NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements.

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration.

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time. A specially built and configured ntpd will only
offer smeared time in response to client packets. These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction
format. See README.leapsmear and http://bugs.ntp.org/2855 for more

*IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
*BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*
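
Decoding the 254.a.b.c refid described above lets a monitoring host tell whether an upstream server is handing out smeared time. This is an added example, not code from the NTP distribution; the function names are hypothetical, and reading the 24-bit field as a signed two's-complement value is an assumption, since the text above gives only the 2:22 layout.

```c
#include <stdint.h>
#include <stdio.h>

#define SMEAR_PREFIX   254u        /* first refid octet on smeared replies */
#define SMEAR_FRAC_ONE 4194304.0   /* 2^22: weight of one whole second */

/* Parse a dotted-quad refid (as a query tool would print it) into a.b.c.d
 * packed big-endian. Returns 0 on success, -1 on malformed input. */
int refid_parse(const char *text, uint32_t *refid)
{
    unsigned a, b, c, d;
    char trailing;

    /* Exactly four fields and nothing after them. */
    if (sscanf(text, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &trailing) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    *refid = (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | d;
    return 0;
}

/* True when the refid carries the leap-smear marker octet. */
int refid_is_smeared(uint32_t refid)
{
    return (refid >> 24) == SMEAR_PREFIX;
}

/* Convert the low 24 bits (2 integer bits, 22 fraction bits) to seconds.
 * Assumption: the field is signed, so values run from -2 to just under +2.
 * Returns 0 on success, -1 if the refid is not a smear refid. */
int refid_smear_seconds(uint32_t refid, double *seconds)
{
    uint32_t raw = refid & 0x00FFFFFFu;
    int32_t value = (int32_t)raw;

    if (!refid_is_smeared(refid))
        return -1;
    if (raw & 0x00800000u)          /* sign bit of the 24-bit field */
        value -= 0x01000000;
    *seconds = value / SMEAR_FRAC_ONE;
    return 0;
}

/* Convenience wrapper: text refid in, smear in seconds out. */
int smear_from_text(const char *text, double *seconds)
{
    uint32_t refid;

    if (refid_parse(text, &refid) != 0)
        return -1;
    return refid_smear_seconds(refid, seconds);
}

int main(void)
{
    /* Constructed sample refids, not captured from a real server. */
    static const char *samples[] = { "254.32.0.0", "254.192.0.0", "192.0.2.10" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        double s;
        if (smear_from_text(samples[i], &s) == 0)
            printf("%-12s smeared, offset %+.6f s\n", samples[i], s);
        else
            printf("%-12s not a leap-smear refid\n", samples[i]);
    }
    return 0;
}
```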

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework. If you want
to write new tests or change old ones, you'll need to have ruby
installed. You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c. Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
  Fixed an initial-value problem that caused misbehaviour in absence of
  any leapsecond information.
  Do leap second stepping only if the step adjustment is beyond the
  proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
  NTPD transfers the current TAI (instead of an announcement) now.
  This might still need improvement.
  Update autokey data ASAP when 'sys_tai' changes.
  Fix unit test that was broken by changes for autokey update.
  Avoid potential signature length issue and use DPRINTF where possible
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
  Fixed compiler warnings about numeric range overflow
  (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h. Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c. Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code. Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID. Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code. Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes. Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO. Paul Green.
* [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* html/drivers/driver22.html: typo fix. Harlan Stenn.
* refidsmear test cleanup. Tomasz Flendrich.
* refidsmear function support and tests. Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp. Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code. Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in. Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* Windows port build cleanup.

NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07)

Focus: Security and Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

  References: Sec 2779 / CVE-2015-1798 / VU#374268
  Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys
    to authenticate remote associations.
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: When ntpd is configured to use a symmetric key to authenticate
    a remote NTP server/peer, it checks if the NTP message
    authentication code (MAC) in received packets is valid, but not if
    there actually is any MAC included. Packets without a MAC are
    accepted as if they had a valid MAC. This allows a MITM attacker to
    send false packets that are accepted by the client/peer without
    having to know the symmetric key. The attacker needs to know the
    transmit timestamp of the client to match it in the forged reply
    and the false reply needs to reach the client before the genuine
    reply from the server. The attacker doesn't necessarily need to be
    relaying the packets between the client and the server.

    Authentication using autokey doesn't have this problem as there is
    a check that requires the key ID to be larger than NTP_MAXKEY,
    which fails for packets without a MAC.

    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Configure ntpd with enough time sources and monitor it properly.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.
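
The missing check in the Sec 2779 summary comes down to treating "no MAC" and "valid MAC" as the same outcome; the sketch below puts that decision next to the corrected one. It is an added example and not ntpd's code: all names are hypothetical, the packet is assumed to be a 48-byte header with an optional 4-byte key ID plus 16-byte digest and no extension fields, and toy_digest() is a stand-in for the real keyed hash so the block runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_HDR_LEN     48   /* fixed NTP header */
#define KEYID_LEN       4    /* key identifier preceding the digest */
#define DIGEST_LEN      16   /* MD5-sized digest */
#define NTP_MAC_PKT_LEN (NTP_HDR_LEN + KEYID_LEN + DIGEST_LEN)

enum mac_state { MAC_ABSENT, MAC_VALID, MAC_INVALID };

static uint64_t fnv1a(uint64_t h, const uint8_t *p, size_t n)
{
    while (n--) { h ^= *p++; h *= 1099511628211ULL; }
    return h;
}

/* Stand-in keyed digest over key and header. NOT MD5 and not secure. */
void toy_digest(const uint8_t *key, size_t klen,
                const uint8_t *msg, size_t mlen, uint8_t out[DIGEST_LEN])
{
    uint64_t a = fnv1a(fnv1a(14695981039346656037ULL, key, klen), msg, mlen);
    uint64_t b = fnv1a(fnv1a(a, msg, mlen), key, klen);
    int i;

    for (i = 0; i < 8; i++) {
        out[i]     = (uint8_t)(a >> (8 * i));
        out[8 + i] = (uint8_t)(b >> (8 * i));
    }
}

/* Append key ID and digest to a 48-byte header; returns the new length. */
size_t append_mac(uint8_t pkt[NTP_MAC_PKT_LEN], uint32_t key_id,
                  const uint8_t *key, size_t klen)
{
    pkt[NTP_HDR_LEN]     = (uint8_t)(key_id >> 24);
    pkt[NTP_HDR_LEN + 1] = (uint8_t)(key_id >> 16);
    pkt[NTP_HDR_LEN + 2] = (uint8_t)(key_id >> 8);
    pkt[NTP_HDR_LEN + 3] = (uint8_t)key_id;
    toy_digest(key, klen, pkt, NTP_HDR_LEN, pkt + NTP_HDR_LEN + KEYID_LEN);
    return NTP_MAC_PKT_LEN;
}

/* Three-way result: the packet has no MAC, a good MAC, or a bad one. */
enum mac_state classify_mac(const uint8_t *pkt, size_t len, uint32_t key_id,
                            const uint8_t *key, size_t klen)
{
    uint8_t want[DIGEST_LEN], diff = 0;
    uint32_t got_id;
    int i;

    if (len == NTP_HDR_LEN)
        return MAC_ABSENT;
    if (len != NTP_MAC_PKT_LEN)
        return MAC_INVALID;            /* truncated or oversized */
    got_id = (uint32_t)pkt[NTP_HDR_LEN] << 24 |
             (uint32_t)pkt[NTP_HDR_LEN + 1] << 16 |
             (uint32_t)pkt[NTP_HDR_LEN + 2] << 8 | pkt[NTP_HDR_LEN + 3];
    if (got_id != key_id)
        return MAC_INVALID;
    toy_digest(key, klen, pkt, NTP_HDR_LEN, want);
    for (i = 0; i < DIGEST_LEN; i++)   /* compare without early exit */
        diff |= (uint8_t)(want[i] ^ pkt[NTP_HDR_LEN + KEYID_LEN + i]);
    return diff ? MAC_INVALID : MAC_VALID;
}

/* Behaviour described in the summary: only a bad MAC is rejected, so a
 * packet with no MAC passes on an association that has a key configured. */
int accept_keyed_flawed(enum mac_state s) { return s != MAC_INVALID; }

/* Corrected decision: a keyed association accepts only a verified MAC. */
int accept_keyed_fixed(enum mac_state s) { return s == MAC_VALID; }

int main(void)
{
    /* Constructed key and header bytes, not taken from a real exchange. */
    static const uint8_t key[] = "constructed-key";
    uint8_t pkt[NTP_MAC_PKT_LEN] = { 0x24 };
    enum mac_state s = classify_mac(pkt, NTP_HDR_LEN, 7, key, sizeof key - 1);

    printf("no MAC:   flawed=%d fixed=%d\n",
           accept_keyed_flawed(s), accept_keyed_fixed(s));
    s = classify_mac(pkt, append_mac(pkt, 7, key, sizeof key - 1), 7,
                     key, sizeof key - 1);
    printf("good MAC: flawed=%d fixed=%d\n",
           accept_keyed_flawed(s), accept_keyed_fixed(s));
    return 0;
}
```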

* [Sec 2781] Authentication doesn't protect symmetric associations against

  References: Sec 2781 / CVE-2015-1799 / VU#374268
  Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric
  CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
  Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
  Date Resolved: Stable (4.2.8p2) 07 Apr 2015
  Summary: An attacker knowing that NTP hosts A and B are peering with
    each other (symmetric association) can send a packet to host A
    with source address of B which will set the NTP state variables
    on A to the values sent by the attacker. Host A will then send
    on its next poll to B a packet with originate timestamp that
    doesn't match the transmit timestamp of B and the packet will
    be dropped. If the attacker does this periodically for both
    hosts, they won't be able to synchronize to each other. This is
    a known denial-of-service attack, described at
    https://www.eecis.udel.edu/~mills/onwire.html .

    According to the document the NTP authentication is supposed to
    protect symmetric associations against this attack, but that
    doesn't seem to be the case. The state variables are updated even
    when authentication fails and the peers are sending packets with
    originate timestamps that don't match the transmit timestamps on

    This seems to be a very old problem, dating back to at least
    xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
    specifications, so other NTP implementations with support for
    symmetric associations and authentication may be vulnerable too.
    An update to the NTP RFC to correct this error is in-process.

    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd.
    Alert your staff if problems are detected.
  Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
  The update-leap script will verify and if necessary, update the
  leap-second definition file.
  It requires the following commands in order to work:

    wget logger tr sed shasum

  Some may choose to run this from cron. It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expects an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04)

Focus: Security and Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

  References: Sec 2671 / CVE-2014-9297 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Date Resolved: Stable (4.2.8p1) 04 Feb 2015
  Summary: The vallen packet value is not validated in several code
    paths in ntp_crypto.c which can lead to information leakage
    or perhaps a crash of the ntpd process.

    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page.
    Disable Autokey Authentication by removing, or commenting out,
    all configuration directives beginning with the "crypto"
    keyword in your ntp.conf file.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team, with additional cases found by Sebastian
    Krahmer of the SUSE Security Team and Harlan Stenn of Network

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses

  References: Sec 2672 / CVE-2014-9298 / VU#852879
  Affects: All NTP4 releases before 4.2.8p1, under at least some
    versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
  Date Resolved: Stable (4.2.8p1) 04 Feb 2014
  Summary: While available kernels will prevent 127.0.0.1 addresses
    from "appearing" on non-localhost IPv4 interfaces, some kernels
    do not offer the same protection for ::1 source addresses on
    IPv6 interfaces. Since NTP's access control is based on source
    address and localhost addresses generally have no restrictions,
    an attacker can send malicious control and configuration packets
    by spoofing ::1 addresses from the outside. Note Well: This is
    not really a bug in NTP, it's a problem with some OSes. If you
    have one of these OSes where ::1 can be spoofed, ALL ::1 -based
    ACL restrictions on any application can be bypassed!

    Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
    or the NTP Public Services Project Download Page
    Install firewall rules to block packets claiming to come from
    ::1 from inappropriate network interfaces.
  Credit: This vulnerability was discovered by Stephen Roettger of
    the Google Security Team.

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

  restrict default ... noquery

in the ntp.conf file. With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
    would generate a random key on the fly. There were two
    problems with this: 1) the generated key was 31 bits in size,
    and 2) it used the (now weak) ntp_random() function, which was
    seeded with a 32-bit value and could only provide 32 bits of
    entropy. This was sufficient back in the late 1990s when the
    code was written. Not today.

    - Upgrade to 4.2.7p11 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
    of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
    prepare a random number generator that was of good quality back
    in the late 1990s. The random numbers produced were then used to
    generate symmetric keys. In ntp-4.2.8 we use a current-technology
    cryptographic random number generator, either RAND_bytes from
    OpenSSL, or arc4random().

    - Upgrade to 4.2.7p230 or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered in ntp-4.2.6 by
    Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
    file contains a 'crypto pw ...' directive) a remote attacker
    can send a carefully crafted packet that can overflow a stack
    buffer and potentially allow malicious code to be executed
    with the privilege level of the ntpd process.

    - Upgrade to 4.2.8, or later, or
    - Disable Autokey Authentication by removing, or commenting out,
      all configuration directives beginning with the crypto keyword
      in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
    can overflow a stack buffer and potentially allow malicious
    code to be executed with the privilege level of the ntpd process.

    - Upgrade to 4.2.8, or later.
    - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
    the code path where an error was detected, which meant
    processing did not stop when a specific rare error occurred.
    We haven't found a way for this bug to affect system integrity.
    If there is no way to affect system integrity the base CVSS
    score for this bug is 0. If there is one avenue through which
    system integrity can be partially affected, the base score
    becomes a 5. If system integrity can be partially affected
    via all three integrity metrics, the CVSS base score becomes 7.5.

    - Upgrade to 4.2.8, or later,
    - Remove or comment out all configuration directives
      beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

See http://support.ntp.org/security for more information.

New features / changes in this release:

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
roll over every 136 years. The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
In the past, we have used the "midpoint" of the range to decide which
era we were in. Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more. We now compile a timestamp into the ntpd executable and when we
get a timestamp we use the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.
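
One way to implement the era decision described above is to place every 32-bit timestamp in the 2^32-second window that starts a fixed distance before a reference time. This is an added example, not ntpd's code, and it goes slightly beyond the text by running the older midpoint rule through the same function for comparison; the function names, the 365.25-day year, and the build time (taken as 2014/12/18 00:00 UTC, the 4.2.8 date on this page) are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_ERA_SECS   4294967296LL           /* 2^32 seconds in one era */
#define SECS_PER_YEAR  31557600LL             /* 365.25 days, approximation */
#define LOOK_BACK_NEW  (10 * SECS_PER_YEAR)   /* "looks back" 10 years */
#define LOOK_BACK_MID  (NTP_ERA_SECS / 2)     /* older midpoint rule */

/* Constructed build stamp: 2014-12-18 00:00:00 UTC as seconds since 1900. */
#define BUILD_NTP64    3627849600LL

/* Expand a 32-bit NTP seconds value to 64 bits. The result is the unique
 * value congruent to ntp32 (mod 2^32) inside the window
 * [ref - look_back, ref - look_back + 2^32). */
int64_t ntp_unfold(uint32_t ntp32, int64_t ref_ntp64, int64_t look_back)
{
    int64_t pivot = ref_ntp64 - look_back;
    /* Unsigned subtraction wraps, giving the distance above the pivot. */
    uint32_t offset = ntp32 - (uint32_t)pivot;

    return pivot + (int64_t)offset;
}

/* Era number of a 64-bit NTP time (floor division, so pre-1900 is era -1). */
int ntp_era_of(int64_t ntp64)
{
    if (ntp64 >= 0)
        return (int)(ntp64 / NTP_ERA_SECS);
    return (int)-((-ntp64 + NTP_ERA_SECS - 1) / NTP_ERA_SECS);
}

int main(void)
{
    /* Constructed inputs: the build instant, 100 seconds into the next
     * era, and a time 100 years after the build stamp (low 32 bits only). */
    static const uint32_t samples[] = { 3627849600u, 100u, 2488642304u };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t a = ntp_unfold(samples[i], BUILD_NTP64, LOOK_BACK_NEW);
        int64_t b = ntp_unfold(samples[i], BUILD_NTP64, LOOK_BACK_MID);

        printf("ntp32=%10" PRIu32 "  10y-back: %" PRId64 " (era %d)"
               "  midpoint: %" PRId64 " (era %d)\n",
               samples[i], a, ntp_era_of(a), b, ntp_era_of(b));
    }
    return 0;
}
```

The third sample shows the difference: a timestamp 100 years after the build stamp lands in era 1 with the 10-year look-back but is folded back into era 0 by the midpoint rule.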

* ntpdc responses disabled by default

For a long time, ntpq and its mostly text-based mode 6 (control)
protocol have been preferred over ntpdc and its mode 7 (private
request) protocol for runtime queries and configuration. There has
been a goal of deprecating ntpdc, previously held back by numerous
capabilities exposed by ntpdc with no ntpq equivalent. I have been
adding commands to ntpq to cover these cases, and I believe I've
covered them all, though I've not compared command-by-command

As I've said previously, the binary mode 7 protocol involves a lot of
hand-rolled structure layout and byte-swapping code in both ntpd and
ntpdc which is hard to get right. As ntpd grows and changes, the
changes are difficult to expose via ntpdc while maintaining forward
and backward compatibility between ntpdc and ntpd. In contrast,
ntpq's text-based, label=value approach involves more code reuse and
allows compatible changes without extra work in most cases.

Mode 7 has always been defined as vendor/implementation-specific while
mode 6 is described in RFC 1305 and intended to be open to interoperate
with other implementations. There is an early draft of an updated
mode 6 description that likely will join the other NTPv4 RFCs
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of
ntpdc queries, reducing ntpd's attack surface and functionally
deprecating ntpdc. If you are in the habit of using ntpdc for certain
operations, please try the ntpq equivalent. If there's no equivalent,
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8. The ChangeLog file in the distribution

NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24)

This is a recommended upgrade.

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bug fixes and code clean-ups.

New features / changes in this release:

* Updated "nic" and "interface" IPv6 address handling to prevent
  mismatches with localhost [::1] and wildcard [::] which resulted from
  using the address/prefix format (e.g. fe80::/64)
* Fix orphan mode stratum incorrectly counting to infinity
* Orphan parent selection metric updated to include missing ntohl()
* Non-printable stratum 16 refid no longer sent to ntp
* Duplicate ephemeral associations suppressed for broadcastclient and
  multicastclient without broadcastdelay
* Exclude undetermined sys_refid from use in loopback TEST12
* Exclude MODE_SERVER responses from KoD rate limiting
* Include root delay in clock_update() sys_rootdisp calculations
* get_systime() updated to exclude sys_residual offset (which only
  affected bits "below" sys_tick, the precision threshold)
* sys.peer jitter weighting corrected in sys_jitter calculation
* -n option extended to include the billboard "server" column
* IPv6 addresses in the local column truncated to prevent overruns

NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t.

New features / changes in this release:

* Fix checking for struct rtattr
* Update config.guess and config.sub for AIX
* Upgrade required version of autogen and libopts for building
  from our source code repository
* Back-ported several fixes for Coverity warnings from ntp-dev
* Fix a rare boundary condition in UNLINK_EXPR_SLIST()
* Allow "logconfig =allall" configuration directive
* Bind tentative IPv6 addresses on Linux
* Correct WWVB/Spectracom driver to timestamp CR instead of LF
* Improved tally bit handling to prevent incorrect ntpq peer status reports
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial
  candidate list unless they are designated a "prefer peer"
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for
  selection during the 'tos orphanwait' period
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS
* Improved support of the Parse Refclock trusttime flag in Meinberg mode
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero()
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline
  clock slew on Microsoft Windows
* Code cleanup in libntpq
* Fix timerstats reporting
* Reduce time required to set clock
* Allow a timeout greater than 2 seconds
* Backward incompatible command-line option change:
  -l/--filelog changed to -l/--logfile (to be consistent with ntpd)
* Update html2man. Fix some tags in the .html files
* Distribute ntp-wait.html

NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
* OpenSSL version display cleanup.
* Many counters should be treated as unsigned.
* Do not ignore replies with equal receive and transmit timestamps.
* libntpq warning cleanup.
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.
* Display timezone offset when showing time for sntp in the local
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6.

New features / changes in this release:

* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists
* Rate limiting and KOD handling
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option
* support for the "passwd ..." syntax
* key-type specific password prompts
* MD5 authentication of an ntpd
* Broadcast and crypto

NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

This is a recommended upgrade.

NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

See http://support.ntp.org/security for more information.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
transfers use modes 1 through 5. Upon receipt of an incorrect mode 7
request or a mode 7 error response from an address which is not listed
in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
reply with a mode 7 error response (and log a message). In this case:

* If an attacker spoofs the source address of ntpd host A in a
  mode 7 response packet sent to ntpd host B, both A and B will
  continuously send each other error responses, for as long as
  those packets get through.

* If an attacker spoofs an address of ntpd host A in a mode 7
  response packet sent to ntpd host A, A will respond to itself
  endlessly, consuming CPU and logging excessively.
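
A simplified model of the reply logic described above, as an added example that is not ntpd's code and not necessarily the change made in 4.2.4p8. Each packet is reduced to its first byte (mode in the low three bits, response flag in the top bit) and every mode 7 packet is treated as unacceptable to its receiver; the function names and the hardened rule (never answer a packet whose response bit is set) are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MODE_MASK    0x07u      /* byte 0, low 3 bits: NTP mode */
#define MODE_PRIVATE 7u         /* mode 7, the ntpdc protocol */
#define RESP_BIT     0x80u      /* byte 0, top bit: set in mode 7 responses */
#define VERSION_2    (2u << 3)  /* byte 0, bits 3-5: version (constructed value) */

typedef int (*handler_fn)(uint8_t in, uint8_t *reply);

/* Behaviour described above: every unacceptable mode 7 packet, even one
 * that is itself an error response, is answered with an error response. */
int handle_vulnerable(uint8_t in, uint8_t *reply)
{
    if ((in & MODE_MASK) != MODE_PRIVATE)
        return 0;                       /* not mode 7: outside this model */
    *reply = (uint8_t)(RESP_BIT | VERSION_2 | MODE_PRIVATE);
    return 1;
}

/* Hardened (assumed rule): never answer a packet with the response bit set. */
int handle_hardened(uint8_t in, uint8_t *reply)
{
    if ((in & MODE_MASK) != MODE_PRIVATE || (in & RESP_BIT))
        return 0;                       /* drop silently, no reply */
    *reply = (uint8_t)(RESP_BIT | VERSION_2 | MODE_PRIVATE);
    return 1;
}

/* Deliver `first`, then hand each reply to the next receiver (the other
 * host, or the same host when it was spoofed as its own source).
 * Returns the number of replies generated, capped at `cap`. */
unsigned count_replies(handler_fn handle, uint8_t first, unsigned cap)
{
    unsigned sent = 0;
    uint8_t pkt = first, reply = 0;
    while (sent < cap && handle(pkt, &reply)) {
        sent++;
        pkt = reply;
    }
    return sent;
}

int main(void)
{
    uint8_t spoofed = (uint8_t)(RESP_BIT | VERSION_2 | MODE_PRIVATE); /* constructed */
    printf("vulnerable: %u replies\n", count_replies(handle_vulnerable, spoofed, 1000));
    printf("hardened:   %u replies\n", count_replies(handle_hardened, spoofed, 1000));
    return 0;
}
```

With the vulnerable handler the exchange only stops at the cap; with the hardened handler a malformed request still gets one error response, and that response is then dropped by whoever receives it.
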

Credit for finding this vulnerability goes to Robin Park and Dmitri
Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252

See http://support.ntp.org/security for more information.

If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
line) then a carefully crafted packet sent to the machine will cause
a buffer overflow and possible execution of injected code, running
with the privileges of the ntpd process (often root).

Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.

* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of the EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.

NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes

This release fixes a number of Windows-specific ntpd bugs and
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword is now obsolete, and deferred binding to local
interfaces is the new default. The minimum time restriction for the
interface update interval has been dropped.

A number of minor build system and documentation fixes are included.

This is a recommended upgrade for Windows.

NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug that made it difficult to
terminate ntpd under Windows.
This is a recommended upgrade for Windows.

NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem,
an error in NTP packet handling on Windows that could lead to
ntpd crashing, and several other minor bugs. Handling of
multicast interfaces and logging configuration were improved.
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in
conjunction with DHCP. GNU AutoGen is used for its command-line options
processing. Separate PPS devices are supported for PARSE refclocks. MD5
signatures are now provided for the release files. Drivers have been
added for some new ref-clocks and have been removed for some older
ref-clocks. This release also includes other improvements, documentation

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI

NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.