Update the ChangeLog and NEWS files

bk: 54d1c74ezlwSd6R6h6Q5q-kYMyyRXQ

diff --git a/ChangeLog b/ChangeLog
index 5d2de229beb770335682721161e9dc6a3b6db507..8c4e905939c00ba502d69d619b14f127ad0c7f2f 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
 ---
+
+* Update the NEWS file.
+* [Sec 2671] vallen in extension fields are not validated.
+---
 (4.2.8p1-RC2) 2015/01/29 Released by Harlan Stenn <stenn@ntp.org>
 
 * [Bug 2627] shm refclock allows only two units with owner-only access
@@ -19,7 +23,6 @@
 * Start the RC for 4.2.8p1.
 * [Bug 2187] Update version number generation scripts.
 * [Bug 2617] Fix sntp Usage documentation section.
-* [Sec 2671] vallen in extension fields are not validated.
 * [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...
 * [Bug 2736] Show error message if we cannot open the config file.
 * Copyright update.

diff --git a/NEWS b/NEWS
index 9761435a6173f64402d4dddd0b6d5b3ac34a6bb5..d33f059985e4a0089424c23ddd641c1cfc3094a2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,63 @@
+---
+NTP 4.2.8p1 (Harlan Stenn <stenn@ntp.org>, 2015/02/04) 
+
+Focus: Security and Bug fixes, enhancements.
+
+Severity: HIGH
+ 
+In addition to bug fixes and enhancements, this release fixes the
+following high-severity vulnerabilities:
+
+* vallen is not validated in several places in ntp_crypto.c, leading
+  to a potential information leak or possibly a crash
+
+    References: Sec 2671 / CVE-2014-9297 / VU#852879
+    Affects: All NTP4 releases before 4.2.8p1 that are running autokey.
+    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
+    Date Resolved: Stable (4.2.8p1) 04 Feb 2015
+    Summary: The vallen packet value is not validated in several code
+             paths in ntp_crypto.c which can lead to information leakage
+            or perhaps a crash of the ntpd process.
+    Mitigation - any of:
+       Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
+               or the NTP Public Services Project Download Page.
+       Disable Autokey Authentication by removing, or commenting out,
+               all configuration directives beginning with the "crypto"
+               keyword in your ntp.conf file. 
+    Credit: This vulnerability was discovered by Stephen Roettger of the
+       Google Security Team, with additional cases found by Sebastian
+       Krahmer of the SUSE Security Team and Harlan Stenn of Network
+       Time Foundation. 
+
+* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses
+  can be bypassed.
+
+    References: Sec 2672 / CVE-2014-9298 / VU#852879
+    Affects: All NTP4 releases before 4.2.8p1, under at least some
+       versions of MacOS and Linux. *BSD has not been seen to be vulnerable.
+    CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9
+    Date Resolved: Stable (4.2.8p1) 04 Feb 2014
+    Summary: While available kernels will prevent 127.0.0.1 addresses
+       from "appearing" on non-localhost IPv4 interfaces, some kernels
+       do not offer the same protection for ::1 source addresses on
+       IPv6 interfaces. Since NTP's access control is based on source
+       address and localhost addresses generally have no restrictions,
+       an attacker can send malicious control and configuration packets
+       by spoofing ::1 addresses from the outside. Note Well: This is
+       not really a bug in NTP, it's a problem with some OSes. If you
+       have one of these OSes where ::1 can be spoofed, ALL ::1 -based
+       ACL restrictions on any application can be bypassed!
+    Mitigation:
+        Upgrade to 4.2.8p1, or later, from the NTP Project Download Page
+       or the NTP Public Services Project Download Page
+        Install firewall rules to block packets claiming to come from
+       ::1 from inappropriate network interfaces. 
+    Credit: This vulnerability was discovered by Stephen Roettger of
+       the Google Security Team. 
+
+Additionally, over 30 bugfixes and improvements were made to the codebase.
+See the ChangeLog for more information.
+
 ---
 NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)