From: Harlan Stenn Date: Thu, 17 Nov 2016 05:25:49 +0000 (-0800) Subject: NEWS file update X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88f713e3ecf79b6d20fd4c599968c9fd72abec56;p=thirdparty%2Fntp.git NEWS file update bk: 582d3f5dtlVtgSLqYD9-z2kfDxRoWA --- diff --git a/NEWS b/NEWS index c77b5f47e..14c26b70c 100644 --- a/NEWS +++ b/NEWS @@ -1,16 +1,18 @@ --- -NTP 4.2.8p9 (Harlan Stenn , 2016/10/xx) +NTP 4.2.8p9 (Harlan Stenn , 2016/11/21) Focus: Security, Bug fixes, enhancements. Severity: HIGH In addition to bug fixes and enhancements, this release fixes the -following X high- and Y low-severity vulnerabilities: +following 1 high- (Windows only), 2 medium-, 2 medium-/low, and +5 low-severity vulnerabilities, and provides 27 other non-security +fixes and improvements: * Trap crash Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 - References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX + References: Sec 3119 / CVE-2016-9311 / VU#XXXXX Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C) @@ -32,7 +34,7 @@ following X high- and Y low-severity vulnerabilities: * Mode 6 information disclosure and DDoS vector Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 - References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX + References: Sec 3118 / CVE-2016-9310 / VU#XXXXX Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94. CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P) 
@@ -80,23 +82,6 @@ following X high- and Y low-severity vulnerabilities: (without -g) if it stops running. Credit: This weakness was discovered by Matthew Van Gundy of Cisco. -* Broadcast Mode Replay Prevention DoS - Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016 -X References: Sec 3114 / CVE-2016-XXXX / VU#XXXXX -X Affects: ntp-4.2.8p7, and ntp-4.3.92. -X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) -X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H -X Summary: -X Mitigation: - Implement BCP-38. - Upgrade to 4.2.8p8, or later, from the NTP Project Download Page - or the NTP Public Services Project Download Page - If you cannot upgrade from 4.2.8p7, the only other alternatives - are to patch your code or filter CRYPTO_NAK packets. - Properly monitor your ntpd instances, and auto-restart ntpd - (without -g) if it stops running. -X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. - * Broadcast Mode Poll Interval Enforcement DoS Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 References: Sec 3113 / CVE-2016-7428 / VU#XXXXX @@ -128,7 +113,7 @@ X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. * Windows: ntpd DoS by oversized UDP packet Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016 - References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX + References: Sec 3110 / CVE-2016-9312 / VU#XXXXX Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94. CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
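Review bot: In the first hunk (@@ -1,16 +1,18 @@), the new summary line reads "2 medium-/low" without the trailing hyphen that "high-", "medium-" and "low-severity" carry, so it does not parse as a severity class. Suggest "2 medium-/low-". The unchanged "Affects:" line under "Trap crash" still has the typo "uo to", and the reference still carries the placeholder "VU#XXXXX" next to the newly assigned CVE-2016-9311. Both are worth fixing before the 2016/11/21 release date given in the header.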
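Review bot: In the second hunk (@@ -32,7 +34,7 @@), the entry titled "Mode 6 information disclosure and DDoS vector" keeps a CVSS2 vector with C:N, which contradicts the "information disclosure" in its title. A vector of AV:A/AC:L/Au:N/C:N/I:N/A:P also scores well below the stated "MED 6.4". Since this change finalises the CVE id (CVE-2016-9310), please recheck the vector against the score in the same pass. The "uo to" typo and the "VU#XXXXX" placeholder recur here as well.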
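Review bot: In the third hunk (@@ -80,23 +82,6 @@), the whole "Broadcast Mode Replay Prevention DoS" entry (Sec 3114) is removed, but the commit message says only "NEWS file update" and gives no reason. The removed text was still a stub ("X Summary:", "X Mitigation:", "CVE-2016-XXXX"). Please state in the commit message whether Sec 3114 is dropped from this release, folded into another entry, or deferred, so that readers tracking that bug number can tell what happened to it. The following "Broadcast Mode Poll Interval Enforcement DoS" entry also still shows "VU#XXXXX".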
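Review bot: In the last hunk (@@ -128,7 +113,7 @@), the "Affects Windows only:" line still gives the lower bound as "ntp-4.?.?" even though the CVE id is now filled in (CVE-2016-9312). For the one HIGH-severity item in the release, operators need a concrete first affected version to decide whether they are exposed. Either state it or say explicitly that the lower bound is unknown. "VU#XXXXX" also remains a placeholder here.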