From: Harlan Stenn Date: Wed, 4 Feb 2015 07:16:30 +0000 (+0000) Subject: Update the ChangeLog and NEWS files X-Git-Tag: NTP_4_2_8P1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=261033f76615439586287ace0731a511e8eddab4;p=thirdparty%2Fntp.git Update the ChangeLog and NEWS files bk: 54d1c74ezlwSd6R6h6Q5q-kYMyyRXQ --- diff --git a/ChangeLog b/ChangeLog index 5d2de229b..8c4e90593 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,8 @@ --- + +* Update the NEWS file. +* [Sec 2671] vallen in extension fields are not validated. +--- (4.2.8p1-RC2) 2015/01/29 Released by Harlan Stenn * [Bug 2627] shm refclock allows only two units with owner-only access @@ -19,7 +23,6 @@ * Start the RC for 4.2.8p1. * [Bug 2187] Update version number generation scripts. * [Bug 2617] Fix sntp Usage documentation section. -* [Sec 2671] vallen in extension fields are not validated. * [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed... * [Bug 2736] Show error message if we cannot open the config file. * Copyright update. diff --git a/NEWS b/NEWS index 9761435a6..d33f05998 100644 --- a/NEWS +++ b/NEWS 
@@ -1,3 +1,63 @@ +--- +NTP 4.2.8p1 (Harlan Stenn , 2015/02/04) + +Focus: Security and Bug fixes, enhancements. + +Severity: HIGH + +In addition to bug fixes and enhancements, this release fixes the +following high-severity vulnerabilities: + +* vallen is not validated in several places in ntp_crypto.c, leading + to a potential information leak or possibly a crash + + References: Sec 2671 / CVE-2014-9297 / VU#852879 + Affects: All NTP4 releases before 4.2.8p1 that are running autokey. + CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 + Date Resolved: Stable (4.2.8p1) 04 Feb 2015 + Summary: The vallen packet value is not validated in several code + paths in ntp_crypto.c which can lead to information leakage + or perhaps a crash of the ntpd process. + Mitigation - any of: + Upgrade to 4.2.8p1, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Disable Autokey Authentication by removing, or commenting out, + all configuration directives beginning with the "crypto" + keyword in your ntp.conf file. + Credit: This vulnerability was discovered by Stephen Roettger of the + Google Security Team, with additional cases found by Sebastian + Krahmer of the SUSE Security Team and Harlan Stenn of Network + Time Foundation. + +* ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses + can be bypassed. + + References: Sec 2672 / CVE-2014-9298 / VU#852879 + Affects: All NTP4 releases before 4.2.8p1, under at least some + versions of MacOS and Linux. *BSD has not been seen to be vulnerable. + CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:C) Base Score: 9 + Date Resolved: Stable (4.2.8p1) 04 Feb 2014 + Summary: While available kernels will prevent 127.0.0.1 addresses + from "appearing" on non-localhost IPv4 interfaces, some kernels + do not offer the same protection for ::1 source addresses on + IPv6 interfaces. 
Since NTP's access control is based on source + address and localhost addresses generally have no restrictions, + an attacker can send malicious control and configuration packets + by spoofing ::1 addresses from the outside. Note Well: This is + not really a bug in NTP, it's a problem with some OSes. If you + have one of these OSes where ::1 can be spoofed, ALL ::1 -based + ACL restrictions on any application can be bypassed! + Mitigation: + Upgrade to 4.2.8p1, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Install firewall rules to block packets claiming to come from + ::1 from inappropriate network interfaces. + Credit: This vulnerability was discovered by Stephen Roettger of + the Google Security Team. + +Additionally, over 30 bugfixes and improvements were made to the codebase. +See the ChangeLog for more information. + --- NTP 4.2.8 (Harlan Stenn , 2014/12/18)
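Review bot: In the ChangeLog hunks, the [Sec 2671] line removed at @@ -19,7 +23,6 @@ is re-added with identical wording under the new top section, so the older section (the one containing "Start the RC for 4.2.8p1") no longer shows that it carried a change for this issue, while [Sec 2672] stays there even though NEWS lists both as resolved in 4.2.8p1. If the new top entry covers the additional cases that the NEWS credit mentions, say so in the entry and leave the original line where it was; if it is a pure move, a word in the commit message explaining why would help. The entry also reads "vallen in extension fields are not validated"; "is not validated" would match the wording used in NEWS.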
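Review bot: In the NEWS hunk, the Sec 2672 entry gives "Date Resolved: Stable (4.2.8p1) 04 Feb 2014", which disagrees with the release header (2015/02/04) and with the Sec 2671 entry's "04 Feb 2015"; the year should be 2015. In the same entry the mitigation list is headed "Mitigation:" where the Sec 2671 entry uses "Mitigation - any of:", so it is unclear whether the upgrade and the firewall rule are alternatives or both required; use the same heading in both entries. The first mitigation item there is also missing its final period, and "Base Score: 9" would be consistent with the other entry as "9.0".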