properly monitor your ntpd instances
1913   Credit: This weakness was discovered by Yihan Lian of the Cloud
1914          Security Team, Qihoo 360.
1915
1916* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
1917   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1918   References: Sec 3011 / CVE-2016-2516 / VU#718152
1919   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
1920          4.3.0 up to, but not including 4.3.92
1921   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
1922   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
1923   Summary: If ntpd was expressly configured to allow for remote
1924          configuration, a malicious user who knows the controlkey for
1925          ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
1926          can create a session with ntpd and if an existing association is
1927          unconfigured using the same IP twice on the unconfig directive
1928          line, ntpd will abort.
1929   Mitigation:
1930          Implement BCP-38.
1931          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1932              or the NTP Public Services Project Download Page
1933          Properly monitor your ntpd instances
1934   Credit: This weakness was discovered by Yihan Lian of the Cloud
1935          Security Team, Qihoo 360.
1936
1937* Refclock impersonation vulnerability
1938   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1939   References: Sec 3020 / CVE-2016-1551
1940   Affects: On a very limited number of OSes, all NTP releases up to but
1941          not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
1942          By "very limited number of OSes" we mean no general-purpose OSes
1943          have yet been identified that have this vulnerability.
1944   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
1945   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1946   Summary: While most OSes implement martian packet filtering in their
1947          network stack, at least regarding 127.0.0.0/8, some will allow
1948          packets claiming to be from 127.0.0.0/8 that arrive over a
1949          physical network. On these OSes, if ntpd is configured to use a
1950          reference clock an attacker can inject packets over the network
1951          that look like they are coming from that reference clock.
1952   Mitigation:
1953        Implement martian packet filtering and BCP-38.
1954        Configure ntpd to use an adequate number of time sources.
1955        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
1956              or the NTP Public Services Project Download Page
1957        If you are unable to upgrade and if you are running an OS that
1958              has this vulnerability, implement martian packet filters and
1959              lobby your OS vendor to fix this problem, or run your
1960              refclocks on computers that use OSes that are not vulnerable
1961              to these attacks and have your vulnerable machines get their
1962              time from protected resources.
1963        Properly monitor your ntpd instances.
1964   Credit: This weakness was discovered by Matt Street and others of
1965          Cisco ASIG.
1966
1967The following issues were fixed in earlier releases and contain
1968improvements in 4.2.8p7:
1969
1970* Clients that receive a KoD should validate the origin timestamp field.
1971   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
1974
1975* Skeleton key: passive server with trusted key can serve time.
1976   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
1979
1980Two other vulnerabilities have been reported, and the mitigations
1981for these are as follows:
1982
1983* Interleave-pivot
1984   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
1985   References: Sec 2978 / CVE-2016-1548
1986   Affects: All ntp-4 releases.
1987   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
1988   CVSSv3: MED 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
1989   Summary: It is possible to change the time of an ntpd client or deny
1990          service to an ntpd client by forcing it to change from basic
1991          client/server mode to interleaved symmetric mode. An attacker
1992          can spoof a packet from a legitimate ntpd server with an origin
1993          timestamp that matches the peer->dst timestamp recorded for that
1994          server. After making this switch, the client will reject all
1995          future legitimate server responses. It is possible to force the
1996          victim client to move time after the mode has been changed.
1997          ntpq gives no indication that the mode has been switched.
1998   Mitigation:
1999        Implement BCP-38.
2000        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
2001              or the NTP Public Services Project Download Page.  These
2002              versions will not dynamically "flip" into interleave mode
2003              unless configured to do so.
2004        Properly monitor your ntpd instances.
2005   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
2006          and separately by Jonathan Gardner of Cisco ASIG.
2007
2008* Sybil vulnerability: ephemeral association attack
2009   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
2010   References: Sec 3012 / CVE-2016-1549
2011   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
2012          4.3.0 up to, but not including 4.3.92
2013   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
2015   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
2016          the feature introduced in ntp-4.2.8p6 allowing an optional 4th
2017          field in the ntp.keys file to specify which IPs can serve time,
2018          a malicious authenticated peer can create arbitrarily-many
2019          ephemeral associations in order to win the clock selection of
2020          ntpd and modify a victim's clock.
2021   Mitigation:
2022        Implement BCP-38.
2023        Use the 4th field in the ntp.keys file to specify which IPs
2024              can be time servers.
2025        Properly monitor your ntpd instances.
2026   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2027
2028Other fixes:
2029
* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
2031  - fixed yet another race condition in the threaded resolver code.
2032* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
2033* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
2034  - integrated patches by Loganaden Velvidron <logan@ntp.org>
2035    with some modifications & unit tests
2036* [Bug 2960] async name resolution fixes for chroot() environments.
2037  Reinhard Max.
2038* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
2039* [Bug 2995] Fixes to compile on Windows
2040* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
2041* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
2042  - Patch provided by Ch. Weisgerber
2043* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
2044  - A change related to [Bug 2853] forbids trailing white space in
2045    remote config commands. perlinger@ntp.org
2046* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
2047  - report and patch from Aleksandr Kostikov.
2048  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
2049* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
2050  - fixed memory leak in access list (auth[read]keys.c)
2051  - refactored handling of key access lists (auth[read]keys.c)
2052  - reduced number of error branches (authreadkeys.c)
2053* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
2054* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
             when the time of the server changed. perlinger@ntp.org
2057  - Check the initial delay calculation and reject/unpeer the broadcast
2058    server if the delay exceeds 50ms. Retry again after the next
2059    broadcast packet.
2060* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
2061* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
2062* Update html/xleave.html documentation.  Harlan Stenn.
2063* Update ntp.conf documentation.  Harlan Stenn.
2064* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
2065* Fix typo in html/monopt.html.  Harlan Stenn.
2066* Add README.pullrequests.  Harlan Stenn.
2067* Cleanup to include/ntp.h.  Harlan Stenn.
2068
2069New option to 'configure':
2070
While looking into the issues around Bug 2978, the "interleave pivot"
2072issue, it became clear that there are some intricate and unresolved
2073issues with interleave operations.  We also realized that the interleave
2074protocol was never added to the NTPv4 Standard, and it should have been.
2075
2076Interleave mode was first released in July of 2008, and can be engaged
2077in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
2079for that association.  Additionally, if a time packet arrives and is
2080found inconsistent with normal protocol behavior but has certain
2081characteristics that are compatible with interleave mode, NTP will
2082dynamically switch to interleave mode.  With sufficient knowledge, an
2083attacker can send a crafted forged packet to an NTP instance that
2084triggers only one side to enter interleaved mode.
2085
2086To prevent this attack until we can thoroughly document, describe,
2087fix, and test the dynamic interleave mode, we've added a new
2088'configure' option to the build process:
2089
2090 --enable-dynamic-interleave
2091
2092This option controls whether or not NTP will, if conditions are right,
2093engage dynamic interleave mode.  Dynamic interleave mode is disabled by
2094default in ntp-4.2.8p7.
2095
2096---
2097NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
2098
2099Focus: Security, Bug fixes, enhancements.
2100
2101Severity: MEDIUM
2102
2103In addition to bug fixes and enhancements, this release fixes the
2104following 1 low- and 8 medium-severity vulnerabilities:
2105
2106* Potential Infinite Loop in 'ntpq'
2107   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2108   References: Sec 2548 / CVE-2015-8158
2109   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2110          4.3.0 up to, but not including 4.3.90
2111   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
2112   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
2113   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
2114          The loop's only stopping conditions are receiving a complete and
2115          correct response or hitting a small number of error conditions.
2116          If the packet contains incorrect values that don't trigger one of
2117          the error conditions, the loop continues to receive new packets.
2118          Note well, this is an attack against an instance of 'ntpq', not
2119          'ntpd', and this attack requires the attacker to do one of the
2120          following:
2121          * Own a malicious NTP server that the client trusts
2122          * Prevent a legitimate NTP server from sending packets to
2123              the 'ntpq' client
2124          * MITM the 'ntpq' communications between the 'ntpq' client
2125              and the NTP server
2126   Mitigation:
2127          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2128          or the NTP Public Services Project Download Page
2129   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
2130
2131* 0rigin: Zero Origin Timestamp Bypass
2132   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2133   References: Sec 2945 / CVE-2015-8138
2134   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2135          4.3.0 up to, but not including 4.3.90
2136   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
2137   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
2138          (3.7 - LOW if you score AC:L)
2139   Summary: To distinguish legitimate peer responses from forgeries, a
2140          client attempts to verify a response packet by ensuring that the
2141          origin timestamp in the packet matches the origin timestamp it
2142          transmitted in its last request.  A logic error exists that
2143          allows packets with an origin timestamp of zero to bypass this
2144          check whenever there is not an outstanding request to the server.
2145   Mitigation:
2146          Configure 'ntpd' to get time from multiple sources.
2147          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2148              or the NTP Public Services Project Download Page.
2149          Monitor your 'ntpd' instances.
   Credit: This weakness was discovered by Matthew Van Gundy and
2151          Jonathan Gardner of Cisco ASIG.
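
The following is an added model of the origin-timestamp check described
here (Sec 2945), and of why the CRYPTO-NAK handling fixed under Sec 3007
in 4.2.8p7 depends on that same check.  It is not ntpd source: struct
assoc, struct reply, process_reply() and the sample transmit timestamp are
constructed for the example, and an l_fp is reduced to a single 64-bit
integer.  The vulnerable and the fixed form of the check are shown side by
side so the zero-origin case can be traced through both.

```c
/* Added example; not ntpd source. A simplified model of a client's
 * origin-timestamp check on server replies, showing the zero-origin bypass
 * (Sec 2945) and why a CRYPTO-NAK must pass that check before it is acted
 * on (Sec 3007). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t l_fp;  /* an NTP 64-bit timestamp, modelled as one integer */

struct assoc {
    l_fp xmt;           /* transmit timestamp of our outstanding request; 0 = none */
    bool mobilized;     /* false once the association has been torn down */
    unsigned rejected;  /* replies dropped by the origin check */
};

struct reply {
    l_fp org;           /* origin timestamp echoed by the sender */
    bool crypto_nak;    /* sender reports that our authentication failed */
};

/* Vulnerable form. With no request outstanding, a->xmt is 0, so a forged
 * reply carrying org == 0 compares equal and is accepted. */
static bool origin_ok_vulnerable(const struct assoc *a, const struct reply *r)
{
    return r->org == a->xmt;
}

/* Fixed form: there must be an outstanding request, and the echoed origin
 * must be that request's non-zero transmit timestamp. */
static bool origin_ok_fixed(const struct assoc *a, const struct reply *r)
{
    return a->xmt != 0 && r->org != 0 && r->org == a->xmt;
}

/* Handle one reply; returns true if it was accepted. The origin check runs
 * first, so a CRYPTO-NAK from a sender that cannot echo our transmit
 * timestamp is dropped instead of demobilizing the association. A consumed
 * request is cleared, so a second copy of the same reply fails the check. */
bool process_reply(struct assoc *a, const struct reply *r, bool fixed)
{
    bool ok = fixed ? origin_ok_fixed(a, r) : origin_ok_vulnerable(a, r);

    if (!ok) {
        a->rejected++;
        return false;
    }
    a->xmt = 0;
    if (r->crypto_nak)
        a->mobilized = false;   /* ntpd does this for preemptable/ephemeral associations */
    return true;
}

#define SAMPLE_XMT 0xE3A1C8F0A1B2C3D4ULL   /* constructed sample transmit timestamp */

/* No request outstanding; a zero-origin reply carrying a CRYPTO-NAK arrives.
 * Returns 1 if the association ended up demobilized. */
int demo_zero_origin_nak_demobilizes(bool fixed)
{
    struct assoc a = { 0, true, 0 };
    struct reply r = { 0, true };

    process_reply(&a, &r, fixed);
    return a.mobilized ? 0 : 1;
}

/* A genuine reply echoing the outstanding transmit timestamp, then an exact
 * duplicate of it. Returns how many of the two were accepted. */
int demo_genuine_then_duplicate(bool fixed)
{
    struct assoc a = { SAMPLE_XMT, true, 0 };
    struct reply r = { SAMPLE_XMT, false };
    int accepted = 0;

    accepted += process_reply(&a, &r, fixed) ? 1 : 0;
    accepted += process_reply(&a, &r, fixed) ? 1 : 0;
    return accepted;
}

int main(void)
{
    printf("zero-origin NAK demobilizes: vulnerable=%d fixed=%d\n",
           demo_zero_origin_nak_demobilizes(false),
           demo_zero_origin_nak_demobilizes(true));
    printf("genuine+duplicate accepted:  vulnerable=%d fixed=%d\n",
           demo_genuine_then_duplicate(false),
           demo_genuine_then_duplicate(true));
    return 0;
}
```

The point of the model is the ordering: authentication status is only
consulted after the reply has proven it answers a request this client
actually sent, and "no request outstanding" is treated as a reason to
reject, not as a zero to compare against.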
2152
2153* Stack exhaustion in recursive traversal of restriction list
2154   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
2155   References: Sec 2940 / CVE-2015-7978
2156   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2157          4.3.0 up to, but not including 4.3.90
2158   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
2159   Summary: An unauthenticated 'ntpdc reslist' command can cause a
2160          segmentation fault in ntpd by exhausting the call stack.
2161   Mitigation:
2162          Implement BCP-38.
2163          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2164              or the NTP Public Services Project Download Page.
2165          If you are unable to upgrade:
2166            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
2167              If you must enable mode 7:
2168                    configure the use of a 'requestkey' to control who can
2169                        issue mode 7 requests.
2170                    configure 'restrict noquery' to further limit mode 7
2171                        requests to trusted sources.
2172                    Monitor your ntpd instances.
2173   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
2174
* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
2176   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2177   References: Sec 2942 / CVE-2015-7979
2178   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2179          4.3.0 up to, but not including 4.3.90
2180   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
2181   Summary: An off-path attacker can send broadcast packets with bad
2182          authentication (wrong key, mismatched key, incorrect MAC, etc)
2183          to broadcast clients. It is observed that the broadcast client
2184          tears down the association with the broadcast server upon
2185          receiving just one bad packet.
2186   Mitigation:
2187          Implement BCP-38.
2188          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2189          or the NTP Public Services Project Download Page.
2190          Monitor your 'ntpd' instances.
2191          If this sort of attack is an active problem for you, you have
2192              deeper problems to investigate.  In this case also consider
2193              having smaller NTP broadcast domains.
2194   Credit: This weakness was discovered by Aanchal Malhotra of Boston
2195          University.
2196
2197* reslist NULL pointer dereference
2198   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2199   References: Sec 2939 / CVE-2015-7977
2200   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2201          4.3.0 up to, but not including 4.3.90
2202   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
2203   Summary: An unauthenticated 'ntpdc reslist' command can cause a
2204          segmentation fault in ntpd by causing a NULL pointer dereference.
2205   Mitigation:
2206          Implement BCP-38.
2207          Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
2208          the NTP Public Services Project Download Page.
2209          If you are unable to upgrade:
2210              mode 7 is disabled by default.  Don't enable it.
2211              If you must enable mode 7:
2212                    configure the use of a 'requestkey' to control who can
2213                        issue mode 7 requests.
2214                    configure 'restrict noquery' to further limit mode 7
2215                        requests to trusted sources.
2216          Monitor your ntpd instances.
2217   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
2218
2219* 'ntpq saveconfig' command allows dangerous characters in filenames.
2220   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2221   References: Sec 2938 / CVE-2015-7976
2222   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2223          4.3.0 up to, but not including 4.3.90
2224   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
2225   Summary: The ntpq saveconfig command does not do adequate filtering
2226          of special characters from the supplied filename.
2227          Note well: The ability to use the saveconfig command is controlled
2228          by the 'restrict nomodify' directive, and the recommended default
2229          configuration is to disable this capability.  If the ability to
2230          execute a 'saveconfig' is required, it can easily (and should) be
2231          limited and restricted to a known small number of IP addresses.
2232   Mitigation:
2233          Implement BCP-38.
          Use 'restrict default nomodify' in your 'ntp.conf' file.
2235          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
2236          If you are unable to upgrade:
2237              build NTP with 'configure --disable-saveconfig' if you will
2238                    never need this capability, or
2239              use 'restrict default nomodify' in your 'ntp.conf' file.  Be
2240                    careful about what IPs have the ability to send 'modify'
2241                    requests to 'ntpd'.
2242          Monitor your ntpd instances.
2243          'saveconfig' requests are logged to syslog - monitor your syslog files.
2244   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
2245
2246* nextvar() missing length check in ntpq
2247   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2248   References: Sec 2937 / CVE-2015-7975
2249   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2250          4.3.0 up to, but not including 4.3.90
2251   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
2252          If you score A:C, this becomes 4.0.
2253   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
2254   Summary: ntpq may call nextvar() which executes a memcpy() into the
2255          name buffer without a proper length check against its maximum
          length of 256 bytes. Note well that we're talking about ntpq here.
2257          The usual worst-case effect of this vulnerability is that the
2258          specific instance of ntpq will crash and the person or process
2259          that did this will have stopped themselves.
2260   Mitigation:
2261          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2262              or the NTP Public Services Project Download Page.
2263          If you are unable to upgrade:
2264              If you have scripts that feed input to ntpq make sure there are
2265                    some sanity checks on the input received from the "outside".
2266              This is potentially more dangerous if ntpq is run as root.
2267   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
2268
2269* Skeleton Key: Any trusted key system can serve time
2270   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2271   References: Sec 2936 / CVE-2015-7974
2272   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2273          4.3.0 up to, but not including 4.3.90
2274   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
2275   Summary: Symmetric key encryption uses a shared trusted key. The
2276          reported title for this issue was "Missing key check allows
2277          impersonation between authenticated peers" and the report claimed
2278          "A key specified only for one server should only work to
2279          authenticate that server, other trusted keys should be refused."
          Except there has never been any correlation between this trusted
          key and server or client machines, and there has never been any
          way to specify a key only for one server. We have treated this as
2283          an enhancement request, and ntp-4.2.8p6 includes other checks and
2284          tests to strengthen clients against attacks coming from broadcast
2285          servers.
2286   Mitigation:
2287          Implement BCP-38.
2288          If this scenario represents a real or a potential issue for you,
2289              upgrade to 4.2.8p6, or later, from the NTP Project Download
2290              Page or the NTP Public Services Project Download Page, and
2291              use the new field in the ntp.keys file that specifies the list
2292              of IPs that are allowed to serve time. Note that this alone
2293              will not protect against time packets with forged source IP
2294              addresses, however other changes in ntp-4.2.8p6 provide
2295              significant mitigation against broadcast attacks. MITM attacks
2296              are a different story.
2297          If you are unable to upgrade:
2298              Don't use broadcast mode if you cannot monitor your client
2299                    servers.
              If you choose to use symmetric keys to authenticate time
                    packets in a hostile environment where ephemeral time
                    servers can be created, or if it is expected that malicious
                    time servers will participate in an NTP broadcast domain,
                    limit the number of systems that participate in the
                    shared-key group.
2306          Monitor your ntpd instances.
2307   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
2308
2309* Deja Vu: Replay attack on authenticated broadcast mode
2310   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
2311   References: Sec 2935 / CVE-2015-7973
2312   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
2313          4.3.0 up to, but not including 4.3.90
2314   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
2315   Summary: If an NTP network is configured for broadcast operations then
2316          either a man-in-the-middle attacker or a malicious participant
2317          that has the same trusted keys as the victim can replay time packets.
2318   Mitigation:
2319          Implement BCP-38.
2320          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
2321              or the NTP Public Services Project Download Page.
2322          If you are unable to upgrade:
2323              Don't use broadcast mode if you cannot monitor your client servers.
2324          Monitor your ntpd instances.
2325   Credit: This weakness was discovered by Aanchal Malhotra of Boston
2326          University.
2327
2328Other fixes:
2329
2330* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
2331* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
2332  - applied patch by shenpeng11@huawei.com with minor adjustments
2333* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
2334* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
2335* [Bug 2892] Several test cases assume IPv6 capabilities even when
2336             IPv6 is disabled in the build. perlinger@ntp.org
2337  - Found this already fixed, but validation led to cleanup actions.
2338* [Bug 2905] DNS lookups broken. perlinger@ntp.org
2339  - added limits to stack consumption, fixed some return code handling
2340* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2341  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
2343* [Bug 2980] reduce number of warnings. perlinger@ntp.org
2344  - integrated several patches from Havard Eidnes (he@uninett.no)
2345* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
2346  - implement 'auth_log2()' using integer bithack instead of float calculation
2347* Make leapsec_query debug messages less verbose.  Harlan Stenn.
2348
2349---
2350NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
2351
2352Focus: Security, Bug fixes, enhancements.
2353
2354Severity: MEDIUM
2355
2356In addition to bug fixes and enhancements, this release fixes the
2357following medium-severity vulnerability:
2358
2359* Small-step/big-step.  Close the panic gate earlier.
2360    References: Sec 2956, CVE-2015-5300
2361    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
2362          4.3.0 up to, but not including 4.3.78
2363    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
2364    Summary: If ntpd is always started with the -g option, which is
2365          common and against long-standing recommendation, and if at the
2366          moment ntpd is restarted an attacker can immediately respond to
2367          enough requests from enough sources trusted by the target, which
2368          is difficult and not common, there is a window of opportunity
2369          where the attacker can cause ntpd to set the time to an
2370          arbitrary value. Similarly, if an attacker is able to respond
2371          to enough requests from enough sources trusted by the target,
2372          the attacker can cause ntpd to abort and restart, at which
2373          point it can tell the target to set the time to an arbitrary
2374          value if and only if ntpd was re-started against long-standing
2375          recommendation with the -g flag, or if ntpd was not given the
2376          -g flag, the attacker can move the target system's time by at
2377          most 900 seconds' time per attack.
2378    Mitigation:
2379          Configure ntpd to get time from multiple sources.
          Upgrade to 4.2.8p5, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
2382          As we've long documented, only use the -g option to ntpd in
2383              cold-start situations.
2384          Monitor your ntpd instances.
2385    Credit: This weakness was discovered by Aanchal Malhotra,
2386          Isaac E. Cohen, and Sharon Goldberg at Boston University.
2387
2388    NOTE WELL: The -g flag disables the limit check on the panic_gate
2389          in ntpd, which is 900 seconds by default. The bug identified by
2390          the researchers at Boston University is that the panic_gate
2391          check was only re-enabled after the first change to the system
2392          clock that was greater than 128 milliseconds, by default. The
2393          correct behavior is that the panic_gate check should be
2394          re-enabled after any initial time correction.
2395
2396          If an attacker is able to inject consistent but erroneous time
2397          responses to your systems via the network or "over the air",
2398          perhaps by spoofing radio, cellphone, or navigation satellite
2399          transmissions, they are in a great position to affect your
2400          system's clock. There comes a point where your very best
2401          defenses include:
2402
2403              Configure ntpd to get time from multiple sources.
2404              Monitor your ntpd instances.
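
    The following is an added illustration, not ntpd source: a small C model
    of the panic-gate behaviour described in the NOTE WELL above, with
    allow_panic standing in for the effect of -g. The 50 ms and 50000 s
    offsets are constructed sample values; gate_state, offer_offset and the
    helper functions are hypothetical names.

```c
/* Added illustration, not ntpd source: a model of the panic gate described
 * above.  allow_panic stands in for the effect of starting ntpd with -g. */
#include <stdbool.h>
#include <stdio.h>

#define PANIC_GATE_SEC   900.0   /* default panic threshold (seconds) */
#define STEP_THRESH_SEC  0.128   /* default step threshold (128 ms)   */

typedef struct {
    bool allow_panic;   /* -g: skip the panic-gate check for the first correction */
    bool buggy;         /* true models pre-4.2.8p5 behaviour, false the fix */
    int  accepted;      /* corrections applied */
    int  refused;       /* corrections refused by the gate */
} gate_state;

static double absd(double x) { return x < 0 ? -x : x; }

/* Offer one measured offset to the model.  Returns true if the clock would
 * be adjusted, false if the panic gate refuses it.  Real ntpd logs the
 * offset and exits at that point; the model only counts the refusal. */
bool offer_offset(gate_state *st, double offset)
{
    if (absd(offset) > PANIC_GATE_SEC && !st->allow_panic) {
        st->refused++;
        return false;
    }
    st->accepted++;
    if (st->buggy) {
        /* Pre-fix: the gate was closed only after a correction larger than
         * the step threshold, so a small initial slew left it open. */
        if (absd(offset) > STEP_THRESH_SEC)
            st->allow_panic = false;
    } else {
        /* Fixed: any initial correction closes the gate. */
        st->allow_panic = false;
    }
    return true;
}

/* Scenario from the advisory: ntpd restarted with -g, the first sample is a
 * harmless 50 ms slew, then a hostile source supplies a 50000 s offset.
 * Returns how many of the two offsets the model accepted. */
int accepted_with_g(bool buggy)
{
    const double offsets[] = { 0.050, 50000.0 };   /* constructed sample */
    gate_state st = { .allow_panic = true, .buggy = buggy };
    int n = 0;
    for (size_t i = 0; i < sizeof offsets / sizeof offsets[0]; i++)
        if (offer_offset(&st, offsets[i]))
            n++;
    return n;
}

/* Without -g the gate is closed from the start: offsets above 900 s are
 * refused outright, which is why the advisory caps an attack at 900 s. */
bool accepted_without_g(double offset)
{
    gate_state st = { .allow_panic = false, .buggy = false };
    return offer_offset(&st, offset);
}

int main(void)
{
    printf("-g, pre-fix gate : %d of 2 offsets accepted\n", accepted_with_g(true));
    printf("-g, fixed gate   : %d of 2 offsets accepted\n", accepted_with_g(false));
    printf("no -g, 50000 s   : %s\n",
           accepted_without_g(50000.0) ? "accepted" : "refused");
    return 0;
}
```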
2405
2406Other fixes:
2407
2408* Coverity submission process updated from Coverity 5 to Coverity 7.
2409  The NTP codebase has been undergoing regular Coverity scans on an
2410  ongoing basis since 2006.  As part of our recent upgrade from
2411  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
2412  the newly-written Unity test programs.  These were fixed.
2413* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
2414* [Bug 2887] stratum -1 config results as showing value 99
2415  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
2416* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
2417* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
2418* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
2419  - applied patch by Christos Zoulas.  perlinger@ntp.org
2420* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
2421* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
2422  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
2423  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
2424* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
2425  - accept key file only if there are no parsing errors
2426  - fixed size_t/u_int format clash
2427  - fixed wrong use of 'strlcpy'
2428* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
2429* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
2430  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
2431  - promote use of 'size_t' for values that express a size
2432  - use ptr-to-const for read-only arguments
2433  - make sure SOCKET values are not truncated (win32-specific)
2434  - format string fixes
2435* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
2436* [Bug 2967] ntpdate command suffers an assertion failure
2437  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
2438* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
2439              lots of clients. perlinger@ntp.org
2440* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
2441  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
2442* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
2443* Unity test cleanup.  Harlan Stenn.
2444* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
2445* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
2446* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
2447* Quiet a warning from clang.  Harlan Stenn.
2448
2449---
2450NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
2451
2452Focus: Security, Bug fixes, enhancements.
2453
2454Severity: MEDIUM
2455
2456In addition to bug fixes and enhancements, this release fixes the
2457following 13 low- and medium-severity vulnerabilities:
2458
2459* Incomplete vallen (value length) checks in ntp_crypto.c, leading
2460  to potential crashes or potential code injection/information leakage.
2461
2462    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
2463    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2464          and 4.3.0 up to, but not including 4.3.77
2465    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
2466    Summary: The fix for CVE-2014-9750 was incomplete in that there were
2467          certain code paths where a packet with particular autokey operations
2468          that contained malicious data was not always being completely
2469          validated. Receipt of these packets can cause ntpd to crash.
    Mitigation:
          Don't use autokey.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          Monitor your ntpd instances.
    Credit: This weakness was discovered by Tenable Network Security.
2476
2477* Clients that receive a KoD should validate the origin timestamp field.
2478
2479    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
2480    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2481          and 4.3.0 up to, but not including 4.3.77
2482    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
2483    Summary: An ntpd client that honors Kiss-of-Death responses will honor
2484          KoD messages that have been forged by an attacker, causing it to
2485          delay or stop querying its servers for time updates. Also, an
2486          attacker can forge packets that claim to be from the target and
2487          send them to servers often enough that a server that implements
2488          KoD rate limiting will send the target machine a KoD response to
2489          attempt to reduce the rate of incoming packets, or it may also
2490          trigger a firewall block at the server for packets from the target
2491          machine. For either of these attacks to succeed, the attacker must
2492          know what servers the target is communicating with. An attacker
2493          can be anywhere on the Internet and can frequently learn the
2494          identity of the target's time source by sending the target a
2495          time query.
    Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page.
          If you can't upgrade, restrict who can query ntpd to learn who
              its servers are, and what IPs are allowed to ask your system
              for the time. This mitigation is heavy-handed.
          Monitor your ntpd instances.
2504    Note:
2505          4.2.8p4 protects against the first attack. For the second attack,
2506          all we can do is warn when it is happening, which we do in 4.2.8p4.
2507    Credit: This weakness was discovered by Aanchal Malhotra,
          Isaac E. Cohen, and Sharon Goldberg of Boston University.
2509
2510* configuration directives to change "pidfile" and "driftfile" should
2511  only be allowed locally.
2512
2513  References: Sec 2902 / CVE-2015-5196
2514  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2515          and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
  Summary: If ntpd is configured to allow for remote configuration,
          and if the (possibly spoofed) source IP address is allowed to
          send remote configuration requests, and if the attacker knows
          the remote configuration password, it's possible for an attacker
          to use the "pidfile" or "driftfile" directives to potentially
          overwrite other files.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you cannot upgrade, don't enable remote configuration.
          If you must enable remote configuration and cannot upgrade,
              remote configuration of NTF's ntpd requires:
              - an explicitly configured trustedkey, and you should also
                    configure a controlkey.
              - access from a permitted IP. You choose the IPs.
              - authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
2536
2537* Slow memory leak in CRYPTO_ASSOC
2538
2539  References: Sec 2909 / CVE-2015-7701
2540  Affects: All ntp-4 releases that use autokey up to, but not
2541    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2542  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
2543          4.6 otherwise
2544  Summary: If ntpd is configured to use autokey, then an attacker can
2545          send packets to ntpd that will, after several days of ongoing
2546          attack, cause it to run out of memory.
2547  Mitigation:
2548          Don't use autokey.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
2551          Monitor your ntpd instances.
2552  Credit: This weakness was discovered by Tenable Network Security.
2553
2554* mode 7 loop counter underrun
2555
2556  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
2557  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2558          and 4.3.0 up to, but not including 4.3.77
2559  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
          use of mode 7 packets is not properly protected through the use of
          the available mode 7 authentication and restriction mechanisms,
          and if the (possibly spoofed) source IP address is allowed to
          send mode 7 queries, then an attacker can send a crafted packet
          to ntpd that will cause it to crash.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade:
              In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
              If you must enable mode 7:
                    configure the use of a requestkey to control who can issue
                          mode 7 requests.
                    configure restrict noquery to further limit mode 7 requests
                          to trusted sources.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.
2579
2580* memory corruption in password store
2581
2582  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
          4.3.0 up to, but not including 4.3.77
2584  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
2585  Summary: If ntpd is configured to allow remote configuration, and if
2586          the (possibly spoofed) source IP address is allowed to send
2587          remote configuration requests, and if the attacker knows the
2588          remote configuration password or if ntpd was configured to
2589          disable authentication, then an attacker can send a set of
2590          packets to ntpd that may cause a crash or theoretically
2591          perform a code injection attack.
2592  Mitigation:
2593          Implement BCP-38.
2594          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2595              Page or the NTP Public Services Project Download Page.
2596          If you are unable to upgrade, remote configuration of NTF's
2597              ntpd requires:
2598                    an explicitly configured "trusted" key. Only configure
2599                              this if you need it.
2600                    access from a permitted IP address. You choose the IPs.
2601                    authentication. Don't disable it. Practice secure key safety.
2602          Monitor your ntpd instances.
2603  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2604
2605* Infinite loop if extended logging enabled and the logfile and
2606  keyfile are the same.
2607
2608    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
2609    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
2610          and 4.3.0 up to, but not including 4.3.77
2611    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2612    Summary: If ntpd is configured to allow remote configuration, and if
2613          the (possibly spoofed) source IP address is allowed to send
2614          remote configuration requests, and if the attacker knows the
2615          remote configuration password or if ntpd was configured to
2616          disable authentication, then an attacker can send a set of
2617          packets to ntpd that will cause it to crash and/or create a
2618          potentially huge log file. Specifically, the attacker could
2619          enable extended logging, point the key file at the log file,
2620          and cause what amounts to an infinite loop.
2621    Mitigation:
2622          Implement BCP-38.
2623          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2624              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's ntpd
              requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from a permitted IP address. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
2632    Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2633
2634* Potential path traversal vulnerability in the config file saving of
2635  ntpd on VMS.
2636
2637  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
2638  Affects: All ntp-4 releases running under VMS up to, but not
2639          including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2640  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
2641  Summary: If ntpd is configured to allow remote configuration, and if
2642          the (possibly spoofed) IP address is allowed to send remote
2643          configuration requests, and if the attacker knows the remote
2644          configuration password or if ntpd was configured to disable
2645          authentication, then an attacker can send a set of packets to
2646          ntpd that may cause ntpd to overwrite files.
2647  Mitigation:
2648          Implement BCP-38.
2649          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2650              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's ntpd
              requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from permitted IP addresses. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
2659
2660* ntpq atoascii() potential memory corruption
2661
2662  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
2663  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
2664          and 4.3.0 up to, but not including 4.3.77
2665  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
          is listening for data and the port number it is listening on, or
          if the attacker can provide a malicious instance of ntpd that
          victims will connect to, then an attacker can send a set of
          crafted mode 6 response packets that, if received by ntpq,
          can cause ntpq to crash.
2672  Mitigation:
2673          Implement BCP-38.
2674          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2675              Page or the NTP Public Services Project Download Page.
2676          If you are unable to upgrade and you run ntpq against a server
2677              and ntpq crashes, try again using raw mode. Build or get a
2678              patched ntpq and see if that fixes the problem. Report new
2679              bugs in ntpq or abusive servers appropriately.
2680          If you use ntpq in scripts, make sure ntpq does what you expect
2681              in your scripts.
2682  Credit: This weakness was discovered by Yves Younan and
          Aleksandar Nikolic of Cisco Talos.
2684
2685* Invalid length data provided by a custom refclock driver could cause
2686  a buffer overflow.
2687
2688  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
2689  Affects: Potentially all ntp-4 releases running up to, but not
2690          including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
2691          that have custom refclocks
2692  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
2693          5.9 unusual worst case
2694  Summary: A negative value for the datalen parameter will overflow a
2695          data buffer. NTF's ntpd driver implementations always set this
2696          value to 0 and are therefore not vulnerable to this weakness.
2697          If you are running a custom refclock driver in ntpd and that
2698          driver supplies a negative value for datalen (no custom driver
2699          of even minimal competence would do this) then ntpd would
2700          overflow a data buffer. It is even hypothetically possible
2701          in this case that instead of simply crashing ntpd the attacker
2702          could effect a code injection attack.
2703  Mitigation:
2704          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2705              Page or the NTP Public Services Project Download Page.
2706          If you are unable to upgrade:
2707                    If you are running custom refclock drivers, make sure
2708                              the signed datalen value is either zero or positive.
2709          Monitor your ntpd instances.
2710  Credit: This weakness was discovered by Yves Younan of Cisco Talos.
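
  The following is an added illustration, not ntpd source, serving both
  the nextvar() entry above (CVE-2015-7975) and this refclock datalen entry:
  one signed-length check applied before memcpy() rejects a negative
  length as well as a length that does not fit, shown inside a constructed
  "name=value" list parser using the 256-byte name buffer the nextvar()
  entry mentions. NAME_MAX_LEN, bounded_copy, parse_varlist and the sample
  lists are hypothetical names and constructed inputs.

```c
/* Added illustration, not ntpd source.  The same length check covers both
 * advisories: a negative length (refclock datalen) and a length that does
 * not fit the destination (nextvar() name buffer). */
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 256   /* size of the name buffer named in the nextvar() entry */

/* Copy len bytes of src into dst (capacity cap) and NUL-terminate.
 * len is signed on purpose: passed straight to memcpy(), a negative value
 * becomes a huge size_t.  Returns 0 on success, -1 if len is negative or
 * would not leave room for the terminator. */
int bounded_copy(char *dst, size_t cap, const char *src, long len)
{
    if (len < 0 || (size_t)len >= cap)
        return -1;
    memcpy(dst, src, (size_t)len);
    dst[len] = '\0';
    return 0;
}

/* Walk a constructed "name=value,name=value" list of the shape ntpq works
 * with, copying each name into a NAME_MAX_LEN buffer.  Returns the number
 * of names parsed, or -1 as soon as a name would not fit (fail closed
 * instead of overflowing). */
int parse_varlist(const char *list)
{
    char name[NAME_MAX_LEN];
    int count = 0;
    const char *p = list;

    while (*p != '\0') {
        const char *end = strchr(p, ',');
        size_t item_len = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', item_len);
        size_t name_len = eq ? (size_t)(eq - p) : item_len;

        if (bounded_copy(name, sizeof name, p, (long)name_len) != 0)
            return -1;
        count++;
        p = end ? end + 1 : p + item_len;
    }
    return count;
}

/* Demo helper: copy len bytes from a constructed 512-byte source into a
 * NAME_MAX_LEN buffer; returns bounded_copy()'s result. */
int copy_result(long len)
{
    static char src[512];
    char name[NAME_MAX_LEN];
    memset(src, 'x', sizeof src);
    return bounded_copy(name, sizeof name, src, len);
}

/* Demo helper: a constructed list whose first name is 264 bytes, 8 over the cap. */
int overlong_name_result(void)
{
    char list[NAME_MAX_LEN + 64];
    memset(list, 'a', NAME_MAX_LEN + 8);
    memcpy(list + NAME_MAX_LEN + 8, "=1,ok=2", 8);  /* 8 includes the NUL */
    return parse_varlist(list);
}

int main(void)
{
    printf("len 5      -> %d\n", copy_result(5));
    printf("len -1     -> %d\n", copy_result(-1));
    printf("len 256    -> %d\n", copy_result(NAME_MAX_LEN));
    printf("valid list -> %d names\n", parse_varlist("offset=0.1,stratum=2,refid"));
    printf("overlong   -> %d\n", overlong_name_result());
    return 0;
}
```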
2711
2712* Password Length Memory Corruption Vulnerability
2713
2714  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
2715  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2716          4.3.0 up to, but not including 4.3.77
2717  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
2718          1.7 usual case, 6.8, worst case
2719  Summary: If ntpd is configured to allow remote configuration, and if
2720          the (possibly spoofed) source IP address is allowed to send
2721          remote configuration requests, and if the attacker knows the
2722          remote configuration password or if ntpd was (foolishly)
2723          configured to disable authentication, then an attacker can
2724          send a set of packets to ntpd that may cause it to crash,
2725          with the hypothetical possibility of a small code injection.
2726  Mitigation:
2727          Implement BCP-38.
2728          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2729              Page or the NTP Public Services Project Download Page.
2730          If you are unable to upgrade, remote configuration of NTF's
2731              ntpd requires:
2732                    an explicitly configured "trusted" key. Only configure
2733                              this if you need it.
2734                    access from a permitted IP address. You choose the IPs.
2735                    authentication. Don't disable it. Practice secure key safety.
2736          Monitor your ntpd instances.
2737  Credit: This weakness was discovered by Yves Younan and
          Aleksandar Nikolic of Cisco Talos.
2739
2740* decodenetnum() will ASSERT botch instead of returning FAIL on some
2741  bogus values.
2742
2743  References: Sec 2922 / CVE-2015-7855
2744  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
2745          4.3.0 up to, but not including 4.3.77
2746  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
2747  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
2748          an unusually long data value where a network address is expected,
2749          the decodenetnum() function will abort with an assertion failure
2750          instead of simply returning a failure condition.
2751  Mitigation:
2752          Implement BCP-38.
2753          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2754              Page or the NTP Public Services Project Download Page.
2755          If you are unable to upgrade:
2756                    mode 7 is disabled by default. Don't enable it.
2757                    Use restrict noquery to limit who can send mode 6
2758                              and mode 7 requests.
2759                    Configure and use the controlkey and requestkey
2760                              authentication directives to limit who can
2761                              send mode 6 and mode 7 requests.
2762          Monitor your ntpd instances.
2763  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
2764
2765* NAK to the Future: Symmetric association authentication bypass via
2766  crypto-NAK.
2767
2768  References: Sec 2941 / CVE-2015-7871
2769  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
2770          4.2.8p4, and 4.3.0 up to but not including 4.3.77
2771  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
2772  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
2773          from unauthenticated ephemeral symmetric peers by bypassing the
2774          authentication required to mobilize peer associations. This
2775          vulnerability appears to have been introduced in ntp-4.2.5p186
2776          when the code handling mobilization of new passive symmetric
2777          associations (lines 1103-1165) was refactored.
2778  Mitigation:
2779          Implement BCP-38.
2780          Upgrade to 4.2.8p4, or later, from the NTP Project Download
2781              Page or the NTP Public Services Project Download Page.
2782          If you are unable to upgrade:
2783                    Apply the patch to the bottom of the "authentic" check
2784                              block around line 1136 of ntp_proto.c.
2785          Monitor your ntpd instances.
2786  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
2787
2788Backward-Incompatible changes:
2789* [Bug 2817] Default on Linux is now "rlimit memlock -1".
2790  While the general default of 32M is still the case, under Linux
2791  the default value has been changed to -1 (do not lock ntpd into
2792  memory).  A value of 0 means "lock ntpd into memory with whatever
2793  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
2794  value in it, that value will continue to be used.
2795
2796* [Bug 2886] Misspelling: "outlyer" should be "outlier".
2797  If you've written a script that looks for this case in, say, the
2798  output of ntpq, you probably want to change your regex matches
2799  from 'outlyer' to 'outl[iy]er'.
2800
2801New features in this release:
2802* 'rlimit memlock' now has finer-grained control.  A value of -1 means
2803  "don't lock ntpd into memory".  This is the default for Linux boxes.
2804  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
2805  the value is the number of megabytes of memory to lock.  The default
2806  is 32 megabytes.
2807
2808* The old Google Test framework has been replaced with a new framework,
2809  based on http://www.throwtheswitch.org/unity/ .
2810
2811Bug Fixes and Improvements:
2812* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
2813  privileges and limiting resources in NTPD removes the need to link
2814  forcefully against 'libgcc_s' which does not always work. J.Perlinger
2815* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
2816* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
2817* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
2818* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
2819* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
2820* [Bug 2849] Systems with more than one default route may never
2821  synchronize.  Brian Utterback.  Note that this patch might need to
2822  be reverted once Bug 2043 has been fixed.
2823* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
2824* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
2825* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
2826* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
2827* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
2828* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
2829  be configured for the distribution targets.  Harlan Stenn.
2830* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
2831* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
2832* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
2833* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
2834* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
2835* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
2836* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
2837* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
2838* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
2839* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
2840* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
2841* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
2842* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
2843* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
2844* sntp/tests/ function parameter list cleanup.  Damir Tomić.
2845* tests/libntp/ function parameter list cleanup.  Damir Tomić.
2846* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
2847* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
2848* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
2849* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
2850* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
2851* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
2852  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
2853  formatting; first declaration, then code (C90); deleted unnecessary comments;
2854  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
2855* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
2856  fix formatting, cleanup. Tomasz Flendrich
2857* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
2858  Tomasz Flendrich
2859* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
2860  fix formatting. Tomasz Flendrich
2861* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
2862* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
2863* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
2864  Tomasz Flendrich
2865* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
2866* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
2867* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
2868* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
2869* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
2870* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
2871* tests/libntp/ymd2yd.c removed an empty function and an unnecessary include,
2872  fixed formatting. Tomasz Flendrich
2873* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
2874  removed unnecessary comments, cleanup. Tomasz Flendrich
2875* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
2876  comments, cleanup. Tomasz Flendrich
2877* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
2878  Tomasz Flendrich
2879* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
2880* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
2881* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
2882  Tomasz Flendrich
2883* sntp/tests/kodDatabase.c added consts, deleted empty function,
2884  fixed formatting. Tomasz Flendrich
2885* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
2886* sntp/tests/packetHandling.c is now using proper Unity's assertions,
2887  fixed formatting, deleted unused variable. Tomasz Flendrich
2888* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
2889  Tomasz Flendrich
2890* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
2891  fixed formatting. Tomasz Flendrich
2892* sntp/tests/utilities.c is now using proper Unity's assertions, changed
2893  the order of includes, fixed formatting, removed unnecessary comments.
2894  Tomasz Flendrich
2895* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
2896* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
2897  made one function do its job, deleted unnecessary prints, fixed formatting.
2898  Tomasz Flendrich
2899* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
2900* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
2901* sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
2902* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
2903* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
2904* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
2905* Don't build sntp/libevent/sample/.  Harlan Stenn.
2906* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
2907* br-flock: --enable-local-libevent.  Harlan Stenn.
2908* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
2909* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
2910* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
2911* Code cleanup.  Harlan Stenn.
2912* libntp/icom.c: Typo fix.  Harlan Stenn.
2913* util/ntptime.c: initialization nit.  Harlan Stenn.
2914* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
2915* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
2916* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
2917  Tomasz Flendrich
2918* Changed progname to be const in many files - now it's consistent. Tomasz
2919  Flendrich
2920* Typo fix for GCC warning suppression.  Harlan Stenn.
2921* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
2922* Added declarations to all Unity tests, and did minor fixes to them.
2923  Reduced the number of warnings by half. Damir Tomić.
2924* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
2925  with the latest Unity updates from Mark. Damir Tomić.
2926* Retire google test - phase I.  Harlan Stenn.
2927* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
2928* Update the NEWS file.  Harlan Stenn.
2929* Autoconf cleanup.  Harlan Stenn.
2930* Unit test dist cleanup. Harlan Stenn.
2931* Cleanup various test Makefile.am files.  Harlan Stenn.
2932* Pthread autoconf macro cleanup.  Harlan Stenn.
2933* Fix progname definition in unity runner scripts.  Harlan Stenn.
2934* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
2935* Update the patch for bug 2817.  Harlan Stenn.
2936* More updates for bug 2817.  Harlan Stenn.
2937* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
2938* gcc on older HPUX may need +allowdups.  Harlan Stenn.
2939* Adding missing MCAST protection.  Harlan Stenn.
2940* Disable certain test programs on certain platforms.  Harlan Stenn.
2941* Implement --enable-problem-tests (on by default).  Harlan Stenn.
2942* build system tweaks.  Harlan Stenn.
2943
2944---
2945NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)
2946
2947Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.
2948
2949Severity: MEDIUM
2950
2951Security Fix:
2952
2953* [Sec 2853] Crafted remote config packet can crash some versions of
2954  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.
2955
2956Under specific circumstances an attacker can send a crafted packet to
2957cause a vulnerable ntpd instance to crash. This requires each of the
2958following to be true:
2959
29601) ntpd set up to allow remote configuration (not allowed by default), and
29612) knowledge of the configuration password, and
29623) access to a computer entrusted to perform remote configuration.
2963
2964This vulnerability is considered low-risk.
2965
2966New features in this release:
2967
2968Optional (disabled by default) support to have ntpd provide smeared
2969leap second time.  A specially built and configured ntpd will only
2970offer smeared time in response to client packets.  These response
2971packets will also contain a "refid" of 254.a.b.c, where the 24 bits
2972of a, b, and c encode the amount of smear in a 2:22 integer:fraction
2973format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
2974information.
2975
2976   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
2977   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
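
The refid encoding described above, worked through as an added example. This is not code from the NTP distribution (the conversion routines in the leap-smear sources are not reproduced here); it assumes the 24-bit field is two's-complement signed so that a negative smear can be represented, and the function names are this example's own:

```c
/* Added example (not NTP project code): decode and encode the leap-smear
 * REFID 254.a.b.c.  The low 24 bits hold the smear in a 2:22
 * integer:fraction fixed-point format; this example assumes that field is
 * two's-complement signed so a negative smear can be represented. */
#include <stdint.h>
#include <stdio.h>

#define SMEAR_REFID_PREFIX 254u
#define SMEAR_FRAC_BITS    22
#define SMEAR_FIELD_MASK   0x00ffffffu

/* refid is in host byte order, a.b.c.d packed as 0xaabbccdd.  Returns 1 and
 * stores the smear in seconds if this is a smear refid, otherwise 0. */
static int
refid_smear_seconds(uint32_t refid, double *seconds)
{
	int32_t raw;

	if ((refid >> 24) != SMEAR_REFID_PREFIX)
		return 0;
	raw = (int32_t)(refid & SMEAR_FIELD_MASK);
	if (raw & 0x00800000)                /* sign-extend 24 -> 32 bits */
		raw -= 0x01000000;
	*seconds = (double)raw / (double)(1 << SMEAR_FRAC_BITS);
	return 1;
}

/* Inverse mapping; the caller keeps seconds within [-2.0, 2.0). */
static uint32_t
smear_seconds_to_refid(double seconds)
{
	int32_t raw = (int32_t)(seconds * (double)(1 << SMEAR_FRAC_BITS));

	return (SMEAR_REFID_PREFIX << 24) | ((uint32_t)raw & SMEAR_FIELD_MASK);
}

/* Parse the dotted-quad refid as printed by "ntpq -c rv" ("254.192.0.0"). */
static int
parse_refid(const char *dotted, uint32_t *refid)
{
	unsigned a, b, c, d;

	if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
	    a > 255 || b > 255 || c > 255 || d > 255)
		return 0;
	*refid = (a << 24) | (b << 16) | (c << 8) | d;
	return 1;
}

int
main(void)
{
	/* constructed sample refids: -1.0 s smear, +0.5 s smear, a plain server */
	const char *samples[] = { "254.192.0.0", "254.32.0.0", "10.0.0.1" };
	size_t i;

	for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		uint32_t refid;
		double s;

		if (parse_refid(samples[i], &refid) && refid_smear_seconds(refid, &s))
			printf("%-12s smear %+.6f s\n", samples[i], s);
		else
			printf("%-12s not a smear refid\n", samples[i]);
	}
	return 0;
}
```

A monitoring check can feed the refid column of `ntpq -c rv` output through `parse_refid` and `refid_smear_seconds` to confirm that a server is, or is not, smearing; a non-zero result from a public time server is the condition the warning above is about.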
2978
2979We've imported the Unity test framework, and have begun converting
2980the existing google-test items to this new framework.  If you want
2981to write new tests or change old ones, you'll need to have ruby
2982installed.  You don't need ruby to run the test suite.
2983
2984Bug Fixes and Improvements:
2985
2986* CID 739725: Fix a rare resource leak in libevent/listener.c.
2987* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
2988* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
2989* CID 1269537: Clean up a line of dead code in getShmTime().
2990* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
2991* [Bug 2590] autogen-5.18.5.
2992* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
2993  of 'limited'.
2994* [Bug 2650] fix includefile processing.
2995* [Bug 2745] ntpd -x steps clock on leap second
2996   Fixed an initial-value problem that caused misbehaviour in absence of
2997   any leapsecond information.
2998   Do leap second stepping only if the step adjustment is beyond the
2999   proper jump distance limit and step correction is allowed at all.
3000* [Bug 2750] build for Win64
3001  Building for 32bit of loopback ppsapi needs def file
3002* [Bug 2776] Improve ntpq's 'help keytype'.
3003* [Bug 2778] Implement "apeers"  ntpq command to include associd.
3004* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
3005* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
3006  interface is ignored as long as this flag is not set since the
3007  interface is not usable (e.g., no link).
3008* [Bug 2794] Clean up kernel clock status reports.
3009* [Bug 2800] refclock_true.c true_debug() can't open debug log because
3010  of incompatible open/fdopen parameters.
3011* [Bug 2804] install-local-data assumes GNU 'find' semantics.
3012* [Bug 2805] ntpd fails to join multicast group.
3013* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
3014* [Bug 2808] GPSD_JSON driver enhancements, step 1.
3015  Fix crash during cleanup if GPS device not present and char device.
3016  Increase internal token buffer to parse all JSON data, even SKY.
3017  Defer logging of errors during driver init until the first unit is
3018  started, so the syslog is not cluttered when the driver is not used.
3019  Various improvements, see http://bugs.ntp.org/2808 for details.
3020  Changed libjsmn to a more recent version.
3021* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
3022* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
3023* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
3024* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
3025* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
3026* [Bug 2824] Convert update-leap to perl. (also see 2769)
3027* [Bug 2825] Quiet file installation in html/ .
3028* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
3029   NTPD transfers the current TAI (instead of an announcement) now.
3030   This might still need improvement.
3031   Update autokey data ASAP when 'sys_tai' changes.
3032   Fix unit test that was broken by changes for autokey update.
3033   Avoid potential signature length issue and use DPRINTF where possible
3034     in ntp_crypto.c.
3035* [Bug 2832] refclock_jjy.c supports the TDC-300.
3036* [Bug 2834] Correct a broken html tag in html/refclock.html
3037* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
3038  robust, and require 2 consecutive timestamps to be consistent.
3039* [Bug 2837] Allow a configurable DSCP value.
3040* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
3041* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
3042* [Bug 2842] Bug in mdoc2man.
3043* [Bug 2843] make check fails on 4.3.36
3044   Fixed compiler warnings about numeric range overflow
3045   (The original topic was fixed in a byplay to bug#2830)
3046* [Bug 2845] Harden memory allocation in ntpd.
3047* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
3048* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
3049* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
3050* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
3051* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
3052* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
3053* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
3054* [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
3055* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
3056* html/drivers/driver22.html: typo fix.  Harlan Stenn.
3057* refidsmear test cleanup.  Tomasz Flendrich.
3058* refidsmear function support and tests.  Harlan Stenn.
3059* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
3060  something that was only in the 4.2.6 sntp.  Harlan Stenn.
3061* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
3062  Damir Tomić
3063* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
3064  Damir Tomić
3065* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
3066  Damir Tomić
3067* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
3068* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
3069* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
3070  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
3071  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
3072  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
3073  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
3074  Damir Tomić
3075* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
3076  networking.c, keyFile.c, utilities.cpp, sntptest.h,
3077  fileHandlingTest.h. Damir Tomić
3078* Initial support for experimental leap smear code.  Harlan Stenn.
3079* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
3080* Report select() debug messages at debug level 3 now.
3081* sntp/scripts/genLocInfo: treat raspbian as debian.
3082* Unity test framework fixes.
3083  ** Requires ruby for changes to tests.
3084* Initial support for PACKAGE_VERSION tests.
3085* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
3086* tests/bug-2803/Makefile.am must distribute bug-2803.h.
3087* Add an assert to the ntpq ifstats code.
3088* Clean up the RLIMIT_STACK code.
3089* Improve the ntpq documentation around the controlkey keyid.
3090* ntpq.c cleanup.
3091* Windows port build cleanup.
3092
3093---
3094NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)
3095
3096Focus: Security and Bug fixes, enhancements.
3097
3098Severity: MEDIUM
3099
3100In addition to bug fixes and enhancements, this release fixes the
3101following medium-severity vulnerabilities involving private key
3102authentication:
3103
3104* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3105
3106    References: Sec 2779 / CVE-2015-1798 / VU#374268
3107    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
3108          including ntp-4.2.8p2 where the installation uses symmetric keys
3109          to authenticate remote associations.
3110    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3111    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3112    Summary: When ntpd is configured to use a symmetric key to authenticate
3113          a remote NTP server/peer, it checks if the NTP message
3114          authentication code (MAC) in received packets is valid, but not if
3115          there actually is any MAC included. Packets without a MAC are
3116          accepted as if they had a valid MAC. This allows a MITM attacker to
3117          send false packets that are accepted by the client/peer without
3118          having to know the symmetric key. The attacker needs to know the
3119          transmit timestamp of the client to match it in the forged reply
3120          and the false reply needs to reach the client before the genuine
3121          reply from the server. The attacker doesn't necessarily need to be
3122          relaying the packets between the client and the server.
3123
3124          Authentication using autokey doesn't have this problem as there is
3125          a check that requires the key ID to be larger than NTP_MAXKEY,
3126          which fails for packets without a MAC.
3127    Mitigation:
3128        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3129          or the NTP Public Services Project Download Page
3130        Configure ntpd with enough time sources and monitor it properly.
3131    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
3132
3133* [Sec 2781] Authentication doesn't protect symmetric associations against
3134  DoS attacks.
3135
3136    References: Sec 2781 / CVE-2015-1799 / VU#374268
3137    Affects: All NTP releases starting with at least xntp3.3wy up to but
3138          not including ntp-4.2.8p2 where the installation uses symmetric
3139          key authentication.
3140    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
3141    Note: the CVSS Base Score for this issue could be 4.3 or lower, and
3142          it could be higher than 5.4.
3143    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
3144    Summary: An attacker knowing that NTP hosts A and B are peering with
3145          each other (symmetric association) can send a packet to host A
3146          with source address of B which will set the NTP state variables
3147          on A to the values sent by the attacker. Host A will then send
3148          on its next poll to B a packet with originate timestamp that
3149          doesn't match the transmit timestamp of B and the packet will
3150          be dropped. If the attacker does this periodically for both
3151          hosts, they won't be able to synchronize to each other. This is
3152          a known denial-of-service attack, described at
3153          https://www.eecis.udel.edu/~mills/onwire.html .
3154
3155          According to the document the NTP authentication is supposed to
3156          protect symmetric associations against this attack, but that
3157          doesn't seem to be the case. The state variables are updated even
3158          when authentication fails and the peers are sending packets with
3159          originate timestamps that don't match the transmit timestamps on
3160          the receiving side.
3161
3162          This seems to be a very old problem, dating back to at least
3163          xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
3164          specifications, so other NTP implementations with support for
3165          symmetric associations and authentication may be vulnerable too.
3166          An update to the NTP RFC to correct this error is in-process.
3167    Mitigation:
3168        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
3169          or the NTP Public Services Project Download Page
3170        Note that for users of autokey, this specific style of MITM attack
3171          is simply a long-known potential problem.
3172        Configure ntpd with appropriate time sources and monitor ntpd.
3173          Alert your staff if problems are detected.
3174    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
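
One way to gate peer-state updates on authentication status, covering the three advisories in this file that describe that gate being bypassed: the crypto-NAK acceptance in Sec 2941 (4.2.8p4, above), the missing-MAC case in Sec 2779 and the state update on failed authentication in Sec 2781. This is an added illustration, not ntpd's receive() code: the packet layout is the plain NTPv4 header plus an optional key ID and digest, autokey extension fields are ignored, and the digest is a constructed keyed checksum standing in for the real MD5 MAC. The names and the `legacy` switch are this example's own:

```c
/* Added example, not ntpd code.  Layout assumed: 48-byte NTP header, then
 * optionally a MAC = 4-byte key ID + 16-byte digest; a 4-byte MAC carrying
 * key ID 0 is a crypto-NAK. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NTP_HDR_LEN 48
#define KEYID_LEN    4
#define DIGEST_LEN  16

enum auth_status { AUTH_NONE, AUTH_CRYPTO_NAK, AUTH_ERROR, AUTH_OK };

struct peer_state {
	uint32_t keyid;     /* 0: no symmetric key configured for this association */
	uint64_t last_rec;  /* receive timestamp of the last accepted packet */
	unsigned accepted;  /* packets that were allowed to update state */
};

/* Constructed keyed digest standing in for the real MD5/SHA-1 MAC (it is NOT
 * a cryptographic hash): two FNV-1a passes over key || header. */
static void
toy_digest(const uint8_t *key, size_t keylen, const uint8_t *hdr, uint8_t out[DIGEST_LEN])
{
	uint64_t h[2] = { 0xcbf29ce484222325ULL, 0x84222325cbf29ce4ULL };
	size_t i, k;

	for (k = 0; k < 2; k++) {
		for (i = 0; i < keylen; i++)      h[k] = (h[k] ^ key[i]) * 0x100000001b3ULL;
		for (i = 0; i < NTP_HDR_LEN; i++) h[k] = (h[k] ^ hdr[i]) * 0x100000001b3ULL;
		memcpy(out + 8 * k, &h[k], 8);
	}
}

/* Constant-time comparison so a MAC mismatch leaks no timing information. */
static int
ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
	uint8_t d = 0;
	while (n--) d |= *a++ ^ *b++;
	return d == 0;
}

/* Classify by MAC presence and validity.  "No MAC" (AUTH_NONE) and
 * "bad MAC" (AUTH_ERROR) are distinct, and neither is AUTH_OK. */
static enum auth_status
classify_packet(const uint8_t *pkt, size_t len, uint32_t keyid,
                const uint8_t *key, size_t keylen)
{
	uint32_t pkt_keyid;
	uint8_t want[DIGEST_LEN];
	size_t maclen;

	if (len < NTP_HDR_LEN)
		return AUTH_ERROR;                    /* truncated header */
	maclen = len - NTP_HDR_LEN;
	if (maclen == 0)
		return AUTH_NONE;                     /* Sec 2779: MAC absent */
	if (maclen != KEYID_LEN && maclen != KEYID_LEN + DIGEST_LEN)
		return AUTH_ERROR;                    /* malformed trailer */
	pkt_keyid = ((uint32_t)pkt[48] << 24) | ((uint32_t)pkt[49] << 16) |
	            ((uint32_t)pkt[50] << 8) | pkt[51];
	if (maclen == KEYID_LEN)
		return pkt_keyid == 0 ? AUTH_CRYPTO_NAK : AUTH_ERROR;  /* Sec 2941 */
	if (pkt_keyid != keyid || key == NULL)
		return AUTH_ERROR;
	toy_digest(key, keylen, pkt, want);
	return ct_equal(want, pkt + NTP_HDR_LEN + KEYID_LEN, DIGEST_LEN)
	       ? AUTH_OK : AUTH_ERROR;
}

/* Hardened gate: on a keyed association only AUTH_OK may touch peer state;
 * crypto-NAK and MAC-less packets are dropped before any update (Sec 2781).
 * legacy != 0 reproduces the pre-4.2.8p2 mistakes for comparison: state is
 * written before the check, and a missing MAC is not treated as a failure. */
static int
process_packet(struct peer_state *p, const uint8_t *pkt, size_t len,
               const uint8_t *key, size_t keylen, uint64_t now, int legacy)
{
	enum auth_status st = classify_packet(pkt, len, p->keyid, key, keylen);
	int authentic = (p->keyid == 0) ? (st == AUTH_NONE) : (st == AUTH_OK);

	if (legacy) {
		p->last_rec = now;                   /* updated before the check */
		if (p->keyid != 0 && st == AUTH_NONE)
			authentic = 1;                   /* "no MAC" accepted as valid */
	}
	if (!authentic)
		return 0;
	p->last_rec = now;
	p->accepted++;
	return 1;
}

/* Build a constructed test packet: zeroed header plus, optionally, a MAC
 * computed with 'key'.  Returns the packet length. */
static size_t
build_packet(uint8_t *buf, uint32_t keyid, const uint8_t *key, size_t keylen, int with_mac)
{
	memset(buf, 0, NTP_HDR_LEN);
	buf[0] = 0x23;                           /* LI=0, VN=4, mode=3 (client) */
	if (!with_mac)
		return NTP_HDR_LEN;
	buf[48] = (uint8_t)(keyid >> 24); buf[49] = (uint8_t)(keyid >> 16);
	buf[50] = (uint8_t)(keyid >> 8);  buf[51] = (uint8_t)keyid;
	toy_digest(key, keylen, buf, buf + NTP_HDR_LEN + KEYID_LEN);
	return NTP_HDR_LEN + KEYID_LEN + DIGEST_LEN;
}
```

The point of `classify_packet` returning four states rather than a boolean is that a receiver can then express its policy explicitly: a keyed association accepts exactly one of them. The three advisories are all cases where a "not OK" state fell through to the accepting path.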
3175
3176* New script: update-leap
3177The update-leap script will verify and if necessary, update the
3178leap-second definition file.
3179It requires the following commands in order to work:
3180
3181          wget logger tr sed shasum
3182
3183Some may choose to run this from cron.  It needs more portability testing.
3184
3185Bug Fixes and Improvements:
3186
3187* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
3188* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
3189* [Bug 2346] "graceful termination" signals do not do peer cleanup.
3190* [Bug 2728] See if C99-style structure initialization works.
3191* [Bug 2747] Upgrade libevent to 2.1.5-beta.
3192* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
3193* [Bug 2751] jitter.h has stale copies of l_fp macros.
3194* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
3195* [Bug 2757] Quiet compiler warnings.
3196* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
3197* [Bug 2763] Allow different thresholds for forward and backward steps.
3198* [Bug 2766] ntp-keygen output files should not be world-readable.
3199* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
3200* [Bug 2771] nonvolatile value is documented in wrong units.
3201* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
3202* [Bug 2774] Unreasonably verbose printout - leap pending/warning
3203* [Bug 2775] ntp-keygen.c fails to compile under Windows.
3204* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
3205  Removed non-ASCII characters from some copyright comments.
3206  Removed trailing whitespace.
3207  Updated definitions for Meinberg clocks from current Meinberg header files.
3208  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
3209  Account for updated definitions pulled from Meinberg header files.
3210  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
3211  Replaced some constant numbers by defines from ntp_calendar.h
3212  Modified creation of parse-specific variables for Meinberg devices
3213  in gps16x_message().
3214  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
3215  Modified mbg_tm_str() which now expects an additional parameter controlling
3216  if the time status shall be printed.
3217* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
3218* [Sec 2781] Authentication doesn't protect symmetric associations against
3219  DoS attacks.
3220* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
3221* [Bug 2789] Quiet compiler warnings from libevent.
3222* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
3223  pause briefly before measuring system clock precision to yield
3224  correct results.
3225* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
3226* Use predefined function types for parse driver functions
3227  used to set up function pointers.
3228  Account for changed prototype of parse_inp_fnc_t functions.
3229  Cast parse conversion results to appropriate types to avoid
3230  compiler warnings.
3231  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
3232  when called with pointers to different types.
3233
3234---
3235NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
3236
3237Focus: Security and Bug fixes, enhancements.
3238
3239Severity: HIGH
3240
3241In addition to bug fixes and enhancements, this release fixes the
3242following high-severity vulnerabilities:
3243
3244* vallen is not validated in several places in ntp_crypto.c, leading
3245  to a potential information leak or possibly a crash
3246
3247    References: Sec 2671 / CVE-2014-9297 / VU#852879
3248    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
3249    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3250    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
3251    Summary: The vallen packet value is not validated in several code
3252             paths in ntp_crypto.c which can lead to information leakage
3253             or perhaps a crash of the ntpd process.
3254    Mitigation - any of:
3255          Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3256                    or the NTP Public Services Project Download Page.
3257          Disable Autokey Authentication by removing, or commenting out,
3258                    all configuration directives beginning with the "crypto"
3259                    keyword in your ntp.conf file.
3260    Credit: This vulnerability was discovered by Stephen Roettger of the
3261          Google Security Team, with additional cases found by Sebastian
3262          Krahmer of the SUSE Security Team and Harlan Stenn of Network
3263          Time Foundation.
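
The defect class in Sec 2671 is a length field trusted without being checked against the bytes actually received. The following added example (not code from ntp_crypto.c; the field layout, the names and the MAX_VALLEN bound are this example's own simplifications) shows the check a receiver applies before it reads or copies such a value:

```c
/* Added example (not ntp_crypto.c): bounds-check a length-prefixed value
 * before using it.  Constructed field layout: [u32 vallen][vallen bytes]. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_VALLEN 1024   /* assumption: largest value a receiver will accept */

/* Parsed view of one field; value points INTO the input buffer. */
struct ext_value {
	const uint8_t *value;
	uint32_t       vallen;
};

/* Hardened parser: returns 0 (and leaves *out untouched) unless the whole
 * declared value lies inside [buf, buf + len).  The comparison is against the
 * remaining length, so an oversized vallen cannot wrap into a small number. */
static int
read_value_checked(const uint8_t *buf, size_t len, struct ext_value *out)
{
	uint32_t vallen;

	if (len < 4)
		return 0;                               /* no length word present */
	vallen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
	         ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
	if (vallen > MAX_VALLEN || vallen > len - 4)
		return 0;                               /* claims more than was received */
	out->value  = buf + 4;
	out->vallen = vallen;
	return 1;
}

/* Copy the value into a fixed buffer.  The parser guaranteed the source is
 * readable; this check guarantees the destination fits. */
static int
copy_value(const struct ext_value *v, uint8_t *dst, size_t dstlen)
{
	if (v->vallen > dstlen)
		return 0;
	memcpy(dst, v->value, v->vallen);
	return 1;
}

/* Encoder used to build constructed inputs, including ones whose declared
 * length disagrees with the bytes present, for exercising the checks. */
static size_t
write_value(uint8_t *buf, size_t buflen, uint32_t declared_len,
            const uint8_t *val, size_t actual_len)
{
	if (buflen < 4 + actual_len)
		return 0;
	buf[0] = (uint8_t)(declared_len >> 24);
	buf[1] = (uint8_t)(declared_len >> 16);
	buf[2] = (uint8_t)(declared_len >> 8);
	buf[3] = (uint8_t)declared_len;
	memcpy(buf + 4, val, actual_len);
	return 4 + actual_len;
}
```

The same shape of check (declared length against remaining length, then against destination capacity) is what separates the stack-buffer overflows listed under 4.2.8 below from a rejected packet.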
3264
3265* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
3266  can be bypassed.
3267
3268    References: Sec 2672 / CVE-2014-9298 / VU#852879
3269    Affects: All NTP4 releases before 4.2.8p1, under at least some
3270          versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
3271    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
3272    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
3273    Summary: While available kernels will prevent 127.0.0.1 addresses
3274          from "appearing" on non-localhost IPv4 interfaces, some kernels
3275          do not offer the same protection for ::1 source addresses on
3276          IPv6 interfaces. Since NTP's access control is based on source
3277          address and localhost addresses generally have no restrictions,
3278          an attacker can send malicious control and configuration packets
3279          by spoofing ::1 addresses from the outside. Note Well: This is
3280          not really a bug in NTP, it's a problem with some OSes. If you
3281          have one of these OSes where ::1 can be spoofed, ALL ::1-based
3282          ACL restrictions on any application can be bypassed!
3283    Mitigation:
3284        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
3285          or the NTP Public Services Project Download Page
3286        Install firewall rules to block packets claiming to come from
3287          ::1 from inappropriate network interfaces.
3288    Credit: This vulnerability was discovered by Stephen Roettger of
3289          the Google Security Team.
3290
3291Additionally, over 30 bugfixes and improvements were made to the codebase.
3292See the ChangeLog for more information.
3293
3294---
3295NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
3296
3297Focus: Security and Bug fixes, enhancements.
3298
3299Severity: HIGH
3300
3301In addition to bug fixes and enhancements, this release fixes the
3302following high-severity vulnerabilities:
3303
3304************************** vv NOTE WELL vv *****************************
3305
3306The vulnerabilities listed below can be significantly mitigated by
3307following the BCP of putting
3308
3309 restrict default ... noquery
3310
3311in the ntp.conf file.  With the exception of:
3312
3313   receive(): missing return on error
3314   References: Sec 2670 / CVE-2014-9296 / VU#852879
3315
3316below (which is a limited-risk vulnerability), none of the recent
3317vulnerabilities listed below can be exploited if the source IP is
3318restricted from sending a 'query'-class packet by your ntp.conf file.
3319
3320************************** ^^ NOTE WELL ^^ *****************************
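
An ntp.conf access-control stanza following the BCP above; it also covers the "restrict noquery" and controlkey/requestkey mitigations listed for 4.2.8p4 earlier in this file. This is an added example, not configuration shipped with NTP; the key ID, key file path and server address are placeholders:

```conf
# Added example (not from the NTP distribution).  Key ID 1, the key file
# path and 192.0.2.10 are placeholders for this example.

# Symmetric keys live outside ntp.conf; the file must not be world-readable.
keys /etc/ntp.keys
trustedkey 1
# Mode 6 (ntpq) and mode 7 (ntpdc) requests must carry a MAC under these
# keys before they can change anything; unauthenticated queries are refused
# by the restrict lines below.
controlkey 1
requestkey 1

# Default policy for everyone: serve time, nothing else.  'nomodify' alone
# would still answer status queries; 'noquery' refuses all mode 6/7 traffic,
# which is what keeps the query-class vulnerabilities above unreachable.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host may query and manage its own daemon.
restrict 127.0.0.1
restrict ::1

# Configured sources need only a time exchange, not query or modify access.
server 192.0.2.10 iburst
restrict 192.0.2.10 nomodify notrap noquery

# Mode 7 is disabled by default; leave it that way (no "enable mode7").
```

With this in place, `ntpq -p` still works from the local host, while remote mode 6/7 requests are dropped before any of the control-message code paths named in these advisories runs.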
3321
3322* Weak default key in config_auth().
3323
3324  References: [Sec 2665] / CVE-2014-9293 / VU#852879
3325  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3326  Vulnerable Versions: all releases prior to 4.2.7p11
3327  Date Resolved: 28 Jan 2010
3328
3329  Summary: If no 'auth' key is set in the configuration file, ntpd
3330          would generate a random key on the fly.  There were two
3331          problems with this: 1) the generated key was 31 bits in size,
3332          and 2) it used the (now weak) ntp_random() function, which was
3333          seeded with a 32-bit value and could only provide 32 bits of
3334          entropy.  This was sufficient back in the late 1990s when the
3335          code was written.  Not today.
3336
3337  Mitigation - any of:
3338          - Upgrade to 4.2.7p11 or later.
3339          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3340
3341  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
3342          of the Google Security Team.
3343
3344* Non-cryptographic random number generator with weak seed used by
3345  ntp-keygen to generate symmetric keys.
3346
3347  References: [Sec 2666] / CVE-2014-9294 / VU#852879
3348  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
3349  Vulnerable Versions: All NTP4 releases before 4.2.7p230
3350  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
3351
3352  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
3353          prepare a random number generator that was of good quality back
3354          in the late 1990s. The random numbers produced were then used to
3355          generate symmetric keys. In ntp-4.2.8 we use a current-technology
3356          cryptographic random number generator, either RAND_bytes from
3357          OpenSSL, or arc4random().
3358
3359  Mitigation - any of:
3360          - Upgrade to 4.2.7p230 or later.
3361          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3362
3363  Credit:  This vulnerability was discovered in ntp-4.2.6 by
3364          Stephen Roettger of the Google Security Team.
3365
3366* Buffer overflow in crypto_recv()
3367
3368  References: Sec 2667 / CVE-2014-9295 / VU#852879
3369  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3370  Versions: All releases before 4.2.8
3371  Date Resolved: Stable (4.2.8) 18 Dec 2014
3372
3373  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
3374          file contains a 'crypto pw ...' directive) a remote attacker
3375          can send a carefully crafted packet that can overflow a stack
3376          buffer and potentially allow malicious code to be executed
3377          with the privilege level of the ntpd process.
3378
3379  Mitigation - any of:
3380          - Upgrade to 4.2.8, or later, or
3381          - Disable Autokey Authentication by removing, or commenting out,
3382            all configuration directives beginning with the crypto keyword
3383            in your ntp.conf file.
3384
3385  Credit: This vulnerability was discovered by Stephen Roettger of the
3386          Google Security Team.
3387
3388* Buffer overflow in ctl_putdata()
3389
3390  References: Sec 2668 / CVE-2014-9295 / VU#852879
3391  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3392  Versions: All NTP4 releases before 4.2.8
3393  Date Resolved: Stable (4.2.8) 18 Dec 2014
3394
3395  Summary: A remote attacker can send a carefully crafted packet that
3396          can overflow a stack buffer and potentially allow malicious
3397          code to be executed with the privilege level of the ntpd process.
3398
3399  Mitigation - any of:
3400          - Upgrade to 4.2.8, or later.
3401          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3402
3403  Credit: This vulnerability was discovered by Stephen Roettger of the
3404          Google Security Team.
3405
3406* Buffer overflow in configure()
3407
3408  References: Sec 2669 / CVE-2014-9295 / VU#852879
3409  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
3410  Versions: All NTP4 releases before 4.2.8
3411  Date Resolved: Stable (4.2.8) 18 Dec 2014
3412
3413  Summary: A remote attacker can send a carefully crafted packet that
3414          can overflow a stack buffer and potentially allow malicious
3415          code to be executed with the privilege level of the ntpd process.
3416
3417  Mitigation - any of:
3418          - Upgrade to 4.2.8, or later.
3419          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
3420
3421  Credit: This vulnerability was discovered by Stephen Roettger of the
3422          Google Security Team.
3423
3424* receive(): missing return on error
3425
3426  References: Sec 2670 / CVE-2014-9296 / VU#852879
3427  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
3428  Versions: All NTP4 releases before 4.2.8
3429  Date Resolved: Stable (4.2.8) 18 Dec 2014
3430
3431  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
3432          the code path where an error was detected, which meant
3433          processing did not stop when a specific rare error occurred.
3434          We haven't found a way for this bug to affect system integrity.
3435          If there is no way to affect system integrity the base CVSS
3436          score for this bug is 0. If there is one avenue through which
3437          system integrity can be partially affected, the base score
3438          becomes a 5. If system integrity can be partially affected
          via all three integrity metrics, the CVSS base score becomes 7.5.
3440
3441  Mitigation - any of:
3442        - Upgrade to 4.2.8, or later,
3443        - Remove or comment out all configuration directives
3444            beginning with the crypto keyword in your ntp.conf file.
3445
3446  Credit: This vulnerability was discovered by Stephen Roettger of the
3447          Google Security Team.
3448
3449See http://support.ntp.org/security for more information.
3450
3451New features / changes in this release:
3452
3453Important Changes
3454
3455* Internal NTP Era counters
3456
The internal counters that track the "era" (range of years) we are in
roll over every 136 years.  The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the range to decide which
era we were in.  Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more.  We now compile a timestamp into the ntpd executable, and when we
get a timestamp we use the "built-on" time to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
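The era-resolution rule above, as an added example that is not ntpd's own code: it resolves a 32-bit NTP seconds field against a pivot using either the old midpoint window or the new built-on window, and shows that a timestamp more than 10 years before the build time lands in the following era. Assumptions: the window is taken as [pivot - lookback, pivot - lookback + 2^32), a year is 365.25 days, and the build timestamp (2024-05-24) and sample inputs are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01). */
#define JAN_1970 2208988800ULL
/* A year as 365.25 days; close enough for a decade-scale window (assumption). */
#define SECS_PER_YEAR 31557600ULL
/* The two window choices discussed in the release notes. */
#define NTP_LOOKBACK_MIDPOINT (1ULL << 31)            /* old: ~68 years back, ~68 forward */
#define NTP_LOOKBACK_BUILD    (10ULL * SECS_PER_YEAR) /* new: 10 years back, ~126 forward */

/* Constructed "built-on" pivot: 2024-05-24 00:00:00 UTC as NTP-epoch seconds. */
static const uint64_t kBuildPivotNtp = 1716508800ULL + JAN_1970;

/* Resolve a 32-bit NTP seconds field to a full 64-bit NTP-epoch value.
 * The result t is the unique value with t == ntp32 (mod 2^32) and
 * lower <= t < lower + 2^32, where lower = pivot - lookback.  Because the
 * window is exactly one era wide (2^32 s, about 136 years), every 32-bit
 * value maps to exactly one candidate. */
uint64_t ntp32_to_full(uint32_t ntp32, uint64_t pivot, uint64_t lookback)
{
    uint64_t lower = (pivot > lookback) ? pivot - lookback : 0;
    uint32_t delta = ntp32 - (uint32_t)lower;   /* unsigned wrap == mod 2^32 */
    return lower + delta;
}

int64_t ntp_full_to_unix(uint64_t ntp_full)
{
    return (int64_t)ntp_full - (int64_t)JAN_1970;
}

/* Proleptic Gregorian year for a Unix timestamp (Howard Hinnant's
 * days-from-civil inverse, year part only); handles pre-1970 values. */
int civil_year(int64_t unix_secs)
{
    int64_t days = unix_secs / 86400 - (unix_secs % 86400 < 0); /* floor div */
    days += 719468;
    int64_t era = (days >= 0 ? days : days - 146096) / 146097;
    int64_t doe = days - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    int64_t m = mp < 10 ? mp + 3 : mp - 9;
    return (int)(yoe + era * 400 + (m <= 2));
}

static void show(const char *label, uint32_t ntp32)
{
    uint64_t mid = ntp32_to_full(ntp32, kBuildPivotNtp, NTP_LOOKBACK_MIDPOINT);
    uint64_t bld = ntp32_to_full(ntp32, kBuildPivotNtp, NTP_LOOKBACK_BUILD);
    printf("%-26s %10u  midpoint-> %d  built-on-> %d\n", label, ntp32,
           civil_year(ntp_full_to_unix(mid)), civil_year(ntp_full_to_unix(bld)));
}

int main(void)
{
    /* Constructed inputs: the low 32 bits of NTP-epoch seconds for these dates.
     * 2095-01-01 resolves to 1958 with the midpoint window but correctly to
     * 2095 with the built-on window; 2000-01-01 is more than 10 years before
     * the build time, so the built-on window pushes it into 2136. */
    show("2024-06-01 (current era)", 3926188800u);
    show("2095-01-01 (next era)",    1858699904u);   /* 6153667200 mod 2^32 */
    show("2000-01-01 (>10y before)", 3155673600u);
    return 0;
}
```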
3467
3468* ntpdc responses disabled by default
3469
3470Dave Hart writes:
3471
3472For a long time, ntpq and its mostly text-based mode 6 (control)
3473protocol have been preferred over ntpdc and its mode 7 (private
3474request) protocol for runtime queries and configuration.  There has
3475been a goal of deprecating ntpdc, previously held back by numerous
3476capabilities exposed by ntpdc with no ntpq equivalent.  I have been
3477adding commands to ntpq to cover these cases, and I believe I've
3478covered them all, though I've not compared command-by-command
3479recently.
3480
3481As I've said previously, the binary mode 7 protocol involves a lot of
3482hand-rolled structure layout and byte-swapping code in both ntpd and
3483ntpdc which is hard to get right.  As ntpd grows and changes, the
3484changes are difficult to expose via ntpdc while maintaining forward
3485and backward compatibility between ntpdc and ntpd.  In contrast,
3486ntpq's text-based, label=value approach involves more code reuse and
3487allows compatible changes without extra work in most cases.
3488
3489Mode 7 has always been defined as vendor/implementation-specific while
3490mode 6 is described in RFC 1305 and intended to be open to interoperate
3491with other implementations.  There is an early draft of an updated
3492mode 6 description that likely will join the other NTPv4 RFCs
3493eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
3494
3495For these reasons, ntpd 4.2.7p230 by default disables processing of
3496ntpdc queries, reducing ntpd's attack surface and functionally
3497deprecating ntpdc.  If you are in the habit of using ntpdc for certain
3498operations, please try the ntpq equivalent.  If there's no equivalent,
3499please open a bug report at http://bugs.ntp.org./
3500
3501In addition to the above, over 1100 issues have been resolved between
3502the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
3503lists these.
3504
3505---
3506NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
3507
3508Focus: Bug fixes
3509
3510Severity: Medium
3511
3512This is a recommended upgrade.
3513
3514This release updates sys_rootdisp and sys_jitter calculations to match the
3515RFC specification, fixes a potential IPv6 address matching error for the
3516"nic" and "interface" configuration directives, suppresses the creation of
3517extraneous ephemeral associations for certain broadcastclient and
3518multicastclient configurations, cleans up some ntpq display issues, and
3519includes improvements to orphan mode, minor bugs fixes and code clean-ups.
3520
3521New features / changes in this release:
3522
3523ntpd
3524
3525 * Updated "nic" and "interface" IPv6 address handling to prevent
3526   mismatches with localhost [::1] and wildcard [::] which resulted from
3527   using the address/prefix format (e.g. fe80::/64)
3528 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to include missing ntohl()
3530 * Non-printable stratum 16 refid no longer sent to ntp
3531 * Duplicate ephemeral associations suppressed for broadcastclient and
3532   multicastclient without broadcastdelay
3533 * Exclude undetermined sys_refid from use in loopback TEST12
3534 * Exclude MODE_SERVER responses from KoD rate limiting
3535 * Include root delay in clock_update() sys_rootdisp calculations
3536 * get_systime() updated to exclude sys_residual offset (which only
3537   affected bits "below" sys_tick, the precision threshold)
3538 * sys.peer jitter weighting corrected in sys_jitter calculation
3539
3540ntpq
3541
3542 * -n option extended to include the billboard "server" column
3543 * IPv6 addresses in the local column truncated to prevent overruns
3544
3545---
3546NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
3547
3548Focus: Bug fixes and portability improvements
3549
3550Severity: Medium
3551
3552This is a recommended upgrade.
3553
3554This release includes build infrastructure updates, code
3555clean-ups, minor bug fixes, fixes for a number of minor
3556ref-clock issues, and documentation revisions.
3557
3558Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
3559
3560New features / changes in this release:
3561
3562Build system
3563
3564* Fix checking for struct rtattr
3565* Update config.guess and config.sub for AIX
3566* Upgrade required version of autogen and libopts for building
3567  from our source code repository
3568
3569ntpd
3570
3571* Back-ported several fixes for Coverity warnings from ntp-dev
3572* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
3573* Allow "logconfig =allall" configuration directive
3574* Bind tentative IPv6 addresses on Linux
3575* Correct WWVB/Spectracom driver to timestamp CR instead of LF
3576* Improved tally bit handling to prevent incorrect ntpq peer status reports
3577* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
3578  candidate list unless they are designated a "prefer peer"
3579* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
3580  selection during the 'tos orphanwait' period
3581* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
3582  drivers
3583* Improved support of the Parse Refclock trusttime flag in Meinberg mode
3584* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
3585* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
3586  clock slew on Microsoft Windows
3587* Code cleanup in libntpq
3588
3589ntpdc
3590
3591* Fix timerstats reporting
3592
3593ntpdate
3594
3595* Reduce time required to set clock
3596* Allow a timeout greater than 2 seconds
3597
3598sntp
3599
3600* Backward incompatible command-line option change:
3601  -l/--filelog changed -l/--logfile (to be consistent with ntpd)
3602
3603Documentation
3604
3605* Update html2man. Fix some tags in the .html files
3606* Distribute ntp-wait.html
3607
3608---
3609NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
3610
3611Focus: Bug fixes and portability improvements
3612
3613Severity: Medium
3614
3615This is a recommended upgrade.
3616
3617This release includes build infrastructure updates, code
3618clean-ups, minor bug fixes, fixes for a number of minor
3619ref-clock issues, and documentation revisions.
3620
3621Portability improvements in this release affect AIX, Atari FreeMiNT,
3622FreeBSD4, Linux and Microsoft Windows.
3623
3624New features / changes in this release:
3625
3626Build system
3627* Use lsb_release to get information about Linux distributions.
3628* 'test' is in /usr/bin (instead of /bin) on some systems.
3629* Basic sanity checks for the ChangeLog file.
3630* Source certain build files with ./filename for systems without . in PATH.
3631* IRIX portability fix.
3632* Use a single copy of the "libopts" code.
3633* autogen/libopts upgrade.
3634* configure.ac m4 quoting cleanup.
3635
3636ntpd
3637* Do not bind to IN6_IFF_ANYCAST addresses.
3638* Log the reason for exiting under Windows.
3639* Multicast fixes for Windows.
3640* Interpolation fixes for Windows.
3641* IPv4 and IPv6 Multicast fixes.
3642* Manycast solicitation fixes and general repairs.
3643* JJY refclock cleanup.
3644* NMEA refclock improvements.
3645* Oncore debug message cleanup.
3646* Palisade refclock now builds under Linux.
3647* Give RAWDCF more baud rates.
3648* Support Truetime Satellite clocks under Windows.
3649* Support Arbiter 1093C Satellite clocks under Windows.
3650* Make sure that the "filegen" configuration command defaults to "enable".
3651* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
3652* Prohibit 'includefile' directive in remote configuration command.
3653* Fix 'nic' interface bindings.
3654* Fix the way we link with openssl if openssl is installed in the base
3655  system.
3656
3657ntp-keygen
3658* Fix -V coredump.
3659* OpenSSL version display cleanup.
3660
3661ntpdc
3662* Many counters should be treated as unsigned.
3663
3664ntpdate
3665* Do not ignore replies with equal receive and transmit timestamps.
3666
3667ntpq
3668* libntpq warning cleanup.
3669
3670ntpsnmpd
3671* Correct SNMP type for "precision" and "resolution".
3672* Update the MIB from the draft version to RFC-5907.
3673
3674sntp
3675* Display timezone offset when showing time for sntp in the local
3676  timezone.
3677* Pay proper attention to RATE KoD packets.
3678* Fix a miscalculation of the offset.
3679* Properly parse empty lines in the key file.
3680* Logging cleanup.
3681* Use tv_usec correctly in set_time().
3682* Documentation cleanup.
3683
3684---
3685NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
3686
3687Focus: Bug fixes and portability improvements
3688
3689Severity: Medium
3690
3691This is a recommended upgrade.
3692
3693This release includes build infrastructure updates, code
3694clean-ups, minor bug fixes, fixes for a number of minor
3695ref-clock issues, improved KOD handling, OpenSSL related
3696updates and documentation revisions.
3697
3698Portability improvements in this release affect Irix, Linux,
3699Mac OS, Microsoft Windows, OpenBSD and QNX6
3700
3701New features / changes in this release:
3702
3703ntpd
3704* Range syntax for the trustedkey configuration directive
3705* Unified IPv4 and IPv6 restrict lists
3706
3707ntpdate
3708* Rate limiting and KOD handling
3709
3710ntpsnmpd
3711* default connection to net-snmpd via a unix-domain socket
3712* command-line 'socket name' option
3713
3714ntpq / ntpdc
3715* support for the "passwd ..." syntax
3716* key-type specific password prompts
3717
3718sntp
3719* MD5 authentication of an ntpd
3720* Broadcast and crypto
3721* OpenSSL support
3722
3723---
3724NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
3725
3726Focus: Bug fixes, portability fixes, and documentation improvements
3727
3728Severity: Medium
3729
3730This is a recommended upgrade.
3731
3732---
3733NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3734
3735Focus: enhancements and bug fixes.
3736
3737---
3738NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
3739
3740Focus: Security Fixes
3741
3742Severity: HIGH
3743
3744This release fixes the following high-severity vulnerability:
3745
3746* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
3747
3748  See http://support.ntp.org/security for more information.
3749
3750  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
3751  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
3752  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
3753  request or a mode 7 error response from an address which is not listed
3754  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
3755  reply with a mode 7 error response (and log a message).  In this case:
3756
3757          * If an attacker spoofs the source address of ntpd host A in a
3758            mode 7 response packet sent to ntpd host B, both A and B will
3759            continuously send each other error responses, for as long as
3760            those packets get through.
3761
3762          * If an attacker spoofs an address of ntpd host A in a mode 7
3763            response packet sent to ntpd host A, A will respond to itself
3764            endlessly, consuming CPU and logging excessively.
3765
3766  Credit for finding this vulnerability goes to Robin Park and Dmitri
3767  Vinokurov of Alcatel-Lucent.
3768
3769THIS IS A STRONGLY RECOMMENDED UPGRADE.
3770
3771---
3772ntpd now syncs to refclocks right away.
3773
3774Backward-Incompatible changes:
3775
3776ntpd no longer accepts '-v name' or '-V name' to define internal variables.
3777Use '--var name' or '--dvar name' instead. (Bug 817)
3778
3779---
3780NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
3781
3782Focus: Security and Bug Fixes
3783
3784Severity: HIGH
3785
3786This release fixes the following high-severity vulnerability:
3787
3788* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
3789
3790  See http://support.ntp.org/security for more information.
3791
3792  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
3793  line) then a carefully crafted packet sent to the machine will cause
3794  a buffer overflow and possible execution of injected code, running
3795  with the privileges of the ntpd process (often root).
3796
3797  Credit for finding this vulnerability goes to Chris Ries of CMU.
3798
3799This release fixes the following low-severity vulnerabilities:
3800
3801* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
3802  Credit for finding this vulnerability goes to Geoff Keating of Apple.
3803
3804* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
3805  Credit for finding this issue goes to Dave Hart.
3806
3807This release fixes a number of bugs and adds some improvements:
3808
3809* Improved logging
3810* Fix many compiler warnings
3811* Many fixes and improvements for Windows
3812* Adds support for AIX 6.1
3813* Resolves some issues under MacOS X and Solaris
3814
3815THIS IS A STRONGLY RECOMMENDED UPGRADE.
3816
3817---
3818NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
3819
3820Focus: Security Fix
3821
3822Severity: Low
3823
3824This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
3825the OpenSSL library relating to the incorrect checking of the return
3826value of EVP_VerifyFinal function.
3827
3828Credit for finding this issue goes to the Google Security Team for
3829finding the original issue with OpenSSL, and to ocert.org for finding
3830the problem in NTP and telling us about it.
3831
This is a recommended upgrade.

---
3834NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
3835
3836Focus: Minor Bugfixes
3837
3838This release fixes a number of Windows-specific ntpd bugs and
3839platform-independent ntpdate bugs. A logging bugfix has been applied
3840to the ONCORE driver.
3841
The "dynamic" keyword is now obsolete and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.
3845
3846A number of minor build system and documentation fixes are included.
3847
3848This is a recommended upgrade for Windows.
3849
3850---
3851NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
3852
3853Focus: Minor Bugfixes
3854
3855This release updates certain copyright information, fixes several display
3856bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
3857shutdown in the parse refclock driver, removes some lint from the code,
3858stops accessing certain buffers immediately after they were freed, fixes
3859a problem with non-command-line specification of -6, and allows the loopback
3860interface to share addresses with other interfaces.
3861
3862---
3863NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
3864
3865Focus: Minor Bugfixes
3866
This release fixes a bug in Windows that made it difficult to
terminate ntpd under Windows.

This is a recommended upgrade for Windows.
3870
3871---
3872NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
3873
3874Focus: Minor Bugfixes
3875
3876This release fixes a multicast mode authentication problem,
3877an error in NTP packet handling on Windows that could lead to
3878ntpd crashing, and several other minor bugs. Handling of
3879multicast interfaces and logging configuration were improved.
3880The required versions of autogen and libopts were incremented.
3881This is a recommended upgrade for Windows and multicast users.
3882
3883---
3884NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
3885
3886Focus: enhancements and bug fixes.
3887
3888Dynamic interface rescanning was added to simplify the use of ntpd in
3889conjunction with DHCP. GNU AutoGen is used for its command-line options
3890processing. Separate PPS devices are supported for PARSE refclocks, MD5
3891signatures are now provided for the release files. Drivers have been
3892added for some new ref-clocks and have been removed for some older
3893ref-clocks. This release also includes other improvements, documentation
3894and bug fixes.
3895
3896K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
3897C support.
3898
3899---
3900NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
3901
Focus: enhancements and bug fixes.

---
3904NTP 4.2.8p17 (Harlan Stenn <stenn@ntp.org>, 2023 Jun 06)
3905
3906Focus: Bug fixes
3907
3908Severity: HIGH (for people running 4.2.8p16)
3909
3910This release:
3911
3912- fixes 3 bugs, including a regression
3913- adds new unit tests
3914
3915Details below:
3916
3917* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
3918             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
3919* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
3920             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
             Miroslav Lichvar and Matt for rapid testing and identifying the
             problem. <hart@ntp.org>
3925* Add tests/libntp/digests.c to catch regressions reading keys file or with
3926  symmetric authentication digest output.
3927
3928---
3929NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)
3930
3931Focus: Security, Bug fixes
3932
3933Severity: LOW
3934
3935This release:
3936
3937- fixes 4 vulnerabilities (3 LOW and 1 None severity),
3938- fixes 46 bugs
3939- includes 15 general improvements
3940- adds support for OpenSSL-3.0
3941
3942Details below:
3943
3944* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
3945* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
3946             hypothetical input buffer overflow. Reported by ... stenn@
3947* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
3948  - solved numerically instead of using string manipulation
3949* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
3950             <stenn@ntp.org>
3951* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
3952* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
3953* [Bug 3814] First poll delay of new or cleared associations miscalculated.
3954             <hart@ntp.org>
3955* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
3956             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
3957* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
3958* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
3959* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
3960* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
3961             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
3962* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
3963  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
3964* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
3965  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
3966* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
3967* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
3968             <hart@ntp.org>
3969* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
3970* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
3971  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
3972* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
3973* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
3974* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
3975* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
3976             Philippe De Muyter <phdm@macqel.be>
3977* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
3978  - openssl applink needed again for openSSL-1.1.1
3979* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
3980             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
3981* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
3982  - command line options override config statements where applicable
3983  - make initial frequency settings idempotent and reversible
  - make sure kernel PLL gets a recovered drift compensation
3985* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
3986* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
3987  - misleading title; essentially a request to ignore the receiver status.
3988    Added a mode bit for this. <perlinger@ntp.org>
3989* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
3990  - original patch by Richard Schmidt, with mods & unit test fixes
3991* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
3992  - implement/wrap 'realpath()' to resolve symlinks in device names
3993* [Bug 3691] Buffer Overflow reading GPSD output
3994  - original patch by matt<ntpbr@mattcorallo.com>
3995  - increased max PDU size to 4k to avoid truncation
3996* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
3997  - patch by Frank Kardel
3998* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
3999  - ntp{q,dc} now use the same password processing as ntpd does in the key
4000    file, so having a binary secret >= 11 bytes is possible for all keys.
4001    (This is a different approach to the problem than suggested)
4002* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
4003* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
4004  - patch by Gerry Garvey
4005* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
4006  - original patch by Gerry Garvey
4007* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
4008  - original patch by Gerry Garvey
4009* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
4010  - applied patches by Gerry Garvey
4011* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
4012* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
4013  - idea+patch by Gerry Garvey
4014* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
4015* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
4016  - follow-up: fix inverted sense in check, reset shortfall counter
4017* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
4018* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
4019  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
4020* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
4021  - applied patch by Gerry Garvey
4022* [Bug 3432] refclocks that 'write()' should check the result <perlinger@ntp.org>
4023  - backport from -dev, plus some more work on warnings for unchecked results
4024* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
4025             Reported by Israel G. Lugo. <hart@ntp.org>
4026* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
4027* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
4028             Integrated patch from Brian Utterback. <hart@ntp.org>
4029* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
4030* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
4031* Use correct rounding in mstolfp(). perlinger/hart
4032* M_ADDF should use u_int32.  <hart@ntp.org>
4033* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
4034* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
4035* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
4036* If DEBUG is enabled, the startup banner now says that debug assertions
4037  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
4038* syslog valid incoming KoDs.  <stenn@ntp.org>
4039* Rename a poorly-named variable.  <stenn@ntp.org>
4040* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
4041* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
4042* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
4043* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
4044* upgrade to: autogen-5.18.16
4045* upgrade to: libopts-42.1.17
4046* upgrade to: autoconf-2.71
4047* upgrade to: automake-1.16.15
4048* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
4049* Support OpenSSL-3.0
4050
4051---
4052NTP 4.2.8p15 (Harlan Stenn <stenn@ntp.org>, 2020 Jun 23)
4053
4054Focus: Security, Bug fixes
4055
4056Severity: MEDIUM
4057
4058This release fixes one vulnerability: Associations that use CMAC
4059authentication between ntpd from versions 4.2.8p11/4.3.97 and
40604.2.8p14/4.3.100 will leak a small amount of memory for each packet.
4061Eventually, ntpd will run out of memory and abort.
4062
4063It also fixes 13 other bugs.
4064
4065* [Sec 3661] memory leak with AES128CMAC keys <perlinger@ntp.org>
4066* [Bug 3670] Regression from bad merger between 3592 and 3596 <perlinger@>
4067  - Thanks to Sylar Tao
4068* [Bug 3667] decodenetnum fails with numeric port <perlinger@ntp.org>
4069  - rewrite 'decodenetnum()' in terms of inet_pton
4070* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
4071  - limit number of receive buffers, with an iron reserve for refclocks
4072* [Bug 3664] Enable openSSL CMAC support on Windows <burnicki@ntp.org>
4073* [Bug 3662] Fix build errors on Windows with VS2008 <burnicki@ntp.org>
4074* [Bug 3660] Manycast orphan mode startup discovery problem. <stenn@ntp.org>
4075  - integrated patch from Charles Claggett
4076* [Bug 3659] Move definition of psl[] from ntp_config.h to
4077  ntp_config.h <perlinger@ntp.org>
4078* [Bug 3657] Wrong "Autokey group mismatch" debug message <perlinger@ntp.org>
4079* [Bug 3655] ntpdc memstats hash counts <perlinger@ntp.org>
  - fix by Gerry Garvey
4081* [Bug 3653] Refclock jitter RMS calculation <perlinger@ntp.org>
4082  - thanks to Gerry Garvey
4083* [Bug 3646] Avoid sync with unsync orphan <perlinger@ntp.org>
4084  - patch by Gerry Garvey
4085* [Bug 3644] Unsynchronized server [...] selected as candidate <perlinger@ntp.org>
4086* [Bug 3639] refclock_jjy: TS-JJY0x can skip time sync depending on the STUS reply. <abe@ntp.org>
4087  - applied patch by Takao Abe
4088
4089---
4090NTP 4.2.8p14 (Harlan Stenn <stenn@ntp.org>, 2020 Mar 03)
4091
4092Focus: Security, Bug fixes, enhancements.
4093
4094Severity: MEDIUM
4095
This release fixes three vulnerabilities: a bug that causes an ntpd
instance that is explicitly configured to override the default and allow
ntpdc (mode 7) connections to be made to a server to read some uninitialized
memory; fixes the case where an unmonitored ntpd using an unauthenticated
association to its servers may be susceptible to a forged packet DoS attack;
and fixes an attack against a client instance that uses a single
unauthenticated time source.  It also fixes 46 other bugs and addresses
4 other issues.
4104
4105* [Sec 3610] process_control() should bail earlier on short packets. stenn@
4106  - Reported by Philippe Antoine
4107* [Sec 3596] Highly predictable timestamp attack. <stenn@ntp.org>
4108  - Reported by Miroslav Lichvar
4109* [Sec 3592] DoS attack on client ntpd <perlinger@ntp.org>
4110  - Reported by Miroslav Lichvar
4111* [Bug 3637] Emit the version of ntpd in saveconfig.  stenn@
4112* [Bug 3636] NMEA: combine time/date from multiple sentences <perlinger@ntp.org>
4113* [Bug 3635] Make leapsecond file hash check optional <perlinger@ntp.org>
4114* [Bug 3634] Typo in discipline.html, reported by Jason Harrison.  stenn@
4115* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence
4116  - implement Zeller's congruence in libparse and libntp <perlinger@ntp.org>
4117* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap <perlinger@ntp.org>
4118  - integrated patch by Cy Schubert
4119* [Bug 3620] memory leak in ntpq sysinfo <perlinger@ntp.org>
4120  - applied patch by Gerry Garvey
4121* [Bug 3619] Honour drefid setting in cooked mode and sysinfo <perlinger@ntp.org>
4122  - applied patch by Gerry Garvey
4123* [Bug 3617] Add support for ACE III and Copernicus II receivers <perlinger@ntp.org>
4124  - integrated patch by Richard Steedman
4125* [Bug 3615] accelerate refclock startup <perlinger@ntp.org>
4126* [Bug 3613] Propagate noselect to mobilized pool servers <stenn@ntp.org>
4127  - Reported by Martin Burnicki
4128* [Bug 3612] Use-of-uninitialized-value in receive function <perlinger@ntp.org>
4129  - Reported by Philippe Antoine
4130* [Bug 3611] NMEA time interpreted incorrectly <perlinger@ntp.org>
4131  - officially document new "trust date" mode bit for NMEA driver
4132  - restore the (previously undocumented) "trust date" feature lost with [bug 3577]
4133* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter <perlinger@ntp.org>
4134  - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter'
4135* [Bug 3608] libparse fails to compile on S11.4SRU13 and later <perlinger@ntp.org>
4136  - removed ffs() and fls() prototypes as per Brian Utterback
4137* [Bug 3604] Wrong param byte order passing into record_raw_stats() in
4138          ntp_io.c <perlinger@ntp.org>
  - fixed byte and parameter order as suggested by wei6410@sina.com
4140* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no <perlinger@ntp.org>
4141* [Bug 3599] Build fails on linux-m68k due to alignment issues <perlinger@ntp.org>
4142  - added padding as suggested by John Paul Adrian Glaubitz
4143* [Bug 3594] ntpd discards messages coming through nmead <perlinger@ntp.org>
4144* [Bug 3593] ntpd discards silently nmea messages after the 5th string <perlinger@ntp.org>
4145* [Bug 3590] Update refclock_oncore.c to the new GPS date API <perlinger@ntp.org>
4146* [Bug 3585] Unity tests mix buffered and unbuffered output <perlinger@ntp.org>
4147  - stdout+stderr are set to line buffered during test setup now
4148* [Bug 3583] synchronization error <perlinger@ntp.org>
4149  - set clock to base date if system time is before that limit
4150* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled <perlinger@ntp.org>
4151* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) <perlinger@ntp.org>
4152  - Reported by Paulo Neves
4153* [Bug 3577] Update refclock_zyfer.c to the new GPS date API <perlinger@ntp.org>
4154  - also updates for refclock_nmea.c and refclock_jupiter.c
4155* [Bug 3576] New GPS date function API <perlinger@ntp.org>
* [Bug 3573] ntpdate: misleading error message <perlinger@ntp.org>
4157* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo <perlinger@ntp.org>
4158* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' <perlinger@ntp.org>
4159  - sidekick: service port resolution in 'ntpdate'
4160* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH <perlinger@ntp.org>
4161  - applied patch by Douglas Royds
4162* [Bug 3542] ntpdc monlist parameters cannot be set <perlinger@ntp.org>
4163* [Bug 3533] ntpdc peer_info ipv6 issues <perlinger@ntp.org>
4164  - applied patch by Gerry Garvey
4165* [Bug 3531] make check: test-decodenetnum fails <perlinger@ntp.org>
4166  - try to harden 'decodenetnum()' against 'getaddrinfo()' errors
4167  - fix wrong cond-compile tests in unit tests
4168* [Bug 3517] Reducing build noise <perlinger@ntp.org>
4169* [Bug 3516] Require tooling from this decade <perlinger@ntp.org>
4170  - patch by Philipp Prindeville
4171* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code <perlinger@ntp.org>
4172  - patch by Philipp Prindeville
4173* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings <perlinger@ntp.org>
4174  - patch by Philipp Prindeville
4175* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() <perlinger@ntp.org>
4176  - partial application of patch by Philipp Prindeville
4177* [Bug 3491] Signed values of LFP datatypes should always display a sign
4178  - applied patch by Gerry Garvey & fixed unit tests <perlinger@ntp.org>
4179* [Bug 3490] Patch to support Trimble Resolution Receivers <perlinger@ntp.org>
4180  - applied (modified) patch by Richard Steedman
4181* [Bug 3473] RefID of refclocks should always be text format <perlinger@ntp.org>
4182  - applied patch by Gerry Garvey (with minor formatting changes)
4183* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails <perlinger@ntp.org>
4184  - applied patch by Miroslav Lichvar
4185* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network
4186  <perlinger@ntp.org>
4187* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user
4188             is specified with -u <perlinger@ntp.org>
4189  - monitor daemon child startup & propagate exit codes
4190* [Bug 1433] runtime check whether the kernel really supports capabilities
4191  - (modified) patch by Kurt Roeckx <perlinger@ntp.org>
4192* Clean up sntp/networking.c:sendpkt() error message.  <stenn@ntp.org>
4193* Provide more detail on unrecognized config file parser tokens. <stenn@ntp.org>
4194* Startup log improvements. <stenn@ntp.org>
4195* Update the copyright year.
4196
4197---
4198NTP 4.2.8p13 (Harlan Stenn <stenn@ntp.org>, 2019 Mar 07)
4199
4200Focus: Security, Bug fixes, enhancements.
4201
4202Severity: MEDIUM
4203
4204This release fixes a bug that allows an attacker with access to an
4205explicitly trusted source to send a crafted malicious mode 6 (ntpq)
4206packet that can trigger a NULL pointer dereference, crashing ntpd.
4207It also provides 17 other bugfixes and 1 other improvement:
4208
4209* [Sec 3565] Crafted null dereference attack in authenticated
4210               mode 6 packet <perlinger@ntp.org>
4211  - reported by Magnus Stubman
4212* [Bug 3560] Fix build when HAVE_DROPROOT is not defined <perlinger@ntp.org>
4213  - applied patch by Ian Lepore
4214* [Bug 3558] Crash and integer size bug <perlinger@ntp.org>
4215  - isolate and fix linux/windows specific code issue
4216* [Bug 3556] ntp_loopfilter.c snprintf compilation warnings <perlinger@ntp.org>
4217  - provide better function for incremental string formatting
4218* [Bug 3555] Tidy up print alignment of debug output from ntpdate <perlinger@ntp.org>
4219  - applied patch by Gerry Garvey
4220* [Bug 3554] config revoke stores incorrect value <perlinger@ntp.org>
4221  - original finding by Gerry Garvey, additional cleanup needed
4222* [Bug 3549] Spurious initgroups() error message <perlinger@ntp.org>
  - patch by Christos Zoulas
4224* [Bug 3548] Signature not verified on windows system <perlinger@ntp.org>
4225  - finding by Chen Jiabin, plus another one by me
4226* [Bug 3541] patch to fix STA_NANO struct timex units <perlinger@ntp.org>
4227  - applied patch by Maciej Szmigiero
4228* [Bug 3540] Cannot set minsane to 0 anymore <perlinger@ntp.org>
4229  - applied patch by Andre Charbonneau
4230* [Bug 3539] work_fork build fails when droproot is not supported <perlinger@ntp.org>
4231  - applied patch by Baruch Siach
4232* [Bug 3538] Build fails for no-MMU targets <perlinger@ntp.org>
4233  - applied patch by Baruch Siach
4234* [Bug 3535] libparse won't handle GPS week rollover <perlinger@ntp.org>
4235  - refactored handling of GPS era based on 'tos basedate' for
4236    parse (TSIP) and JUPITER clocks
4237* [Bug 3529] Build failures on Mac OS X 10.13 (High Sierra) <perlinger@ntp.org>
4238  - patch by Daniel J. Luke; this does not fix a potential linker
4239    regression issue on MacOS.
4240* [Bug 3527 - Backward Incompatible] mode7 clockinfo fudgeval2 packet
4241  anomaly <perlinger@ntp.org>, reported by GGarvey.
4242  - --enable-bug3527-fix support by HStenn
4243* [Bug 3526] Incorrect poll interval in packet <perlinger@ntp.org>
4244  - applied patch by Gerry Garvey
4245* [Bug 3471] Check for openssl/[ch]mac.h.  <perlinger@ntp.org>
4246  - added missing check, reported by Reinhard Max <perlinger@ntp.org>
4247* [Bug 1674] runtime crashes and sync problems affecting both x86 and x86_64
4248  - this is a variant of [bug 3558] and should be fixed with it
4249* Implement 'configure --disable-signalled-io'
4250
4251--
4252NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
4253
4254Focus: Security, Bug fixes, enhancements.
4255
4256Severity: MEDIUM
4257
4258This release fixes a "hole" in the noepeer capability introduced to ntpd
4259in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
4260ntpq and ntpdc.  It also provides 26 other bugfixes, and 4 other improvements:
4261
4262* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
4263
4264* [Sec 3012] Fix a hole in the new "noepeer" processing.
4265
4266* Bug Fixes:
4267 [Bug 3521] Fix a logic bug in the INVALIDNAK checks.  <stenn@ntp.org>
4268 [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
4269            other TrustedBSD platforms
4270 - applied patch by Ian Lepore <perlinger@ntp.org>
4271 [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
4272 - changed interaction with SCM to signal pending startup
4273 [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
4274 - applied patch by Gerry Garvey
4275 [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
4276 - applied patch by Gerry Garvey
4277 [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
4278 - rework of ntpq 'nextvar()' key/value parsing
4279 [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
4280 - applied patch by Gerry Garvey (with mods)
4281 [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
4282 - applied patch by Gerry Garvey
4283 [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
4284 - applied patch by Gerry Garvey (with mods)
 [Bug 3476] ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
4286 - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
4287 [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
4288 - applied patch by Gerry Garvey
4289 [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
4290 - applied patch by Gerry Garvey
4291 [Bug 3471] Check for openssl/[ch]mac.h.  HStenn.
4292 - add #define ENABLE_CMAC support in configure.  HStenn.
4293 [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
4294 [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
4295 - patch by Stephen Friedl
4296 [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
 - fixed IO redirection and CTRL-C handling in ntpq and ntpdc
4298 [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
4299 [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
4300 - initial patch by Hal Murray; also fixed refclock_report() trouble
4301 [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph.  <stenn@ntp.org>
4302 [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
4303 - According to Brooks Davis, there was only one location <perlinger@ntp.org>
4304 [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
4305 - applied patch by Gerry Garvey
4306 [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
4307 - applied patch by Gerry Garvey
 [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, with modifications
 - New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
4311 [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
4312 - applied patch by Miroslav Lichvar
4313 [Bug 3426] ntpdate.html -t default is 2 seconds.  Leonid Evdokimov.
4314 [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
 - integrated patch by Reinhard Max
4316 [Bug 2821] minor build issues <perlinger@ntp.org>
4317 - applied patches by Christos Zoulas, including real bug fixes
4318 html/authopt.html: cleanup, from <stenn@ntp.org>
4319 ntpd/ntpd.c: DROPROOT cleanup.  <stenn@ntp.org>
4320 Symmetric key range is 1-65535.  Update docs.   <stenn@ntp.org>
4321
4322--
4323NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
4324
4325Focus: Security, Bug fixes, enhancements.
4326
4327Severity: MEDIUM
4328
This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and
provides 65 other non-security fixes and improvements:
4332
4333* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
4334          association (LOW/MED)
4335   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4336   References: Sec 3454 / CVE-2018-7185 / VU#961909
4337   Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
4338   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
4339          2.9 and 6.8.
4340   CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
4341          score between 2.6 and 3.1
4342   Summary:
4343          The NTP Protocol allows for both non-authenticated and
4344          authenticated associations, in client/server, symmetric (peer),
4345          and several broadcast modes. In addition to the basic NTP
4346          operational modes, symmetric mode and broadcast servers can
4347          support an interleaved mode of operation. In ntp-4.2.8p4 a bug
4348          was inadvertently introduced into the protocol engine that
4349          allows a non-authenticated zero-origin (reset) packet to reset
4350          an authenticated interleaved peer association. If an attacker
4351          can send a packet with a zero-origin timestamp and the source
4352          IP address of the "other side" of an interleaved association,
4353          the 'victim' ntpd will reset its association. The attacker must
4354          continue sending these packets in order to maintain the
4355          disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
4356          interleave mode could be entered dynamically. As of ntp-4.2.8p7,
4357          interleaved mode must be explicitly configured/enabled.
4358   Mitigation:
4359          Implement BCP-38.
4360          Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
4361              or the NTP Public Services Project Download Page.
4362          If you are unable to upgrade to 4.2.8p11 or later and have
4363              'peer HOST xleave' lines in your ntp.conf file, remove the
4364              'xleave' option.
4365          Have enough sources of time.
4366          Properly monitor your ntpd instances.
4367          If ntpd stops running, auto-restart it without -g .
4368   Credit:
4369          This weakness was discovered by Miroslav Lichvar of Red Hat.
4370
4371* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
4372          state (LOW/MED)
4373   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4374   References: Sec 3453 / CVE-2018-7184 / VU#961909
4375   Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
4376   CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
4377          Could score between 2.9 and 6.8.
4378   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
4379          Could score between 2.6 and 6.0.
4380   Summary:
4381          The fix for NtpBug2952 was incomplete, and while it fixed one
4382          problem it created another.  Specifically, it drops bad packets
4383          before updating the "received" timestamp.  This means a
4384          third-party can inject a packet with a zero-origin timestamp,
4385          meaning the sender wants to reset the association, and the
4386          transmit timestamp in this bogus packet will be saved as the
4387          most recent "received" timestamp.  The real remote peer does
4388          not know this value and this will disrupt the association until
4389          the association resets.
4390   Mitigation:
4391          Implement BCP-38.
4392          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4393              or the NTP Public Services Project Download Page.
4394          Use authentication with 'peer' mode.
4395          Have enough sources of time.
4396          Properly monitor your ntpd instances.
4397          If ntpd stops running, auto-restart it without -g .
4398   Credit:
4399          This weakness was discovered by Miroslav Lichvar of Red Hat.
4400
4401* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
4402          peering (LOW)
4403   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4404   References: Sec 3415 / CVE-2018-7170 / VU#961909
4405                 Sec 3012 / CVE-2016-1549 / VU#718152
4406   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4407          4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
4408   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
4409   CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4410   Summary:
4411          ntpd can be vulnerable to Sybil attacks.  If a system is set up to
4412          use a trustedkey and if one is not using the feature introduced in
4413          ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
4414          specify which IPs can serve time, a malicious authenticated peer
4415          -- i.e. one where the attacker knows the private symmetric key --
4416          can create arbitrarily-many ephemeral associations in order to win
4417          the clock selection of ntpd and modify a victim's clock.  Three
4418          additional protections are offered in ntp-4.2.8p11.  One is the
4419          new 'noepeer' directive, which disables symmetric passive
4420          ephemeral peering. Another is the new 'ippeerlimit' directive,
4421          which limits the number of peers that can be created from an IP.
4422          The third extends the functionality of the 4th field in the
4423          ntp.keys file to include specifying a subnet range.
4424   Mitigation:
4425          Implement BCP-38.
4426          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4427              or the NTP Public Services Project Download Page.
4428          Use the 'noepeer' directive to prohibit symmetric passive
4429              ephemeral associations.
4430          Use the 'ippeerlimit' directive to limit the number of peers
4431              that can be created from an IP.
4432          Use the 4th argument in the ntp.keys file to limit the IPs and
4433              subnets that can be time servers.
4434          Have enough sources of time.
4435          Properly monitor your ntpd instances.
4436          If ntpd stops running, auto-restart it without -g .
4437   Credit:
4438          This weakness was reported as Bug 3012 by Matthew Van Gundy of
4439          Cisco ASIG, and separately by Stefan Moser as Bug 3415.
4440
4441* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
4442   Date Resolved: 27 Feb 2018
4443   References: Sec 3414 / CVE-2018-7183 / VU#961909
4444   Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
4445   CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
4446   CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
4447   Summary:
4448          ntpq is a monitoring and control program for ntpd.  decodearr()
4449          is an internal function of ntpq that is used to -- wait for it --
4450          decode an array in a response string when formatted data is being
4451          displayed.  This is a problem in affected versions of ntpq if a
4452          maliciously-altered ntpd returns an array result that will trip this
4453          bug, or if a bad actor is able to read an ntpq request on its way to
4454          a remote ntpd server and forge and send a response before the remote
4455          ntpd sends its response.  It's potentially possible that the
4456          malicious data could become injectable/executable code.
4457   Mitigation:
4458          Implement BCP-38.
4459          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4460              or the NTP Public Services Project Download Page.
4461   Credit:
4462          This weakness was discovered by Michael Macnair of Thales e-Security.
4463
4464* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
4465          behavior and information leak (Info/Medium)
4466   Date Resolved: 27 Feb 2018
4467   References: Sec 3412 / CVE-2018-7182 / VU#961909
4468   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
4469   CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
4470   CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4471          0.0 if C:N
4472   Summary:
          ctl_getitem() is used by ntpd to process incoming mode 6 packets.
4474          A malicious mode 6 packet can be sent to an ntpd instance, and
4475          if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
4476          cause ctl_getitem() to read past the end of its buffer.
4477   Mitigation:
4478          Implement BCP-38.
4479          Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
4480              or the NTP Public Services Project Download Page.
4481          Have enough sources of time.
4482          Properly monitor your ntpd instances.
4483          If ntpd stops running, auto-restart it without -g .
4484   Credit:
4485          This weakness was discovered by Yihan Lian of Qihoo 360.
4486
4487* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
4488   Also see Bug 3415, above.
4489   Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
4490   Date Resolved: Stable (4.2.8p11) 27 Feb 2018
4491   References: Sec 3012 / CVE-2016-1549 / VU#718152
4492   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
4493          4.3.0 up to, but not including 4.3.92.  Resolved in 4.2.8p11.
4494   CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
4495   CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
4496   Summary:
4497          ntpd can be vulnerable to Sybil attacks.  If a system is set up
4498          to use a trustedkey and if one is not using the feature
4499          introduced in ntp-4.2.8p6 allowing an optional 4th field in the
4500          ntp.keys file to specify which IPs can serve time, a malicious
4501          authenticated peer -- i.e. one where the attacker knows the
4502          private symmetric key -- can create arbitrarily-many ephemeral
4503          associations in order to win the clock selection of ntpd and
4504          modify a victim's clock.  Two additional protections are
4505          offered in ntp-4.2.8p11.  One is the 'noepeer' directive, which
4506          disables symmetric passive ephemeral peering. The other extends
4507          the functionality of the 4th field in the ntp.keys file to
4508          include specifying a subnet range.
4509   Mitigation:
4510          Implement BCP-38.
4511          Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
4512              the NTP Public Services Project Download Page.
4513          Use the 'noepeer' directive to prohibit symmetric passive
4514              ephemeral associations.
4515          Use the 'ippeerlimit' directive to limit the number of peer
4516              associations from an IP.
4517          Use the 4th argument in the ntp.keys file to limit the IPs
4518              and subnets that can be time servers.
4519          Properly monitor your ntpd instances.
4520   Credit:
4521          This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
4522
4523* Bug fixes:
4524 [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
4525 [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
4526 - applied patch by Sean Haugh
4527 [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
4528 [Bug 3450] Dubious error messages from plausibility checks in get_systime()
4529 - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
4530 [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
4531 - refactoring the MAC code, too
4532 [Bug 3441] Validate the assumption that AF_UNSPEC is 0.  stenn@ntp.org
4533 [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
4534 - applied patch by ggarvey
4535 [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
4536 - applied patch by ggarvey (with minor mods)
4537 [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
4538 - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
4539 [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
4540 [Bug 3433] sntp crashes when run with -a.  <stenn@ntp.org>
4541 [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
4542 - fixed several issues with hash algos in ntpd, sntp, ntpq,
4543   ntpdc and the test suites <perlinger@ntp.org>
 [Bug 3424] Trimble Thunderbolt 1024 week millennium bug <perlinger@ntp.org>
4545 - initial patch by Daniel Pouzzner
4546 [Bug 3423] QNX adjtime() implementation error checking is
4547 wrong <perlinger@ntp.org>
 [Bug 3417] ntpq ifstats packet counters can be negative
 - made IFSTATS counter quantities unsigned <perlinger@ntp.org>
4550 [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
4551 - raised receive buffer size to 1200 <perlinger@ntp.org>
4552 [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
4553 analysis tool. <abe@ntp.org>
4554 [Bug 3405] update-leap.in: general cleanup, HTTPS support.  Paul McMath.
4555 [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
4556 - fix/drop assumptions on OpenSSL libs directory layout
4557 [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
4558 - initial patch by timeflies@mail2tor.com  <perlinger@ntp.org>
4559 [Bug 3398] tests fail with core dump <perlinger@ntp.org>
4560 - patch contributed by Alexander Bluhm
 [Bug 3397] ctl_putstr() asserts that data fits in its buffer
 - rework of formatting & data transfer stuff in 'ntp_control.c'
   avoids unnecessary buffers and size limitations. <perlinger@ntp.org>
4564 [Bug 3394] Leap second deletion does not work on ntpd clients
4565 - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
4566 [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
 - increased minimum stack size to 32kB <perlinger@ntp.org>
4568 [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
4569 - reverted handling of PPS kernel consumer to 4.2.6 behavior
4570 [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
4571 [Bug 3358] Spurious KoD log messages in .INIT. phase.  HStenn.
4572 [Bug 3016] wrong error position reported for bad ":config pool"
4573 - fixed location counter & ntpq output <perlinger@ntp.org>
4574 [Bug 2900] libntp build order problem.  HStenn.
4575 [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
4576 [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
4577 perlinger@ntp.org
4578 [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
4579 [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
4580 Use strlcpy() to copy strings, not memcpy().  HStenn.
4581 Typos.  HStenn.
4582 test_ntp_scanner_LDADD needs ntpd/ntp_io.o.  HStenn.
4583 refclock_jjy.c: Add missing "%s" to an msyslog() call.  HStenn.
4584 Build ntpq and libntpq.a with NTP_HARD_*FLAGS.  perlinger@ntp.org
4585 Fix trivial warnings from 'make check'. perlinger@ntp.org
4586 Fix bug in the override portion of the compiler hardening macro. HStenn.
4587 record_raw_stats(): Log entire packet.  Log writes.  HStenn.
4588 AES-128-CMAC support.  BInglis, HStenn, JPerlinger.
4589 sntp: tweak key file logging.  HStenn.
4590 sntp: pkt_output(): Improve debug output.  HStenn.
4591 update-leap: updates from Paul McMath.
4592 When using pkg-config, report --modversion.  HStenn.
4593 Clean up libevent configure checks.  HStenn.
4594 sntp: show the IP of who sent us a crypto-NAK.  HStenn.
4595 Allow .../N to specify subnet bits for IPs in ntp.keys.  HStenn, JPerlinger.
4596 authistrustedip() - use it in more places.  HStenn, JPerlinger.
4597 New sysstats: sys_lamport, sys_tsrounding.  HStenn.
4598 Update ntp.keys .../N documentation.  HStenn.
4599 Distribute testconf.yml.  HStenn.
4600 Add DPRINTF(2,...) lines to receive() for packet drops.  HStenn.
4601 Rename the configuration flag fifo variables.  HStenn.
4602 Improve saveconfig output.  HStenn.
4603 Decode restrict flags on receive() debug output.  HStenn.
4604 Decode interface flags on receive() debug output.  HStenn.
4605 Warn the user if deprecated "driftfile name WanderThreshold" is used.  HStenn.
4606 Update the documentation in ntp.conf.def .  HStenn.
4607 restrictions() must return restrict flags and ippeerlimit.  HStenn.
4608 Update ntpq peer documentation to describe the 'p' type.  HStenn.
 Rename restrict 'flags' to 'rflags'.  Use an enum for the values.  HStenn.
4610 Provide dump_restricts() for debugging.  HStenn.
4611 Use consistent 4th arg type for [gs]etsockopt.  JPerlinger.
4612
4613* Other items:
4614
4615* update-leap needs the following perl modules:
4616          Net::SSLeay
4617          IO::Socket::SSL
4618
4619* New sysstats variables: sys_lamport, sys_tsrounding
4620See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
4621sys_lamport counts the number of observed Lamport violations, while
4622sys_tsrounding counts observed timestamp rounding events.
4623
4624* New ntp.conf items:
4625
4626- restrict ... noepeer
4627- restrict ... ippeerlimit N
4628
4629The 'noepeer' directive will disallow all ephemeral/passive peer
4630requests.
4631
4632The 'ippeerlimit' directive limits the number of time associations
4633for each IP in the designated set of addresses.  This limit does not
4634apply to explicitly-configured associations.  A value of -1, the current
4635default, means an unlimited number of associations may connect from a
4636single IP.  0 means "none", etc.  Ordinarily the only way multiple
4637associations would come from the same IP would be if the remote side
4638was using a proxy.  But a trusted machine might become compromised,
4639in which case an attacker might spin up multiple authenticated sessions
4640from different ports.  This directive should be helpful in this case.
4641
* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
field may contain a /subnetbits specification, which identifies the
scope of IPs that may use this key.  This IP/subnet restriction can be
used to limit the IPs that may use the key in almost all situations where
a key is used.
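
The scoping rule described above, as an added example that is not ntpd's own key-file parser: it parses the 4th-field list element by element and checks whether a client address falls inside any "ip/subnetbits" entry.  IPv4 only, and an absent list is treated as unrestricted; both are assumptions of this example, and the addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not ntpd's own key-file parser): how an "ip/subnetbits"
 * element in the optional 4th field of ntp.keys scopes a key.  IPv4 only,
 * and an absent list is treated as "any address may use the key"; both
 * are assumptions of this example.
 */

struct key_scope {
    uint32_t net;   /* network address, host byte order */
    int bits;       /* prefix length 0..32; 32 for a bare address */
};

/* Parse dotted-quad text into a host-order uint32_t.  Returns 0 on
 * success, -1 if the text is not exactly "a.b.c.d" with octets <= 255. */
static int parse_ipv4(const char *text, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;

    if (sscanf(text, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &extra) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* Parse one "a.b.c.d[/bits]" element.  Returns 0 on success, -1 on bad input. */
int parse_scope(const char *text, struct key_scope *out)
{
    char addr[16];
    const char *slash = strchr(text, '/');
    size_t len = slash ? (size_t)(slash - text) : strlen(text);
    int bits = 32;

    if (len == 0 || len >= sizeof addr)
        return -1;
    memcpy(addr, text, len);
    addr[len] = '\0';
    if (parse_ipv4(addr, &out->net) != 0)
        return -1;
    if (slash != NULL) {
        char extra;
        if (sscanf(slash + 1, "%d%c", &bits, &extra) != 1 || bits < 0 || bits > 32)
            return -1;
    }
    out->bits = bits;
    return 0;
}

/* True when the client's top `bits` bits equal the scope's. */
int scope_matches(const struct key_scope *s, uint32_t client)
{
    uint32_t mask = (s->bits == 0) ? 0u : 0xFFFFFFFFu << (32 - s->bits);
    return (client & mask) == (s->net & mask);
}

/* Evaluate the 4th field ("ip1[/b],ip2[/b],...") against a client address.
 * Returns 1 if some element covers the client, 0 if none does, -1 if the
 * list or the client address is malformed. */
int key_permits_client(const char *iplist, const char *client_text)
{
    uint32_t client;
    const char *p = iplist;

    if (parse_ipv4(client_text, &client) != 0)
        return -1;
    if (p == NULL || *p == '\0')
        return 1;                       /* no list: unrestricted (assumed) */
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char elem[32];
        struct key_scope s;

        if (len == 0 || len >= sizeof elem)
            return -1;
        memcpy(elem, p, len);
        elem[len] = '\0';
        if (parse_scope(elem, &s) != 0)
            return -1;                  /* reject the whole line on bad syntax */
        if (scope_matches(&s, client))
            return 1;
        if (comma == NULL)
            return 0;
        p = comma + 1;
    }
}
```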
4647--
4648NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
4649
4650Focus: Security, Bug fixes, enhancements.
4651
4652Severity: MEDIUM
4653
4654This release fixes 5 medium-, 6 low-, and 4 informational-severity
4655vulnerabilities, and provides 15 other non-security fixes and improvements:
4656
4657* NTP-01-016 NTP: Denial of Service via Malformed Config (Medium)
4658   Date Resolved: 21 Mar 2017
4659   References: Sec 3389 / CVE-2017-6464 / VU#325339
4660   Affects: All versions of NTP-4, up to but not including ntp-4.2.8p10, and
4661          ntp-4.3.0 up to, but not including ntp-4.3.94.
4662   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4663   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4664   Summary:
4665          A vulnerability found in the NTP server makes it possible for an
4666          authenticated remote user to crash ntpd via a malformed mode
4667          configuration directive.
4668   Mitigation:
4669          Implement BCP-38.
4670          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
4671              the NTP Public Services Project Download Page
4672          Properly monitor your ntpd instances, and auto-restart
4673              ntpd (without -g) if it stops running.
4674   Credit:
4675          This weakness was discovered by Cure53.
4676
4677* NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Low)
   Date Resolved: 21 Mar 2017
   References: Sec 3388 / CVE-2017-6462 / VU#325339
   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
          ntp-4.3.0 up to, but not including ntp-4.3.94.
   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
   CVSS3: Low 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4683    Summary:
4684          There is a potential for a buffer overflow in the legacy Datum
4685          Programmable Time Server refclock driver.  Here the packets are
4686          processed from the /dev/datum device and handled in
4687          datum_pts_receive().  Since an attacker would be required to
4688          somehow control a malicious /dev/datum device, this does not
4689          appear to be a practical attack and renders this issue "Low" in
4690          terms of severity.
4691   Mitigation:
4692          If you have a Datum reference clock installed and think somebody
4693              may maliciously change the device, upgrade to 4.2.8p10, or
4694              later, from the NTP Project Download Page or the NTP Public
4695              Services Project Download Page
4696          Properly monitor your ntpd instances, and auto-restart
4697              ntpd (without -g) if it stops running.
4698   Credit:
4699          This weakness was discovered by Cure53.
4700
4701* NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Medium)
4702   Date Resolved: 21 Mar 2017
4703   References: Sec 3387 / CVE-2017-6463 / VU#325339
4704   Affects: All versions of ntp, up to but not including ntp-4.2.8p10, and
4705          ntp-4.3.0 up to, but not including ntp-4.3.94.
4706   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4707   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4708   Summary:
4709          A vulnerability found in the NTP server allows an authenticated
4710          remote attacker to crash the daemon by sending an invalid setting
4711          via the :config directive.  The unpeer option expects a number or
4712          an address as an argument.  In case the value is "0", a
4713          segmentation fault occurs.
4714   Mitigation:
4715          Implement BCP-38.
4716          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4717              or the NTP Public Services Project Download Page
4718          Properly monitor your ntpd instances, and auto-restart
4719              ntpd (without -g) if it stops running.
4720   Credit:
4721          This weakness was discovered by Cure53.
4722
4723* NTP-01-011 NTP: ntpq_stripquotes() returns incorrect value (Informational)
4724   Date Resolved: 21 Mar 2017
4725   References: Sec 3386
4726   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4727          ntp-4.3.0 up to, but not including ntp-4.3.94.
4728   CVSS2: None 0.0 (AV:N/AC:H/Au:N/C:N/I:N/A:N)
4729   CVSS3: None 0.0 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:N
4730   Summary:
4731          The NTP Mode 6 monitoring and control client, ntpq, uses the
4732          function ntpq_stripquotes() to remove quotes and escape characters
4733          from a given string.  According to the documentation, the function
4734          is supposed to return the number of copied bytes but due to
4735          incorrect pointer usage this value is always zero.  Although the
4736          return value of this function is never used in the code, this
4737          flaw could lead to a vulnerability in the future.  Since relying
4738          on wrong return values when performing memory operations is a
4739          dangerous practice, it is recommended to return the correct value
4740          in accordance with the documentation pertinent to the code.
4741   Mitigation:
4742          Implement BCP-38.
4743          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4744              or the NTP Public Services Project Download Page
4745          Properly monitor your ntpd instances, and auto-restart
4746              ntpd (without -g) if it stops running.
4747   Credit:
4748          This weakness was discovered by Cure53.
4749
4750* NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Info)
4751   Date Resolved: 21 Mar 2017
4752   References: Sec 3385
4753   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4754          ntp-4.3.0 up to, but not including ntp-4.3.94.
4755   Summary:
4756          NTP makes use of several wrappers around the standard heap memory
4757          allocation functions that are provided by libc.  This is mainly
4758          done to introduce additional safety checks concentrated on
4759          several goals.  First, they seek to ensure that memory is not
4760          accidentally freed, secondly they verify that a correct amount
4761          is always allocated and, thirdly, that allocation failures are
4762          correctly handled.  There is an additional implementation for
4763          scenarios where memory for a specific amount of items of the
4764          same size needs to be allocated.  The handling can be found in
4765          the oreallocarray() function for which a further number-of-elements
4766          parameter needs to be provided.  Although no considerable threat
4767          was identified as tied to a lack of use of this function, it is
4768          recommended to correctly apply oreallocarray() as a preferred
4769          option across all of the locations where it is possible.
4770   Mitigation:
4771          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4772              or the NTP Public Services Project Download Page
4773   Credit:
4774          This weakness was discovered by Cure53.
4775
4776* NTP-01-009 NTP: Privileged execution of User Library code (WINDOWS
4777          PPSAPI ONLY) (Low)
4778   Date Resolved: 21 Mar 2017
4779   References: Sec 3384 / CVE-2017-6455 / VU#325339
4780   Affects: All Windows versions of ntp-4 that use the PPSAPI, up to but
4781          not including ntp-4.2.8p10, and ntp-4.3.0 up to, but not
4782          including ntp-4.3.94.
4783   CVSS2: MED 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
4784   CVSS3: MED 4.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4785   Summary:
4786          The Windows NT port has the added capability to preload DLLs
4787          defined in the inherited global local environment variable
4788          PPSAPI_DLLS.  The code contained within those libraries is then
4789          called from the NTPD service, usually running with elevated
          privileges.  Depending on how securely the machine is set up and
4791          configured, if ntpd is configured to use the PPSAPI under Windows
4792          this can easily lead to a code injection.
4793   Mitigation:
4794          Implement BCP-38.
4795          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4796              or the NTP Public Services Project Download Page
4797   Credit:
          This weakness was discovered by Cure53.
4799
4800* NTP-01-008 NTP: Stack Buffer Overflow from Command Line (WINDOWS
4801          installer ONLY) (Low)
4802   Date Resolved: 21 Mar 2017
4803   References: Sec 3383 / CVE-2017-6452 / VU#325339
4804   Affects: WINDOWS installer ONLY: All versions of the ntp-4 Windows
4805          installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0 up
4806          to, but not including ntp-4.3.94.
4807   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
4808   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4809   Summary:
4810          The Windows installer for NTP calls strcat(), blindly appending
4811          the string passed to the stack buffer in the addSourceToRegistry()
4812          function.  The stack buffer is 70 bytes smaller than the buffer
4813          in the calling main() function.  Together with the initially
4814          copied Registry path, the combination causes a stack buffer
4815          overflow and effectively overwrites the stack frame.  The
4816          passed application path is actually limited to 256 bytes by the
4817          operating system, but this is not sufficient to assure that the
4818          affected stack buffer is consistently protected against
4819          overflowing at all times.
4820   Mitigation:
4821          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4822          or the NTP Public Services Project Download Page
4823   Credit:
4824          This weakness was discovered by Cure53.
4825
4826* NTP-01-007 NTP: Data Structure terminated insufficiently (WINDOWS
4827          installer ONLY) (Low)
4828   Date Resolved: 21 Mar 2017
4829   References: Sec 3382 / CVE-2017-6459 / VU#325339
4830   Affects: WINDOWS installer ONLY: All ntp-4 versions of the Windows
4831          installer, up to but not including ntp-4.2.8p10, and ntp-4.3.0
4832          up to, but not including ntp-4.3.94.
4833   CVSS2: Low 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
4834   CVSS3: Low 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
4835   Summary:
4836          The Windows installer for NTP calls strcpy() with an argument
4837          that specifically contains multiple null bytes.  strcpy() only
4838          copies a single terminating null character into the target
4839          buffer instead of copying the required double null bytes in the
4840          addKeysToRegistry() function.  As a consequence, a garbage
4841          registry entry can be created.  The additional arsize parameter
4842          is erroneously set to contain two null bytes and the following
4843          call to RegSetValueEx() claims to be passing in a multi-string
4844          value, though this may not be true.
4845   Mitigation:
4846          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4847              or the NTP Public Services Project Download Page
4848   Credit:
4849          This weakness was discovered by Cure53.
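
The terminator problem described in this item, as an added example that is not the NTP Windows installer's code: strcpy() stops at the first NUL, so a double-NUL-terminated multi-string (the REG_MULTI_SZ layout) loses everything after its first element, while an explicit-length copy keeps both terminators.  The sample value is constructed and the code is portable C, so the registry call itself is not reproduced.

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example (not the NTP Windows installer's code): why strcpy() is
 * the wrong tool for a double-NUL-terminated multi-string such as a
 * REG_MULTI_SZ registry value.  strcpy() stops at the first NUL, so
 * "A\0B\0\0" arrives as "A\0" while the caller still reports the size of
 * a full multi-string to the registry API.
 */

/* Size in bytes of a multi-string: each element's NUL plus the final
 * extra NUL.  Assumes at least one non-empty element (an empty list is
 * represented by "\0\0" and would need special-casing). */
size_t multi_sz_size(const char *ms)
{
    size_t total = 0;

    while (*ms != '\0') {
        size_t n = strlen(ms) + 1;   /* element plus its own terminator */
        total += n;
        ms += n;
    }
    return total + 1;                /* the second, list-ending NUL */
}

/* Bytes a strcpy()-based copy places in the destination: only the first
 * element and one NUL.  Returned so the shortfall can be compared. */
size_t strcpy_copied_size(const char *ms)
{
    return strlen(ms) + 1;
}

/* Correct copy: move the whole multi-string, both terminators included,
 * with an explicit length.  Returns bytes copied, or 0 if dst is too small
 * (nothing is written in that case). */
size_t copy_multi_sz(char *dst, size_t dstsize, const char *src)
{
    size_t need = multi_sz_size(src);

    if (need > dstsize)
        return 0;
    memcpy(dst, src, need);
    return need;
}

/* Constructed sample value: two elements, "Application" and "Security".
 * The literal's implicit trailing NUL supplies the list-ending terminator. */
const char SAMPLE_MULTI_SZ[] = "Application\0Security\0";
char MULTI_SZ_DST[64];
```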
4850
4851* NTP-01-006 NTP: Copious amounts of Unused Code (Informational)
4852   References: Sec 3381
4853   Summary:
4854          The report says: Statically included external projects
4855          potentially introduce several problems and the issue of having
4856          extensive amounts of code that is "dead" in the resulting binary
4857          must clearly be pointed out.  The unnecessary unused code may or
4858          may not contain bugs and, quite possibly, might be leveraged for
4859          code-gadget-based branch-flow redirection exploits.  Analogically,
4860          having source trees statically included as well means a failure
4861          in taking advantage of the free feature for periodical updates.
4862          This solution is offered by the system's Package Manager. The
4863          three libraries identified are libisc, libevent, and libopts.
4864   Resolution:
4865          For libisc, we already only use a portion of the original library.
4866          We've found and fixed bugs in the original implementation (and
4867          offered the patches to ISC), and plan to see what has changed
4868          since we last upgraded the code.  libisc is generally not
          installed, and when it is, we usually only see the static libisc.a
4870          file installed.  Until we know for sure that the bugs we've found
4871          and fixed are fixed upstream, we're better off with the copy we
4872          are using.
4873
          Version 1 of libevent was the only production version available
          until recently, and we've been requiring version 2 for a long time.
          But if the build system has at least version 2 of libevent
          installed, we'll use the version that is installed on the system.
          Otherwise, we provide a copy of libevent that we know works.

          libopts is provided by GNU AutoGen, and that library and package
          undergoes frequent API version updates.  The version of autogen
          used to generate the tables for the code must match the API
          version in libopts.  AutoGen can be ... difficult to build and
          install, and very few developers really need it.  So we have it
          on our build and development machines, and we provide the
          specific version of the libopts code in the distribution to make
          sure that the proper API version of libopts is available.

          As for the point about there being code in these libraries that
          NTP doesn't use, OK.  But other packages use these libraries as
          well, and it is reasonable to assume that other people are paying
          attention to security and code quality issues for the overall
          libraries.  It takes significant resources to analyze and
          customize these libraries to only include what we need, and to
          date we believe the cost of this effort does not justify the benefit.
4896   Credit:
4897          This issue was discovered by Cure53.
4898
4899* NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Low)
4900   Date Resolved: 21 Mar 2017
4901   References: Sec 3380
4902   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4903          ntp-4.3.0 up to, but not including ntp-4.3.94.
4904   CVSS2: None 0.0 (AV:L/AC:H/Au:N/C:N/I:N/A:N)
4905   CVSS3: None 0.0 CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:N
4906   Summary:
4907          There is a fencepost error in a "recovery branch" of the code for
4908          the Oncore GPS receiver if the communication link to the ONCORE
4909          is weak / distorted and the decoding doesn't work.
4910   Mitigation:
          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page or
              the NTP Public Services Project Download Page
          Properly monitor your ntpd instances, and auto-restart
              ntpd (without -g) if it stops running.
4915   Credit:
4916          This weakness was discovered by Cure53.
4917
4918* NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Medium)
4919   Date Resolved: 21 Mar 2017
4920   References: Sec 3379 / CVE-2017-6458 / VU#325339
4921   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4922          ntp-4.3.0 up to, but not including ntp-4.3.94.
4923   CVSS2: MED 4.6 (AV:N/AC:H/Au:M/C:N/I:N/A:C)
4924   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4925   Summary:
4926          ntpd makes use of different wrappers around ctl_putdata() to
4927          create name/value ntpq (mode 6) response strings.  For example,
4928          ctl_putstr() is usually used to send string data (variable names
4929          or string data).  The formatting code was missing a length check
4930          for variable names.  If somebody explicitly created any unusually
4931          long variable names in ntpd (longer than 200-512 bytes, depending
4932          on the type of variable), then if any of these variables are
4933          added to the response list it would overflow a buffer.
4934   Mitigation:
4935          Implement BCP-38.
4936          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4937              or the NTP Public Services Project Download Page
4938          If you don't want to upgrade, then don't setvar variable names
4939              longer than 200-512 bytes in your ntp.conf file.
4940          Properly monitor your ntpd instances, and auto-restart
4941              ntpd (without -g) if it stops running.
4942   Credit:
4943          This weakness was discovered by Cure53.
4944
4945* NTP-01-003 NTP: Improper use of snprintf() in mx4200_send() (Low)
4946   Date Resolved: 21 Mar 2017
4947   References: Sec 3378 / CVE-2017-6451 / VU#325339
4948   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
4949          ntp-4.3.0 up to, but not including ntp-4.3.94.
4950   CVSS2: LOW 0.8 (AV:L/AC:H/Au:M/C:N/I:N/A:P)
4951   CVSS3: LOW 1.8 CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N
4952   Summary:
          The legacy MX4200 refclock is only built if it is specifically
          enabled, and furthermore additional code changes are required to
          compile and use it.  But it uses the libc functions snprintf()
4956          and vsnprintf() incorrectly, which can lead to an out-of-bounds
4957          memory write due to an improper handling of the return value of
4958          snprintf()/vsnprintf().  Since the return value is used as an
4959          iterator and it can be larger than the buffer's size, it is
4960          possible for the iterator to point somewhere outside of the
4961          allocated buffer space.  This results in an out-of-bound memory
4962          write.  This behavior can be leveraged to overwrite a saved
4963          instruction pointer on the stack and gain control over the
4964          execution flow.  During testing it was not possible to identify
4965          any malicious usage for this vulnerability.  Specifically, no
4966          way for an attacker to exploit this vulnerability was ultimately
4967          unveiled.  However, it has the potential to be exploited, so the
4968          code should be fixed.
4969   Mitigation, if you have a Magnavox MX4200 refclock:
4970          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4971              or the NTP Public Services Project Download Page.
4972          Properly monitor your ntpd instances, and auto-restart
4973              ntpd (without -g) if it stops running.
4974   Credit:
4975          This weakness was discovered by Cure53.
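
The return-value misuse described in this item, as an added example that is not the MX4200 driver's own code: the defect pattern is reproduced only as offset arithmetic (it never writes out of bounds), beside a bounded append that keeps the write position inside the buffer.  The field names and the 24-byte buffer are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not ntpd's mx4200 driver code): the snprintf() return
 * value pattern behind NTP-01-003.  snprintf() returns the length the
 * output WOULD have had, not how much was stored, so "offset += n" can
 * carry the write position past the end of a fixed buffer.
 */

/* Constructed sample fields, long enough to overrun the 24-byte buffer. */
const char *const SAMPLE_FIELDS[] = { "FIELD-ONE", "FIELD-TWO",
                                      "FIELD-THREE", "FIELD-FOUR" };
const size_t SAMPLE_NFIELDS = 4;
char SENTENCE_BUF[24];

/* The defect pattern, reproduced WITHOUT touching memory: each call adds the
 * untruncated length to the running offset.  Returns the final offset so it
 * can be compared with the real buffer size. */
size_t naive_offset(const char *const *fields, size_t nfields)
{
    size_t offset = 0;

    for (size_t i = 0; i < nfields; i++) {
        /* The buggy code does  n = snprintf(buf + offset, size - offset, ...);
         * offset += n;  -- snprintf(NULL, 0, ...) yields the same n safely. */
        int n = snprintf(NULL, 0, "%s,", fields[i]);
        if (n > 0)
            offset += (size_t)n;        /* unchecked against the buffer size */
    }
    return offset;
}

/* Hardened append: format one item at *offset, honouring bufsize.  Returns 0
 * if the item fit, -1 on truncation or encoding error; *offset never passes
 * bufsize - 1 and buf stays NUL-terminated. */
int append_checked(char *buf, size_t bufsize, size_t *offset, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (bufsize == 0 || *offset >= bufsize)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *offset, bufsize - *offset, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= bufsize - *offset) {
        *offset = bufsize - 1;          /* full: clamp instead of running past */
        return -1;
    }
    *offset += (size_t)n;
    return 0;
}

/* Build a comma-separated sentence.  Returns how many fields fit completely;
 * a partially written field is removed so buf holds only whole fields. */
size_t build_sentence(char *buf, size_t bufsize, const char *const *fields, size_t nfields)
{
    size_t offset = 0, done = 0;

    if (bufsize == 0)
        return 0;
    buf[0] = '\0';
    for (; done < nfields; done++) {
        size_t before = offset;
        if (append_checked(buf, bufsize, &offset, "%s%s",
                           done ? "," : "", fields[done]) != 0) {
            buf[before] = '\0';         /* drop the truncated field */
            break;
        }
    }
    return done;
}

int main(void)
{
    size_t n = build_sentence(SENTENCE_BUF, sizeof SENTENCE_BUF,
                              SAMPLE_FIELDS, SAMPLE_NFIELDS);

    printf("naive offset would reach %zu bytes in a %zu-byte buffer\n",
           naive_offset(SAMPLE_FIELDS, SAMPLE_NFIELDS), sizeof SENTENCE_BUF);
    printf("checked build kept %zu field(s): \"%s\"\n", n, SENTENCE_BUF);
    return 0;
}
```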
4976
4977* NTP-01-002 NTP: Buffer Overflow in ntpq when fetching reslist from a
4978          malicious ntpd (Medium)
4979   Date Resolved: 21 Mar 2017
4980   References: Sec 3377 / CVE-2017-6460 / VU#325339
4981   Affects: All versions of ntpq, up to but not including ntp-4.2.8p10, and
4982          ntp-4.3.0 up to, but not including ntp-4.3.94.
4983   CVSS2: MED 4.9 (AV:N/AC:H/Au:S/C:N/I:N/A:C)
4984   CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
4985   Summary:
4986          A stack buffer overflow in ntpq can be triggered by a malicious
4987          ntpd server when ntpq requests the restriction list from the server.
4988          This is due to a missing length check in the reslist() function.
4989          It occurs whenever the function parses the server's response and
4990          encounters a flagstr variable of an excessive length.  The string
4991          will be copied into a fixed-size buffer, leading to an overflow on
4992          the function's stack-frame.  Note well that this problem requires
4993          a malicious server, and affects ntpq, not ntpd.
4994   Mitigation:
4995          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
4996              or the NTP Public Services Project Download Page
          If you can't upgrade your version of ntpq and you want to query
              the reslist of an ntpd instance that you do not control, be
              aware that a malicious ntpd can send back a response intended
              to crash your ntpq process.
5001   Credit:
5002          This weakness was discovered by Cure53.
5003
5004* NTP-01-001 NTP: Makefile does not enforce Security Flags (Informational)
5005   Date Resolved: 21 Mar 2017
5006   References: Sec 3376
5007   Affects: All versions of NTP, up to but not including ntp-4.2.8p10, and
5008          ntp-4.3.0 up to, but not including ntp-4.3.94.
5009   CVSS2: N/A
5010   CVSS3: N/A
5011   Summary:
5012          The build process for NTP has not, by default, provided compile
5013          or link flags to offer "hardened" security options.  Package
5014          maintainers have always been able to provide hardening security
5015          flags for their builds.  As of ntp-4.2.8p10, the NTP build
5016          system has a way to provide OS-specific hardening flags.  Please
5017          note that this is still not a really great solution because it
5018          is specific to NTP builds.  It's inefficient to have every
5019          package supply, track and maintain this information for every
5020          target build.  It would be much better if there was a common way
5021          for OSes to provide this information in a way that arbitrary
5022          packages could benefit from it.
5023   Mitigation:
5024          Implement BCP-38.
5025          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
5026              or the NTP Public Services Project Download Page
5027          Properly monitor your ntpd instances, and auto-restart
5028              ntpd (without -g) if it stops running.
5029   Credit:
5030          This weakness was reported by Cure53.
5031
5032* 0rigin DoS (Medium)
5033   Date Resolved: 21 Mar 2017
5034   References: Sec 3361 / CVE-2016-9042 / VU#325339
5035   Affects: ntp-4.2.8p9 (21 Nov 2016), up to but not including ntp-4.2.8p10
5036   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) (worst case)
5037   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H (worst case)
5038   Summary:
5039          An exploitable denial of service vulnerability exists in the
5040          origin timestamp check functionality of ntpd 4.2.8p9.  A specially
5041          crafted unauthenticated network packet can be used to reset the
5042          expected origin timestamp for target peers.  Legitimate replies
5043          from targeted peers will fail the origin timestamp check (TEST2)
5044          causing the reply to be dropped and creating a denial of service
5045          condition.  This vulnerability can only be exploited if the
5046          attacker can spoof all of the servers.
5047   Mitigation:
5048          Implement BCP-38.
5049          Configure enough servers/peers that an attacker cannot target
5050              all of your time sources.
5051          Upgrade to 4.2.8p10, or later, from the NTP Project Download Page
5052              or the NTP Public Services Project Download Page
5053          Properly monitor your ntpd instances, and auto-restart
5054              ntpd (without -g) if it stops running.
5055   Credit:
5056          This weakness was discovered by Matthew Van Gundy of Cisco.
5057
5058Other fixes:
5059
5060* [Bug 3393] clang scan-build findings <perlinger@ntp.org>
5061* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
5062  - rework of patch set from <ntp.org@eroen.eu>. <perlinger@ntp.org>
5063* [Bug 3356] Bugfix 3072 breaks multicastclient <perlinger@ntp.org>
5064* [Bug 3216] libntp audio ioctl() args incorrectly cast to int
5065  on 4.4BSD-Lite derived platforms <perlinger@ntp.org>
5066  - original patch by Majdi S. Abbas
5067* [Bug 3215] 'make distcheck' fails with new BK repo format <perlinger@ntp.org>
5068* [Bug 3173] forking async worker: interrupted pipe I/O <perlinger@ntp.org>
5069  - initial patch by Christos Zoulas
5070* [Bug 3139] (...) time_pps_create: Exec format error <perlinger@ntp.org>
5071  - move loader API from 'inline' to proper source
5072  - augment pathless dlls with absolute path to NTPD
  - use 'msyslog()' instead of 'printf()' for reporting trouble
5074* [Bug 3107] Incorrect Logic for Peer Event Limiting <perlinger@ntp.org>
5075  - applied patch by Matthew Van Gundy
5076* [Bug 3065] Quiet warnings on NetBSD <perlinger@ntp.org>
5077  - applied some of the patches provided by Havard. Not all of them
5078    still match the current code base, and I did not touch libopt.
5079* [Bug 3062] Change the process name of forked DNS worker <perlinger@ntp.org>
5080  - applied patch by Reinhard Max. See bugzilla for limitations.
5081* [Bug 2923] Trap Configuration Fail <perlinger@ntp.org>
5082  - fixed dependency inversion from [Bug 2837]
5083* [Bug 2896] Nothing happens if minsane < maxclock < minclock
5084  - produce ERROR log message about dysfunctional daemon. <perlinger@ntp.org>
5085* [Bug 2851] allow -4/-6 on restrict line with mask <perlinger@ntp.org>
5086  - applied patch by Miroslav Lichvar for ntp4.2.6 compat
5087* [Bug 2645] out-of-bound pointers in ctl_putsys and decode_bitflags
5088  - Fixed these and some more locations of this pattern.
    Probably didn't get them all, though. <perlinger@ntp.org>
5090* Update copyright year.
5091
5092--
5093(4.2.8p9-win) 2017/02/01 Released by Harlan Stenn <stenn@ntp.org>
5094
5095* [Bug 3144] NTP does not build without openSSL. <perlinger@ntp.org>
5096  - added missed changeset for automatic openssl lib detection
5097  - fixed some minor warning issues
* [Bug 3095] More compatibility with openssl 1.1. <perlinger@ntp.org>
5099* configure.ac cleanup.  stenn@ntp.org
5100* openssl configure cleanup.  stenn@ntp.org
5101
5102--
5103NTP 4.2.8p9 (Harlan Stenn <stenn@ntp.org>, 2016/11/21)
5104
5105Focus: Security, Bug fixes, enhancements.
5106
5107Severity: HIGH
5108
5109In addition to bug fixes and enhancements, this release fixes the
5110following 1 high- (Windows only), 2 medium-, 2 medium-/low, and
51115 low-severity vulnerabilities, and provides 28 other non-security
5112fixes and improvements:
5113
5114* Trap crash
5115   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5116   References: Sec 3119 / CVE-2016-9311 / VU#633847
5117   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
5118          including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
5119   CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
5120   CVSS3: MED 4.4 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
5121   Summary:
5122          ntpd does not enable trap service by default. If trap service
5123          has been explicitly enabled, an attacker can send a specially
5124          crafted packet to cause a null pointer dereference that will
5125          crash ntpd, resulting in a denial of service.
5126   Mitigation:
        Implement BCP-38.
        Use "restrict default noquery ..." in your ntp.conf file. Only
              allow mode 6 queries from trusted networks and hosts.
        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
5134   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5135
5136* Mode 6 information disclosure and DDoS vector
5137   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5138   References: Sec 3118 / CVE-2016-9310 / VU#633847
5139   Affects: ntp-4.0.90 (21 July 1999), possibly earlier, up to but not
5140          including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94.
5141   CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5142   CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5143   Summary:
5144          An exploitable configuration modification vulnerability exists
5145          in the control mode (mode 6) functionality of ntpd. If, against
5146          long-standing BCP recommendations, "restrict default noquery ..."
5147          is not specified, a specially crafted control mode packet can set
5148          ntpd traps, providing information disclosure and DDoS
5149          amplification, and unset ntpd traps, disabling legitimate
5150          monitoring. A remote, unauthenticated, network attacker can
5151          trigger this vulnerability.
5152   Mitigation:
        Implement BCP-38.
        Use "restrict default noquery ..." in your ntp.conf file.
        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
              or the NTP Public Services Project Download Page
        Properly monitor your ntpd instances, and auto-restart ntpd
              (without -g) if it stops running.
5159   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5160
5161* Broadcast Mode Replay Prevention DoS
5162   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5163   References: Sec 3114 / CVE-2016-7427 / VU#633847
5164   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
5165          ntp-4.3.90 up to, but not including ntp-4.3.94.
5166   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5167   CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5168   Summary:
5169          The broadcast mode of NTP is expected to only be used in a
5170          trusted network. If the broadcast network is accessible to an
5171          attacker, a potentially exploitable denial of service
5172          vulnerability in ntpd's broadcast mode replay prevention
5173          functionality can be abused. An attacker with access to the NTP
5174          broadcast domain can periodically inject specially crafted
5175          broadcast mode NTP packets into the broadcast domain which,
5176          while being logged by ntpd, can cause ntpd to reject broadcast
5177          mode packets from legitimate NTP broadcast servers.
5178   Mitigation:
5179        Implement BCP-38.
5180        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5181              or the NTP Public Services Project Download Page
5182        Properly monitor your ntpd instances, and auto-restart ntpd
5183              (without -g) if it stops running.
5184   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
5185
5186* Broadcast Mode Poll Interval Enforcement DoS
5187   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5188   References: Sec 3113 / CVE-2016-7428 / VU#633847
5189   Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
5190          ntp-4.3.90 up to, but not including ntp-4.3.94
5191   CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
5192   CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5193   Summary:
5194          The broadcast mode of NTP is expected to only be used in a
5195          trusted network. If the broadcast network is accessible to an
5196          attacker, a potentially exploitable denial of service
5197          vulnerability in ntpd's broadcast mode poll interval enforcement
5198          functionality can be abused. To limit abuse, ntpd restricts the
5199          rate at which each broadcast association will process incoming
5200          packets. ntpd will reject broadcast mode packets that arrive
5201          before the poll interval specified in the preceding broadcast
5202          packet expires. An attacker with access to the NTP broadcast
5203          domain can send specially crafted broadcast mode NTP packets to
5204          the broadcast domain which, while being logged by ntpd, will
5205          cause ntpd to reject broadcast mode packets from legitimate NTP
5206          broadcast servers.
5207   Mitigation:
5208        Implement BCP-38.
5209        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5210              or the NTP Public Services Project Download Page
5211        Properly monitor your ntpd instances, and auto-restart ntpd
5212              (without -g) if it stops running.
5213   Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
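
The enforcement rule the two broadcast-mode advisories above describe, worked through as an added example (it is not ntpd code): a parser for the NTP header fields involved and a small model of a broadcastclient association that applies "reject anything arriving before the announced poll interval has expired". The legitimate server's delays, the attacker's 1 Hz send rate and the ppoll values are constructed for the illustration; the NTP_MAXPOLL ceiling of 17 is ntpd's maximum poll exponent.

```python
"""Model of broadcast-mode poll-interval enforcement and the DoS described
in the Sec 3113 / CVE-2016-7428 advisory.

Added for this page; it is not ntpd code.  It parses the 48-byte NTP header
to read mode and ppoll, then applies the rule the advisory states: a
broadcast packet that arrives before the interval announced by the previous
accepted packet has expired is rejected.  Arrival times, path delays and
the attacker's send rate are constructed.
"""
import struct

HEADER = struct.Struct("!BBbb11I")   # LI/VN/Mode, stratum, poll, precision, 11 words
MODE_BROADCAST = 5
NTP_MAXPOLL = 17                     # ntpd's maximum poll exponent


def build_header(mode, ppoll, stratum=2, version=4):
    """Minimal 48-byte NTP header; refid and timestamps left zero."""
    li_vn_mode = (version << 3) | mode
    return HEADER.pack(li_vn_mode, stratum, ppoll, -20, *([0] * 11))


def parse_header(pkt):
    """Decode the first word of an NTP packet plus stratum/poll/precision."""
    if len(pkt) < HEADER.size:
        raise ValueError("short NTP packet: %d bytes" % len(pkt))
    li_vn_mode, stratum, ppoll, precision = HEADER.unpack_from(pkt)[:4]
    return {"leap": li_vn_mode >> 6, "version": (li_vn_mode >> 3) & 7,
            "mode": li_vn_mode & 7, "stratum": stratum,
            "ppoll": ppoll, "precision": precision}


class BroadcastAssociation:
    """One broadcastclient association and its 'next packet allowed at' gate."""

    def __init__(self):
        self.next_allowed = 0.0
        self.log = []

    def receive(self, pkt, now, src):
        hdr = parse_header(pkt)
        if hdr["mode"] != MODE_BROADCAST:
            return False
        if now < self.next_allowed:
            self.log.append("%7.1f reject %-8s %.1fs before the poll interval expires"
                            % (now, src, self.next_allowed - now))
            return False
        # Accept, and arm the gate from the poll interval this packet announces.
        ppoll = min(hdr["ppoll"], NTP_MAXPOLL)
        self.next_allowed = now + 2.0 ** ppoll
        self.log.append("%7.1f accept %-8s ppoll=%d, next accepted at >= %.1f"
                        % (now, src, ppoll, self.next_allowed))
        return True


def simulate(attack, polls=8):
    """One server broadcasting with ppoll=6 (every 64 s) to one client.
    With attack=True a forged broadcast claiming ppoll=17, spoofing the
    server's address, arrives once per second from t=100 s on.
    Returns (association, {"server": [accepted, rejected], "attacker": [...]})."""
    assoc = BroadcastAssociation()
    legit = build_header(MODE_BROADCAST, ppoll=6)
    forged = build_header(MODE_BROADCAST, ppoll=17)
    # Constructed one-way delays: the path slows down from the third poll on,
    # so the server's packets trail the edge of the window they opened.
    delays = [0.4, 0.5] + [1.7 + 0.1 * k for k in range(polls - 2)]
    events = [(64.0 * n + delays[n], "server", legit) for n in range(polls)]
    if attack:
        events += [(float(t), "attacker", forged) for t in range(100, 64 * polls)]
    events.sort(key=lambda e: e[0])
    tally = {"server": [0, 0], "attacker": [0, 0]}
    for now, src, pkt in events:
        tally[src][0 if assoc.receive(pkt, now, src) else 1] += 1
    return assoc, tally


if __name__ == "__main__":
    assoc, tally = simulate(attack=True)
    for line in assoc.log:
        if "accept" in line or "server" in line:
            print(line)
    print(tally)
```

Run as a script it prints the accept/reject log of the attacked run: the first two legitimate broadcasts are accepted, the forged packet claiming ppoll=17 is accepted the moment the server's third packet trails the window edge by more than a second, and every later legitimate packet is rejected for the next 2^17 seconds. The same delays with attack=False accept all eight packets.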
5214
5215* Windows: ntpd DoS by oversized UDP packet
5216   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5217   References: Sec 3110 / CVE-2016-9312 / VU#633847
5218   Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
5219          and ntp-4.3.0 up to, but not including ntp-4.3.94.
5220   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
5221   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5222   Summary:
5223          If a vulnerable instance of ntpd on Windows receives a crafted
5224          malicious packet that is "too big", ntpd will stop working.
5225   Mitigation:
5226        Implement BCP-38.
5227        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5228              or the NTP Public Services Project Download Page
5229        Properly monitor your ntpd instances, and auto-restart ntpd
5230              (without -g) if it stops running.
5231   Credit: This weakness was discovered by Robert Pajak of ABB.
5232
5233* 0rigin (zero origin) issues
5234   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5235   References: Sec 3102 / CVE-2016-7431 / VU#633847
5236   Affects: ntp-4.2.8p8, and ntp-4.3.93.
5237   CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
5238   CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5239   Summary:
5240          Zero Origin timestamp problems were fixed by Bug 2945 in
5241          ntp-4.2.8p6. However, subsequent timestamp validation checks
5242          introduced a regression in the handling of some Zero origin
5243          timestamp checks.
5244   Mitigation:
5245        Implement BCP-38.
5246        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5247              or the NTP Public Services Project Download Page
5248        Properly monitor your ntpd instances, and auto-restart ntpd
5249              (without -g) if it stops running.
5250   Credit: This weakness was discovered by Sharon Goldberg and Aanchal
5251          Malhotra of Boston University.
5252
5253* read_mru_list() does inadequate incoming packet checks
5254   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5255   References: Sec 3082 / CVE-2016-7434 / VU#633847
5256   Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and
5257          ntp-4.3.0 up to, but not including ntp-4.3.94.
5258   CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C)
5259   CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5260   Summary:
5261          If ntpd is configured to allow mrulist query requests from a
5262          server that sends a crafted malicious packet, ntpd will crash
5263          on receipt of that crafted malicious mrulist query packet.
5264   Mitigation:
        Only allow mrulist query packets from trusted hosts.
5266        Implement BCP-38.
5267        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5268              or the NTP Public Services Project Download Page
5269        Properly monitor your ntpd instances, and auto-restart ntpd
5270              (without -g) if it stops running.
5271   Credit: This weakness was discovered by Magnus Stubman.
5272
5273* Attack on interface selection
5274   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5275   References: Sec 3072 / CVE-2016-7429 / VU#633847
5276   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
5277          ntp-4.3.0 up to, but not including ntp-4.3.94
5278   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
5279   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5280   Summary:
5281          When ntpd receives a server response on a socket that corresponds
5282          to a different interface than was used for the request, the peer
5283          structure is updated to use the interface for new requests. If
5284          ntpd is running on a host with multiple interfaces in separate
5285          networks and the operating system doesn't check source address in
5286          received packets (e.g. rp_filter on Linux is set to 0), an
5287          attacker that knows the address of the source can send a packet
5288          with spoofed source address which will cause ntpd to select wrong
5289          interface for the source and prevent it from sending new requests
5290          until the list of interfaces is refreshed, which happens on
5291          routing changes or every 5 minutes by default. If the attack is
5292          repeated often enough (once per second), ntpd will not be able to
5293          synchronize with the source.
5294   Mitigation:
5295        Implement BCP-38.
5296        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5297              or the NTP Public Services Project Download Page
        If you configure your OS to disable source address checks, also
              configure your firewall to control which interfaces may
              receive packets from which networks.
5301        Properly monitor your ntpd instances, and auto-restart ntpd
5302              (without -g) if it stops running.
5303   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5304
5305* Client rate limiting and server responses
5306   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5307   References: Sec 3071 / CVE-2016-7426 / VU#633847
5308   Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and
5309          ntp-4.3.0 up to, but not including ntp-4.3.94
5310   CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P)
5311   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5312   Summary:
5313          When ntpd is configured with rate limiting for all associations
5314          (restrict default limited in ntp.conf), the limits are applied
5315          also to responses received from its configured sources. An
5316          attacker who knows the sources (e.g., from an IPv4 refid in
5317          server response) and knows the system is (mis)configured in this
5318          way can periodically send packets with spoofed source address to
5319          keep the rate limiting activated and prevent ntpd from accepting
5320          valid responses from its sources.
5321
5322          While this blanket rate limiting can be useful to prevent
5323          brute-force attacks on the origin timestamp, it allows this DoS
5324          attack. Similarly, it allows the attacker to prevent mobilization
5325          of ephemeral associations.
5326   Mitigation:
5327        Implement BCP-38.
5328        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5329              or the NTP Public Services Project Download Page
5330        Properly monitor your ntpd instances, and auto-restart ntpd
5331              (without -g) if it stops running.
5332   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5333
5334* Fix for bug 2085 broke initial sync calculations
5335   Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
5336   References: Sec 3067 / CVE-2016-7433 / VU#633847
5337   Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
5338          ntp-4.3.0 up to, but not including ntp-4.3.94. But the
5339          root-distance calculation in general is incorrect in all versions
5340          of ntp-4 until this release.
5341   CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P)
5342   CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
5343   Summary:
5344          Bug 2085 described a condition where the root delay was included
5345          twice, causing the jitter value to be higher than expected. Due
5346          to a misinterpretation of a small-print variable in The Book, the
5347          fix for this problem was incorrect, resulting in a root distance
5348          that did not include the peer dispersion. The calculations and
5349          formulae have been reviewed and reconciled, and the code has been
5350          updated accordingly.
5351   Mitigation:
5352        Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
5353              or the NTP Public Services Project Download Page
5354        Properly monitor your ntpd instances, and auto-restart ntpd
5355              (without -g) if it stops running.
5356   Credit: This weakness was discovered independently by Brian Utterback of
5357          Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University.
5358
5359Other fixes:
5360
5361* [Bug 3142] bug in netmask prefix length detection <perlinger@ntp.org>
5362* [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org
5363* [Bug 3129] Unknown hosts can put resolver thread into a hard loop
5364  - moved retry decision where it belongs. <perlinger@ntp.org>
5365* [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order
5366  using the loopback-ppsapi-provider.dll <perlinger@ntp.org>
5367* [Bug 3116] unit tests for NTP time stamp expansion. <perlinger@ntp.org>
5368* [Bug 3100] ntpq can't retrieve daemon_version <perlinger@ntp.org>
5369  - fixed extended sysvar lookup (bug introduced with bug 3008 fix)
5370* [Bug 3095] Compatibility with openssl 1.1 <perlinger@ntp.org>
5371  - applied patches by Kurt Roeckx <kurt@roeckx.be> to source
5372  - added shim layer for SSL API calls with issues (both directions)
5373* [Bug 3089] Serial Parser does not work anymore for hopfser like device
5374  - simplified / refactored hex-decoding in driver. <perlinger@ntp.org>
5375* [Bug 3084] update-leap mis-parses the leapfile name.  HStenn.
5376* [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org
5377  - applied patch thanks to Andrew Stormont <andyjstormont@gmail.com>
5378* [Bug 3067] Root distance calculation needs improvement.  HStenn
5379* [Bug 3066] NMEA clock ignores pps. perlinger@ntp.org
5380  - PPS-HACK works again.
5381* [Bug 3059] Potential buffer overrun from oversized hash <perlinger@ntp.org>
5382  - applied patch by Brian Utterback <brian.utterback@oracle.com>
5383* [Bug 3053] ntp_loopfilter.c frequency calc precedence error.  Sarah White.
5384* [Bug 3050] Fix for bug #2960 causes [...] spurious error message.
5385  <perlinger@ntp.org>
5386  - patches by Reinhard Max <max@suse.com> and Havard Eidnes <he@uninett.no>
5387* [Bug 3047] Fix refclock_jjy C-DEX JST2000. abe@ntp.org
5388  - Patch provided by Kuramatsu.
5389* [Bug 3021] unity_fixture.c needs pragma weak <perlinger@ntp.org>
5390  - removed unnecessary & harmful decls of 'setUp()' & 'tearDown()'
5391* [Bug 3019] Windows: ERROR_HOST_UNREACHABLE block packet processing. DMayer
5392* [Bug 2998] sntp/tests/packetProcessing.c broken without openssl. JPerlinger
5393* [Bug 2961] sntp/tests/packetProcessing.c assumes AUTOKEY.  HStenn.
5394* [Bug 2959] refclock_jupiter: gps week correction <perlinger@ntp.org>
5395  - fixed GPS week expansion to work based on build date. Special thanks
5396    to Craig Leres for initial patch and testing.
5397* [Bug 2951] ntpd tests fail: multiple definition of `send_via_ntp_signd'
5398  - fixed Makefile.am <perlinger@ntp.org>
5399* [Bug 2689] ATOM driver processes last PPS pulse at startup,
5400             even if it is very old <perlinger@ntp.org>
5401  - make sure PPS source is alive before processing samples
5402  - improve stability close to the 500ms phase jump (phase gate)
5403* Fix typos in include/ntp.h.
5404* Shim X509_get_signature_nid() if needed
5405* git author attribution cleanup
5406* bk ignore file cleanup
5407* remove locks in Windows IO, use rpc-like thread synchronisation instead
5408
5409---
5410NTP 4.2.8p8 (Harlan Stenn <stenn@ntp.org>, 2016/06/02)
5411
5412Focus: Security, Bug fixes, enhancements.
5413
5414Severity: HIGH
5415
5416In addition to bug fixes and enhancements, this release fixes the
5417following 1 high- and 4 low-severity vulnerabilities:
5418
5419* CRYPTO_NAK crash
5420   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5421   References: Sec 3046 / CVE-2016-4957 / VU#321640
5422   Affects: ntp-4.2.8p7, and ntp-4.3.92.
5423   CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
5424   CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5425   Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
5426          could cause ntpd to crash.
5427   Mitigation:
5428        Implement BCP-38.
5429        Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5430              or the NTP Public Services Project Download Page
5431        If you cannot upgrade from 4.2.8p7, the only other alternatives
5432              are to patch your code or filter CRYPTO_NAK packets.
5433        Properly monitor your ntpd instances, and auto-restart ntpd
5434              (without -g) if it stops running.
5435   Credit: This weakness was discovered by Nicolas Edet of Cisco.
5436
5437* Bad authentication demobilizes ephemeral associations
5438   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5439   References: Sec 3045 / CVE-2016-4953 / VU#321640
5440   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5441          ntp-4.3.0 up to, but not including ntp-4.3.93.
5442   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5443   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5444   Summary: An attacker who knows the origin timestamp and can send a
5445          spoofed packet containing a CRYPTO-NAK to an ephemeral peer
5446          target before any other response is sent can demobilize that
5447          association.
5448   Mitigation:
5449          Implement BCP-38.
5450          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5451              or the NTP Public Services Project Download Page
          Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5454
5455* Processing spoofed server packets
5456   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5457   References: Sec 3044 / CVE-2016-4954 / VU#321640
5458   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5459          ntp-4.3.0 up to, but not including ntp-4.3.93.
5460   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5461   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5462   Summary: An attacker who is able to spoof packets with correct origin
5463          timestamps from enough servers before the expected response
5464          packets arrive at the target machine can affect some peer
5465          variables and, for example, cause a false leap indication to be set.
5466   Mitigation:
5467          Implement BCP-38.
5468          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5469              or the NTP Public Services Project Download Page
5470          Properly monitor your ntpd instances.
5471   Credit: This weakness was discovered by Jakub Prokes of Red Hat.
5472
5473* Autokey association reset
5474   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5475   References: Sec 3043 / CVE-2016-4955 / VU#321640
5476   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5477          ntp-4.3.0 up to, but not including ntp-4.3.93.
5478   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5479   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5480   Summary: An attacker who is able to spoof a packet with a correct
5481          origin timestamp before the expected response packet arrives at
5482          the target machine can send a CRYPTO_NAK or a bad MAC and cause
5483          the association's peer variables to be cleared. If this can be
5484          done often enough, it will prevent that association from working.
5485   Mitigation:
5486          Implement BCP-38.
5487          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5488              or the NTP Public Services Project Download Page
5489          Properly monitor your ntpd instances.
5490   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5491
5492* Broadcast interleave
5493   Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016
5494   References: Sec 3042 / CVE-2016-4956 / VU#321640
5495   Affects: ntp-4, up to but not including ntp-4.2.8p8, and
5496          ntp-4.3.0 up to, but not including ntp-4.3.93.
5497   CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
5498   CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5499   Summary: The fix for NtpBug2978 does not cover broadcast associations,
5500          so broadcast clients can be triggered to flip into interleave mode.
5501   Mitigation:
5502          Implement BCP-38.
5503          Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
5504              or the NTP Public Services Project Download Page
5505          Properly monitor your ntpd instances.
5506   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
5507
5508Other fixes:
5509* [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org
5510  - provide build environment
5511  - 'wint_t' and 'struct timespec' defined by VS2015
5512  - fixed print()/scanf() format issues
5513* [Bug 3052] Add a .gitignore file.  Edmund Wong.
5514* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite.
5515* [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback,
5516  JPerlinger, HStenn.
5517* Fix typo in ntp-wait and plot_summary.  HStenn.
5518* Make sure we have an "author" file for git imports.  HStenn.
5519* Update the sntp problem tests for MacOS.  HStenn.
5520
5521---
5522NTP 4.2.8p7 (Harlan Stenn <stenn@ntp.org>, 2016/04/26)
5523
5524Focus: Security, Bug fixes, enhancements.
5525
5526Severity: MEDIUM
5527
5528When building NTP from source, there is a new configure option
5529available, --enable-dynamic-interleave.  More information on this below.
5530
5531Also note that ntp-4.2.8p7 logs more "unexpected events" than previous
5532versions of ntp.  These events have almost certainly happened in the
5533past, it's just that they were silently counted and not logged.  With
5534the increasing awareness around security, we feel it's better to clearly
5535log these events to help detect abusive behavior.  This increased
5536logging can also help detect other problems, too.
5537
5538In addition to bug fixes and enhancements, this release fixes the
5539following 9 low- and medium-severity vulnerabilities:
5540
5541* Improve NTP security against buffer comparison timing attacks,
5542  AKA: authdecrypt-timing
5543   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5544   References: Sec 2879 / CVE-2016-1550
5545   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5546          4.3.0 up to, but not including 4.3.92
5547   CVSSv2: LOW 2.6 - (AV:L/AC:H/Au:N/C:P/I:P/A:N)
5548   CVSSv3: MED 4.0 - CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
5549   Summary: Packet authentication tests have been performed using
5550          memcmp() or possibly bcmp(), and it is potentially possible
5551          for a local or perhaps LAN-based attacker to send a packet with
5552          an authentication payload and indirectly observe how much of
5553          the digest has matched.
5554   Mitigation:
5555          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5556              or the NTP Public Services Project Download Page.
5557          Properly monitor your ntpd instances.
5558   Credit: This weakness was discovered independently by Loganaden
5559          Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
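
To make "indirectly observe how much of the digest has matched" concrete, here is an added example (not ntpd code) that puts a memcmp()-style early-exit comparison beside a constant-time one. Rather than timing anything, the verifier counts the bytes it examined and the attacker reads that counter; the count stands in for the timing difference a real attacker would measure. The digest value is constructed.

```python
"""Why a MAC check built on memcmp()/bcmp() leaks, per the Sec 2879 /
CVE-2016-1550 advisory, and what the constant-time form looks like.

Added for this page; it is not ntpd code.  The bytes_examined counter is a
stand-in for elapsed time: an early-exit comparison does work proportional
to the matching prefix, a constant-time one always does the same work.
"""
import hmac


class MacVerifier:
    """Holds the expected MAC; verify() compares a candidate against it."""

    def __init__(self, expected, constant_time):
        self.expected = expected
        self.constant_time = constant_time
        self.bytes_examined = 0      # side-channel stand-in for elapsed time

    def verify(self, candidate):
        self.bytes_examined = 0
        if len(candidate) != len(self.expected):
            return False
        if self.constant_time:
            # Hardened form: touch every byte, decide only at the end.
            diff = 0
            for x, y in zip(candidate, self.expected):
                self.bytes_examined += 1
                diff |= x ^ y
            return diff == 0
        # memcmp()-style form: stop at the first differing byte.
        for x, y in zip(candidate, self.expected):
            self.bytes_examined += 1
            if x != y:
                return False
        return True


def recover_mac(verifier, length):
    """Byte-at-a-time recovery using verify() plus the bytes_examined counter.
    Returns (recovered, queries).  A correct guess for the next byte makes the
    early-exit verifier look one byte further, which singles it out; against
    the constant-time verifier every guess looks identical and the search stops."""
    known = bytearray()
    queries = 0
    while len(known) < length:
        depths = []
        for g in range(256):
            cand = bytes(known) + bytes([g]) + bytes(length - len(known) - 1)
            queries += 1
            if verifier.verify(cand):
                return bytes(cand), queries
            depths.append(verifier.bytes_examined)
        top = max(depths)
        if depths.count(top) != 1:
            break                    # no guess stood out: nothing was learned
        known.append(depths.index(top))
    return bytes(known), queries


def verify_mac_stdlib(expected, candidate):
    """What application code should call instead of memcmp()-style equality."""
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    digest = bytes(range(7, 27))          # constructed 20-byte MAC
    got, q = recover_mac(MacVerifier(digest, constant_time=False), len(digest))
    print("early-exit compare: recovered=%s after %d queries" % (got == digest, q))
    got, q = recover_mac(MacVerifier(digest, constant_time=True), len(digest))
    print("constant-time compare: %d bytes recovered after %d queries" % (len(got), q))
```

Against the early-exit verifier the whole 20-byte digest falls in at most 256 guesses per byte instead of 2^160; against the constant-time verifier the first 256 guesses all look the same and the attack learns nothing.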
5560
5561* Zero origin timestamp bypass: Additional KoD checks.
5562   References: Sec 2945 / Sec 2901 / CVE-2015-8138
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.92.
5565
5566* peer associations were broken by the fix for NtpBug2899
5567   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5568   References: Sec 2952 / CVE-2015-7704
5569   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5570          4.3.0 up to, but not including 4.3.92
5571   CVSSv2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
5572   Summary: The fix for NtpBug2952 in ntp-4.2.8p5 to address broken peer
5573          associations did not address all of the issues.
5574   Mitigation:
5575        Implement BCP-38.
5576        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5577              or the NTP Public Services Project Download Page
5578        If you can't upgrade, use "server" associations instead of
5579              "peer" associations.
5580        Monitor your ntpd instances.
5581   Credit: This problem was discovered by Michael Tatarinov.
5582
5583* Validate crypto-NAKs, AKA: CRYPTO-NAK DoS
5584   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5585   References: Sec 3007 / CVE-2016-1547 / VU#718152
5586   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5587          4.3.0 up to, but not including 4.3.92
5588   CVSS2: MED 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
   CVSS3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
5590   Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an
5591          off-path attacker can cause a preemptable client association to
5592          be demobilized by sending a crypto NAK packet to a victim client
5593          with a spoofed source address of an existing associated peer.
5594          This is true even if authentication is enabled.
5595
5596          Furthermore, if the attacker keeps sending crypto NAK packets,
5597          for example one every second, the victim never has a chance to
5598          reestablish the association and synchronize time with that
5599          legitimate server.
5600
          For ntp-4.2.8 through ntp-4.2.8p6 there is less risk because more
5602          stringent checks are performed on incoming packets, but there
5603          are still ways to exploit this vulnerability in versions before
5604          ntp-4.2.8p7.
5605   Mitigation:
5606          Implement BCP-38.
5607          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5608              or the NTP Public Services Project Download Page
5609          Properly monitor your ntpd instances
5610   Credit: This weakness was discovered by Stephen Gray and
5611          Matthew Van Gundy of Cisco ASIG.
5612
5613* ctl_getitem() return value not always checked
5614   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5615   References: Sec 3008 / CVE-2016-2519
5616   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5617          4.3.0 up to, but not including 4.3.92
5618   CVSSv2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
5619   CVSSv3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5620   Summary: ntpq and ntpdc can be used to store and retrieve information
5621          in ntpd. It is possible to store a data value that is larger
5622          than the size of the buffer that the ctl_getitem() function of
5623          ntpd uses to report the return value. If the length of the
5624          requested data value returned by ctl_getitem() is too large,
5625          the value NULL is returned instead. There are 2 cases where the
5626          return value from ctl_getitem() was not directly checked to make
5627          sure it's not NULL, but there are subsequent INSIST() checks
5628          that make sure the return value is not NULL. There are no data
5629          values ordinarily stored in ntpd that would exceed this buffer
5630          length. But if one has permission to store values and one stores
5631          a value that is "too large", then ntpd will abort if an attempt
5632          is made to read that oversized value.
   Mitigation:
5634        Implement BCP-38.
5635        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5636              or the NTP Public Services Project Download Page
5637        Properly monitor your ntpd instances.
   Credit: This weakness was discovered by Yihan Lian of the Cloud
5639          Security Team, Qihoo 360.
5640
5641* Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
5642   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5643   References: Sec 3009 / CVE-2016-2518 / VU#718152
5644   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5645          4.3.0 up to, but not including 4.3.92
5646   CVSS2: LOW 2.1 - (AV:N/AC:H/Au:S/C:N/I:N/A:P)
5647   CVSS3: LOW 2.0 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L
5648   Summary: Using a crafted packet to create a peer association with
5649          hmode > 7 causes the MATCH_ASSOC() lookup to make an
5650          out-of-bounds reference.
5651   Mitigation:
5652          Implement BCP-38.
5653          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5654              or the NTP Public Services Project Download Page
5655          Properly monitor your ntpd instances
5656   Credit: This weakness was discovered by Yihan Lian of the Cloud
5657          Security Team, Qihoo 360.
5658
5659* remote configuration trustedkey/requestkey/controlkey values are not
5660          properly validated
5661   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5662   References: Sec 3010 / CVE-2016-2517 / VU#718152
5663   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5664          4.3.0 up to, but not including 4.3.92
5665   CVSS2: MED 4.9 - (AV:N/AC:H/Au:S/C:N/I:N/A:C)
5666   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5667   Summary: If ntpd was expressly configured to allow for remote
5668          configuration, a malicious user who knows the controlkey for
5669          ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
5670          can create a session with ntpd and then send a crafted packet to
5671          ntpd that will change the value of the trustedkey, controlkey,
5672          or requestkey to a value that will prevent any subsequent
5673          authentication with ntpd until ntpd is restarted.
5674   Mitigation:
5675          Implement BCP-38.
5676          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5677              or the NTP Public Services Project Download Page
5678          Properly monitor your ntpd instances
5679   Credit: This weakness was discovered by Yihan Lian of the Cloud
5680          Security Team, Qihoo 360.
5681
5682* Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
5683   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5684   References: Sec 3011 / CVE-2016-2516 / VU#718152
5685   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5686          4.3.0 up to, but not including 4.3.92
5687   CVSS2: MED 6.3 - (AV:N/AC:M/Au:S/C:N/I:N/A:C)
5688   CVSS3: MED 4.2 - CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
5689   Summary: If ntpd was expressly configured to allow for remote
5690          configuration, a malicious user who knows the controlkey for
5691          ntpq or the requestkey for ntpdc (if mode7 is expressly enabled)
5692          can create a session with ntpd and if an existing association is
5693          unconfigured using the same IP twice on the unconfig directive
5694          line, ntpd will abort.
5695   Mitigation:
5696          Implement BCP-38.
5697          Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5698              or the NTP Public Services Project Download Page
5699          Properly monitor your ntpd instances
5700   Credit: This weakness was discovered by Yihan Lian of the Cloud
5701          Security Team, Qihoo 360.
5702
5703* Refclock impersonation vulnerability
5704   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5705   References: Sec 3020 / CVE-2016-1551
5706   Affects: On a very limited number of OSes, all NTP releases up to but
5707          not including 4.2.8p7, and 4.3.0 up to but not including 4.3.92.
5708          By "very limited number of OSes" we mean no general-purpose OSes
5709          have yet been identified that have this vulnerability.
5710   CVSSv2: LOW 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N)
5711   CVSSv3: LOW 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
5712   Summary: While most OSes implement martian packet filtering in their
5713          network stack, at least regarding 127.0.0.0/8, some will allow
5714          packets claiming to be from 127.0.0.0/8 that arrive over a
5715          physical network. On these OSes, if ntpd is configured to use a
5716          reference clock an attacker can inject packets over the network
5717          that look like they are coming from that reference clock.
5718   Mitigation:
5719        Implement martian packet filtering and BCP-38.
5720        Configure ntpd to use an adequate number of time sources.
5721        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5722              or the NTP Public Services Project Download Page
5723        If you are unable to upgrade and if you are running an OS that
5724              has this vulnerability, implement martian packet filters and
5725              lobby your OS vendor to fix this problem, or run your
5726              refclocks on computers that use OSes that are not vulnerable
5727              to these attacks and have your vulnerable machines get their
5728              time from protected resources.
5729        Properly monitor your ntpd instances.
5730   Credit: This weakness was discovered by Matt Street and others of
5731          Cisco ASIG.
5732
5733The following issues were fixed in earlier releases and contain
5734improvements in 4.2.8p7:
5735
5736* Clients that receive a KoD should validate the origin timestamp field.
5737   References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p4 and 4.3.77.
5740
5741* Skeleton key: passive server with trusted key can serve time.
5742   References: Sec 2936 / CVE-2015-7974
   Affects: All ntp-4 releases up to, but not including 4.2.8p7.
   Summary: Improvements to the fixes incorporated into 4.2.8p6 and 4.3.90.
5745
5746Two other vulnerabilities have been reported, and the mitigations
5747for these are as follows:
5748
5749* Interleave-pivot
5750   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5751   References: Sec 2978 / CVE-2016-1548
5752   Affects: All ntp-4 releases.
5753   CVSSv2: MED 6.4 - (AV:N/AC:L/Au:N/C:N/I:P/A:P)
   CVSSv3: HIGH 7.2 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
5755   Summary: It is possible to change the time of an ntpd client or deny
5756          service to an ntpd client by forcing it to change from basic
5757          client/server mode to interleaved symmetric mode. An attacker
5758          can spoof a packet from a legitimate ntpd server with an origin
5759          timestamp that matches the peer->dst timestamp recorded for that
5760          server. After making this switch, the client will reject all
5761          future legitimate server responses. It is possible to force the
5762          victim client to move time after the mode has been changed.
5763          ntpq gives no indication that the mode has been switched.
5764   Mitigation:
5765        Implement BCP-38.
5766        Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
5767              or the NTP Public Services Project Download Page.  These
5768              versions will not dynamically "flip" into interleave mode
5769              unless configured to do so.
5770        Properly monitor your ntpd instances.
5771   Credit: This weakness was discovered by Miroslav Lichvar of RedHat
5772          and separately by Jonathan Gardner of Cisco ASIG.
5773
5774* Sybil vulnerability: ephemeral association attack
5775   Date Resolved: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
5776   References: Sec 3012 / CVE-2016-1549
5777   Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
5778          4.3.0 up to, but not including 4.3.92
5779   CVSSv2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
   CVSSv3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
5781   Summary: ntpd can be vulnerable to Sybil attacks. If one is not using
5782          the feature introduced in ntp-4.2.8p6 allowing an optional 4th
5783          field in the ntp.keys file to specify which IPs can serve time,
5784          a malicious authenticated peer can create arbitrarily-many
5785          ephemeral associations in order to win the clock selection of
5786          ntpd and modify a victim's clock.
5787   Mitigation:
5788        Implement BCP-38.
5789        Use the 4th field in the ntp.keys file to specify which IPs
5790              can be time servers.
5791        Properly monitor your ntpd instances.
5792   Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
5793
5794Other fixes:
5795
5796* [Bug 2831]  Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
5797  - fixed yet another race condition in the threaded resolver code.
5798* [Bug 2858] bool support.  Use stdbool.h when available.  HStenn.
5799* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
5800  - integrated patches by Loganaden Velvidron <logan@ntp.org>
5801    with some modifications & unit tests
5802* [Bug 2960] async name resolution fixes for chroot() environments.
5803  Reinhard Max.
5804* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
5805* [Bug 2995] Fixes to compile on Windows
5806* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
5807* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
5808  - Patch provided by Ch. Weisgerber
5809* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
5810  - A change related to [Bug 2853] forbids trailing white space in
5811    remote config commands. perlinger@ntp.org
5812* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
5813  - report and patch from Aleksandr Kostikov.
5814  - Overhaul of Windows IO completion port handling. perlinger@ntp.org
5815* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
5816  - fixed memory leak in access list (auth[read]keys.c)
5817  - refactored handling of key access lists (auth[read]keys.c)
5818  - reduced number of error branches (authreadkeys.c)
5819* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
5820* [Bug 3030] ntpq needs a general way to specify refid output format.  HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
5822             when the time of server changed. perlinger@ntp.org
5823  - Check the initial delay calculation and reject/unpeer the broadcast
5824    server if the delay exceeds 50ms. Retry again after the next
5825    broadcast packet.
5826* [Bug 3036] autokey trips an INSIST in authistrustedip().  Harlan Stenn.
5827* Document ntp.key's optional IP list in authenetic.html.  Harlan Stenn.
5828* Update html/xleave.html documentation.  Harlan Stenn.
5829* Update ntp.conf documentation.  Harlan Stenn.
5830* Fix some Credit: attributions in the NEWS file.  Harlan Stenn.
5831* Fix typo in html/monopt.html.  Harlan Stenn.
5832* Add README.pullrequests.  Harlan Stenn.
5833* Cleanup to include/ntp.h.  Harlan Stenn.
5834
5835New option to 'configure':
5836
While looking into the issues around Bug 2978, the "interleave pivot"
5838issue, it became clear that there are some intricate and unresolved
5839issues with interleave operations.  We also realized that the interleave
5840protocol was never added to the NTPv4 Standard, and it should have been.
5841
5842Interleave mode was first released in July of 2008, and can be engaged
5843in two ways.  Any 'peer' and 'broadcast' lines in the ntp.conf file may
contain the 'xleave' option, which will expressly enable interleave mode
5845for that association.  Additionally, if a time packet arrives and is
5846found inconsistent with normal protocol behavior but has certain
5847characteristics that are compatible with interleave mode, NTP will
5848dynamically switch to interleave mode.  With sufficient knowledge, an
5849attacker can send a crafted forged packet to an NTP instance that
5850triggers only one side to enter interleaved mode.
5851
5852To prevent this attack until we can thoroughly document, describe,
5853fix, and test the dynamic interleave mode, we've added a new
5854'configure' option to the build process:
5855
5856 --enable-dynamic-interleave
5857
5858This option controls whether or not NTP will, if conditions are right,
5859engage dynamic interleave mode.  Dynamic interleave mode is disabled by
5860default in ntp-4.2.8p7.
5861
5862---
5863NTP 4.2.8p6 (Harlan Stenn <stenn@ntp.org>, 2016/01/20)
5864
5865Focus: Security, Bug fixes, enhancements.
5866
5867Severity: MEDIUM
5868
5869In addition to bug fixes and enhancements, this release fixes the
5870following 1 low- and 8 medium-severity vulnerabilities:
5871
5872* Potential Infinite Loop in 'ntpq'
5873   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5874   References: Sec 2548 / CVE-2015-8158
5875   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5876          4.3.0 up to, but not including 4.3.90
5877   CVSS2: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5878   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
5879   Summary: 'ntpq' processes incoming packets in a loop in 'getresponse()'.
5880          The loop's only stopping conditions are receiving a complete and
5881          correct response or hitting a small number of error conditions.
5882          If the packet contains incorrect values that don't trigger one of
5883          the error conditions, the loop continues to receive new packets.
5884          Note well, this is an attack against an instance of 'ntpq', not
5885          'ntpd', and this attack requires the attacker to do one of the
5886          following:
5887          * Own a malicious NTP server that the client trusts
5888          * Prevent a legitimate NTP server from sending packets to
5889              the 'ntpq' client
5890          * MITM the 'ntpq' communications between the 'ntpq' client
5891              and the NTP server
5892   Mitigation:
5893          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5894          or the NTP Public Services Project Download Page
5895   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
5896
5897* 0rigin: Zero Origin Timestamp Bypass
5898   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5899   References: Sec 2945 / CVE-2015-8138
5900   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5901          4.3.0 up to, but not including 4.3.90
5902   CVSS2: (AV:N/AC:L/Au:N/C:N/I:P/A:N) Base Score: 5.0 - MEDIUM
5903   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Base Score: 5.3 - MEDIUM
5904          (3.7 - LOW if you score AC:L)
5905   Summary: To distinguish legitimate peer responses from forgeries, a
5906          client attempts to verify a response packet by ensuring that the
5907          origin timestamp in the packet matches the origin timestamp it
5908          transmitted in its last request.  A logic error exists that
5909          allows packets with an origin timestamp of zero to bypass this
5910          check whenever there is not an outstanding request to the server.
5911   Mitigation:
5912          Configure 'ntpd' to get time from multiple sources.
5913          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5914              or the NTP Public Services Project Download Page.
5915          Monitor your 'ntpd' instances.
   Credit: This weakness was discovered by Matthew Van Gundy and
5917          Jonathan Gardner of Cisco ASIG.
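
   As an added illustration (not ntpd source, and not part of this NEWS
   file), the following C model shows why a reply carrying a zero origin
   timestamp slipped through the check described above whenever no request
   was outstanding, and how a corrected check closes it. The type, field
   and function names (peer_model, aorg, origin_ok_vulnerable,
   origin_ok_fixed, run_scenario) are hypothetical, and the timestamps are
   constructed sample values.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not ntpd code: a simplified model of the NTP
 * origin-timestamp check.  All names here are hypothetical. */

typedef uint64_t l_fp;          /* 64-bit NTP timestamp (seconds.fraction) */

struct peer_model {
    l_fp aorg;      /* transmit timestamp of our last request; 0 when none is outstanding */
    int  accepted;  /* replies we acted on */
    int  rejected;  /* replies dropped as bogus */
};

/* Client sends a request: remember its transmit timestamp so the reply
 * can be matched against it. */
static void send_request(struct peer_model *p, l_fp xmt)
{
    p->aorg = xmt;
}

/* Vulnerable check (the pre-4.2.8p6 behaviour described above): a plain
 * equality test.  With no request outstanding aorg is zero, so a forged
 * reply whose origin field is also zero compares equal and is accepted. */
static bool origin_ok_vulnerable(const struct peer_model *p, l_fp pkt_org)
{
    return pkt_org == p->aorg;
}

/* Hardened check: a zero origin never matches, and a reply is only
 * acceptable while a request is actually outstanding. */
static bool origin_ok_fixed(const struct peer_model *p, l_fp pkt_org)
{
    if (pkt_org == 0 || p->aorg == 0)
        return false;
    return pkt_org == p->aorg;
}

/* Process one reply with the chosen check; on acceptance the outstanding
 * request is consumed (aorg cleared), as the client does after a match. */
static void receive_reply(struct peer_model *p, l_fp pkt_org,
                          bool (*check)(const struct peer_model *, l_fp))
{
    if (check(p, pkt_org)) {
        p->accepted++;
        p->aorg = 0;
    } else {
        p->rejected++;
    }
}

/* Run one constructed sequence against the given check:
 *   1. a legitimate request/reply pair
 *   2. a forged reply with origin = 0 while no request is outstanding
 *   3. a forged reply with a guessed nonzero origin, none outstanding
 * Returns how many of the three replies the check accepted. */
static int run_scenario(bool (*check)(const struct peer_model *, l_fp))
{
    struct peer_model p = { 0, 0, 0 };
    const l_fp legit_xmt = 0xDF0B4A7A12345678ULL;   /* constructed sample value */

    send_request(&p, legit_xmt);
    receive_reply(&p, legit_xmt, check);             /* genuine reply */
    receive_reply(&p, 0, check);                     /* zero-origin forgery */
    receive_reply(&p, 0x0102030405060708ULL, check); /* wrong-origin forgery */
    return p.accepted;
}

int main(void)
{
    printf("vulnerable check accepted %d of 3 replies\n",
           run_scenario(origin_ok_vulnerable));
    printf("fixed check accepted      %d of 3 replies\n",
           run_scenario(origin_ok_fixed));
    return 0;
}
```

   The vulnerable check accepts two of the three replies (the genuine one
   and the zero-origin forgery); the fixed check accepts only the genuine
   one. The same reasoning is why the advisory recommends multiple time
   sources: a single forged-but-accepted reply then has to outvote the
   others in clock selection.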
5918
5919* Stack exhaustion in recursive traversal of restriction list
5920   Date Resolved: Stable (4.2.8p6) 19 Jan 2016
5921   References: Sec 2940 / CVE-2015-7978
5922   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5923          4.3.0 up to, but not including 4.3.90
5924   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5925   Summary: An unauthenticated 'ntpdc reslist' command can cause a
5926          segmentation fault in ntpd by exhausting the call stack.
5927   Mitigation:
5928          Implement BCP-38.
5929          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5930              or the NTP Public Services Project Download Page.
5931          If you are unable to upgrade:
5932            In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
5933              If you must enable mode 7:
5934                    configure the use of a 'requestkey' to control who can
5935                        issue mode 7 requests.
5936                    configure 'restrict noquery' to further limit mode 7
5937                        requests to trusted sources.
5938                    Monitor your ntpd instances.
5939   Credit: This weakness was discovered by Stephen Gray at Cisco ASIG.
5940
* Off-path Denial of Service (DoS) attack on authenticated broadcast mode
5942   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5943   References: Sec 2942 / CVE-2015-7979
5944   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5945          4.3.0 up to, but not including 4.3.90
5946   CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:P) Base Score: 5.8
5947   Summary: An off-path attacker can send broadcast packets with bad
5948          authentication (wrong key, mismatched key, incorrect MAC, etc)
5949          to broadcast clients. It is observed that the broadcast client
5950          tears down the association with the broadcast server upon
5951          receiving just one bad packet.
5952   Mitigation:
5953          Implement BCP-38.
5954          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
5955          or the NTP Public Services Project Download Page.
5956          Monitor your 'ntpd' instances.
5957          If this sort of attack is an active problem for you, you have
5958              deeper problems to investigate.  In this case also consider
5959              having smaller NTP broadcast domains.
5960   Credit: This weakness was discovered by Aanchal Malhotra of Boston
5961          University.
5962
5963* reslist NULL pointer dereference
5964   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5965   References: Sec 2939 / CVE-2015-7977
5966   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5967          4.3.0 up to, but not including 4.3.90
5968   CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3 - MEDIUM
5969   Summary: An unauthenticated 'ntpdc reslist' command can cause a
5970          segmentation fault in ntpd by causing a NULL pointer dereference.
5971   Mitigation:
5972          Implement BCP-38.
5973          Upgrade to 4.2.8p6, or later, from NTP Project Download Page or
5974          the NTP Public Services Project Download Page.
5975          If you are unable to upgrade:
5976              mode 7 is disabled by default.  Don't enable it.
5977              If you must enable mode 7:
5978                    configure the use of a 'requestkey' to control who can
5979                        issue mode 7 requests.
5980                    configure 'restrict noquery' to further limit mode 7
5981                        requests to trusted sources.
5982          Monitor your ntpd instances.
5983   Credit: This weakness was discovered by Stephen Gray of Cisco ASIG.
5984
5985* 'ntpq saveconfig' command allows dangerous characters in filenames.
5986   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
5987   References: Sec 2938 / CVE-2015-7976
5988   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
5989          4.3.0 up to, but not including 4.3.90
5990   CVSS: (AV:N/AC:L/Au:S/C:N/I:P/A:N) Base Score: 4.0 - MEDIUM
5991   Summary: The ntpq saveconfig command does not do adequate filtering
5992          of special characters from the supplied filename.
5993          Note well: The ability to use the saveconfig command is controlled
5994          by the 'restrict nomodify' directive, and the recommended default
5995          configuration is to disable this capability.  If the ability to
5996          execute a 'saveconfig' is required, it can easily (and should) be
5997          limited and restricted to a known small number of IP addresses.
5998   Mitigation:
5999          Implement BCP-38.
6000          use 'restrict default nomodify' in your 'ntp.conf' file.
6001          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page.
6002          If you are unable to upgrade:
6003              build NTP with 'configure --disable-saveconfig' if you will
6004                    never need this capability, or
6005              use 'restrict default nomodify' in your 'ntp.conf' file.  Be
6006                    careful about what IPs have the ability to send 'modify'
6007                    requests to 'ntpd'.
6008          Monitor your ntpd instances.
6009          'saveconfig' requests are logged to syslog - monitor your syslog files.
6010   Credit: This weakness was discovered by Jonathan Gardner of Cisco ASIG.
6011
6012* nextvar() missing length check in ntpq
6013   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6014   References: Sec 2937 / CVE-2015-7975
6015   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6016          4.3.0 up to, but not including 4.3.90
6017   CVSS: (AV:L/AC:H/Au:N/C:N/I:N/A:P) Base Score: 1.2 - LOW
6018          If you score A:C, this becomes 4.0.
6019   CVSSv3: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) Base Score 2.9, LOW
6020   Summary: ntpq may call nextvar() which executes a memcpy() into the
6021          name buffer without a proper length check against its maximum
          length of 256 bytes. Note well that we're talking about ntpq here.
6023          The usual worst-case effect of this vulnerability is that the
6024          specific instance of ntpq will crash and the person or process
6025          that did this will have stopped themselves.
6026   Mitigation:
6027          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
6028              or the NTP Public Services Project Download Page.
6029          If you are unable to upgrade:
6030              If you have scripts that feed input to ntpq make sure there are
6031                    some sanity checks on the input received from the "outside".
6032              This is potentially more dangerous if ntpq is run as root.
6033   Credit: This weakness was discovered by Jonathan Gardner at Cisco ASIG.
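
   As an added example (not ntpq source, and not part of this NEWS file),
   here is how a name=value list parser of the kind described above can be
   written so that an oversize token is rejected instead of copied into a
   fixed 256-byte buffer. The function and constant names (next_var,
   bounded_copy, count_vars, NAME_MAX_LEN, VALUE_MAX_LEN) and the handling
   of double-quoted values are this example's own assumptions; the sample
   variable lists are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ntpq code.  Names are hypothetical; 256 matches the
 * name-buffer size quoted in the advisory, VALUE_MAX_LEN is our choice. */
#define NAME_MAX_LEN   256
#define VALUE_MAX_LEN  256

enum nv_status { NV_END = 0, NV_OK = 1, NV_TOOLONG = -1 };

/* Copy [begin, end) into dst[dst_size] with a length check.  Returns 0 on
 * success, -1 if the token would not fit; dst is always NUL-terminated. */
static int bounded_copy(char *dst, size_t dst_size, const char *begin, const char *end)
{
    size_t len = (size_t)(end - begin);
    if (len >= dst_size) {
        dst[0] = '\0';
        return -1;          /* the missing check: refuse instead of overflowing */
    }
    memcpy(dst, begin, len);
    dst[len] = '\0';
    return 0;
}

/* Pull the next name=value pair off *cursor.  Commas separate pairs
 * except inside double quotes; blanks before a name are skipped. */
static enum nv_status next_var(const char **cursor, char *name, size_t name_size,
                               char *value, size_t value_size)
{
    const char *p = *cursor;
    while (*p == ' ' || *p == '\t' || *p == ',')
        p++;
    if (*p == '\0') {
        *cursor = p;
        return NV_END;
    }

    const char *name_beg = p;
    while (*p && *p != '=' && *p != ',')
        p++;
    const char *name_end = p;
    while (name_end > name_beg && (name_end[-1] == ' ' || name_end[-1] == '\t'))
        name_end--;         /* trim trailing blanks from the name */

    const char *val_beg = p, *val_end = p;
    if (*p == '=') {
        p++;
        val_beg = p;
        bool quoted = false;
        while (*p && (quoted || *p != ',')) {
            if (*p == '"')
                quoted = !quoted;
            p++;
        }
        val_end = p;
    }
    if (*p == ',')
        p++;
    *cursor = p;

    if (bounded_copy(name, name_size, name_beg, name_end) != 0 ||
        bounded_copy(value, value_size, val_beg, val_end) != 0)
        return NV_TOOLONG;
    return NV_OK;
}

/* Walk a whole list, counting accepted pairs; returns -1 if any token
 * was too long for its buffer. */
static int count_vars(const char *list)
{
    char name[NAME_MAX_LEN], value[VALUE_MAX_LEN];
    const char *cur = list;
    int n = 0;
    enum nv_status st;
    while ((st = next_var(&cur, name, sizeof name, value, sizeof value)) == NV_OK)
        n++;
    return st == NV_END ? n : -1;
}

/* Constructed input: a 300-character name, longer than the 256-byte buffer. */
static int oversize_name_rejected(void)
{
    char list[400];
    memset(list, 'A', 300);
    memcpy(list + 300, "=1", 3);    /* includes the terminating NUL */
    return count_vars(list) == -1;
}

int main(void)
{
    printf("pairs in sample list: %d\n",
           count_vars("stratum=2, refid=\"a,b\", precision=-23"));
    printf("300-char name rejected: %s\n", oversize_name_rejected() ? "yes" : "no");
    return 0;
}
```

   The point of the example is the contract of bounded_copy: the caller's
   buffer size travels with the buffer, and a token that does not fit is a
   parse error, not a memcpy. That is the defensive shape the advisory's
   "sanity checks on the input" mitigation asks for when ntpq is scripted.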
6034
6035* Skeleton Key: Any trusted key system can serve time
6036   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6037   References: Sec 2936 / CVE-2015-7974
6038   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6039          4.3.0 up to, but not including 4.3.90
6040   CVSS: (AV:N/AC:H/Au:S/C:N/I:C/A:N) Base Score: 4.9
6041   Summary: Symmetric key encryption uses a shared trusted key. The
6042          reported title for this issue was "Missing key check allows
6043          impersonation between authenticated peers" and the report claimed
6044          "A key specified only for one server should only work to
6045          authenticate that server, other trusted keys should be refused."
6046          Except there has never been any correlation between this trusted
6047          key and server v. clients machines and there has never been any
6048          way to specify a key only for one server. We have treated this as
6049          an enhancement request, and ntp-4.2.8p6 includes other checks and
6050          tests to strengthen clients against attacks coming from broadcast
6051          servers.
6052   Mitigation:
6053          Implement BCP-38.
6054          If this scenario represents a real or a potential issue for you,
6055              upgrade to 4.2.8p6, or later, from the NTP Project Download
6056              Page or the NTP Public Services Project Download Page, and
6057              use the new field in the ntp.keys file that specifies the list
6058              of IPs that are allowed to serve time. Note that this alone
6059              will not protect against time packets with forged source IP
6060              addresses, however other changes in ntp-4.2.8p6 provide
6061              significant mitigation against broadcast attacks. MITM attacks
6062              are a different story.
6063          If you are unable to upgrade:
6064              Don't use broadcast mode if you cannot monitor your client
6065                    servers.
6066              If you choose to use symmetric keys to authenticate time
6067                    packets in a hostile environment where ephemeral time
6068                    servers can be created, or if it is expected that malicious
6069                    time servers will participate in an NTP broadcast domain,
6070                    limit the number of participating systems that participate
6071                    in the shared-key group.
6072          Monitor your ntpd instances.
6073   Credit: This weakness was discovered by Matt Street of Cisco ASIG.
6074
6075* Deja Vu: Replay attack on authenticated broadcast mode
6076   Date Resolved: Stable (4.2.8p6) 19 Jan 2016; Dev (4.3.90) 19 Jan 2016
6077   References: Sec 2935 / CVE-2015-7973
6078   Affects: All ntp-4 releases up to, but not including 4.2.8p6, and
6079          4.3.0 up to, but not including 4.3.90
6080   CVSS: (AV:A/AC:M/Au:N/C:N/I:P/A:P) Base Score: 4.3 - MEDIUM
6081   Summary: If an NTP network is configured for broadcast operations then
6082          either a man-in-the-middle attacker or a malicious participant
6083          that has the same trusted keys as the victim can replay time packets.
6084   Mitigation:
6085          Implement BCP-38.
6086          Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
6087              or the NTP Public Services Project Download Page.
6088          If you are unable to upgrade:
6089              Don't use broadcast mode if you cannot monitor your client servers.
6090          Monitor your ntpd instances.
6091   Credit: This weakness was discovered by Aanchal Malhotra of Boston
6092          University.
6093
6094Other fixes:
6095
6096* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
6097* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
6098  - applied patch by shenpeng11@huawei.com with minor adjustments
6099* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
6100* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
6101* [Bug 2892] Several test cases assume IPv6 capabilities even when
6102             IPv6 is disabled in the build. perlinger@ntp.org
6103  - Found this already fixed, but validation led to cleanup actions.
6104* [Bug 2905] DNS lookups broken. perlinger@ntp.org
6105  - added limits to stack consumption, fixed some return code handling
6106* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
6107  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
6109* [Bug 2980] reduce number of warnings. perlinger@ntp.org
6110  - integrated several patches from Havard Eidnes (he@uninett.no)
6111* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
6112  - implement 'auth_log2()' using integer bithack instead of float calculation
6113* Make leapsec_query debug messages less verbose.  Harlan Stenn.
6114
6115---
6116NTP 4.2.8p5 (Harlan Stenn <stenn@ntp.org>, 2016/01/07)
6117
6118Focus: Security, Bug fixes, enhancements.
6119
6120Severity: MEDIUM
6121
6122In addition to bug fixes and enhancements, this release fixes the
6123following medium-severity vulnerability:
6124
6125* Small-step/big-step.  Close the panic gate earlier.
6126    References: Sec 2956, CVE-2015-5300
6127    Affects: All ntp-4 releases up to, but not including 4.2.8p5, and
6128          4.3.0 up to, but not including 4.3.78
6129    CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM
6130    Summary: If ntpd is always started with the -g option, which is
6131          common and against long-standing recommendation, and if at the
6132          moment ntpd is restarted an attacker can immediately respond to
6133          enough requests from enough sources trusted by the target, which
6134          is difficult and not common, there is a window of opportunity
6135          where the attacker can cause ntpd to set the time to an
6136          arbitrary value. Similarly, if an attacker is able to respond
6137          to enough requests from enough sources trusted by the target,
6138          the attacker can cause ntpd to abort and restart, at which
6139          point it can tell the target to set the time to an arbitrary
6140          value if and only if ntpd was re-started against long-standing
6141          recommendation with the -g flag, or if ntpd was not given the
6142          -g flag, the attacker can move the target system's time by at
6143          most 900 seconds' time per attack.
6144    Mitigation:
6145          Configure ntpd to get time from multiple sources.
6146          Upgrade to 4.2.8p5, or later, from the NTP Project Download
6147              Page or the NTP Public Services Project Download Page
6148          As we've long documented, only use the -g option to ntpd in
6149              cold-start situations.
6150          Monitor your ntpd instances.
6151    Credit: This weakness was discovered by Aanchal Malhotra,
6152          Isaac E. Cohen, and Sharon Goldberg at Boston University.
6153
6154    NOTE WELL: The -g flag disables the limit check on the panic_gate
6155          in ntpd, which is 900 seconds by default. The bug identified by
6156          the researchers at Boston University is that the panic_gate
6157          check was only re-enabled after the first change to the system
6158          clock that was greater than 128 milliseconds, by default. The
6159          correct behavior is that the panic_gate check should be
6160          re-enabled after any initial time correction.
6161
6162          If an attacker is able to inject consistent but erroneous time
6163          responses to your systems via the network or "over the air",
6164          perhaps by spoofing radio, cellphone, or navigation satellite
6165          transmissions, they are in a great position to affect your
6166          system's clock. There comes a point where your very best
6167          defenses include:
6168
6169              Configure ntpd to get time from multiple sources.
6170              Monitor your ntpd instances.
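
    As an added illustration (not ntpd source, and not part of this NEWS
    file), the C model below replays the panic-gate behaviour described in
    the note above: with -g, an initial correction below the 128 ms step
    threshold left the gate disarmed in the buggy version, while the
    corrected version re-arms it after any initial correction. The names
    (clock_model, adjust_buggy, adjust_fixed, day_jump_applied) are
    hypothetical; 900 s and 128 ms are the defaults quoted above, and the
    50 ms and one-day offsets are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example, not ntpd code: a toy model of the panic gate.  All names
 * are hypothetical; the two thresholds are the defaults quoted above. */

#define PANIC_GATE      900.0   /* seconds; a larger correction makes ntpd exit */
#define STEP_THRESHOLD  0.128   /* seconds; a larger correction steps the clock */

struct clock_model {
    bool   allow_panic;   /* true while -g still exempts a correction from the gate */
    double clock;         /* simulated system time, in seconds */
    int    stepped;       /* step corrections applied */
    int    slewed;        /* slew corrections applied */
    int    refused;       /* corrections refused by the panic gate */
};

static double absd(double x) { return x < 0 ? -x : x; }

static void clock_init(struct clock_model *c, bool g_flag)
{
    c->allow_panic = g_flag;
    c->clock = 0.0;
    c->stepped = c->slewed = c->refused = 0;
}

/* The gate: pass anything while the -g exemption is live, otherwise only
 * corrections within PANIC_GATE. */
static bool gate_allows(const struct clock_model *c, double offset)
{
    return c->allow_panic || absd(offset) <= PANIC_GATE;
}

/* Buggy behaviour (pre-4.2.8p5, as described above): the -g exemption is
 * withdrawn only after a correction larger than the step threshold, so a
 * small initial slew leaves the gate open for the next measurement. */
static bool adjust_buggy(struct clock_model *c, double offset)
{
    if (!gate_allows(c, offset)) { c->refused++; return false; }
    if (absd(offset) > STEP_THRESHOLD) {
        c->stepped++;
        c->allow_panic = false;     /* re-armed only on a step */
    } else {
        c->slewed++;                /* gate stays disarmed: the bug */
    }
    c->clock += offset;
    return true;
}

/* Corrected behaviour: the exemption is withdrawn after any initial
 * correction, slew or step. */
static bool adjust_fixed(struct clock_model *c, double offset)
{
    if (!gate_allows(c, offset)) { c->refused++; return false; }
    if (absd(offset) > STEP_THRESHOLD)
        c->stepped++;
    else
        c->slewed++;
    c->allow_panic = false;         /* re-armed after any correction */
    c->clock += offset;
    return true;
}

/* Scenario from the advisory: ntpd started with -g, the first measured
 * offset is a harmless 50 ms, then a forged consensus claims the clock is
 * a day off.  Returns true if the day-sized correction was applied. */
static bool day_jump_applied(bool (*adjust)(struct clock_model *, double))
{
    struct clock_model c;
    clock_init(&c, true);           /* started with -g */
    adjust(&c, 0.050);              /* small first correction */
    return adjust(&c, 86400.0);     /* constructed attacker-supplied offset */
}

/* Without -g the gate is armed from the start, so the same day-sized
 * offset is refused by either implementation. */
static bool day_jump_refused_without_g(bool (*adjust)(struct clock_model *, double))
{
    struct clock_model c;
    clock_init(&c, false);
    return !adjust(&c, 86400.0);
}

int main(void)
{
    printf("buggy: day-sized jump applied after a small slew? %s\n",
           day_jump_applied(adjust_buggy) ? "yes" : "no");
    printf("fixed: day-sized jump applied after a small slew? %s\n",
           day_jump_applied(adjust_fixed) ? "yes" : "no");
    return 0;
}
```

    The model also shows why the advice to use -g only at cold start
    matters independently of the fix: with the gate armed from the first
    correction, a day-sized offset is refused whether or not the bug is
    present, and the attacker is held to the 900-second limit the summary
    describes.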
6171
6172Other fixes:
6173
6174* Coverity submission process updated from Coverity 5 to Coverity 7.
6175  The NTP codebase has been undergoing regular Coverity scans on an
6176  ongoing basis since 2006.  As part of our recent upgrade from
6177  Coverity 5 to Coverity 7, Coverity identified 16 nits in some of
6178  the newly-written Unity test programs.  These were fixed.
6179* [Bug 2829] Clean up pipe_fds in ntpd.c  perlinger@ntp.org
6180* [Bug 2887] stratum -1 config results as showing value 99
6181  - fudge stratum should only accept values [0..16]. perlinger@ntp.org
6182* [Bug 2932] Update leapsecond file info in miscopt.html.  CWoodbury, HStenn.
6183* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in.  HMurray
6184* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
6185  - applied patch by Christos Zoulas.  perlinger@ntp.org
6186* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
6187* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
6188  - fixed data race conditions in threaded DNS worker. perlinger@ntp.org
6189  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org
6190* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@ntp.org
6191  - accept key file only if there are no parsing errors
6192  - fixed size_t/u_int format clash
6193  - fixed wrong use of 'strlcpy'
6194* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
6195* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org
6196  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
6197  - promote use of 'size_t' for values that express a size
6198  - use ptr-to-const for read-only arguments
6199  - make sure SOCKET values are not truncated (win32-specific)
6200  - format string fixes
6201* [Bug 2965] Local clock didn't work since 4.2.8p4.  Martin Burnicki.
6202* [Bug 2967] ntpdate command suffers an assertion failure
6203  - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org
6204* [Bug 2969]  Seg fault from ntpq/mrulist when looking at server with
6205              lots of clients. perlinger@ntp.org
6206* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
6207  - changed stacked/nested handling of CTRL-C. perlinger@ntp.org
6208* Unity cleanup for FreeBSD-6.4.  Harlan Stenn.
6209* Unity test cleanup.  Harlan Stenn.
6210* Libevent autoconf pthread fixes for FreeBSD-10.  Harlan Stenn.
6211* Header cleanup in tests/sandbox/uglydate.c.  Harlan Stenn.
6212* Header cleanup in tests/libntp/sfptostr.c.  Harlan Stenn.
6213* Quiet a warning from clang.  Harlan Stenn.
6214
6215---
6216NTP 4.2.8p4 (Harlan Stenn <stenn@ntp.org>, 2015/10/21)
6217
6218Focus: Security, Bug fixes, enhancements.
6219
6220Severity: MEDIUM
6221
6222In addition to bug fixes and enhancements, this release fixes the
6223following 13 low- and medium-severity vulnerabilities:
6224
6225* Incomplete vallen (value length) checks in ntp_crypto.c, leading
6226  to potential crashes or potential code injection/information leakage.
6227
6228    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
6229    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6230          and 4.3.0 up to, but not including 4.3.77
6231    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
6232    Summary: The fix for CVE-2014-9750 was incomplete in that there were
6233          certain code paths where a packet with particular autokey operations
6234          that contained malicious data was not always being completely
6235          validated. Receipt of these packets can cause ntpd to crash.
    Mitigation:
          Don't use autokey.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page
          Monitor your ntpd instances.
    Credit: This weakness was discovered by Tenable Network Security.
6242
6243* Clients that receive a KoD should validate the origin timestamp field.
6244
6245    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
6246    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6247          and 4.3.0 up to, but not including 4.3.77
6248    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
6249    Summary: An ntpd client that honors Kiss-of-Death responses will honor
6250          KoD messages that have been forged by an attacker, causing it to
6251          delay or stop querying its servers for time updates. Also, an
6252          attacker can forge packets that claim to be from the target and
6253          send them to servers often enough that a server that implements
6254          KoD rate limiting will send the target machine a KoD response to
6255          attempt to reduce the rate of incoming packets, or it may also
6256          trigger a firewall block at the server for packets from the target
6257          machine. For either of these attacks to succeed, the attacker must
6258          know what servers the target is communicating with. An attacker
6259          can be anywhere on the Internet and can frequently learn the
6260          identity of the target's time source by sending the target a
6261          time query.
6262    Mitigation:
          Implement BCP-38.
6264          Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
6265              or the NTP Public Services Project Download Page
6266          If you can't upgrade, restrict who can query ntpd to learn who
6267              its servers are, and what IPs are allowed to ask your system
6268              for the time. This mitigation is heavy-handed.
6269          Monitor your ntpd instances.
6270    Note:
6271          4.2.8p4 protects against the first attack. For the second attack,
6272          all we can do is warn when it is happening, which we do in 4.2.8p4.
6273    Credit: This weakness was discovered by Aanchal Malhotra,
          Isaac E. Cohen, and Sharon Goldberg of Boston University.
6275
6276* configuration directives to change "pidfile" and "driftfile" should
6277  only be allowed locally.
6278
   References: Sec 2902 / CVE-2015-5196
   Affects: All ntp-4 releases up to, but not including 4.2.8p4,
6281          and 4.3.0 up to, but not including 4.3.77
6282   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
6283   Summary: If ntpd is configured to allow for remote configuration,
6284          and if the (possibly spoofed) source IP address is allowed to
6285          send remote configuration requests, and if the attacker knows
6286          the remote configuration password, it's possible for an attacker
6287          to use the "pidfile" or "driftfile" directives to potentially
6288          overwrite other files.
6289   Mitigation:
6290          Implement BCP-38.
6291          Upgrade to 4.2.8p4, or later, from the NTP Project Download
6292              Page or the NTP Public Services Project Download Page
6293          If you cannot upgrade, don't enable remote configuration.
6294          If you must enable remote configuration and cannot upgrade,
6295              remote configuration of NTF's ntpd requires:
6296              - an explicitly configured trustedkey, and you should also
6297                    configure a controlkey.
6298              - access from a permitted IP. You choose the IPs.
6299              - authentication. Don't disable it. Practice secure key safety.
6300          Monitor your ntpd instances.
6301   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
6302
* Slow memory leak in CRYPTO_ASSOC

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
          4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
          send packets to ntpd that will, after several days of ongoing
          attack, cause it to run out of memory.
  Mitigation:
          Don't use autokey.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Tenable Network Security.

* mode 7 loop counter underrun

  References: Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
          and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
          use of mode 7 packets is not properly protected through the use
          of the available mode 7 authentication and restriction
          mechanisms, and if the (possibly spoofed) source IP address is
          allowed to send mode 7 queries, then an attacker can send a
          crafted packet to ntpd that will cause it to crash.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade:
              In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
              If you must enable mode 7:
                  configure the use of a requestkey to control who can
                        issue mode 7 requests.
                  configure restrict noquery to further limit mode 7
                        requests to trusted sources.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos.

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
          and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
          the (possibly spoofed) source IP address is allowed to send
          remote configuration requests, and if the attacker knows the
          remote configuration password or if ntpd was configured to
          disable authentication, then an attacker can send a set of
          packets to ntpd that may cause a crash or theoretically
          perform a code injection attack.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's
              ntpd requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from a permitted IP address. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

  References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
          and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
          the (possibly spoofed) source IP address is allowed to send
          remote configuration requests, and if the attacker knows the
          remote configuration password or if ntpd was configured to
          disable authentication, then an attacker can send a set of
          packets to ntpd that will cause it to crash and/or create a
          potentially huge log file. Specifically, the attacker could
          enable extended logging, point the key file at the log file,
          and cause what amounts to an infinite loop.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's
              ntpd requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from a permitted IP address. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
          including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
          the (possibly spoofed) source IP address is allowed to send
          remote configuration requests, and if the attacker knows the
          remote configuration password or if ntpd was configured to
          disable authentication, then an attacker can send a set of
          packets to ntpd that may cause ntpd to overwrite files.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's
              ntpd requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from permitted IP addresses. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
          and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
          is listening for data and the port number it is listening on, or
          if the attacker can provide a malicious ntpd instance that
          victims will connect to, then the attacker can send a set of
          crafted mode 6 response packets that, if received by ntpq,
          can cause ntpq to crash.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade and you run ntpq against a server
              and ntpq crashes, try again using raw mode. Build or get a
              patched ntpq and see if that fixes the problem. Report new
              bugs in ntpq or abusive servers appropriately.
          If you use ntpq in scripts, make sure ntpq does what you expect
              in your scripts.
  Credit: This weakness was discovered by Yves Younan and
          Aleksandar Nikolic of Cisco Talos.

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow.

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases up to, but not
          including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
          that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
          5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
          data buffer. NTF's ntpd driver implementations always set this
          value to 0 and are therefore not vulnerable to this weakness.
          If you are running a custom refclock driver in ntpd and that
          driver supplies a negative value for datalen (no custom driver
          of even minimal competence would do this) then ntpd would
          overflow a data buffer. It is even hypothetically possible
          in this case that instead of simply crashing ntpd the attacker
          could effect a code injection attack.
  Mitigation:
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade:
                    If you are running custom refclock drivers, make sure
                              the signed datalen value is either zero or positive.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan of Cisco Talos.

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
          4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
          1.7 usual case, 6.8 worst case
  Summary: If ntpd is configured to allow remote configuration, and if
          the (possibly spoofed) source IP address is allowed to send
          remote configuration requests, and if the attacker knows the
          remote configuration password or if ntpd was (foolishly)
          configured to disable authentication, then an attacker can
          send a set of packets to ntpd that may cause it to crash,
          with the hypothetical possibility of a small code injection.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade, remote configuration of NTF's
              ntpd requires:
                    an explicitly configured "trusted" key. Only configure
                              this if you need it.
                    access from a permitted IP address. You choose the IPs.
                    authentication. Don't disable it. Practice secure key safety.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Yves Younan and
          Aleksandar Nikolic of Cisco Talos.

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
          4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
          an unusually long data value where a network address is expected,
          the decodenetnum() function will abort with an assertion failure
          instead of simply returning a failure condition.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade:
                    mode 7 is disabled by default. Don't enable it.
                    Use restrict noquery to limit who can send mode 6
                              and mode 7 requests.
                    Configure and use the controlkey and requestkey
                              authentication directives to limit who can
                              send mode 6 and mode 7 requests.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org.
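
The mitigations repeated across the advisories above come down to a handful
of ntp.conf directives: whether mode 7 is enabled, whether authentication is
on, whether the default restrict line carries noquery and nomodify, and
whether controlkey/requestkey name a key that is also listed in trustedkey.
The following added example (not ntp project code; the two configurations and
the 192.0.2.10 management host are constructed, and the "(lo ... hi)"
trustedkey range syntax is assumed from ntp.conf's grammar) audits a
configuration for exactly those points:

```python
"""Audit an ntp.conf for the remote-configuration exposure the 4.2.8p4
advisories describe.  Added example, not ntp project code.  The two sample
configurations below are constructed for illustration."""
import re

# Constructed: the shape the advisories warn about.  Any source may send
# mode 6/7 requests, mode 7 is switched on, and authentication is off.
WEAK_CONF = """\
restrict default kod limited nomodify
enable mode7
disable auth
controlkey 1
requestkey 2
trustedkey 1
"""

# Constructed: mode 7 left at its 4.2.8 default (off), queries refused by
# default, one management host allowed, controlkey listed in trustedkey.
HARDENED_CONF = """\
restrict default kod limited nomodify nopeer noquery
restrict -6 default kod limited nomodify nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.10          # management host; must still authenticate
controlkey 1
trustedkey (1 ... 4)         # assumed range syntax: "(lo ... hi)"
"""


def parse_ntp_conf(text):
    """Collect only the directives the advisories' mitigations hinge on."""
    st = {"mode7": False,        # 4.2.8 default: mode 7 disabled
          "auth": True,          # 'disable auth' switches it off
          "default_flags": set(),
          "controlkey": None, "requestkey": None,
          "trustedkey": set()}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw in ("enable", "disable"):
            for flag in ("mode7", "auth"):
                if flag in args:
                    st[flag] = (kw == "enable")
        elif kw == "restrict":
            a = [x for x in args if x not in ("-4", "-6")]
            if a and a[0] == "default":
                st["default_flags"].update(a[1:])
        elif kw in ("controlkey", "requestkey") and args:
            st[kw] = int(args[0])
        elif kw == "trustedkey":
            # single ids and "(lo ... hi)" ranges
            for lo, hi, one in re.findall(
                    r"\(\s*(\d+)\s*\.\.\.\s*(\d+)\s*\)|(\d+)", " ".join(args)):
                if one:
                    st["trustedkey"].add(int(one))
                else:
                    st["trustedkey"].update(range(int(lo), int(hi) + 1))
    return st


def audit(text):
    """Return a list of findings; an empty list means no exposure found."""
    st = parse_ntp_conf(text)
    findings = []
    if st["mode7"]:
        findings.append("mode 7 enabled (off by default in 4.2.8); leave it "
                        "off unless required")
    if not st["auth"]:
        findings.append("'disable auth': remote configuration accepts "
                        "unauthenticated packets")
    if "noquery" not in st["default_flags"]:
        findings.append("restrict default lacks noquery: any source may send "
                        "mode 6/7 queries")
        if "nomodify" not in st["default_flags"]:
            findings.append("restrict default lacks nomodify: any source may "
                            "attempt reconfiguration")
    for kw in ("controlkey", "requestkey"):
        kid = st[kw]
        if kid is not None and kid not in st["trustedkey"]:
            findings.append(f"{kw} {kid} is not listed in trustedkey")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "OK")
```

Run it over a real configuration by passing the file contents to audit(); an
empty list means none of the preconditions the advisories rely on is present.
It says nothing about whether the keys file itself is readable only by ntpd,
which the "secure key safety" line above is about.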
* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
          4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
          from unauthenticated ephemeral symmetric peers by bypassing the
          authentication required to mobilize peer associations. This
          vulnerability appears to have been introduced in ntp-4.2.5p186
          when the code handling mobilization of new passive symmetric
          associations (lines 1103-1165) was refactored.
  Mitigation:
          Implement BCP-38.
          Upgrade to 4.2.8p4, or later, from the NTP Project Download
              Page or the NTP Public Services Project Download Page.
          If you are unable to upgrade:
                    Apply the patch to the bottom of the "authentic" check
                              block around line 1136 of ntp_proto.c.
          Monitor your ntpd instances.
  Credit: This weakness was discovered by Matthew Van Gundy of Cisco ASIG.

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
  While the general default of 32M is still the case, under Linux
  the default value has been changed to -1 (do not lock ntpd into
  memory).  A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control.  A value of -1 means
  "don't lock ntpd into memory".  This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
  the value is the number of megabytes of memory to lock.  The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize.  Brian Utterback.  Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
  be configured for the distribution targets.  Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
* sntp/tests/ function parameter list cleanup.  Damir Tomić.
* tests/libntp/ function parameter list cleanup.  Damir Tomić.
* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
  fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h made to agree with NTP's formatting conventions.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated file from SCM.  H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
* Don't build sntp/libevent/sample/.  Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
* br-flock: --enable-local-libevent.  Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
* Code cleanup.  Harlan Stenn.
* libntp/icom.c: Typo fix.  Harlan Stenn.
* util/ntptime.c: initialization nit.  Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression.  Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I.  Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
* Update the NEWS file.  Harlan Stenn.
* Autoconf cleanup.  Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files.  Harlan Stenn.
* Pthread autoconf macro cleanup.  Harlan Stenn.
* Fix progname definition in unity runner scripts.  Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
* Update the patch for bug 2817.  Harlan Stenn.
* More updates for bug 2817.  Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
* gcc on older HPUX may need +allowdups.  Harlan Stenn.
* Adding missing MCAST protection.  Harlan Stenn.
* Disable certain test programs on certain platforms.  Harlan Stenn.
* Implement --enable-problem-tests (on by default).  Harlan Stenn.
* build system tweaks.  Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time.  A specially built and configured ntpd will only
offer smeared time in response to client packets.  These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
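
To make the REFID encoding concrete, here is an added example (not ntp's
refidsmear code; it assumes the 24-bit 2:22 field is two's-complement
signed, so negative smear values round-trip) that packs a smear offset into
a 254.a.b.c REFID and decodes the dotted-quad refid column that ntpq prints,
which is how you would spot a smeared upstream you did not intend to use:

```python
"""Encode/decode the leap-smear REFID (254.a.b.c, 2:22 fixed point).
Added example, not ntp project code.  Assumption: the 24-bit field is
two's-complement signed."""

SMEAR_PREFIX = 254
FRAC_BITS = 22


def refid_from_smear(seconds):
    """Pack a smear offset in seconds (|s| < 2) into a 254.a.b.c REFID."""
    raw = round(seconds * (1 << FRAC_BITS))
    if not -(1 << 23) <= raw < (1 << 23):
        raise ValueError("smear out of 2:22 range")
    return (SMEAR_PREFIX << 24) | (raw & 0xFFFFFF)


def smear_from_refid(refid):
    """Return the smear in seconds, or None if this is not a smear REFID."""
    if refid >> 24 != SMEAR_PREFIX:
        return None
    raw = refid & 0xFFFFFF
    if raw & 0x800000:          # sign bit of the 24-bit field (assumed)
        raw -= 1 << 24
    return raw / (1 << FRAC_BITS)


def dotted(refid):
    """32-bit REFID as the dotted quad ntpq shows in its refid column."""
    return ".".join(str((refid >> s) & 0xFF) for s in (24, 16, 8, 0))


def parse_dotted(text):
    a, b, c, d = (int(x) for x in text.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def smear_from_ntpq_refid(text):
    """Feed this the refid column of 'ntpq -pn' to flag smearing servers."""
    return smear_from_refid(parse_dotted(text))


if __name__ == "__main__":
    for s in (0.5, -0.25):
        r = refid_from_smear(s)
        print(s, dotted(r), smear_from_ntpq_refid(dotted(r)))
    print(smear_from_ntpq_refid("192.0.2.1"))   # constructed, not a smear refid
```

A 254.x.y.z refid on a server you did not build for smearing is worth a
closer look: 254/8 is reserved and will not show up as an ordinary IPv4
reference identifier.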

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework.  If you want
to write new tests or change old ones, you'll need to have ruby
installed.  You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correct the type of driver40-ja.html.
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
   Fixed an initial-value problem that caused misbehaviour in absence of
   any leapsecond information.
   Do leap second stepping only if the step adjustment is beyond the
   proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building the 32-bit loopback ppsapi needs a .def file.
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   NTPD transfers the current TAI (instead of an announcement) now.
   This might still need improvement.
   Update autokey data ASAP when 'sys_tai' changes.
   Fix unit test that was broken by changes for autokey update.
   Avoid potential signature length issue and use DPRINTF where possible
     in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
   Fixed compiler warnings about numeric range overflow
   (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
* [Bug 2859] Improve raw DCF77 decoding robustness.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* html/drivers/driver22.html: typo fix.  Harlan Stenn.
* refidsmear test cleanup.  Tomasz Flendrich.
* refidsmear function support and tests.  Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp.  Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libntp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code.  Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
          including ntp-4.2.8p2 where the installation uses symmetric keys
          to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
          a remote NTP server/peer, it checks if the NTP message
          authentication code (MAC) in received packets is valid, but not if
          there actually is any MAC included. Packets without a MAC are
          accepted as if they had a valid MAC. This allows a MITM attacker to
          send false packets that are accepted by the client/peer without
          having to know the symmetric key. The attacker needs to know the
          transmit timestamp of the client to match it in the forged reply
          and the false reply needs to reach the client before the genuine
          reply from the server. The attacker doesn't necessarily need to be
          relaying the packets between the client and the server.

          Authentication using autokey doesn't have this problem as there is
          a check that requires the key ID to be larger than NTP_MAXKEY,
          which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
          or the NTP Public Services Project Download Page.
        Configure ntpd with enough time sources and monitor it properly.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
6898
6899* [Sec 2781] Authentication doesn't protect symmetric associations against
6900  DoS attacks.
6901
6902    References: Sec 2781 / CVE-2015-1799 / VU#374268
6903    Affects: All NTP releases starting with at least xntp3.3wy up to but
6904          not including ntp-4.2.8p2 where the installation uses symmetric
6905          key authentication.
6906    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
6907    Note: the CVSS base Score for this issue could be 4.3 or lower, and
6908          it could be higher than 5.4.
6909    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
6910    Summary: An attacker knowing that NTP hosts A and B are peering with
6911          each other (symmetric association) can send a packet to host A
6912          with source address of B which will set the NTP state variables
6913          on A to the values sent by the attacker. Host A will then send
6914          on its next poll to B a packet with originate timestamp that
6915          doesn't match the transmit timestamp of B and the packet will
6916          be dropped. If the attacker does this periodically for both
6917          hosts, they won't be able to synchronize to each other. This is
6918          a known denial-of-service attack, described at
6919          https://www.eecis.udel.edu/~mills/onwire.html .
6920
6921          According to the document the NTP authentication is supposed to
6922          protect symmetric associations against this attack, but that
6923          doesn't seem to be the case. The state variables are updated even
6924          when authentication fails and the peers are sending packets with
6925          originate timestamps that don't match the transmit timestamps on
6926          the receiving side.
6927
6928          This seems to be a very old problem, dating back to at least
6929          xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
6930          specifications, so other NTP implementations with support for
6931          symmetric associations and authentication may be vulnerable too.
6932          An update to the NTP RFC to correct this error is in process.
6933    Mitigation:
6934        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
6935          or the NTP Public Services Project Download Page
6936        Note that for users of autokey, this specific style of MITM attack
6937          is simply a long-known potential problem.
6938        Configure ntpd with appropriate time sources and monitor ntpd.
6939          Alert your staff if problems are detected.
6940    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
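A worked illustration of both Sec 2779 and Sec 2781, added here as example code that is not part of ntpd: a minimal NTPv4 header builder with the symmetric-key MD5 MAC, the "MAC optional" check beside the corrected one, and a peer model that updates its org/rec state either before or after the MAC verdict. The key ring, key id, timestamps and forged packets are constructed values.

```python
import hashlib
import hmac
import struct

# An NTPv4 header is 48 bytes.  A symmetric-key MD5 MAC appends a 4-byte key
# id and a 16-byte digest of (key || header).  NTP_MAXKEY is the largest
# symmetric key id; Autokey uses ids above it, which is why Autokey did not
# share the Sec 2779 problem.
NTP_HEADER_LEN = 48
MD5_MAC_LEN = 4 + 16
NTP_MAXKEY = 65535

# Constructed key ring standing in for ntp.keys: key id -> shared secret.
KEYS = {10: b"constructed-shared-secret"}


def build_packet(org, rec, xmt, key_id=None, key=None):
    """Build a minimal symmetric-active (mode 1) NTPv4 header carrying the
    given 64-bit origin, receive and transmit timestamps, plus an optional MAC."""
    li_vn_mode = (0 << 6) | (4 << 3) | 1
    hdr = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)   # stratum, poll, precision
    hdr += struct.pack("!II", 0, 0)                     # root delay, root dispersion
    hdr += b"LOCL"                                      # reference id
    hdr += struct.pack("!QQQQ", 0, org, rec, xmt)       # reference, org, rec, xmt
    if key_id is not None:
        hdr += struct.pack("!I", key_id) + hashlib.md5(key + hdr).digest()
    return hdr


def mac_ok_vulnerable(pkt, key_id):
    """Pre-4.2.8p2 behaviour (Sec 2779): a MAC is verified only when one is
    present, so a packet with no MAC at all is treated as authentic."""
    if len(pkt) == NTP_HEADER_LEN:
        return True   # BUG: the absence of a MAC counts as success
    return mac_ok_fixed(pkt, key_id)


def mac_ok_fixed(pkt, key_id):
    """Require a MAC of the right length, the configured key id and a
    matching digest; a packet without a MAC is rejected like any other."""
    if len(pkt) != NTP_HEADER_LEN + MD5_MAC_LEN:
        return False
    pkt_key_id = struct.unpack("!I", pkt[48:52])[0]
    if pkt_key_id != key_id or pkt_key_id > NTP_MAXKEY or key_id not in KEYS:
        return False
    expected = hashlib.md5(KEYS[key_id] + pkt[:48]).digest()
    return hmac.compare_digest(expected, pkt[52:])


class Peer:
    """The per-association state variables that Sec 2781 is about."""

    def __init__(self, key_id):
        self.key_id = key_id
        self.org = 0    # xmt of the last packet accepted from the peer
        self.rec = 0    # local time at which that packet arrived
        self.xmt = 0    # xmt of the last packet we sent

    def send(self, now):
        self.xmt = now
        return build_packet(self.org, self.rec, self.xmt, self.key_id, KEYS[self.key_id])

    def receive(self, pkt, now, authenticate, update_before_auth):
        org, rec, xmt = struct.unpack("!QQQ", pkt[24:48])
        if update_before_auth:
            self.org, self.rec = xmt, now   # Sec 2781: state changed before the MAC verdict
        if not authenticate(pkt, self.key_id):
            return "auth_fail"
        if org != self.xmt:
            return "bogus_origin"           # the on-wire origin check (TEST2)
        self.org, self.rec = xmt, now
        return "accepted"


def simulate(authenticate, update_before_auth, forged):
    """Peers A and B complete one round; then a packet spoofed as B reaches A.
    Returns (A's verdict on the forgery, B's verdict on A's next poll)."""
    a, b = Peer(10), Peer(10)
    b.receive(a.send(1000), 1001, authenticate, update_before_auth)   # A polls B
    a.receive(b.send(1002), 1003, authenticate, update_before_auth)   # B replies
    forged_verdict = a.receive(forged, 1004, authenticate, update_before_auth)
    next_verdict = b.receive(a.send(1010), 1011, authenticate, update_before_auth)
    return forged_verdict, next_verdict


# Constructed forgeries: both claim to come from B and echo A's xmt (1000),
# one with no MAC at all, one with a MAC under a key that is simply wrong.
FORGED_NO_MAC = build_packet(1000, 0, 9999)
FORGED_BAD_KEY = build_packet(1000, 0, 9999, 10, b"wrong-guess")

if __name__ == "__main__":
    print("Sec 2779 (MAC optional):  ", simulate(mac_ok_vulnerable, False, FORGED_NO_MAC))
    print("Sec 2781 (state pre-auth):", simulate(mac_ok_fixed, True, FORGED_BAD_KEY))
    print("Fixed:                    ", simulate(mac_ok_fixed, False, FORGED_BAD_KEY))
```

In the two vulnerable runs A's org is poisoned with the forged xmt, so B rejects A's next poll as bogus; with the corrected checks the forgery leaves A's state untouched and the association keeps synchronizing.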
6941
6942* New script: update-leap
6943The update-leap script will verify and, if necessary, update the
6944leap-second definition file.
6945It requires the following commands in order to work:
6946
6947          wget logger tr sed shasum
6948
6949Some may choose to run this from cron.  It needs more portability testing.
6950
6951Bug Fixes and Improvements:
6952
6953* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
6954* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
6955* [Bug 2346] "graceful termination" signals do not do peer cleanup.
6956* [Bug 2728] See if C99-style structure initialization works.
6957* [Bug 2747] Upgrade libevent to 2.1.5-beta.
6958* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
6959* [Bug 2751] jitter.h has stale copies of l_fp macros.
6960* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
6961* [Bug 2757] Quiet compiler warnings.
6962* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
6963* [Bug 2763] Allow different thresholds for forward and backward steps.
6964* [Bug 2766] ntp-keygen output files should not be world-readable.
6965* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
6966* [Bug 2771] nonvolatile value is documented in wrong units.
6967* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
6968* [Bug 2774] Unreasonably verbose printout - leap pending/warning
6969* [Bug 2775] ntp-keygen.c fails to compile under Windows.
6970* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
6971  Removed non-ASCII characters from some copyright comments.
6972  Removed trailing whitespace.
6973  Updated definitions for Meinberg clocks from current Meinberg header files.
6974  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
6975  Account for updated definitions pulled from Meinberg header files.
6976  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
6977  Replaced some constant numbers by defines from ntp_calendar.h
6978  Modified creation of parse-specific variables for Meinberg devices
6979  in gps16x_message().
6980  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
6981  Modified mbg_tm_str() which now expects an additional parameter controlling
6982  whether the time status shall be printed.
6983* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
6984* [Sec 2781] Authentication doesn't protect symmetric associations against
6985  DoS attacks.
6986* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
6987* [Bug 2789] Quiet compiler warnings from libevent.
6988* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
6989  pause briefly before measuring system clock precision to yield
6990  correct results.
6991* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
6992* Use predefined function types for parse driver functions
6993  used to set up function pointers.
6994  Account for changed prototype of parse_inp_fnc_t functions.
6995  Cast parse conversion results to appropriate types to avoid
6996  compiler warnings.
6997  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
6998  when called with pointers to different types.
6999
7000---
7001NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
7002
7003Focus: Security and Bug fixes, enhancements.
7004
7005Severity: HIGH
7006
7007In addition to bug fixes and enhancements, this release fixes the
7008following high-severity vulnerabilities:
7009
7010* vallen is not validated in several places in ntp_crypto.c, leading
7011  to a potential information leak or possibly a crash
7012
7013    References: Sec 2671 / CVE-2014-9297 / VU#852879
7014    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
7015    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
7016    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
7017    Summary: The vallen packet value is not validated in several code
7018          paths in ntp_crypto.c which can lead to information leakage
7019          or perhaps a crash of the ntpd process.
7020    Mitigation - any of:
7021          Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
7022                    or the NTP Public Services Project Download Page.
7023          Disable Autokey Authentication by removing, or commenting out,
7024                    all configuration directives beginning with the "crypto"
7025                    keyword in your ntp.conf file.
7026    Credit: This vulnerability was discovered by Stephen Roettger of the
7027          Google Security Team, with additional cases found by Sebastian
7028          Krahmer of the SUSE Security Team and Harlan Stenn of Network
7029          Time Foundation.
7030
7031* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
7032  can be bypassed.
7033
7034    References: Sec 2672 / CVE-2014-9298 / VU#852879
7035    Affects: All NTP4 releases before 4.2.8p1, under at least some
7036          versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
7037    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
7038    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
7039    Summary: While available kernels will prevent 127.0.0.1 addresses
7040          from "appearing" on non-localhost IPv4 interfaces, some kernels
7041          do not offer the same protection for ::1 source addresses on
7042          IPv6 interfaces. Since NTP's access control is based on source
7043          address and localhost addresses generally have no restrictions,
7044          an attacker can send malicious control and configuration packets
7045          by spoofing ::1 addresses from the outside. Note Well: This is
7046          not really a bug in NTP, it's a problem with some OSes. If you
7047          have one of these OSes where ::1 can be spoofed, ALL ::1-based
7048          ACL restrictions on any application can be bypassed!
7049    Mitigation:
7050        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
7051          or the NTP Public Services Project Download Page
7052        Install firewall rules to block packets claiming to come from
7053          ::1 from inappropriate network interfaces.
7054    Credit: This vulnerability was discovered by Stephen Roettger of
7055          the Google Security Team.
7056
7057Additionally, over 30 bugfixes and improvements were made to the codebase.
7058See the ChangeLog for more information.
7059
7060---
7061NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
7062
7063Focus: Security and Bug fixes, enhancements.
7064
7065Severity: HIGH
7066
7067In addition to bug fixes and enhancements, this release fixes the
7068following high-severity vulnerabilities:
7069
7070************************** vv NOTE WELL vv *****************************
7071
7072The vulnerabilities listed below can be significantly mitigated by
7073following the BCP of putting
7074
7075 restrict default ... noquery
7076
7077in the ntp.conf file.  With the exception of:
7078
7079   receive(): missing return on error
7080   References: Sec 2670 / CVE-2014-9296 / VU#852879
7081
7082below (which is a limited-risk vulnerability), none of the recent
7083vulnerabilities listed below can be exploited if the source IP is
7084restricted from sending a 'query'-class packet by your ntp.conf file.
7085
7086************************** ^^ NOTE WELL ^^ *****************************
7087
7088* Weak default key in config_auth().
7089
7090  References: [Sec 2665] / CVE-2014-9293 / VU#852879
7091  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
7092  Vulnerable Versions: all releases prior to 4.2.7p11
7093  Date Resolved: 28 Jan 2010
7094
7095  Summary: If no 'auth' key is set in the configuration file, ntpd
7096          would generate a random key on the fly.  There were two
7097          problems with this: 1) the generated key was 31 bits in size,
7098          and 2) it used the (now weak) ntp_random() function, which was
7099          seeded with a 32-bit value and could only provide 32 bits of
7100          entropy.  This was sufficient back in the late 1990s when the
7101          code was written.  Not today.
7102
7103  Mitigation - any of:
7104          - Upgrade to 4.2.7p11 or later.
7105          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
7106
7107  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
7108          of the Google Security Team.
7109
7110* Non-cryptographic random number generator with weak seed used by
7111  ntp-keygen to generate symmetric keys.
7112
7113  References: [Sec 2666] / CVE-2014-9294 / VU#852879
7114  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
7115  Vulnerable Versions: All NTP4 releases before 4.2.7p230
7116  Date Resolved: Dev (4.2.7p230) 01 Nov 2011
7117
7118  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
7119          prepare a random number generator that was of good quality back
7120          in the late 1990s. The random numbers produced were then used to
7121          generate symmetric keys. In ntp-4.2.8 we use a current-technology
7122          cryptographic random number generator, either RAND_bytes from
7123          OpenSSL, or arc4random().
7124
7125  Mitigation - any of:
7126          - Upgrade to 4.2.7p230 or later.
7127          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
7128
7129  Credit:  This vulnerability was discovered in ntp-4.2.6 by
7130          Stephen Roettger of the Google Security Team.
7131
7132* Buffer overflow in crypto_recv()
7133
7134  References: Sec 2667 / CVE-2014-9295 / VU#852879
7135  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
7136  Versions: All releases before 4.2.8
7137  Date Resolved: Stable (4.2.8) 18 Dec 2014
7138
7139  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
7140          file contains a 'crypto pw ...' directive) a remote attacker
7141          can send a carefully crafted packet that can overflow a stack
7142          buffer and potentially allow malicious code to be executed
7143          with the privilege level of the ntpd process.
7144
7145  Mitigation - any of:
7146          - Upgrade to 4.2.8, or later, or
7147          - Disable Autokey Authentication by removing, or commenting out,
7148            all configuration directives beginning with the crypto keyword
7149            in your ntp.conf file.
7150
7151  Credit: This vulnerability was discovered by Stephen Roettger of the
7152          Google Security Team.
7153
7154* Buffer overflow in ctl_putdata()
7155
7156  References: Sec 2668 / CVE-2014-9295 / VU#852879
7157  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
7158  Versions: All NTP4 releases before 4.2.8
7159  Date Resolved: Stable (4.2.8) 18 Dec 2014
7160
7161  Summary: A remote attacker can send a carefully crafted packet that
7162          can overflow a stack buffer and potentially allow malicious
7163          code to be executed with the privilege level of the ntpd process.
7164
7165  Mitigation - any of:
7166          - Upgrade to 4.2.8, or later.
7167          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
7168
7169  Credit: This vulnerability was discovered by Stephen Roettger of the
7170          Google Security Team.
7171
7172* Buffer overflow in configure()
7173
7174  References: Sec 2669 / CVE-2014-9295 / VU#852879
7175  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
7176  Versions: All NTP4 releases before 4.2.8
7177  Date Resolved: Stable (4.2.8) 18 Dec 2014
7178
7179  Summary: A remote attacker can send a carefully crafted packet that
7180          can overflow a stack buffer and potentially allow malicious
7181          code to be executed with the privilege level of the ntpd process.
7182
7183  Mitigation - any of:
7184          - Upgrade to 4.2.8, or later.
7185          - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
7186
7187  Credit: This vulnerability was discovered by Stephen Roettger of the
7188          Google Security Team.
7189
7190* receive(): missing return on error
7191
7192  References: Sec 2670 / CVE-2014-9296 / VU#852879
7193  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
7194  Versions: All NTP4 releases before 4.2.8
7195  Date Resolved: Stable (4.2.8) 18 Dec 2014
7196
7197  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
7198          the code path where an error was detected, which meant
7199          processing did not stop when a specific rare error occurred.
7200          We haven't found a way for this bug to affect system integrity.
7201          If there is no way to affect system integrity the base CVSS
7202          score for this bug is 0. If there is one avenue through which
7203          system integrity can be partially affected, the base score
7204          becomes a 5. If system integrity can be partially affected
7205          via all three integrity metrics, the CVSS base score becomes 7.5.
7206
7207  Mitigation - any of:
7208        - Upgrade to 4.2.8, or later,
7209        - Remove or comment out all configuration directives
7210            beginning with the crypto keyword in your ntp.conf file.
7211
7212  Credit: This vulnerability was discovered by Stephen Roettger of the
7213          Google Security Team.
7214
7215See http://support.ntp.org/security for more information.
7216
7217New features / changes in this release:
7218
7219Important Changes
7220
7221* Internal NTP Era counters
7222
7223The internal counters that track the "era" (range of years) we are in
7224roll over every 136 years.  The current "era" started at the stroke of
7225midnight on 1 Jan 1900, and ends just before the stroke of midnight on
72261 Jan 2036.
7227In the past, we have used the "midpoint" of the range to decide which
7228era we were in.  Given the longevity of some products, it became clear
7229that it would be more functional to "look back" less, and "look forward"
7230more.  We now compile a timestamp into the ntpd executable and when we
7231get a timestamp we use the "built-on" timestamp to tell us what era we are in.
7232This check "looks back" 10 years, and "looks forward" 126 years.
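As an added example (not ntpd's own code), the era resolution described above with a constructed build-on timestamp: a 32-bit seconds field is placed in the 136-year window that starts 10 years before the build date, so a value that has already passed the 2036 rollover resolves to the next era while a value older than the look-back is pushed 136 years forward.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
ERA_SECONDS = 1 << 32                      # one era is 2^32 s, about 136 years
LOOK_BACK = timedelta(days=10 * 365.25)    # window starts 10 years before the build;
                                           # the remaining ~126 years look forward


def ntp_seconds(dt):
    """Full (unbounded) count of seconds since the NTP epoch, 1 Jan 1900 UTC."""
    return (dt - NTP_EPOCH) // timedelta(seconds=1)


def on_wire_seconds(dt):
    """What a 32-bit NTP seconds field actually carries: the count modulo 2^32."""
    return ntp_seconds(dt) % ERA_SECONDS


def resolve_era(wire_seconds, build_time):
    """Map a 32-bit seconds value to a full timestamp inside the 136-year
    window that starts LOOK_BACK before build_time.  The window start fixes
    the era; a value that would land before it belongs to the next era."""
    window_start = ntp_seconds(build_time - LOOK_BACK)
    era_base = (window_start // ERA_SECONDS) * ERA_SECONDS
    full = era_base + wire_seconds
    if full < window_start:
        full += ERA_SECONDS
    return NTP_EPOCH + timedelta(seconds=full)


# Constructed pivot: pretend ntpd was built on the 4.2.8 release day.
BUILD_TIME = datetime(2014, 12, 18, tzinfo=timezone.utc)


def wire_for(year, month, day):
    """32-bit seconds value a packet would carry for the given UTC date."""
    return on_wire_seconds(datetime(year, month, day, tzinfo=timezone.utc))


def resolved_year(year, month, day, build_time=BUILD_TIME):
    """Year ntpd would assign to the on-wire value for that date."""
    return resolve_era(wire_for(year, month, day), build_time).year


if __name__ == "__main__":
    for label, ymd in [("2010 timestamp, inside the window", (2010, 6, 1)),
                       ("2036 timestamp, past the rollover", (2036, 3, 1)),
                       ("1994 timestamp, older than look-back", (1994, 1, 1))]:
        wire = wire_for(*ymd)
        print(f"{label}: 0x{wire:08x} -> {resolve_era(wire, BUILD_TIME):%Y-%m-%d}")
```

The 1994 value lands in 2130 because, with only 10 years of look-back from a 2014 build, anything older is taken to be a wrapped timestamp from the following era.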
7233
7234* ntpdc responses disabled by default
7235
7236Dave Hart writes:
7237
7238For a long time, ntpq and its mostly text-based mode 6 (control)
7239protocol have been preferred over ntpdc and its mode 7 (private
7240request) protocol for runtime queries and configuration.  There has
7241been a goal of deprecating ntpdc, previously held back by numerous
7242capabilities exposed by ntpdc with no ntpq equivalent.  I have been
7243adding commands to ntpq to cover these cases, and I believe I've
7244covered them all, though I've not compared command-by-command
7245recently.
7246
7247As I've said previously, the binary mode 7 protocol involves a lot of
7248hand-rolled structure layout and byte-swapping code in both ntpd and
7249ntpdc which is hard to get right.  As ntpd grows and changes, the
7250changes are difficult to expose via ntpdc while maintaining forward
7251and backward compatibility between ntpdc and ntpd.  In contrast,
7252ntpq's text-based, label=value approach involves more code reuse and
7253allows compatible changes without extra work in most cases.
7254
7255Mode 7 has always been defined as vendor/implementation-specific while
7256mode 6 is described in RFC 1305 and intended to be open to interoperate
7257with other implementations.  There is an early draft of an updated
7258mode 6 description that likely will join the other NTPv4 RFCs
7259eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
7260
7261For these reasons, ntpd 4.2.7p230 by default disables processing of
7262ntpdc queries, reducing ntpd's attack surface and functionally
7263deprecating ntpdc.  If you are in the habit of using ntpdc for certain
7264operations, please try the ntpq equivalent.  If there's no equivalent,
7265please open a bug report at http://bugs.ntp.org./
7266
7267In addition to the above, over 1100 issues have been resolved between
7268the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
7269lists these.
7270
7271---
7272NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
7273
7274Focus: Bug fixes
7275
7276Severity: Medium
7277
7278This is a recommended upgrade.
7279
7280This release updates sys_rootdisp and sys_jitter calculations to match the
7281RFC specification, fixes a potential IPv6 address matching error for the
7282"nic" and "interface" configuration directives, suppresses the creation of
7283extraneous ephemeral associations for certain broadcastclient and
7284multicastclient configurations, cleans up some ntpq display issues, and
7285includes improvements to orphan mode, minor bugs fixes and code clean-ups.
7286
7287New features / changes in this release:
7288
7289ntpd
7290
7291 * Updated "nic" and "interface" IPv6 address handling to prevent
7292   mismatches with localhost [::1] and wildcard [::] which resulted from
7293   using the address/prefix format (e.g. fe80::/64)
7294 * Fix orphan mode stratum incorrectly counting to infinity
7295 * Orphan parent selection metric updated to include missing ntohl()
7296 * Non-printable stratum 16 refid no longer sent to ntp
7297 * Duplicate ephemeral associations suppressed for broadcastclient and
7298   multicastclient without broadcastdelay
7299 * Exclude undetermined sys_refid from use in loopback TEST12
7300 * Exclude MODE_SERVER responses from KoD rate limiting
7301 * Include root delay in clock_update() sys_rootdisp calculations
7302 * get_systime() updated to exclude sys_residual offset (which only
7303   affected bits "below" sys_tick, the precision threshold)
7304 * sys.peer jitter weighting corrected in sys_jitter calculation
7305
7306ntpq
7307
7308 * -n option extended to include the billboard "server" column
7309 * IPv6 addresses in the local column truncated to prevent overruns
7310
7311---
7312NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
7313
7314Focus: Bug fixes and portability improvements
7315
7316Severity: Medium
7317
7318This is a recommended upgrade.
7319
7320This release includes build infrastructure updates, code
7321clean-ups, minor bug fixes, fixes for a number of minor
7322ref-clock issues, and documentation revisions.
7323
7324Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
7325
7326New features / changes in this release:
7327
7328Build system
7329
7330* Fix checking for struct rtattr
7331* Update config.guess and config.sub for AIX
7332* Upgrade required version of autogen and libopts for building
7333  from our source code repository
7334
7335ntpd
7336
7337* Back-ported several fixes for Coverity warnings from ntp-dev
7338* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
7339* Allow "logconfig =allall" configuration directive
7340* Bind tentative IPv6 addresses on Linux
7341* Correct WWVB/Spectracom driver to timestamp CR instead of LF
7342* Improved tally bit handling to prevent incorrect ntpq peer status reports
7343* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
7344  candidate list unless they are designated a "prefer peer"
7345* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
7346  selection during the 'tos orphanwait' period
7347* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
7348  drivers
7349* Improved support of the Parse Refclock trusttime flag in Meinberg mode
7350* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
7351* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
7352  clock slew on Microsoft Windows
7353* Code cleanup in libntpq
7354
7355ntpdc
7356
7357* Fix timerstats reporting
7358
7359ntpdate
7360
7361* Reduce time required to set clock
7362* Allow a timeout greater than 2 seconds
7363
7364sntp
7365
7366* Backward incompatible command-line option change:
7367  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)
7368
7369Documentation
7370
7371* Update html2man. Fix some tags in the .html files
7372* Distribute ntp-wait.html
7373
7374---
7375NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
7376
7377Focus: Bug fixes and portability improvements
7378
7379Severity: Medium
7380
7381This is a recommended upgrade.
7382
7383This release includes build infrastructure updates, code
7384clean-ups, minor bug fixes, fixes for a number of minor
7385ref-clock issues, and documentation revisions.
7386
7387Portability improvements in this release affect AIX, Atari FreeMiNT,
7388FreeBSD4, Linux and Microsoft Windows.
7389
7390New features / changes in this release:
7391
7392Build system
7393* Use lsb_release to get information about Linux distributions.
7394* 'test' is in /usr/bin (instead of /bin) on some systems.
7395* Basic sanity checks for the ChangeLog file.
7396* Source certain build files with ./filename for systems without . in PATH.
7397* IRIX portability fix.
7398* Use a single copy of the "libopts" code.
7399* autogen/libopts upgrade.
7400* configure.ac m4 quoting cleanup.
7401
7402ntpd
7403* Do not bind to IN6_IFF_ANYCAST addresses.
7404* Log the reason for exiting under Windows.
7405* Multicast fixes for Windows.
7406* Interpolation fixes for Windows.
7407* IPv4 and IPv6 Multicast fixes.
7408* Manycast solicitation fixes and general repairs.
7409* JJY refclock cleanup.
7410* NMEA refclock improvements.
7411* Oncore debug message cleanup.
7412* Palisade refclock now builds under Linux.
7413* Give RAWDCF more baud rates.
7414* Support Truetime Satellite clocks under Windows.
7415* Support Arbiter 1093C Satellite clocks under Windows.
7416* Make sure that the "filegen" configuration command defaults to "enable".
7417* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
7418* Prohibit 'includefile' directive in remote configuration command.
7419* Fix 'nic' interface bindings.
7420* Fix the way we link with openssl if openssl is installed in the base
7421  system.
7422
7423ntp-keygen
7424* Fix -V coredump.
7425* OpenSSL version display cleanup.
7426
7427ntpdc
7428* Many counters should be treated as unsigned.
7429
7430ntpdate
7431* Do not ignore replies with equal receive and transmit timestamps.
7432
7433ntpq
7434* libntpq warning cleanup.
7435
7436ntpsnmpd
7437* Correct SNMP type for "precision" and "resolution".
7438* Update the MIB from the draft version to RFC-5907.
7439
7440sntp
7441* Display timezone offset when showing time for sntp in the local
7442  timezone.
7443* Pay proper attention to RATE KoD packets.
7444* Fix a miscalculation of the offset.
7445* Properly parse empty lines in the key file.
7446* Logging cleanup.
7447* Use tv_usec correctly in set_time().
7448* Documentation cleanup.
7449
7450---
7451NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
7452
7453Focus: Bug fixes and portability improvements
7454
7455Severity: Medium
7456
7457This is a recommended upgrade.
7458
7459This release includes build infrastructure updates, code
7460clean-ups, minor bug fixes, fixes for a number of minor
7461ref-clock issues, improved KOD handling, OpenSSL related
7462updates and documentation revisions.
7463
7464Portability improvements in this release affect Irix, Linux,
7465Mac OS, Microsoft Windows, OpenBSD and QNX6
7466
7467New features / changes in this release:
7468
7469ntpd
7470* Range syntax for the trustedkey configuration directive
7471* Unified IPv4 and IPv6 restrict lists
7472
7473ntpdate
7474* Rate limiting and KOD handling
7475
7476ntpsnmpd
7477* default connection to net-snmpd via a unix-domain socket
7478* command-line 'socket name' option
7479
7480ntpq / ntpdc
7481* support for the "passwd ..." syntax
7482* key-type specific password prompts
7483
7484sntp
7485* MD5 authentication of an ntpd
7486* Broadcast and crypto
7487* OpenSSL support
7488
7489---
7490NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
7491
7492Focus: Bug fixes, portability fixes, and documentation improvements
7493
7494Severity: Medium
7495
7496This is a recommended upgrade.
7497
7498---
7499NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
7500
7501Focus: enhancements and bug fixes.
7502
7503---
7504NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
7505
7506Focus: Security Fixes
7507
7508Severity: HIGH
7509
7510This release fixes the following high-severity vulnerability:
7511
7512* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
7513
7514  See http://support.ntp.org/security for more information.
7515
7516  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
7517  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
7518  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
7519  request or a mode 7 error response from an address which is not listed
7520  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
7521  reply with a mode 7 error response (and log a message).  In this case:
7522
7523          * If an attacker spoofs the source address of ntpd host A in a
7524            mode 7 response packet sent to ntpd host B, both A and B will
7525            continuously send each other error responses, for as long as
7526            those packets get through.
7527
7528          * If an attacker spoofs an address of ntpd host A in a mode 7
7529            response packet sent to ntpd host A, A will respond to itself
7530            endlessly, consuming CPU and logging excessively.
7531
7532  Credit for finding this vulnerability goes to Robin Park and Dmitri
7533  Vinokurov of Alcatel-Lucent.
7534
7535THIS IS A STRONGLY RECOMMENDED UPGRADE.
7536
7537---
7538ntpd now syncs to refclocks right away.
7539
7540Backward-Incompatible changes:
7541
7542ntpd no longer accepts '-v name' or '-V name' to define internal variables.
7543Use '--var name' or '--dvar name' instead. (Bug 817)
7544
7545---
7546NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
7547
7548Focus: Security and Bug Fixes
7549
7550Severity: HIGH
7551
7552This release fixes the following high-severity vulnerability:
7553
7554* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
7555
7556  See http://support.ntp.org/security for more information.
7557
7558  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
7559  line) then a carefully crafted packet sent to the machine will cause
7560  a buffer overflow and possible execution of injected code, running
7561  with the privileges of the ntpd process (often root).
7562
7563  Credit for finding this vulnerability goes to Chris Ries of CMU.
7564
7565This release fixes the following low-severity vulnerabilities:
7566
7567* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
7568  Credit for finding this vulnerability goes to Geoff Keating of Apple.
7569
7570* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
7571  Credit for finding this issue goes to Dave Hart.
7572
7573This release fixes a number of bugs and adds some improvements:
7574
7575* Improved logging
7576* Fix many compiler warnings
7577* Many fixes and improvements for Windows
7578* Adds support for AIX 6.1
7579* Resolves some issues under MacOS X and Solaris
7580
7581THIS IS A STRONGLY RECOMMENDED UPGRADE.
7582
7583---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to terminate ntpd
under Windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks, and MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation
and bug fixes.

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.
