Upgrade NTP to 4.2.8p4.

[FreeBSD/releng/10.2.git] / contrib / ntp / NEWS

---
NTP 4.2.8p4

Focus: Security, Bug fies, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following 13 low- and medium-severity vulnerabilities:

* Incomplete vallen (value length) checks in ntp_crypto.c, leading
  to potential crashes or potential code injection/information leakage.

    References: Sec 2899, Sec 2671, CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
    Summary: The fix for CVE-2014-9750 was incomplete in that there were
        certain code paths where a packet with particular autokey operations
        that contained malicious data was not always being completely
        validated. Receipt of these packets can cause ntpd to crash.
    Mitigation:
        Don't use autokey.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page
        Monitor your ntpd instances. 
        Credit: This weakness was discovered by Tenable Network Security. 

* Clients that receive a KoD should validate the origin timestamp field.

    References: Sec 2901 / CVE-2015-7704, CVE-2015-7705
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:M/Au:N/C:N/I:N/A:P) Base Score: 4.3-5.0 at worst
    Summary: An ntpd client that honors Kiss-of-Death responses will honor
        KoD messages that have been forged by an attacker, causing it to
        delay or stop querying its servers for time updates. Also, an
        attacker can forge packets that claim to be from the target and
        send them to servers often enough that a server that implements
        KoD rate limiting will send the target machine a KoD response to
        attempt to reduce the rate of incoming packets, or it may also
        trigger a firewall block at the server for packets from the target
        machine. For either of these attacks to succeed, the attacker must
        know what servers the target is communicating with. An attacker
        can be anywhere on the Internet and can frequently learn the
        identity of the target's time source by sending the target a
        time query.
    Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download Page
            or the NTP Public Services Project Download Page
        If you can't upgrade, restrict who can query ntpd to learn who
            its servers are, and what IPs are allowed to ask your system
            for the time. This mitigation is heavy-handed.
        Monitor your ntpd instances. 
    Note:
        4.2.8p4 protects against the first attack. For the second attack,
        all we can do is warn when it is happening, which we do in 4.2.8p4.
    Credit: This weakness was discovered by Aanchal Malhotra,
        Issac E. Cohen, and Sharon Goldberg of Boston University. 

* configuration directives to change "pidfile" and "driftfile" should
  only be allowed locally. 

  References: Sec 2902 / CVE-2015-5196
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
   CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.2 worst case
   Summary: If ntpd is configured to allow for remote configuration,
        and if the (possibly spoofed) source IP address is allowed to
        send remote configuration requests, and if the attacker knows
        the remote configuration password, it's possible for an attacker
        to use the "pidfile" or "driftfile" directives to potentially
        overwrite other files.
   Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page
        If you cannot upgrade, don't enable remote configuration.
        If you must enable remote configuration and cannot upgrade,
            remote configuration of NTF's ntpd requires:
            - an explicitly configured trustedkey, and you should also
                configure a controlkey.
            - access from a permitted IP. You choose the IPs.
            - authentication. Don't disable it. Practice secure key safety. 
        Monitor your ntpd instances. 
   Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 

* Slow memory leak in CRYPTO_ASSOC 

  References: Sec 2909 / CVE-2015-7701
  Affects: All ntp-4 releases that use autokey up to, but not
    including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 0.0 best/usual case,
        4.6 otherwise
  Summary: If ntpd is configured to use autokey, then an attacker can
        send packets to ntpd that will, after several days of ongoing
        attack, cause it to run out of memory.
  Mitigation:
        Don't use autokey.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by Tenable Network Security. 

* mode 7 loop counter underrun

  References:  Sec 2913 / CVE-2015-7848 / TALOS-CAN-0052
  Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6
  Summary: If ntpd is configured to enable mode 7 packets, and if the
        use of mode 7 packets is not properly protected thru the use of
        the available mode 7 authentication and restriction mechanisms,
        and if the (possibly spoofed) source IP address is allowed to
        send mode 7 queries, then an attacker can send a crafted packet
        to ntpd that will cause it to crash.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
              If you are unable to upgrade:
        In ntp-4.2.8, mode 7 is disabled by default. Don't enable it.
        If you must enable mode 7:
            configure the use of a requestkey to control who can issue
                mode 7 requests.
            configure restrict noquery to further limit mode 7 requests
                to trusted sources. 
        Monitor your ntpd instances. 
Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. 

* memory corruption in password store

  References: Sec 2916 / CVE-2015-7849 / TALOS-CAN-0054
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:C/A:C) Base Score: 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was configured to
        disable authentication, then an attacker can send a set of
        packets to ntpd that may cause a crash or theoretically
        perform a code injection attack.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's
            ntpd requires:
                an explicitly configured "trusted" key. Only configure
                        this if you need it.
                access from a permitted IP address. You choose the IPs.
                authentication. Don't disable it. Practice secure key safety. 
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by Yves Younan of Cisco Talos. 

* Infinite loop if extended logging enabled and the logfile and
  keyfile are the same.

    References: Sec 2917 / CVE-2015-7850 / TALOS-CAN-0055
    Affects: All ntp-4 releases up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
    CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
    Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was configured to
        disable authentication, then an attacker can send a set of
        packets to ntpd that will cause it to crash and/or create a
        potentially huge log file. Specifically, the attacker could
        enable extended logging, point the key file at the log file,
        and cause what amounts to an infinite loop.
    Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's ntpd
          requires:
            an explicitly configured "trusted" key. Only configure this
                if you need it.
            access from a permitted IP address. You choose the IPs.
            authentication. Don't disable it. Practice secure key safety. 
        Monitor your ntpd instances. 
    Credit: This weakness was discovered by Yves Younan of Cisco Talos. 

* Potential path traversal vulnerability in the config file saving of
  ntpd on VMS.

  References: Sec 2918 / CVE-2015-7851 / TALOS-CAN-0062
  Affects: All ntp-4 releases running under VMS up to, but not
        including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:P/A:C) Base Score: 5.2, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) IP address is allowed to send remote
        configuration requests, and if the attacker knows the remote
        configuration password or if ntpd was configured to disable
        authentication, then an attacker can send a set of packets to
        ntpd that may cause ntpd to overwrite files.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's ntpd
            requires:
                an explicitly configured "trusted" key. Only configure
                        this if you need it.
                access from permitted IP addresses. You choose the IPs.
                authentication. Don't disable it. Practice key security safety. 
        Monitor your ntpd instances. 
    Credit: This weakness was discovered by Yves Younan of Cisco Talos. 

* ntpq atoascii() potential memory corruption

  References: Sec 2919 / CVE-2015-7852 / TALOS-CAN-0063
  Affects: All ntp-4 releases running up to, but not including 4.2.8p4,
        and 4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:N/C:N/I:P/A:P) Base Score: 4.0, worst case
  Summary: If an attacker can figure out the precise moment that ntpq
        is listening for data and the port number it is listening on or
        if the attacker can provide a malicious instance ntpd that
        victims will connect to then an attacker can send a set of
        crafted mode 6 response packets that, if received by ntpq,
        can cause ntpq to crash.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade and you run ntpq against a server
            and ntpq crashes, try again using raw mode. Build or get a
            patched ntpq and see if that fixes the problem. Report new
            bugs in ntpq or abusive servers appropriately.
        If you use ntpq in scripts, make sure ntpq does what you expect
            in your scripts. 
  Credit: This weakness was discovered by Yves Younan and
        Aleksander Nikolich of Cisco Talos. 

* Invalid length data provided by a custom refclock driver could cause
  a buffer overflow. 

  References: Sec 2920 / CVE-2015-7853 / TALOS-CAN-0064
  Affects: Potentially all ntp-4 releases running up to, but not
        including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
        that have custom refclocks
  CVSS: (AV:L/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 usual case,
        5.9 unusual worst case
  Summary: A negative value for the datalen parameter will overflow a
        data buffer. NTF's ntpd driver implementations always set this
        value to 0 and are therefore not vulnerable to this weakness.
        If you are running a custom refclock driver in ntpd and that
        driver supplies a negative value for datalen (no custom driver
        of even minimal competence would do this) then ntpd would
        overflow a data buffer. It is even hypothetically possible
        in this case that instead of simply crashing ntpd the attacker
        could effect a code injection attack.
  Mitigation:
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
                If you are running custom refclock drivers, make sure
                        the signed datalen value is either zero or positive. 
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by Yves Younan of Cisco Talos. 

* Password Length Memory Corruption Vulnerability

  References: Sec 2921 / CVE-2015-7854 / TALOS-CAN-0065
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
        4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:C/I:C/A:C) Base Score: 0.0 best case,
        1.7 usual case, 6.8, worst case
  Summary: If ntpd is configured to allow remote configuration, and if
        the (possibly spoofed) source IP address is allowed to send
        remote configuration requests, and if the attacker knows the
        remote configuration password or if ntpd was (foolishly)
        configured to disable authentication, then an attacker can
        send a set of packets to ntpd that may cause it to crash,
        with the hypothetical possibility of a small code injection.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade, remote configuration of NTF's
            ntpd requires:
                an explicitly configured "trusted" key. Only configure
                        this if you need it.
                access from a permitted IP address. You choose the IPs.
                authentication. Don't disable it. Practice secure key safety. 
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by Yves Younan and
        Aleksander Nikolich of Cisco Talos. 

* decodenetnum() will ASSERT botch instead of returning FAIL on some
  bogus values.

  References: Sec 2922 / CVE-2015-7855
  Affects: All ntp-4 releases up to, but not including 4.2.8p4, and
        4.3.0 up to, but not including 4.3.77
  CVSS: (AV:N/AC:H/Au:M/C:N/I:N/A:C) Base Score: 4.6, worst case
  Summary: If ntpd is fed a crafted mode 6 or mode 7 packet containing
        an unusually long data value where a network address is expected,
        the decodenetnum() function will abort with an assertion failure
        instead of simply returning a failure condition.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
                mode 7 is disabled by default. Don't enable it.
                Use restrict noquery to limit who can send mode 6
                        and mode 7 requests.
                Configure and use the controlkey and requestkey
                        authentication directives to limit who can
                        send mode 6 and mode 7 requests. 
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by John D "Doug" Birdwell of IDA.org. 

* NAK to the Future: Symmetric association authentication bypass via
  crypto-NAK.

  References: Sec 2941 / CVE-2015-7871
  Affects: All ntp-4 releases between 4.2.5p186 up to but not including
        4.2.8p4, and 4.3.0 up to but not including 4.3.77
  CVSS: (AV:N/AC:L/Au:N/C:N/I:P/A:P) Base Score: 6.4
  Summary: Crypto-NAK packets can be used to cause ntpd to accept time
        from unauthenticated ephemeral symmetric peers by bypassing the
        authentication required to mobilize peer associations. This
        vulnerability appears to have been introduced in ntp-4.2.5p186
        when the code handling mobilization of new passive symmetric
        associations (lines 1103-1165) was refactored.
  Mitigation:
        Implement BCP-38.
        Upgrade to 4.2.8p4, or later, from the NTP Project Download
            Page or the NTP Public Services Project Download Page.
        If you are unable to upgrade:
                Apply the patch to the bottom of the "authentic" check
                        block around line 1136 of ntp_proto.c. 
        Monitor your ntpd instances. 
  Credit: This weakness was discovered by Stephen Gray <stepgray@cisco.com>. 

Backward-Incompatible changes:
* [Bug 2817] Default on Linux is now "rlimit memlock -1".
While the general default of 32M is still the case, under Linux
the default value has been changed to -1 (do not lock ntpd into
  memory).  A value of 0 means "lock ntpd into memory with whatever
  memory it needs." If your ntp.conf file has an explicit "rlimit memlock"
  value in it, that value will continue to be used.

* [Bug 2886] Misspelling: "outlyer" should be "outlier".
  If you've written a script that looks for this case in, say, the
  output of ntpq, you probably want to change your regex matches
  from 'outlyer' to 'outl[iy]er'.

New features in this release:
* 'rlimit memlock' now has finer-grained control.  A value of -1 means
  "don't lock ntpd into memore".  This is the default for Linux boxes.
  A value of 0 means "lock ntpd into memory" with no limits.  Otherwise
  the value is the number of megabytes of memory to lock.  The default
  is 32 megabytes.

* The old Google Test framework has been replaced with a new framework,
  based on http://www.throwtheswitch.org/unity/ .

Bug Fixes and Improvements:
* [Bug 2332] (reopened) Exercise thread cancellation once before dropping
  privileges and limiting resources in NTPD removes the need to link
  forcefully against 'libgcc_s' which does not always work. J.Perlinger
* [Bug 2595] ntpdate man page quirks.  Hal Murray, Harlan Stenn.
* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
* [Bug 2817] Stop locking ntpd into memory by default under Linux.  H.Stenn.
* [Bug 2821] minor build issues: fixed refclock_gpsdjson.c.  perlinger@ntp.org
* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
* [Bug 2849] Systems with more than one default route may never
  synchronize.  Brian Utterback.  Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2864] 4.2.8p3 fails to compile on Windows. Juergen Perlinger
* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'. J.Perlinger
* [Bug 2873] libevent should not include .deps/ in the tarball.  H.Stenn
* [Bug 2874] Don't distribute generated sntp/tests/fileHandlingTest.h. H.Stenn
* [Bug 2875] sntp/Makefile.am: Get rid of DIST_SUBDIRS.  libevent must
  be configured for the distribution targets.  Harlan Stenn.
* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
* [Bug 2886] Mis-spelling: "outlyer" should be "outlier".  dave@horsfall.org
* [Bug 2888] streamline calendar functions.  perlinger@ntp.org
* [Bug 2889] ntp-dev-4.3.67 does not build on Windows.  perlinger@ntp.org
* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
* [Bug 2906] make check needs better support for pthreads.  Harlan Stenn.
* [Bug 2907] dist* build targets require our libevent/ to be enabled.  HStenn.
* [Bug 2912] no munlockall() under Windows.  David Taylor, Harlan Stenn.
* libntp/emalloc.c: Remove explicit include of stdint.h.  Harlan Stenn.
* Put Unity CPPFLAGS items in unity_config.h.  Harlan Stenn.
* tests/ntpd/g_leapsec.cpp typo fix.  Harlan Stenn.
* Phase 1 deprecation of google test in sntp/tests/.  Harlan Stenn.
* On some versions of HP-UX, inttypes.h does not include stdint.h.  H.Stenn.
* top_srcdir can change based on ntp v. sntp.  Harlan Stenn.
* sntp/tests/ function parameter list cleanup.  Damir Tomić.
* tests/libntp/ function parameter list cleanup.  Damir Tomić.
* tests/ntpd/ function parameter list cleanup.  Damir Tomić.
* sntp/unity/unity_config.h: handle stdint.h.  Harlan Stenn.
* sntp/unity/unity_internals.h: handle *INTPTR_MAX on old Solaris.  H.Stenn.
* tests/libntp/timevalops.c and timespecops.c fixed error printing.  D.Tomić.
* tests/libntp/ improvements in code and fixed error printing.  Damir Tomić.
* tests/libntp: a_md5encrypt.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  caltontp.c, clocktime.c, humandate.c, hextolfp.c, decodenetnum.c - fixed
  formatting; first declaration, then code (C90); deleted unnecessary comments;
  changed from sprintf to snprintf; fixed order of includes. Tomasz Flendrich
* tests/libntp/lfpfunc.c remove unnecessary include, remove old comments,
  fix formatting, cleanup. Tomasz Flendrich
* tests/libntp/lfptostr.c remove unnecessary include, add consts, fix formatting.
  Tomasz Flendrich
* tests/libntp/statestr.c remove empty functions, remove unnecessary include,
  fix formatting. Tomasz Flendrich
* tests/libntp/modetoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/msyslog.c fixed formatting. Tomasz Flendrich
* tests/libntp/numtoa.c deleted unnecessary empty functions, fixed formatting.
  Tomasz Flendrich
* tests/libntp/numtohost.c added const, fixed formatting. Tomasz Flendrich
* tests/libntp/refnumtoa.c fixed formatting. Tomasz Flendrich
* tests/libntp/ssl_init.c fixed formatting. Tomasz Flendrich
* tests/libntp/tvtots.c fixed a bug, fixed formatting. Tomasz Flendrich
* tests/libntp/uglydate.c removed an unnecessary include. Tomasz Flendrich
* tests/libntp/vi64ops.c removed an unnecessary comment, fixed formatting.
* tests/libntp/ymd3yd.c removed an empty function and an unnecessary include,
fixed formatting. Tomasz Flendrich
* tests/libntp/timespecops.c fixed formatting, fixed the order of includes,
  removed unnecessary comments, cleanup. Tomasz Flendrich
* tests/libntp/timevalops.c fixed the order of includes, deleted unnecessary
  comments, cleanup. Tomasz Flendrich
* tests/libntp/sockaddrtest.h making it agree to NTP's conventions of formatting.
  Tomasz Flendrich
* tests/libntp/lfptest.h cleanup. Tomasz Flendrich
* tests/libntp/test-libntp.c fix formatting. Tomasz Flendrich
* sntp/tests/crypto.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/kodDatabase.c added consts, deleted empty function,
  fixed formatting. Tomasz Flendrich
* sntp/tests/kodFile.c cleanup, fixed formatting. Tomasz Flendrich
* sntp/tests/packetHandling.c is now using proper Unity's assertions,
  fixed formatting, deleted unused variable. Tomasz Flendrich
* sntp/tests/keyFile.c is now using proper Unity's assertions, fixed formatting.
  Tomasz Flendrich
* sntp/tests/packetProcessing.c changed from sprintf to snprintf,
  fixed formatting. Tomasz Flendrich
* sntp/tests/utilities.c is now using proper Unity's assertions, changed
  the order of includes, fixed formatting, removed unnecessary comments.
  Tomasz Flendrich
* sntp/tests/sntptest.h fixed formatting. Tomasz Flendrich
* sntp/tests/fileHandlingTest.h.in fixed a possible buffer overflow problem,
  made one function do its job, deleted unnecessary prints, fixed formatting.
  Tomasz Flendrich
* sntp/unity/Makefile.am added a missing header. Tomasz Flendrich
* sntp/unity/unity_config.h: Distribute it.  Harlan Stenn.
* sntp/libevent/evconfig-private.h: remove generated filefrom SCM.  H.Stenn.
* sntp/unity/Makefile.am: fix some broken paths.  Harlan Stenn.
* sntp/unity/unity.c: Clean up a printf().  Harlan Stenn.
* Phase 1 deprecation of google test in tests/libntp/.  Harlan Stenn.
* Don't build sntp/libevent/sample/.  Harlan Stenn.
* tests/libntp/test_caltontp needs -lpthread.  Harlan Stenn.
* br-flock: --enable-local-libevent.  Harlan Stenn.
* Wrote tests for ntpd/ntp_prio_q.c. Tomasz Flendrich
* scripts/lib/NTP/Util.pm: stratum output is version-dependent.  Harlan Stenn.
* Get rid of the NTP_ prefix on our assertion macros.  Harlan Stenn.
* Code cleanup.  Harlan Stenn.
* libntp/icom.c: Typo fix.  Harlan Stenn.
* util/ntptime.c: initialization nit.  Harlan Stenn.
* ntpd/ntp_peer.c:newpeer(): added a DEBUG_REQUIRE(srcadr).  Harlan Stenn.
* Add std_unity_tests to various Makefile.am files.  Harlan Stenn.
* ntpd/ntp_restrict.c: added a few assertions, created tests for this file.
  Tomasz Flendrich
* Changed progname to be const in many files - now it's consistent. Tomasz
  Flendrich
* Typo fix for GCC warning suppression.  Harlan Stenn.
* Added tests/ntpd/ntp_scanner.c test. Damir Tomić.
* Added declarations to all Unity tests, and did minor fixes to them.
  Reduced the number of warnings by half. Damir Tomić.
* Updated generate_test_runner.rb and updated the sntp/unity/auto directory
  with the latest Unity updates from Mark. Damir Tomić.
* Retire google test - phase I.  Harlan Stenn.
* Unity test cleanup: move declaration of 'initializing'.  Harlan Stenn.
* Update the NEWS file.  Harlan Stenn.
* Autoconf cleanup.  Harlan Stenn.
* Unit test dist cleanup. Harlan Stenn.
* Cleanup various test Makefile.am files.  Harlan Stenn.
* Pthread autoconf macro cleanup.  Harlan Stenn.
* Fix progname definition in unity runner scripts.  Harlan Stenn.
* Clean trailing whitespace in tests/ntpd/Makefile.am.  Harlan Stenn.
* Update the patch for bug 2817.  Harlan Stenn.
* More updates for bug 2817.  Harlan Stenn.
* Fix bugs in tests/ntpd/ntp_prio_q.c.  Harlan Stenn.
* gcc on older HPUX may need +allowdups.  Harlan Stenn.
* Adding missing MCAST protection.  Harlan Stenn.
* Disable certain test programs on certain platforms.  Harlan Stenn.
* Implement --enable-problem-tests (on by default).  Harlan Stenn.
* build system tweaks.  Harlan Stenn.

---
NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29) 

Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.

Severity: MEDIUM

Security Fix:

* [Sec 2853] Crafted remote config packet can crash some versions of
  ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

Under specific circumstances an attacker can send a crafted packet to
cause a vulnerable ntpd instance to crash. This requires each of the
following to be true:

1) ntpd set up to allow remote configuration (not allowed by default), and
2) knowledge of the configuration password, and
3) access to a computer entrusted to perform remote configuration. 

This vulnerability is considered low-risk.

New features in this release:

Optional (disabled by default) support to have ntpd provide smeared
leap second time.  A specially built and configured ntpd will only
offer smeared time in response to client packets.  These response
packets will also contain a "refid" of 254.a.b.c, where the 24 bits
of a, b, and c encode the amount of smear in a 2:22 integer:fraction 
format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
information.

   *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
   *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

We've imported the Unity test framework, and have begun converting
the existing google-test items to this new framework.  If you want
to write new tests or change old ones, you'll need to have ruby
installed.  You don't need ruby to run the test suite.

Bug Fixes and Improvements:

* CID 739725: Fix a rare resource leak in libevent/listener.c.
* CID 1295478: Quiet a pedantic potential error from the fix for Bug 2776.
* CID 1296235: Fix refclock_jjy.c and correcting type of the driver40-ja.html
* CID 1269537: Clean up a line of dead code in getShmTime().
* [Bug 1060] Buffer overruns in libparse/clk_rawdcf.c.  Helge Oldach.
* [Bug 2590] autogen-5.18.5.
* [Bug 2612] restrict: Warn when 'monitor' can't be disabled because
  of 'limited'.
* [Bug 2650] fix includefile processing.
* [Bug 2745] ntpd -x steps clock on leap second
   Fixed an initial-value problem that caused misbehaviour in absence of
   any leapsecond information.
   Do leap second stepping only of the step adjustment is beyond the
   proper jump distance limit and step correction is allowed at all.
* [Bug 2750] build for Win64
  Building for 32bit of loopback ppsapi needs def file
* [Bug 2776] Improve ntpq's 'help keytype'.
* [Bug 2778] Implement "apeers"  ntpq command to include associd.
* [Bug 2782] Refactor refclock_shm.c, add memory barrier protection.
* [Bug 2792] If the IFF_RUNNING interface flag is supported then an
  interface is ignored as long as this flag is not set since the
  interface is not usable (e.g., no link).
* [Bug 2794] Clean up kernel clock status reports.
* [Bug 2800] refclock_true.c true_debug() can't open debug log because
  of incompatible open/fdopen parameters.
* [Bug 2804] install-local-data assumes GNU 'find' semantics.
* [Bug 2805] ntpd fails to join multicast group.
* [Bug 2806] refclock_jjy.c supports the Telephone JJY.
* [Bug 2808] GPSD_JSON driver enhancements, step 1.
  Fix crash during cleanup if GPS device not present and char device.
  Increase internal token buffer to parse all JSON data, even SKY.
  Defer logging of errors during driver init until the first unit is
  started, so the syslog is not cluttered when the driver is not used.
  Various improvements, see http://bugs.ntp.org/2808 for details.
  Changed libjsmn to a more recent version.
* [Bug 2810] refclock_shm.c memory barrier code needs tweaks for QNX.
* [Bug 2813] HP-UX needs -D__STDC_VERSION__=199901L and limits.h.
* [Bug 2815] net-snmp before v5.4 has circular library dependencies.
* [Bug 2821] Add a missing NTP_PRINTF and a missing const.
* [Bug 2822] New leap column in sntp broke NTP::Util.pm.
* [Bug 2824] Convert update-leap to perl. (also see 2769)
* [Bug 2825] Quiet file installation in html/ .
* [Bug 2830] ntpd doesn't always transfer the correct TAI offset via autokey
   NTPD transfers the current TAI (instead of an announcement) now.
   This might still needed improvement.
   Update autokey data ASAP when 'sys_tai' changes.
   Fix unit test that was broken by changes for autokey update.
   Avoid potential signature length issue and use DPRINTF where possible
     in ntp_crypto.c.
* [Bug 2832] refclock_jjy.c supports the TDC-300.
* [Bug 2834] Correct a broken html tag in html/refclock.html
* [Bug 2836] DFC77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2837] Allow a configurable DSCP value.
* [Bug 2837] add test for DSCP to ntpd/complete.conf.in
* [Bug 2842] Glitch in ntp.conf.def documentation stanza.
* [Bug 2842] Bug in mdoc2man.
* [Bug 2843] make check fails on 4.3.36
   Fixed compiler warnings about numeric range overflow
   (The original topic was fixed in a byplay to bug#2830)
* [Bug 2845] Harden memory allocation in ntpd.
* [Bug 2852] 'make check' can't find unity.h.  Hal Murray.
* [Bug 2854] Missing brace in libntp/strdup.c.  Masanari Iida.
* [Bug 2855] Parser fix for conditional leap smear code.  Harlan Stenn.
* [Bug 2855] Report leap smear in the REFID.  Harlan Stenn.
* [Bug 2855] Implement conditional leap smear code.  Martin Burnicki.
* [Bug 2856] ntpd should wait() on terminated child processes.  Paul Green.
* [Bug 2857] Stratus VOS does not support SIGIO.  Paul Green.
* [Bug 2859] Improve raw DCF77 robustness deconding.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* html/drivers/driver22.html: typo fix.  Harlan Stenn.
* refidsmear test cleanup.  Tomasz Flendrich.
* refidsmear function support and tests.  Harlan Stenn.
* sntp/tests/Makefile.am: remove g_nameresolution.cpp as it tested
  something that was only in the 4.2.6 sntp.  Harlan Stenn.
* Modified tests/bug-2803/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified tests/libtnp/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* Modified sntp/tests/Makefile.am so it builds Unity framework tests.
  Damir Tomić
* tests/sandbox/smeartest.c: Harlan Stenn, Damir Tomic, Juergen Perlinger.
* Converted from gtest to Unity: tests/bug-2803/. Damir Tomić
* Converted from gtest to Unity: tests/libntp/ a_md5encrypt, atoint.c,
  atouint.c, authkeys.c, buftvtots.c, calendar.c, caljulian.c,
  calyearstart.c, clocktime.c, hextoint.c, lfpfunc.c, modetoa.c,
  numtoa.c, numtohost.c, refnumtoa.c, ssl_init.c, statestr.c,
  timespecops.c, timevalops.c, uglydate.c, vi64ops.c, ymd2yd.c.
  Damir Tomić
* Converted from gtest to Unity: sntp/tests/ kodDatabase.c, kodFile.c,
  networking.c, keyFile.c, utilities.cpp, sntptest.h,
  fileHandlingTest.h. Damir Tomić
* Initial support for experimental leap smear code.  Harlan Stenn.
* Fixes to sntp/tests/fileHandlingTest.h.in.  Harlan Stenn.
* Report select() debug messages at debug level 3 now.
* sntp/scripts/genLocInfo: treat raspbian as debian.
* Unity test framework fixes.
  ** Requires ruby for changes to tests.
* Initial support for PACKAGE_VERSION tests.
* sntp/libpkgver belongs in EXTRA_DIST, not DIST_SUBDIRS.
* tests/bug-2803/Makefile.am must distribute bug-2803.h.
* Add an assert to the ntpq ifstats code.
* Clean up the RLIMIT_STACK code.
* Improve the ntpq documentation around the controlkey keyid.
* ntpq.c cleanup.
* Windows port build cleanup.

---
NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/07) 

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM
 
In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
        including ntp-4.2.8p2 where the installation uses symmetric keys
        to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
        a remote NTP server/peer, it checks if the NTP message
        authentication code (MAC) in received packets is valid, but not if
        there actually is any MAC included. Packets without a MAC are
        accepted as if they had a valid MAC. This allows a MITM attacker to
        send false packets that are accepted by the client/peer without
        having to know the symmetric key. The attacker needs to know the
        transmit timestamp of the client to match it in the forged reply
        and the false reply needs to reach the client before the genuine
        reply from the server. The attacker doesn't necessarily need to be
        relaying the packets between the client and the server.

        Authentication using autokey doesn't have this problem as there is
        a check that requires the key ID to be larger than NTP_MAXKEY,
        which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly. 
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but
        not including ntp-4.2.8p2 where the installation uses symmetric
        key authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
        it could be higher than 5.4.
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: An attacker knowing that NTP hosts A and B are peering with
        each other (symmetric association) can send a packet to host A
        with source address of B which will set the NTP state variables
        on A to the values sent by the attacker. Host A will then send
        on its next poll to B a packet with originate timestamp that
        doesn't match the transmit timestamp of B and the packet will
        be dropped. If the attacker does this periodically for both
        hosts, they won't be able to synchronize to each other. This is
        a known denial-of-service attack, described at
        https://www.eecis.udel.edu/~mills/onwire.html .

        According to the document the NTP authentication is supposed to
        protect symmetric associations against this attack, but that
        doesn't seem to be the case. The state variables are updated even
        when authentication fails and the peers are sending packets with
        originate timestamps that don't match the transmit timestamps on
        the receiving side.

        This seems to be a very old problem, dating back to at least
        xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
        specifications, so other NTP implementations with support for
        symmetric associations and authentication may be vulnerable too.
        An update to the NTP RFC to correct this error is in-process.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Note that for users of autokey, this specific style of MITM attack
        is simply a long-known potential problem.
        Configure ntpd with appropriate time sources and monitor ntpd.
        Alert your staff if problems are detected. 
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. 

* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

        wget logger tr sed shasum

Some may choose to run this from cron.  It needs more portability testing.

Bug Fixes and Improvements:

* [Bug 1787] DCF77's formerly "antenna" bit is "call bit" since 2003.
* [Bug 1960] setsockopt IPV6_MULTICAST_IF: Invalid argument.
* [Bug 2346] "graceful termination" signals do not do peer cleanup.
* [Bug 2728] See if C99-style structure initialization works.
* [Bug 2747] Upgrade libevent to 2.1.5-beta.
* [Bug 2749] ntp/lib/NTP/Util.pm needs update for ntpq -w, IPv6, .POOL. .
* [Bug 2751] jitter.h has stale copies of l_fp macros.
* [Bug 2756] ntpd hangs in startup with gcc 3.3.5 on ARM.
* [Bug 2757] Quiet compiler warnings.
* [Bug 2759] Expose nonvolatile/clk_wander_threshold to ntpq.
* [Bug 2763] Allow different thresholds for forward and backward steps.
* [Bug 2766] ntp-keygen output files should not be world-readable.
* [Bug 2767] ntp-keygen -M should symlink to ntp.keys.
* [Bug 2771] nonvolatile value is documented in wrong units.
* [Bug 2773] Early leap announcement from Palisade/Thunderbolt
* [Bug 2774] Unreasonably verbose printout - leap pending/warning
* [Bug 2775] ntp-keygen.c fails to compile under Windows.
* [Bug 2777] Fixed loops and decoding of Meinberg GPS satellite info.
  Removed non-ASCII characters from some copyright comments.
  Removed trailing whitespace.
  Updated definitions for Meinberg clocks from current Meinberg header files.
  Now use C99 fixed-width types and avoid non-ASCII characters in comments.
  Account for updated definitions pulled from Meinberg header files.
  Updated comments on Meinberg GPS receivers which are not only called GPS16x.
  Replaced some constant numbers by defines from ntp_calendar.h
  Modified creation of parse-specific variables for Meinberg devices
  in gps16x_message().
  Reworked mk_utcinfo() to avoid printing of ambiguous leap second dates.
  Modified mbg_tm_str() which now expexts an additional parameter controlling
  if the time status shall be printed.
* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.
* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.
* [Bug 2783] Quiet autoconf warnings about missing AC_LANG_SOURCE.
* [Bug 2789] Quiet compiler warnings from libevent.
* [Bug 2790] If ntpd sets the Windows MM timer highest resolution
  pause briefly before measuring system clock precision to yield
  correct results.
* Comment from Juergen Perlinger in ntp_calendar.c to make the code clearer.
* Use predefined function types for parse driver functions
  used to set up function pointers.
  Account for changed prototype of parse_inp_fnc_t functions.
  Cast parse conversion results to appropriate types to avoid
  compiler warnings.
  Let ioctl() for Windows accept a (void *) to avoid compiler warnings
  when called with pointers to different types.

---
NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 

Focus: Security and Bug fixes, enhancements.

Severity: HIGH
 
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* vallen is not validated in several places in ntp_crypto.c, leading
  to a potential information leak or possibly a crash

    References: Sec 2671 / CVE-2014-9297 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
    Summary: The vallen packet value is not validated in several code
             paths in ntp_crypto.c which can lead to information leakage
             or perhaps a crash of the ntpd process.
    Mitigation - any of:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
                or the NTP Public Services Project Download Page.
        Disable Autokey Authentication by removing, or commenting out,
                all configuration directives beginning with the "crypto"
                keyword in your ntp.conf file. 
    Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team, with additional cases found by Sebastian
        Krahmer of the SUSE Security Team and Harlan Stenn of Network
        Time Foundation. 

* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
  can be bypassed.

    References: Sec 2672 / CVE-2014-9298 / VU#852879
    Affects: All NTP4 releases before 4.2.8p1, under at least some
        versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
    Summary: While available kernels will prevent 127.0.0.1 addresses
        from "appearing" on non-localhost IPv4 interfaces, some kernels
        do not offer the same protection for ::1 source addresses on
        IPv6 interfaces. Since NTP's access control is based on source
        address and localhost addresses generally have no restrictions,
        an attacker can send malicious control and configuration packets
        by spoofing ::1 addresses from the outside. Note Well: This is
        not really a bug in NTP, it's a problem with some OSes. If you
        have one of these OSes where ::1 can be spoofed, ALL ::1 -based
        ACL restrictions on any application can be bypassed!
    Mitigation:
        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Install firewall rules to block packets claiming to come from
        ::1 from inappropriate network interfaces. 
    Credit: This vulnerability was discovered by Stephen Roettger of
        the Google Security Team. 

Additionally, over 30 bugfixes and improvements were made to the codebase.
See the ChangeLog for more information.

---
NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18) 
 
Focus: Security and Bug fixes, enhancements.
 
Severity: HIGH
 
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by
following the BCP of putting

 restrict default ... noquery

in the ntp.conf file.  With the exception of:

   receive(): missing return on error
   References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent
vulnerabilities listed below can be exploited if the source IP is
restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
        would generate a random key on the fly.  There were two
        problems with this: 1) the generated key was 31 bits in size,
        and 2) it used the (now weak) ntp_random() function, which was
        seeded with a 32-bit value and could only provide 32 bits of
        entropy.  This was sufficient back in the late 1990s when the
        code was written.  Not today.

  Mitigation - any of:
        - Upgrade to 4.2.7p11 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
        of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
        prepare a random number generator that was of good quality back
        in the late 1990s. The random numbers produced was then used to
        generate symmetric keys. In ntp-4.2.8 we use a current-technology
        cryptographic random number generator, either RAND_bytes from
        OpenSSL, or arc4random(). 

  Mitigation - any of:
        - Upgrade to 4.2.7p230 or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit:  This vulnerability was discovered in ntp-4.2.6 by
        Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
        file contains a 'crypto pw ...' directive) a remote attacker
        can send a carefully crafted packet that can overflow a stack
        buffer and potentially allow malicious code to be executed
        with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later, or
        - Disable Autokey Authentication by removing, or commenting out,
          all configuration directives beginning with the crypto keyword
          in your ntp.conf file. 

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team. 

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team. 

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
        can overflow a stack buffer and potentially allow malicious
        code to be executed with the privilege level of the ntpd process.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later.
        - Follow BCP and put 'restrict ... noquery' in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team. 

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
        the code path where an error was detected, which meant
        processing did not stop when a specific rare error occurred.
        We haven't found a way for this bug to affect system integrity.
        If there is no way to affect system integrity the base CVSS
        score for this bug is 0. If there is one avenue through which
        system integrity can be partially affected, the base score
        becomes a 5. If system integrity can be partially affected
        via all three integrity metrics, the CVSS base score become 7.5.

  Mitigation - any of:
        - Upgrade to 4.2.8, or later,
        - Remove or comment out all configuration directives
          beginning with the crypto keyword in your ntp.conf file. 

  Credit: This vulnerability was discovered by Stephen Roettger of the
        Google Security Team. 

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters

The internal counters that track the "era" (range of years) we are in
rolls over every 136 years'.  The current "era" started at the stroke of
midnight on 1 Jan 1900, and ends just before the stroke of midnight on
1 Jan 2036.
In the past, we have used the "midpoint" of the  range to decide which
era we were in.  Given the longevity of some products, it became clear
that it would be more functional to "look back" less, and "look forward"
more.  We now compile a timestamp into the ntpd executable and when we
get a timestamp we us the "built-on" to tell us what era we are in.
This check "looks back" 10 years, and "looks forward" 126 years.

* ntpdc responses disabled by default

Dave Hart writes:

For a long time, ntpq and its mostly text-based mode 6 (control) 
protocol have been preferred over ntpdc and its mode 7 (private 
request) protocol for runtime queries and configuration.  There has 
been a goal of deprecating ntpdc, previously held back by numerous 
capabilities exposed by ntpdc with no ntpq equivalent.  I have been 
adding commands to ntpq to cover these cases, and I believe I've 
covered them all, though I've not compared command-by-command 
recently. 

As I've said previously, the binary mode 7 protocol involves a lot of 
hand-rolled structure layout and byte-swapping code in both ntpd and 
ntpdc which is hard to get right.  As ntpd grows and changes, the 
changes are difficult to expose via ntpdc while maintaining forward 
and backward compatibility between ntpdc and ntpd.  In contrast, 
ntpq's text-based, label=value approach involves more code reuse and 
allows compatible changes without extra work in most cases. 

Mode 7 has always been defined as vendor/implementation-specific while 
mode 6 is described in RFC 1305 and intended to be open to interoperate 
with other implementations.  There is an early draft of an updated 
mode 6 description that likely will join the other NTPv4 RFCs 
eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01)

For these reasons, ntpd 4.2.7p230 by default disables processing of 
ntpdc queries, reducing ntpd's attack surface and functionally 
deprecating ntpdc.  If you are in the habit of using ntpdc for certain 
operations, please try the ntpq equivalent.  If there's no equivalent, 
please open a bug report at http://bugs.ntp.org./

In addition to the above, over 1100 issues have been resolved between
the 4.2.6 branch and 4.2.8.  The ChangeLog file in the distribution
lists these.

--- 
NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24) 
 
Focus: Bug fixes
 
Severity: Medium 
 
This is a recommended upgrade. 

This release updates sys_rootdisp and sys_jitter calculations to match the
RFC specification, fixes a potential IPv6 address matching error for the
"nic" and "interface" configuration directives, suppresses the creation of
extraneous ephemeral associations for certain broadcastclient and
multicastclient configurations, cleans up some ntpq display issues, and
includes improvements to orphan mode, minor bugs fixes and code clean-ups.

New features / changes in this release:

ntpd

 * Updated "nic" and "interface" IPv6 address handling to prevent 
   mismatches with localhost [::1] and wildcard [::] which resulted from
   using the address/prefix format (e.g. fe80::/64)
 * Fix orphan mode stratum incorrectly counting to infinity
 * Orphan parent selection metric updated to includes missing ntohl()
 * Non-printable stratum 16 refid no longer sent to ntp
 * Duplicate ephemeral associations suppressed for broadcastclient and
   multicastclient without broadcastdelay
 * Exclude undetermined sys_refid from use in loopback TEST12
 * Exclude MODE_SERVER responses from KoD rate limiting
 * Include root delay in clock_update() sys_rootdisp calculations
 * get_systime() updated to exclude sys_residual offset (which only
   affected bits "below" sys_tick, the precision threshold)
 * sys.peer jitter weighting corrected in sys_jitter calculation

ntpq

 * -n option extended to include the billboard "server" column
 * IPv6 addresses in the local column truncated to prevent overruns

--- 
NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) 
 
Focus: Bug fixes and portability improvements 
 
Severity: Medium 
 
This is a recommended upgrade. 
 
This release includes build infrastructure updates, code 
clean-ups, minor bug fixes, fixes for a number of minor 
ref-clock issues, and documentation revisions. 
 
Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. 
 
New features / changes in this release: 
 
Build system 
 
* Fix checking for struct rtattr 
* Update config.guess and config.sub for AIX 
* Upgrade required version of autogen and libopts for building 
  from our source code repository 
 
ntpd 
 
* Back-ported several fixes for Coverity warnings from ntp-dev 
* Fix a rare boundary condition in UNLINK_EXPR_SLIST() 
* Allow "logconfig =allall" configuration directive 
* Bind tentative IPv6 addresses on Linux 
* Correct WWVB/Spectracom driver to timestamp CR instead of LF 
* Improved tally bit handling to prevent incorrect ntpq peer status reports 
* Exclude the Undisciplined Local Clock and ACTS drivers from the initial 
  candidate list unless they are designated a "prefer peer" 
* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for 
  selection during the 'tos orphanwait' period 
* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS 
  drivers 
* Improved support of the Parse Refclock trusttime flag in Meinberg mode 
* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() 
* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline 
  clock slew on Microsoft Windows 
* Code cleanup in libntpq 
 
ntpdc 
 
* Fix timerstats reporting 
 
ntpdate 
 
* Reduce time required to set clock 
* Allow a timeout greater than 2 seconds 
 
sntp 
 
* Backward incompatible command-line option change: 
  -l/--filelog changed -l/--logfile (to be consistent with ntpd) 
 
Documentation 
 
* Update html2man. Fix some tags in the .html files 
* Distribute ntp-wait.html 

---
NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, and documentation revisions.

Portability improvements in this release affect AIX, Atari FreeMiNT,
FreeBSD4, Linux and Microsoft Windows.

New features / changes in this release:

Build system
* Use lsb_release to get information about Linux distributions.
* 'test' is in /usr/bin (instead of /bin) on some systems.
* Basic sanity checks for the ChangeLog file.
* Source certain build files with ./filename for systems without . in PATH.
* IRIX portability fix.
* Use a single copy of the "libopts" code.
* autogen/libopts upgrade.
* configure.ac m4 quoting cleanup.

ntpd
* Do not bind to IN6_IFF_ANYCAST addresses.
* Log the reason for exiting under Windows.
* Multicast fixes for Windows.
* Interpolation fixes for Windows.
* IPv4 and IPv6 Multicast fixes.
* Manycast solicitation fixes and general repairs.
* JJY refclock cleanup.
* NMEA refclock improvements.
* Oncore debug message cleanup.
* Palisade refclock now builds under Linux.
* Give RAWDCF more baud rates.
* Support Truetime Satellite clocks under Windows.
* Support Arbiter 1093C Satellite clocks under Windows.
* Make sure that the "filegen" configuration command defaults to "enable".
* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver.
* Prohibit 'includefile' directive in remote configuration command.
* Fix 'nic' interface bindings.
* Fix the way we link with openssl if openssl is installed in the base
  system.

ntp-keygen
* Fix -V coredump.
* OpenSSL version display cleanup.

ntpdc
* Many counters should be treated as unsigned.

ntpdate
* Do not ignore replies with equal receive and transmit timestamps.

ntpq
* libntpq warning cleanup.

ntpsnmpd
* Correct SNMP type for "precision" and "resolution".
* Update the MIB from the draft version to RFC-5907.

sntp
* Display timezone offset when showing time for sntp in the local
  timezone.
* Pay proper attention to RATE KoD packets.
* Fix a miscalculation of the offset.
* Properly parse empty lines in the key file.
* Logging cleanup.
* Use tv_usec correctly in set_time().
* Documentation cleanup.

---
NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08)

Focus: Bug fixes and portability improvements

Severity: Medium

This is a recommended upgrade.

This release includes build infrastructure updates, code
clean-ups, minor bug fixes, fixes for a number of minor
ref-clock issues, improved KOD handling, OpenSSL related
updates and documentation revisions.

Portability improvements in this release affect Irix, Linux,
Mac OS, Microsoft Windows, OpenBSD and QNX6

New features / changes in this release:

ntpd
* Range syntax for the trustedkey configuration directive
* Unified IPv4 and IPv6 restrict lists

ntpdate
* Rate limiting and KOD handling

ntpsnmpd
* default connection to net-snmpd via a unix-domain socket
* command-line 'socket name' option

ntpq / ntpdc
* support for the "passwd ..." syntax
* key-type specific password prompts

sntp
* MD5 authentication of an ntpd
* Broadcast and crypto
* OpenSSL support

---
NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09)

Focus: Bug fixes, portability fixes, and documentation improvements

Severity: Medium

This is a recommended upgrade.

---
NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: enhancements and bug fixes.

---
NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.

  See http://support.ntp.org/security for more information.

  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
  request or a mode 7 error response from an address which is not listed
  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
  reply with a mode 7 error response (and log a message).  In this case:

        * If an attacker spoofs the source address of ntpd host A in a
          mode 7 response packet sent to ntpd host B, both A and B will
          continuously send each other error responses, for as long as
          those packets get through.

        * If an attacker spoofs an address of ntpd host A in a mode 7
          response packet sent to ntpd host A, A will respond to itself
          endlessly, consuming CPU and logging excessively.

  Credit for finding this vulnerability goes to Robin Park and Dmitri
  Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
ntpd now syncs to refclocks right away.

Backward-Incompatible changes:

ntpd no longer accepts '-v name' or '-V name' to define internal variables.
Use '--var name' or '--dvar name' instead. (Bug 817)

---
NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)

Focus: Security and Bug Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252

  See http://support.ntp.org/security for more information.

  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
  line) then a carefully crafted packet sent to the machine will cause
  a buffer overflow and possible execution of injected code, running
  with the privileges of the ntpd process (often root).

  Credit for finding this vulnerability goes to Chris Ries of CMU.

This release fixes the following low-severity vulnerabilities:

* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
  Credit for finding this vulnerability goes to Geoff Keating of Apple.
  
* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
  Credit for finding this issue goes to Dave Hart.

This release fixes a number of bugs and adds some improvements:

* Improved logging
* Fix many compiler warnings
* Many fixes and improvements for Windows
* Adds support for AIX 6.1
* Resolves some issues under MacOS X and Solaris

THIS IS A STRONGLY RECOMMENDED UPGRADE.

---
NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)

Focus: Security Fix

Severity: Low

This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
the OpenSSL library relating to the incorrect checking of the return
value of EVP_VerifyFinal function.

Credit for finding this issue goes to the Google Security Team for
finding the original issue with OpenSSL, and to ocert.org for finding
the problem in NTP and telling us about it.

This is a recommended upgrade.
---
NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)

Focus: Minor Bugfixes 

This release fixes a number of Windows-specific ntpd bugs and 
platform-independent ntpdate bugs. A logging bugfix has been applied
to the ONCORE driver.

The "dynamic" keyword and is now obsolete and deferred binding to local 
interfaces is the new default. The minimum time restriction for the 
interface update interval has been dropped. 

A number of minor build system and documentation fixes are included. 

This is a recommended upgrade for Windows. 

---
NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)

Focus: Minor Bugfixes

This release updates certain copyright information, fixes several display
bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
shutdown in the parse refclock driver, removes some lint from the code,
stops accessing certain buffers immediately after they were freed, fixes
a problem with non-command-line specification of -6, and allows the loopback
interface to share addresses with other interfaces.

---
NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)

Focus: Minor Bugfixes

This release fixes a bug in Windows that made it difficult to
terminate ntpd under windows.
This is a recommended upgrade for Windows.

---
NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)

Focus: Minor Bugfixes

This release fixes a multicast mode authentication problem, 
an error in NTP packet handling on Windows that could lead to 
ntpd crashing, and several other minor bugs. Handling of 
multicast interfaces and logging configuration were improved. 
The required versions of autogen and libopts were incremented.
This is a recommended upgrade for Windows and multicast users.

---
NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)

Focus: enhancements and bug fixes.

Dynamic interface rescanning was added to simplify the use of ntpd in 
conjunction with DHCP. GNU AutoGen is used for its command-line options 
processing. Separate PPS devices are supported for PARSE refclocks, MD5 
signatures are now provided for the release files. Drivers have been 
added for some new ref-clocks and have been removed for some older 
ref-clocks. This release also includes other improvements, documentation 
and bug fixes. 

K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
C support.

---
NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)

Focus: enhancements and bug fixes.