From: Harlan Stenn Date: Tue, 23 Jan 2018 12:43:17 +0000 (+0000) Subject: Update NEWS file X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12e82dbe0f5c65dcd375ba7789a5ff350438a465;p=thirdparty%2Fntp.git Update NEWS file bk: 5a672de59aqTx9V2SmQlOP3LPig9Dg --- diff --git a/NEWS b/NEWS index 048a0a1e4..cef60db76 100644 --- a/NEWS +++ b/NEWS 
@@ -1,12 +1,48 @@ -- +NTP 4.2.8p11 (Harlan Stenn , 2018/02/06) -update-leap needs: +NOTE: this NEWS file will be undergoing more revisions. + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM ? + +This release fixes 1 medium-, 2 low-/medium-, and 1 informational/medum-severity +vulnerabilities, and provides 58 other non-security fixes and improvements: + +update-leap needs the following perl modules: Net::SSLeay IO::Socket::SSL -New sysstats variables: sys_lamport, sys_tsrounding -See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" - +Likely no longer needed: + New sysstats variables: sys_lamport, sys_tsrounding + See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" + sys_lamport counts the number of observed Lamport violations, while + sys_tsrounding counts observed timestamp rounding events. + +New ntp.conf items: + +- restrict ... noepeer +- restrict ... ippeerlimit N + +The 'noepeer' directive will disallow all ephemeral/passive peer +requests. + +The 'ippeerlimit' directive limits the number of peer associations +for each IP in the designated set of addresses. This limit does not +apply to explicitly-configured peers. A value of -1, the current +default, means an unlimited number of peers may connect from a single +IP. 0 means "none", etc. Ordinarily the only way multiple peers would +come from the same IP would be if the remote side was using a proxy. +But a trusted peer might become compromised, in which case an attacker +might be able to spin up multiple authenticated peering sessions +from different ports. This directive should be helpful in this case. + +New ntp.keys feature: Each IP in the optional list of IPs in the 4th +field may contain a /subnetbits specification, which 'widens the scope' +of IPs that may use this key. This IP/subnet restriction can be used +to limit the IPs that may use the key in most all situations where a +key is used. -- NTP 4.2.8p10 (Harlan Stenn , 2017/03/21)
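Review bot: In the ippeerlimit paragraph, `0 means "none", etc.` leaves the meaning of positive values to inference, and because the stated default of -1 is unlimited, the protection against a compromised trusted peer opening multiple authenticated peering sessions is opt-in. Suggest stating outright that a positive N caps peer associations per IP, and that operators must set a limit on the relevant restrict line to get any benefit. In the sysstats block, the variables are introduced as sys_lamport and sys_tsrounding, but the ntpq command queries ss_lamport,ss_tsrounding. Use the names a reader will actually type, and say what "Likely no longer needed:" refers to, since it now heads a block that still documents those variables. Smaller points: "informational/medum-severity" should read "medium", "Severity: MEDIUM ?" carries a question mark that should be resolved before release, and "most all situations" in the ntp.keys paragraph would read better as "almost all situations".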