2 NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/xx)
4 Focus: Security and Bug fixes, enhancements.
8 In addition to bug fixes and enhancements, this release fixes the
9 following medium-severity vulnerabilities involving private key
12 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
14 References: Sec 2779 / CVE-2015-1798 / VU#374268
15 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
16 including ntp-4.2.8p2 where the installation uses symmetric keys
17 to authenticate remote associations.
18 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
19 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
20 Summary: When ntpd is configured to use a symmetric key to authenticate
21 a remote NTP server/peer, it checks if the NTP message
22 authentication code (MAC) in received packets is valid, but not if
23 there actually is any MAC included. Packets without a MAC are
24 accepted as if they had a valid MAC. This allows a MITM attacker to
25 send false packets that are accepted by the client/peer without
26 having to know the symmetric key. The attacker needs to know the
27 transmit timestamp of the client to match it in the forged reply
28 and the false reply needs to reach the client before the genuine
29 reply from the server. The attacker doesn't necessarily need to be
30 relaying the packets between the client and the server.
32 Authentication using autokey doesn't have this problem as there is
33 a check that requires the key ID to be larger than NTP_MAXKEY,
34 which fails for packets without a MAC.
36 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
37 or the NTP Public Services Project Download Page
38 Configure ntpd with enough time sources and monitor it properly.
39 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
41 * [Sec 2781] Authentication doesn't protect symmetric associations against
44 References: Sec 2781 / CVE-2015-1799 / VU#374268
45 Affects: All NTP releases starting with at least xntp3.3wy up to but
46 not including ntp-4.2.8p2 where the installation uses symmetric
48 CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
49 Note: the CVSS base Score for this issue could be 4.3 or lower, and
50 it could be higher than 5.4.
51 Date Resolved: Stable (4.2.8p2) 07 Apr 2015
52 Summary: An attacker knowing that NTP hosts A and B are peering with
53 each other (symmetric association) can send a packet to host A
54 with source address of B which will set the NTP state variables
55 on A to the values sent by the attacker. Host A will then send
56 on its next poll to B a packet with originate timestamp that
57 doesn't match the transmit timestamp of B and the packet will
58 be dropped. If the attacker does this periodically for both
59 hosts, they won't be able to synchronize to each other. This is
60 a known denial-of-service attack, described at
61 https://www.eecis.udel.edu/~mills/onwire.html .
63 According to the document the NTP authentication is supposed to
64 protect symmetric associations against this attack, but that
65 doesn't seem to be the case. The state variables are updated even
66 when authentication fails and the peers are sending packets with
67 originate timestamps that don't match the transmit timestamps on
70 This seems to be a very old problem, dating back to at least
71 xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
72 specifications, so other NTP implementations with support for
73 symmetric associations and authentication may be vulnerable too.
74 An update to the NTP RFC to correct this error is in-process.
76 Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
77 or the NTP Public Services Project Download Page
78 Note that for users of autokey, this specific style of MITM attack
79 is simply a long-known potential problem.
80 Configure ntpd with appropriate time sources and monitor ntpd.
81 Alert your staff if problems are detected.
82 Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
84 * New script: update-leap
85 The update-leap script will verify and if necessary, update the
86 leap-second definition file.
87 It requires the following commands in order to work:
89 wget logger tr sed shasum
91 Some may choose to run this from cron. It needs more portability testing.
93 Bug Fixes and Improvements:
95 * [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
96 * [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
97 * [Bug 2346] "graceful termination" signals do not do peer cleanup.
98 * [Bug 2728] See if C99-style structure initialization works.
99 * [Bug 2747] Upgrade libevent to 2.1.5-beta.
100 * [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
101 * [Bug 2751] jitter.h has stale copies of l_fp macros.
102 * [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
103 * [Bug 2757] Quiet compiler warnings.
104 * [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
105 * [Bug 2763] Allow different thresholds for forward and backward steps.
106 * [Bug 2766] ntp-keygen output files should not be world-readable.
107 * [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
108 * [Bug 2771] nonvolatile value is documented in wrong units.
109 * [Bug 2773] Early leap announcement from Palisade/Thunderbolt
110 * [Bug 2774] Unreasonably verbose printout - leap pending/warning
111 * [Bug 2775] ntp-keygen.c fails to compile under Windows.
112 * [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
113 Removed non-ASCII characters from some copyright comments.
114 Removed trailing whitespace.
115 Updated definitions for Meinberg clocks from current Meinberg header files.
116 Now use C99 fixed-width types and avoid non-ASCII characters in comments.
117 Account for updated definitions pulled from Meinberg header files.
118 Updated comments on Meinberg GPS receivers which are not only called GPS16x.
119 Replaced some constant numbers by defines from ntp_calendar.h
120 Modified creation of parse-specific variables for Meinberg devices
122 Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
123 Modified mbg_tm_str() which now expexts an additional parameter controlling
124 if the time status shall be printed.
125 * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
126 * [Sec 2781] Authentication doesn't protect symmetric associations against
128 * [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
129 * [Bug 2789] Quiet compiler warnings from libevent.
130 * [Bug 2790] If ntpd sets the Windows MM timer highest resolution
131 pause briefly before measuring system clock precision to yield
133 * Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
134 * Use predefined function types for parse driver functions
135 used to set up function pointers.
136 Account for changed prototype of parse_inp_fnc_t functions.
137 Cast parse conversion results to appropriate types to avoid
139 Let ioctl() for Windows accept a (void *) to avoid compiler warnings
140 when called with pointers to different types.
143 NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)
145 Focus: Security and Bug fixes, enhancements.
149 In addition to bug fixes and enhancements, this release fixes the
150 following high-severity vulnerabilities:
152 * vallen is not validated in several places in ntp_crypto.c, leading
153 to a potential information leak or possibly a crash
155 References: Sec 2671 / CVE-2014-9297 / VU#852879
156 Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
157 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
158 Date Resolved: Stable (4.2.8p1) 04 Feb 2015
159 Summary: The vallen packet value is not validated in several code
160 paths in ntp_crypto.c which can lead to information leakage
161 or perhaps a crash of the ntpd process.
163 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
164 or the NTP Public Services Project Download Page.
165 Disable Autokey Authentication by removing, or commenting out,
166 all configuration directives beginning with the "crypto"
167 keyword in your ntp.conf file.
168 Credit: This vulnerability was discovered by Stephen Roettger of the
169 Google Security Team, with additional cases found by Sebastian
170 Krahmer of the SUSE Security Team and Harlan Stenn of Network
173 * ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
176 References: Sec 2672 / CVE-2014-9298 / VU#852879
177 Affects: All NTP4 releases before 4.2.8p1, under at least some
178 versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
179 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
180 Date Resolved: Stable (4.2.8p1) 04 Feb 2014
181 Summary: While available kernels will prevent 127.0.0.1 addresses
182 from "appearing" on non-localhost IPv4 interfaces, some kernels
183 do not offer the same protection for ::1 source addresses on
184 IPv6 interfaces. Since NTP's access control is based on source
185 address and localhost addresses generally have no restrictions,
186 an attacker can send malicious control and configuration packets
187 by spoofing ::1 addresses from the outside. Note Well: This is
188 not really a bug in NTP, it's a problem with some OSes. If you
189 have one of these OSes where ::1 can be spoofed, ALL ::1 -based
190 ACL restrictions on any application can be bypassed!
192 Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
193 or the NTP Public Services Project Download Page
194 Install firewall rules to block packets claiming to come from
195 ::1 from inappropriate network interfaces.
196 Credit: This vulnerability was discovered by Stephen Roettger of
197 the Google Security Team.
199 Additionally, over 30 bugfixes and improvements were made to the codebase.
200 See the ChangeLog for more information.
203 NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)
205 Focus: Security and Bug fixes, enhancements.
209 In addition to bug fixes and enhancements, this release fixes the
210 following high-severity vulnerabilities:
212 ************************** vv NOTE WELL vv *****************************
214 The vulnerabilities listed below can be significantly mitigated by
215 following the BCP of putting
217 restrict default ... noquery
219 in the ntp.conf file. With the exception of:
221 receive(): missing return on error
222 References: Sec 2670 / CVE-2014-9296 / VU#852879
224 below (which is a limited-risk vulnerability), none of the recent
225 vulnerabilities listed below can be exploited if the source IP is
226 restricted from sending a 'query'-class packet by your ntp.conf file.
228 ************************** ^^ NOTE WELL ^^ *****************************
230 * Weak default key in config_auth().
232 References: [Sec 2665] / CVE-2014-9293 / VU#852879
233 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
234 Vulnerable Versions: all releases prior to 4.2.7p11
235 Date Resolved: 28 Jan 2010
237 Summary: If no 'auth' key is set in the configuration file, ntpd
238 would generate a random key on the fly. There were two
239 problems with this: 1) the generated key was 31 bits in size,
240 and 2) it used the (now weak) ntp_random() function, which was
241 seeded with a 32-bit value and could only provide 32 bits of
242 entropy. This was sufficient back in the late 1990s when the
243 code was written. Not today.
246 - Upgrade to 4.2.7p11 or later.
247 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
249 Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
250 of the Google Security Team.
252 * Non-cryptographic random number generator with weak seed used by
253 ntp-keygen to generate symmetric keys.
255 References: [Sec 2666] / CVE-2014-9294 / VU#852879
256 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
257 Vulnerable Versions: All NTP4 releases before 4.2.7p230
258 Date Resolved: Dev (4.2.7p230) 01 Nov 2011
260 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
261 prepare a random number generator that was of good quality back
262 in the late 1990s. The random numbers produced was then used to
263 generate symmetric keys. In ntp-4.2.8 we use a current-technology
264 cryptographic random number generator, either RAND_bytes from
265 OpenSSL, or arc4random().
268 - Upgrade to 4.2.7p230 or later.
269 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
271 Credit: This vulnerability was discovered in ntp-4.2.6 by
272 Stephen Roettger of the Google Security Team.
274 * Buffer overflow in crypto_recv()
276 References: Sec 2667 / CVE-2014-9295 / VU#852879
277 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
278 Versions: All releases before 4.2.8
279 Date Resolved: Stable (4.2.8) 18 Dec 2014
281 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
282 file contains a 'crypto pw ...' directive) a remote attacker
283 can send a carefully crafted packet that can overflow a stack
284 buffer and potentially allow malicious code to be executed
285 with the privilege level of the ntpd process.
288 - Upgrade to 4.2.8, or later, or
289 - Disable Autokey Authentication by removing, or commenting out,
290 all configuration directives beginning with the crypto keyword
291 in your ntp.conf file.
293 Credit: This vulnerability was discovered by Stephen Roettger of the
294 Google Security Team.
296 * Buffer overflow in ctl_putdata()
298 References: Sec 2668 / CVE-2014-9295 / VU#852879
299 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
300 Versions: All NTP4 releases before 4.2.8
301 Date Resolved: Stable (4.2.8) 18 Dec 2014
303 Summary: A remote attacker can send a carefully crafted packet that
304 can overflow a stack buffer and potentially allow malicious
305 code to be executed with the privilege level of the ntpd process.
308 - Upgrade to 4.2.8, or later.
309 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
311 Credit: This vulnerability was discovered by Stephen Roettger of the
312 Google Security Team.
314 * Buffer overflow in configure()
316 References: Sec 2669 / CVE-2014-9295 / VU#852879
317 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
318 Versions: All NTP4 releases before 4.2.8
319 Date Resolved: Stable (4.2.8) 18 Dec 2014
321 Summary: A remote attacker can send a carefully crafted packet that
322 can overflow a stack buffer and potentially allow malicious
323 code to be executed with the privilege level of the ntpd process.
326 - Upgrade to 4.2.8, or later.
327 - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.
329 Credit: This vulnerability was discovered by Stephen Roettger of the
330 Google Security Team.
332 * receive(): missing return on error
334 References: Sec 2670 / CVE-2014-9296 / VU#852879
335 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
336 Versions: All NTP4 releases before 4.2.8
337 Date Resolved: Stable (4.2.8) 18 Dec 2014
339 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
340 the code path where an error was detected, which meant
341 processing did not stop when a specific rare error occurred.
342 We haven't found a way for this bug to affect system integrity.
343 If there is no way to affect system integrity the base CVSS
344 score for this bug is 0. If there is one avenue through which
345 system integrity can be partially affected, the base score
346 becomes a 5. If system integrity can be partially affected
347 via all three integrity metrics, the CVSS base score become 7.5.
350 - Upgrade to 4.2.8, or later,
351 - Remove or comment out all configuration directives
352 beginning with the crypto keyword in your ntp.conf file.
354 Credit: This vulnerability was discovered by Stephen Roettger of the
355 Google Security Team.
357 See http://support.ntp.org/security for more information.
359 New features / changes in this release:
363 * Internal NTP Era counters
365 The internal counters that track the "era" (range of years) we are in
366 rolls over every 136 years'. The current "era" started at the stroke of
367 midnight on 1 Jan 1900, and ends just before the stroke of midnight on
369 In the past, we have used the "midpoint" of the range to decide which
370 era we were in. Given the longevity of some products, it became clear
371 that it would be more functional to "look back" less, and "look forward"
372 more. We now compile a timestamp into the ntpd executable and when we
373 get a timestamp we us the "built-on" to tell us what era we are in.
374 This check "looks back" 10 years, and "looks forward" 126 years.
376 * ntpdc responses disabled by default
380 For a long time, ntpq and its mostly text-based mode 6 (control)
381 protocol have been preferred over ntpdc and its mode 7 (private
382 request) protocol for runtime queries and configuration. There has
383 been a goal of deprecating ntpdc, previously held back by numerous
384 capabilities exposed by ntpdc with no ntpq equivalent. I have been
385 adding commands to ntpq to cover these cases, and I believe I've
386 covered them all, though I've not compared command-by-command
389 As I've said previously, the binary mode 7 protocol involves a lot of
390 hand-rolled structure layout and byte-swapping code in both ntpd and
391 ntpdc which is hard to get right. As ntpd grows and changes, the
392 changes are difficult to expose via ntpdc while maintaining forward
393 and backward compatibility between ntpdc and ntpd. In contrast,
394 ntpq's text-based, label=value approach involves more code reuse and
395 allows compatible changes without extra work in most cases.
397 Mode 7 has always been defined as vendor/implementation-specific while
398 mode 6 is described in RFC 1305 and intended to be open to interoperate
399 with other implementations. There is an early draft of an updated
400 mode 6 description that likely will join the other NTPv4 RFCs
401 eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)
403 For these reasons, ntpd 4.2.7p230 by default disables processing of
404 ntpdc queries, reducing ntpd's attack surface and functionally
405 deprecating ntpdc. If you are in the habit of using ntpdc for certain
406 operations, please try the ntpq equivalent. If there's no equivalent,
407 please open a bug report at http://bugs.ntp.org./
409 In addition to the above, over 1100 issues have been resolved between
410 the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution
414 NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)
420 This is a recommended upgrade.
422 This release updates sys_rootdisp and sys_jitter calculations to match the
423 RFC specification, fixes a potential IPv6 address matching error for the
424 "nic" and "interface" configuration directives, suppresses the creation of
425 extraneous ephemeral associations for certain broadcastclient and
426 multicastclient configurations, cleans up some ntpq display issues, and
427 includes improvements to orphan mode, minor bugs fixes and code clean-ups.
429 New features / changes in this release:
433 * Updated "nic" and "interface" IPv6 address handling to prevent
434 mismatches with localhost [::1] and wildcard [::] which resulted from
435 using the address/prefix format (e.g. fe80::/64)
436 * Fix orphan mode stratum incorrectly counting to infinity
437 * Orphan parent selection metric updated to includes missing ntohl()
438 * Non-printable stratum 16 refid no longer sent to ntp
439 * Duplicate ephemeral associations suppressed for broadcastclient and
440 multicastclient without broadcastdelay
441 * Exclude undetermined sys_refid from use in loopback TEST12
442 * Exclude MODE_SERVER responses from KoD rate limiting
443 * Include root delay in clock_update() sys_rootdisp calculations
444 * get_systime() updated to exclude sys_residual offset (which only
445 affected bits "below" sys_tick, the precision threshold)
446 * sys.peer jitter weighting corrected in sys_jitter calculation
450 * -n option extended to include the billboard "server" column
451 * IPv6 addresses in the local column truncated to prevent overruns
454 NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)
456 Focus: Bug fixes and portability improvements
460 This is a recommended upgrade.
462 This release includes build infrastructure updates, code
463 clean-ups, minor bug fixes, fixes for a number of minor
464 ref-clock issues, and documentation revisions.
466 Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.
468 New features / changes in this release:
472 * Fix checking for struct rtattr
473 * Update config.guess and config.sub for AIX
474 * Upgrade required version of autogen and libopts for building
475 from our source code repository
479 * Back-ported several fixes for Coverity warnings from ntp-dev
480 * Fix a rare boundary condition in UNLINK_EXPR_SLIST()
481 * Allow "logconfig =allall" configuration directive
482 * Bind tentative IPv6 addresses on Linux
483 * Correct WWVB/Spectracom driver to timestamp CR instead of LF
484 * Improved tally bit handling to prevent incorrect ntpq peer status reports
485 * Exclude the Undisciplined Local Clock and ACTS drivers from the initial
486 candidate list unless they are designated a "prefer peer"
487 * Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
488 selection during the 'tos orphanwait' period
489 * Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
491 * Improved support of the Parse Refclock trusttime flag in Meinberg mode
492 * Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
493 * Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
494 clock slew on Microsoft Windows
495 * Code cleanup in libntpq
499 * Fix timerstats reporting
503 * Reduce time required to set clock
504 * Allow a timeout greater than 2 seconds
508 * Backward incompatible command-line option change:
509 -l/--filelog changed -l/--logfile (to be consistent with ntpd)
513 * Update html2man. Fix some tags in the .html files
514 * Distribute ntp-wait.html
517 NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)
519 Focus: Bug fixes and portability improvements
523 This is a recommended upgrade.
525 This release includes build infrastructure updates, code
526 clean-ups, minor bug fixes, fixes for a number of minor
527 ref-clock issues, and documentation revisions.
529 Portability improvements in this release affect AIX, Atari FreeMiNT,
530 FreeBSD4, Linux and Microsoft Windows.
532 New features / changes in this release:
535 * Use lsb_release to get information about Linux distributions.
536 * 'test' is in /usr/bin (instead of /bin) on some systems.
537 * Basic sanity checks for the ChangeLog file.
538 * Source certain build files with ./filename for systems without . in PATH.
539 * IRIX portability fix.
540 * Use a single copy of the "libopts" code.
541 * autogen/libopts upgrade.
542 * configure.ac m4 quoting cleanup.
545 * Do not bind to IN6_IFF_ANYCAST addresses.
546 * Log the reason for exiting under Windows.
547 * Multicast fixes for Windows.
548 * Interpolation fixes for Windows.
549 * IPv4 and IPv6 Multicast fixes.
550 * Manycast solicitation fixes and general repairs.
551 * JJY refclock cleanup.
552 * NMEA refclock improvements.
553 * Oncore debug message cleanup.
554 * Palisade refclock now builds under Linux.
555 * Give RAWDCF more baud rates.
556 * Support Truetime Satellite clocks under Windows.
557 * Support Arbiter 1093C Satellite clocks under Windows.
558 * Make sure that the "filegen" configuration command defaults to "enable".
559 * Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
560 * Prohibit 'includefile' directive in remote configuration command.
561 * Fix 'nic' interface bindings.
562 * Fix the way we link with openssl if openssl is installed in the base
567 * OpenSSL version display cleanup.
570 * Many counters should be treated as unsigned.
573 * Do not ignore replies with equal receive and transmit timestamps.
576 * libntpq warning cleanup.
579 * Correct SNMP type for "precision" and "resolution".
580 * Update the MIB from the draft version to RFC-5907.
583 * Display timezone offset when showing time for sntp in the local
585 * Pay proper attention to RATE KoD packets.
586 * Fix a miscalculation of the offset.
587 * Properly parse empty lines in the key file.
589 * Use tv_usec correctly in set_time().
590 * Documentation cleanup.
593 NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)
595 Focus: Bug fixes and portability improvements
599 This is a recommended upgrade.
601 This release includes build infrastructure updates, code
602 clean-ups, minor bug fixes, fixes for a number of minor
603 ref-clock issues, improved KOD handling, OpenSSL related
604 updates and documentation revisions.
606 Portability improvements in this release affect Irix, Linux,
607 Mac OS, Microsoft Windows, OpenBSD and QNX6
609 New features / changes in this release:
612 * Range syntax for the trustedkey configuration directive
613 * Unified IPv4 and IPv6 restrict lists
616 * Rate limiting and KOD handling
619 * default connection to net-snmpd via a unix-domain socket
620 * command-line 'socket name' option
623 * support for the "passwd ..." syntax
624 * key-type specific password prompts
627 * MD5 authentication of an ntpd
628 * Broadcast and crypto
632 NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)
634 Focus: Bug fixes, portability fixes, and documentation improvements
638 This is a recommended upgrade.
641 NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
643 Focus: enhancements and bug fixes.
646 NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
648 Focus: Security Fixes
652 This release fixes the following high-severity vulnerability:
654 * [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
656 See http://support.ntp.org/security for more information.
658 NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
659 In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
660 transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
661 request or a mode 7 error response from an address which is not listed
662 in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
663 reply with a mode 7 error response (and log a message). In this case:
665 * If an attacker spoofs the source address of ntpd host A in a
666 mode 7 response packet sent to ntpd host B, both A and B will
667 continuously send each other error responses, for as long as
668 those packets get through.
670 * If an attacker spoofs an address of ntpd host A in a mode 7
671 response packet sent to ntpd host A, A will respond to itself
672 endlessly, consuming CPU and logging excessively.
674 Credit for finding this vulnerability goes to Robin Park and Dmitri
675 Vinokurov of Alcatel-Lucent.
677 THIS IS A STRONGLY RECOMMENDED UPGRADE.
680 ntpd now syncs to refclocks right away.
682 Backward-Incompatible changes:
684 ntpd no longer accepts '-v name' or '-V name' to define internal variables.
685 Use '--var name' or '--dvar name' instead. (Bug 817)
688 NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
690 Focus: Security and Bug Fixes
694 This release fixes the following high-severity vulnerability:
696 * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252
698 See http://support.ntp.org/security for more information.
700 If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
701 line) then a carefully crafted packet sent to the machine will cause
702 a buffer overflow and possible execution of injected code, running
703 with the privileges of the ntpd process (often root).
705 Credit for finding this vulnerability goes to Chris Ries of CMU.
707 This release fixes the following low-severity vulnerabilities:
709 * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
710 Credit for finding this vulnerability goes to Geoff Keating of Apple.
712 * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
713 Credit for finding this issue goes to Dave Hart.
715 This release fixes a number of bugs and adds some improvements:
718 * Fix many compiler warnings
719 * Many fixes and improvements for Windows
720 * Adds support for AIX 6.1
721 * Resolves some issues under MacOS X and Solaris
723 THIS IS A STRONGLY RECOMMENDED UPGRADE.
726 NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
732 This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
733 the OpenSSL library relating to the incorrect checking of the return
734 value of EVP_VerifyFinal function.
736 Credit for finding this issue goes to the Google Security Team for
737 finding the original issue with OpenSSL, and to ocert.org for finding
738 the problem in NTP and telling us about it.
740 This is a recommended upgrade.
742 NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
744 Focus: Minor Bugfixes
746 This release fixes a number of Windows-specific ntpd bugs and
747 platform-independent ntpdate bugs. A logging bugfix has been applied
748 to the ONCORE driver.
750 The "dynamic" keyword and is now obsolete and deferred binding to local
751 interfaces is the new default. The minimum time restriction for the
752 interface update interval has been dropped.
754 A number of minor build system and documentation fixes are included.
756 This is a recommended upgrade for Windows.
759 NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
761 Focus: Minor Bugfixes
763 This release updates certain copyright information, fixes several display
764 bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
765 shutdown in the parse refclock driver, removes some lint from the code,
766 stops accessing certain buffers immediately after they were freed, fixes
767 a problem with non-command-line specification of -6, and allows the loopback
768 interface to share addresses with other interfaces.
771 NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
773 Focus: Minor Bugfixes
775 This release fixes a bug in Windows that made it difficult to
776 terminate ntpd under windows.
777 This is a recommended upgrade for Windows.
780 NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
782 Focus: Minor Bugfixes
784 This release fixes a multicast mode authentication problem,
785 an error in NTP packet handling on Windows that could lead to
786 ntpd crashing, and several other minor bugs. Handling of
787 multicast interfaces and logging configuration were improved.
788 The required versions of autogen and libopts were incremented.
789 This is a recommended upgrade for Windows and multicast users.
792 NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
794 Focus: enhancements and bug fixes.
796 Dynamic interface rescanning was added to simplify the use of ntpd in
797 conjunction with DHCP. GNU AutoGen is used for its command-line options
798 processing. Separate PPS devices are supported for PARSE refclocks, MD5
799 signatures are now provided for the release files. Drivers have been
800 added for some new ref-clocks and have been removed for some older
801 ref-clocks. This release also includes other improvements, documentation
804 K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI
808 NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
810 Focus: enhancements and bug fixes.