PageRenderTime 50ms CodeModel.GetById 41ms app.highlight 3ms RepoModel.GetById 1ms app.codeStats 1ms

/contrib/ntp/NEWS

https://bitbucket.org/freebsd/freebsd-head/
#! | 157 lines | 107 code | 50 blank | 0 comment | 0 complexity | d5357235a443a995ceece8e1187cc02d MD5 | raw file
  1NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
  2
  3Focus: Security Fixes
  4
  5Severity: HIGH
  6
  7This release fixes the following high-severity vulnerability:
  8
  9* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
 10
 11  See http://support.ntp.org/security for more information.
 12
 13  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
 14  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
 15  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
 16  request or a mode 7 error response from an address which is not listed
 17  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
 18  reply with a mode 7 error response (and log a message).  In this case:
 19
 20	* If an attacker spoofs the source address of ntpd host A in a
 21	  mode 7 response packet sent to ntpd host B, both A and B will
 22	  continuously send each other error responses, for as long as
 23	  those packets get through.
 24
 25	* If an attacker spoofs an address of ntpd host A in a mode 7
 26	  response packet sent to ntpd host A, A will respond to itself
 27	  endlessly, consuming CPU and logging excessively.
 28
 29  Credit for finding this vulnerability goes to Robin Park and Dmitri
 30  Vinokurov of Alcatel-Lucent.
 31
 32THIS IS A STRONGLY RECOMMENDED UPGRADE.
 33
 34---
 35NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
 36
 37Focus: Security and Bug Fixes
 38
 39Severity: HIGH
 40
 41This release fixes the following high-severity vulnerability:
 42
 43* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
 44
 45  See http://support.ntp.org/security for more information.
 46
 47  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
 48  line) then a carefully crafted packet sent to the machine will cause
 49  a buffer overflow and possible execution of injected code, running
 50  with the privileges of the ntpd process (often root).
 51
 52  Credit for finding this vulnerability goes to Chris Ries of CMU.
 53
 54This release fixes the following low-severity vulnerabilities:
 55
 56* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
 57  Credit for finding this vulnerability goes to Geoff Keating of Apple.
 58  
 59* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
 60  Credit for finding this issue goes to Dave Hart.
 61
 62This release fixes a number of bugs and adds some improvements:
 63
 64* Improved logging
 65* Fix many compiler warnings
 66* Many fixes and improvements for Windows
 67* Adds support for AIX 6.1
 68* Resolves some issues under MacOS X and Solaris
 69
 70THIS IS A STRONGLY RECOMMENDED UPGRADE.
 71
 72---
 73NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
 74
 75Focus: Security Fix
 76
 77Severity: Low
 78
 79This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
 80the OpenSSL library relating to the incorrect checking of the return
 81value of EVP_VerifyFinal function.
 82
 83Credit for finding this issue goes to the Google Security Team for
 84finding the original issue with OpenSSL, and to ocert.org for finding
 85the problem in NTP and telling us about it.
 86
 87This is a recommended upgrade.
 88---
 89NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
 90
 91Focus: Minor Bugfixes 
 92
 93This release fixes a number of Windows-specific ntpd bugs and 
 94platform-independent ntpdate bugs. A logging bugfix has been applied
 95to the ONCORE driver.
 96
 97The "dynamic" keyword and is now obsolete and deferred binding to local 
 98interfaces is the new default. The minimum time restriction for the 
 99interface update interval has been dropped. 
100
101A number of minor build system and documentation fixes are included. 
102
103This is a recommended upgrade for Windows. 
104
105---
106NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10)
107
108Focus: Minor Bugfixes
109
110This release updates certain copyright information, fixes several display
111bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor
112shutdown in the parse refclock driver, removes some lint from the code,
113stops accessing certain buffers immediately after they were freed, fixes
114a problem with non-command-line specification of -6, and allows the loopback
115interface to share addresses with other interfaces.
116
117---
118NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29)
119
120Focus: Minor Bugfixes
121
122This release fixes a bug in Windows that made it difficult to
123terminate ntpd under windows.
124This is a recommended upgrade for Windows.
125
126---
127NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19)
128
129Focus: Minor Bugfixes
130
131This release fixes a multicast mode authentication problem, 
132an error in NTP packet handling on Windows that could lead to 
133ntpd crashing, and several other minor bugs. Handling of 
134multicast interfaces and logging configuration were improved. 
135The required versions of autogen and libopts were incremented.
136This is a recommended upgrade for Windows and multicast users.
137
138---
139NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31)
140
141Focus: enhancements and bug fixes.
142
143Dynamic interface rescanning was added to simplify the use of ntpd in 
144conjunction with DHCP. GNU AutoGen is used for its command-line options 
145processing. Separate PPS devices are supported for PARSE refclocks, MD5 
146signatures are now provided for the release files. Drivers have been 
147added for some new ref-clocks and have been removed for some older 
148ref-clocks. This release also includes other improvements, documentation 
149and bug fixes. 
150
151K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI 
152C support.
153
154---
155NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15)
156
157Focus: enhancements and bug fixes.