From: Harlan Stenn Date: Mon, 14 Nov 2016 05:59:31 +0000 (-0800) Subject: cleanup X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6832f65c2c2f64aef646ff8cc0c486bd0ae54560;p=thirdparty%2Fntp.git cleanup bk: 582952c3au0YftIwLRJQINgM3j33RA --- diff --git a/NEWS b/NEWS index e93e92c2b..0f10de2f7 100644 --- a/NEWS +++ b/NEWS 
@@ -9,127 +9,247 @@ In addition to bug fixes and enhancements, this release fixes the following X high- and Y low-severity vulnerabilities: * Trap crash - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. -X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX + Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, + and ntp-4.3.0 up to but not including ntp-4.3.94. + CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) + CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: + ntpd does not enable trap service by default. If trap service + has been explicitly enabled, an attacker can send a specially + crafted packet to cause a null pointer dereference that will + crash ntpd, resulting in a denial of service. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Use "restrict default noquery ..." in your ntp.conf file. Only + allow mode 6 queries from trusted networks and hosts. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. * Mode 6 information disclosure and DDoS vector - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. 
-X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX + Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, + and ntp-4.3.0 up to but not including ntp-4.3.94. + CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + An exploitable configuration modification vulnerability exists + in the control mode (mode 6) functionality of ntpd. If, against + long-standing BCP recommendations, "restrict default noquery ..." + is not specified, a specially crafted control mode packet can set + ntpd traps, providing information disclosure and DDoS + amplification, and unset ntpd traps, disabling legitimate + monitoring. A remote, unauthenticated, network attacker can + trigger this vulnerability. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Use "restrict default noquery ..." in your ntp.conf file. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. + +* Broadcast Mode Replay Prevention DoS + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3114 / CVE-2016-7427 / VU#XXXXX + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and + ntp-4.3.90 up to, but not including ntp-4.3.94. + CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + The broadcast mode of NTP is expected to only be used in a + trusted network. 
If the broadcast network is accessible to an + attacker, a potentially exploitable denial of service + vulnerability in ntpd's broadcast mode replay prevention + functionality can be abused. An attacker with access to the NTP + broadcast domain can periodically inject specially crafted + broadcast mode NTP packets into the broadcast domain which, + while being logged by ntpd, can cause ntpd to reject broadcast + mode packets from legitimate NTP broadcast servers. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. * Broadcast Mode Poll Interval Enforcement DoS - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3113 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. -X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3113 / CVE-2016-7428 / VU#XXXXX + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and + ntp-4.3.90 up to, but not including ntp-4.3.94 + CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) + CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: + The broadcast mode of NTP is expected to only be used in a + trusted network. If the broadcast network is accessible to an + attacker, a potentially exploitable denial of service + vulnerability in ntpd's broadcast mode poll interval enforcement + functionality can be abused. 
To limit abuse, ntpd restricts the + rate at which each broadcast association will process incoming + packets. ntpd will reject broadcast mode packets that arrive + before the poll interval specified in the preceding broadcast + packet expires. An attacker with access to the NTP broadcast + domain can send specially crafted broadcast mode NTP packets to + the broadcast domain which, while being logged by ntpd, will + cause ntpd to reject broadcast mode packets from legitimate NTP + broadcast servers. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Matthew Van Gundy of Cisco. * Windows: ntpd DoS by oversized UDP packet - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. -X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX + Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9, + and ntp-4.3.0 up to, but not including ntp-4.3.94. + CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) + CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + Summary: + If a vulnerable instance of ntpd on Windows receives a crafted + malicious packet that is "too big", ntpd will stop working. + Mitigation: Implement BCP-38. 
- Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. Credit: This weakness was discovered by Robert Pajak * 0rigin (zero origin) issues - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3102 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. -X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3102 / CVE-2016-7431 / VU#XXXXX + Affects: ntp-4.2.8p8, and ntp-4.3.93. + CVSS2: MED 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) + CVSS3: MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N + Summary: + Zero Origin timestamp problems were fixed by Bug 2945 in + ntp-4.2.8p6. However, subsequent timestamp validation checks + introduced a regression in the handling of some Zero origin + timestamp checks. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. - -* null pointer dereference in _IO_str_init_static_internal() - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3082 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. 
-X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Credit: This weakness was discovered by Sharon Goldberg and Aanchal + Malhotra of Boston University. + +* read_mru_list() does inadequate incoming packet checks + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3082 / CVE-2016-7434 / VU#XXXXX + Affects: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and + ntp-4.3.0 up to, but not including ntp-4.3.94. + CVSS2: LOW 3.8 (AV:L/AC:H/Au:S/C:N/I:N/A:C) + CVSS3: LOW 3.8 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H + Summary: + If ntpd is configured to allow mrulist query requests from a + server that sends a crafted malicious packet, ntpd will crash + on receipt of that crafted malicious mrulist query packet. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered by Magnus Stubman. * Attack on interface selection - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3072 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. 
-X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3072 / CVE-2016-7429 / VU#XXXXX + Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and + ntp-4.3.0 up to, but not including ntp-4.3.94 + CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) + CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L + Summary: + When ntpd receives a server response on a socket that corresponds + to a different interface than was used for the request, the peer + structure is updated to use the interface for new requests. If + ntpd is running on a host with multiple interfaces in separate + networks and the operating system doesn't check source address in + received packets (e.g. rp_filter on Linux is set to 0), an + attacker that knows the address of the source can send a packet + with spoofed source address which will cause ntpd to select wrong + interface for the source and prevent it from sending new requests + until the list of interfaces is refreshed, which happens on + routing changes or every 5 minutes by default. If the attack is + repeated often enough (once per second), ntpd will not be able to + synchronize with the source. + Mitigation: Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. 
+ +* Client rate limiting and server responses + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3071 / CVE-2016-7426 / VU#XXXXX + Affects: ntp-4.2.5p203, up to but not including ntp-4.2.8p9, and + ntp-4.3.0 up to, but not including ntp-4.3.94 + CVSS2: LOW 1.0 (AV:L/AC:H/Au:S/C:N/I:N/A:P) + CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L + Summary: + When ntpd is configured with rate limiting for all associations + (restrict default limited in ntp.conf), the limits are applied + also to responses received from its configured sources. An + attacker who knows the sources (e.g., from an IPv4 refid in + server response) and knows the system is (mis)configured in this + way can periodically send packets with spoofed source address to + keep the rate limiting activated and prevent ntpd from accepting + valid responses from its sources. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + +* Fix for bug 2085 broke initial sync calculations + Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 + References: Sec 3067 / CVE-2016-7433 / VU#XXXXX + Affects: ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and + ntp-4.3.0 up to, but not including ntp-4.3.94. But the + root-distance calculation in general is incorrect in all versions + of ntp-4 until this release. + and ntp-4.3.0 up to, but not including ntp-4.3.94 + CVSS2: LOW 1.2 (AV:L/AC:H/Au:N/C:N/I:N/A:P) + CVSS3: LOW 1.6 CVSS:3.0/AV:P/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L + Summary: + Bug 2085 described a condition where the root delay was included + twice, causing the jitter value to be higher than expected. 
Due + to a misinterpretation of a small-print variable in The Book, the + fix for this problem was incorrect, resulting in a root distance + that did not include the peer dispersion. The calculations and + formulae have been reviewed and reconciled, and the code has been + updated accordingly. + Mitigation: + Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + Credit: This weakness was discovered independently by Brian Utterback of + Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University. Other fixes: * [Bug 3138] gpsdjson refclock should honor fudgetime1. stenn@ntp.org +* [Bug 3129] Unknown hosts can put resolver thread into a hard loop + - moved retry decision where it belongs. * [Bug 3125] NTPD doesn't fully start when ntp.conf entries are out of order using the loopback-ppsapi-provider.dll * [Bug 3116] unit tests for NTP time stamp expansion. @@ -138,6 +258,8 @@ Other fixes: * [Bug 3095] Compatibility with openssl 1.1 - applied patches by Kurt Roeckx to source - added shim layer for SSL API calls with issues (both directions) +* [Bug 3089] Serial Parser does not work anymore for hopfser like device + - simplified / refactored hex-decoding in driver. * [Bug 3084] update-leap mis-parses the leapfile name. HStenn. * [Bug 3068] Linker warnings when building on Solaris. perlinger@ntp.org - applied patch thanks to Andrew Stormont 
@@ -166,9 +288,11 @@ Other fixes: even if it is very old - make sure PPS source is alive before processing samples - improve stability close to the 500ms phase jump (phase gate) +* Fix typos in include/ntp.h. * Shim X509_get_signature_nid() if needed * git author attribution cleanup * bk ignore file cleanup +* remove locks in Windows IO, use rpc-like thread synchronisation instead --- NTP 4.2.8p8 (Harlan Stenn , 2016/06/02)
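Review bot: in the @@ -9,127 +9,247 @@ hunk, the CVSS scores and vectors of the "Mode 6 information disclosure and DDoS vector" entry disagree with each other and with its own summary: the CVSS2 vector `AV:A/AC:L/Au:N/C:N/I:N/A:P` is scored MED 6.4 here, but the identical vector is scored LOW 3.3 in the two Broadcast Mode entries further down, and the CVSS3 vector begins `AV:L` (local) while the summary states "A remote, unauthenticated, network attacker can trigger this vulnerability". Re-derive both from the summary before release. The same check applies to "Broadcast Mode Replay Prevention DoS", whose CVSS3 vector says `AV:L` while the sibling "Poll Interval Enforcement" entry with the same score (4.3) and the same attacker model ("access to the NTP broadcast domain") says `AV:A`; to "Attack on interface selection" and "Client rate limiting and server responses", whose vectors claim physical access with high privileges (`AV:P/AC:H/PR:H/UI:R`) for attacks the summaries describe as an attacker sending spoofed packets over the network; and to "Windows: ntpd DoS by oversized UDP packet", whose `HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)` / `HIGH 7.5` values are verbatim the template scores every removed `-X CVSS2`/`-X CVSS3` line in this hunk carried, so they look unrevised rather than assessed. Several placeholders this cleanup should have resolved also remain: "uo to but not including" (twice, for "up to"), "Affects Windows only: ntp-4.?.?", "CVE-2016-XXXX / VU#XXXXX" in the Trap crash, Mode 6 and Windows entries, and the stray duplicated line "and ntp-4.3.0 up to, but not including ntp-4.3.94" left after "until this release." in the "Fix for bug 2085" entry.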
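Review bot: in the @@ -138,6 +258,8 @@ hunk, the new [Bug 3129] sub-item "moved retry decision where it belongs" gives a NEWS reader nothing to act on; name the function or layer the retry decision now lives in, the way the adjacent [Bug 3095] item does ("added shim layer for SSL API calls"). In the same hunk, "hopfser like device" should read "hopfser-like device".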
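Review bot: in the @@ -166,9 +288,11 @@ hunk, "remove locks in Windows IO, use rpc-like thread synchronisation instead" records a concurrency change to the Windows I/O path with no bug number and no statement of what the new synchronisation guarantees; add the bug reference, or say there is none, and one sentence on the synchronisation model, since anyone triaging a Windows ntpd hang or lost-packet report against 4.2.8p9 needs to know this path changed.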