From: Harlan Stenn Date: Tue, 18 Feb 2020 03:32:51 +0000 (+0000) Subject: Update the NEWS file for p14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4de809955b65501b14171a9f8a18c65f6346199f;p=thirdparty%2Fntp.git Update the NEWS file for p14 bk: 5e4b5ae3hXiN5KB_YA0NWQdW1sytng --- diff --git a/NEWS b/NEWS index 5cae9372a..69b49fbd7 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,110 @@ +--- +NTP 4.2.8p14 (Harlan Stenn , 2020 Mar 03) + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + +This release fixes three vulnerabilities: a bug that causes causes an ntpd +instance that is explicitly configured to override the default and allow +ntpdc (mode 7) connections to be made to a server to read some uninitialized +memory; fixes the case where an unmonitored ntpd using an unauthenticated +association to its servers may be susceptible to a forged packet DoS attack; +and fixes an attack against a single unauthenticated unsynchronized +symmetric peer. It also fixes 46 other bugs and addresses 4 other issues. + +* [Sec 3610] process_control() should bail earlier on short packets. stenn@ + - Reported by Philippe Antoine +* [Sec 3596] Highly predictable timestamp attack. + - Reported by Miroslav Lichvar +* [Sec 3592] DoS attack on client ntpd + - Reported by Miroslav Lichvar +* [Bug 3637] Emit the version of ntpd in saveconfig. stenn@ +* [Bug 3636] NMEA: combine time/date from multiple sentences +* [Bug 3635] Make leapsecond file hash check optional +* [Bug 3634] Typo in discipline.html, reported by Jason Harrison. stenn@ +* [Bug 3628] raw DCF decoding - improve robustness with Zeller's congruence + - implement Zeller's congruence in libparse and libntp +* [Bug 3627] SIGSEGV on FreeBSD-12 with stack limit and stack gap + - integrated patch by Cy Schubert +* [Bug 3620] memory leak in ntpq sysinfo + - applied patch by Gerry Garvey +* [Bug 3619] Honour drefid setting in cooked mode and sysinfo + - applied patch by Gerry Garvey +* [Bug 3617] Add support for ACE III and Copernicus II receivers + - integrated patch by Richard Steedman +* [Bug 3615] accelerate refclock startup +* [Bug 3613] Propagate noselect to mobilized pool servers + - Reported by Martin Burnicki +* [Bug 3612] Use-of-uninitialized-value in receive function + - Reported by Philippe Antoine +* [Bug 3611] NMEA time interpreted incorrectly + - officially document new "trust date" mode bit for NMEA driver + - restore the (previously undocumented) "trust date" feature lost with [bug 3577] +* [Bug 3609] Fixing wrong falseticker in case of non-statistic jitter + - mostly based on a patch by Michael Haardt, implementing 'fudge minjitter' +* [Bug 3608] libparse fails to compile on S11.4SRU13 and later + - removed ffs() and fls() prototypes as per Brian Utterback +* [Bug 3604] Wrong param byte order passing into record_raw_stats() in + ntp_io.c + - fixed byte and paramter order as suggested by wei6410@sina.com +* [Bug 3601] Tests fail to link on platforms with ntp_cv_gc_sections_runs=no +* [Bug 3599] Build fails on linux-m68k due to alignment issues + - added padding as suggested by John Paul Adrian Glaubitz +* [Bug 3594] ntpd discards messages coming through nmead +* [Bug 3593] ntpd discards silently nmea messages after the 5th string +* [Bug 3590] Update refclock_oncore.c to the new GPS date API +* [Bug 3585] Unity tests mix buffered and unbuffered output + - stdout+stderr are set to line buffered during test setup now +* [Bug 3583] synchronization error + - set clock to base date if system time is before that limit +* [Bug 3582] gpsdjson refclock fudgetime1 adjustment is doubled +* [Bug 3580] Possible bug ntpq-subs (NULL dereference in dogetassoc) + - Reported by Paulo Neves +* [Bug 3577] Update refclock_zyfer.c to the new GPS date API + - also updates for refclock_nmea.c and refclock_jupiter.c +* [Bug 3576] New GPS date function API +* [Bug 3573] nptdate: missleading error message +* [Bug 3570] NMEA driver docs: talker ID not mentioned, typo +* [Bug 3569] cleanup MOD_NANO/STA_NANO handling for 'ntpadjtimex()' + - sidekick: service port resolution in 'ntpdate' +* [Bug 3550] Reproducible build: Respect SOURCE_DATE_EPOCH + - applied patch by Douglas Royds +* [Bug 3542] ntpdc monlist parameters cannot be set +* [Bug 3533] ntpdc peer_info ipv6 issues + - applied patch by Gerry Garvey +* [Bug 3531] make check: test-decodenetnum fails + - try to harden 'decodenetnum()' against 'getaddrinfo()' errors + - fix wrong cond-compile tests in unit tests +* [Bug 3517] Reducing build noise +* [Bug 3516] Require tooling from this decade + - patch by Philipp Prindeville +* [Bug 3515] Refactor ntpdmain() dispatcher loop and group common code + - patch by Philipp Prindeville +* [Bug 3511] Get rid of AC_LANG_SOURCE() warnings + - patch by Philipp Prindeville +* [Bug 3510] Flatten out the #ifdef nesting in ntpdmain() + - partial application of patch by Philipp Prindeville +* [Bug 3491] Signed values of LFP datatypes should always display a sign + - applied patch by Gerry Garvey & fixed unit tests +* [Bug 3490] Patch to support Trimble Resolution Receivers + - applied (modified) patch by Richard Steedman +* [Bug 3473] RefID of refclocks should always be text format + - applied patch by Gerry Garvey (with minor formatting changes) +* [Bug 3132] Building 4.2.8p8 with disabled local libopts fails + - applied patch by Miroslav Lichvar +* [Bug 3094] ntpd trying to listen for broadcasts on a completely ipv6 network + +* [Bug 2420] ntpd doesn't run and exits with retval 0 when invalid user + is specified with -u + - monitor daemon child startup & propagate exit codes +* [Bug 1433] runtime check whether the kernel really supports capabilities + - (modified) patch by Kurt Roeckx +* Clean up sntp/networking.c:sendpkt() error message. +* Provide more detail on unrecognized config file parser tokens. +* Startup log improvements. +* Update the copyright year. + --- NTP 4.2.8p13 (Harlan Stenn , 2019 Mar 07)