From: Harlan Stenn Date: Tue, 8 Dec 2009 10:36:47 +0000 (-0500) Subject: [Sec 1331] DoS with mode 7 packets - CVE-2009-3563 X-Git-Tag: NTP_4_2_4P9_RC1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=352e3a0850f6782348300e1f86aa65ebce6fc7a4;p=thirdparty%2Fntp.git [Sec 1331] DoS with mode 7 packets - CVE-2009-3563 bk: 4b1e2c3froEZ61lPUk5xrnXxdCpsKg --- diff --git a/NEWS b/NEWS index bbd4939ba..729a91f0f 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,37 @@ +NTP 4.2.4p8 (Harlan Stenn , 2009/12/08) + +Focus: Security Fixes + +Severity: HIGH + +This release fixes the following high-severity vulnerability: + +* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. + + See http://support.ntp.org/security for more information. + + NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. + In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time + transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 + request or a mode 7 error response from an address which is not listed + in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will + reply with a mode 7 error response (and log a message). In this case: + + * If an attacker spoofs the source address of ntpd host A in a + mode 7 response packet sent to ntpd host B, both A and B will + continuously send each other error responses, for as long as + those packets get through. + + * If an attacker spoofs an address of ntpd host A in a mode 7 + response packet sent to ntpd host A, A will respond to itself + endlessly, consuming CPU and logging excessively. + + Credit for finding this vulnerability goes to Robin Park and Dmitri + Vinokurov of Alcatel-Lucent. + +THIS IS A STRONGLY RECOMMENDED UPGRADE. + +--- NTP 4.2.4p7 (Harlan Stenn , 2009/05/04) Focus: Security and Bug Fixes diff --git a/packageinfo.sh b/packageinfo.sh index 693618e7b..98966dc9e 100644 --- a/packageinfo.sh +++ b/packageinfo.sh 
@@ -9,7 +9,7 @@ version=${proto}.${major}.${minor} # - Numeric values increment # - empty 'increments' to 1 # - NEW 'increments' to empty -point=7 +point=8 # Special. Normally unused. A suffix. #special=ag special= @@ -23,7 +23,7 @@ CLTAG=NTP_4_2_0 ### # The following is for ntp-stable. 2 cases: # - Numeric values increment -# - GO triggers a release +# - GO triggers a release (from releasecandidate=yes) # - - rcpoint gets set to 0 # - - releasecandidate gets set to no # - GRONK is for -dev
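Review bot: In the NEWS hunk, the new 4.2.4p8 entry describes the mode 7 error-response loop but gives no explicit guidance for sites that cannot upgrade at once, and it does not say what the fixed ntpd does differently. The text already implies the workaround, since the reply is sent only to an address "which is not listed in a "restrict ... noquery" or "restrict ... ignore" statement"; suggest stating that as a mitigation in its own paragraph, and adding one sentence on the behaviour change in the fixed release so the entry can be read without following the support.ntp.org/security link.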
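Review bot: In the first packageinfo.sh hunk, point=8 agrees with the "NTP 4.2.4p8" heading added to NEWS, but the diff as shown touches only NEWS and packageinfo.sh, so the commit titled "[Sec 1331] DoS with mode 7 packets - CVE-2009-3563" contains no ntpd source change. If the code fix is in a separate changeset, reference it in the commit message so the version bump can be traced to the change it ships.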
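Review bot: In the second packageinfo.sh hunk, the comment edit to "# - GO triggers a release (from releasecandidate=yes)" is unrelated to the security fix in the subject line and would be easier to audit as its own commit. The parenthetical is also terse: spell out whether GO is only meaningful when releasecandidate is already yes, since the next two comment lines describe rcpoint and releasecandidate being reset as a result.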