From: Harlan Stenn Date: Tue, 24 May 2016 23:31:36 +0000 (+0000) Subject: Update the NEWS file for 4.2.8p8. HStenn. X-Git-Tag: NTP_4_2_8P8~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b11587b232b96c46db59446502f49fa37f422baa;p=thirdparty%2Fntp.git Update the NEWS file for 4.2.8p8. HStenn. bk: 5744e4587s-_vBYNiwGuB6cpTbmEDg --- diff --git a/ChangeLog b/ChangeLog index 2c8e61dab..05fd404d5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -11,6 +11,7 @@ - fixed print()/scanf() format issues * [Bug 3052] Add a .gitignore file. Edmund Wong. * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite. +* Update the NEWS file for 4.2.8p8. HStenn. * Fix typo in ntp-wait and plot_summary. HStenn. * Make sure we have an "author" file for git imports. HStenn. * Update the sntp problem tests for MacOS. HStenn. diff --git a/NEWS b/NEWS index ae7f0afab..17aef6071 100644 --- a/NEWS +++ b/NEWS @@ -1,11 +1,112 @@ --- -NTP 4.2.8p8 (Harlan Stenn , 2016/05/xx) +NTP 4.2.8p8 (Harlan Stenn , 2016/06/02) Focus: Security, Bug fixes, enhancements. -Severity: MEDIUM +Severity: HIGH +In addition to bug fixes and enhancements, this release fixes the +following 1 high- and 4 low-severity vulnerabilities" + +* CRYPTO_NAK crash + Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 + References: Sec 3046 / CVE-2016-4957 / VU#BBBBB + Affects: ntp-4.2.8p7, and ntp-4.3.92. + CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) + CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H + Summary: The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that + could cause ntpd to crash. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + If you cannot upgrade from 4.2.8p7, the only other alternatives + are to patch your code or filter CRYPTO_NAK packets. + Properly monitor your ntpd instances, and auto-restart ntpd + (without -g) if it stops running. + Credit: This weakness was discovered by Nicolas Edet of Cisco. + +* Bad authentication demobilizes ephemeral associations + Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 + References: Sec 3045 / CVE-2016-4953 + Affects: ntp-4, up to but not including ntp-4.2.8p8, and + ntp-4.3.0 up to, but not including ntp-4.3.93. + CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) + CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: An attacker who knows the origin timestamp and can send a + spoofed packet containing a CRYPTO-NAK to an ephemeral peer + target before any other response is sent can demobilize that + association. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + +* Processing spoofed server packets + Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 + References: Sec 3044 / CVE-2016-4954 + Affects: ntp-4, up to but not including ntp-4.2.8p8, and + ntp-4.3.0 up to, but not including ntp-4.3.93. + CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) + CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: An attacker who is able to spoof packets with correct origin + timestamps from enough servers before the expected response + packets arrive at the target machine can affect some peer + variables and, for example, cause a false leap indication to be set. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + +* Autokey association reset + Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 + References: Sec 3043 / CVE-2016-4955 + Affects: ntp-4, up to but not including ntp-4.2.8p8, and + ntp-4.3.0 up to, but not including ntp-4.3.93. + CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) + CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: An attacker who is able to spoof a packet with a correct + origin timestamp before the expected response packet arrives at + the target machine can send a CRYPTO_NAK and cause the + association's peer variables to be cleared. If this can be done + often enough, it will prevent that association from working. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + +* Broadcast interleave + Date Resolved: 02 June 2016; Dev (4.3.93) 02 June 2016 + References: Sec 3042 / CVE-2016-4956 + Affects: ntp-4, up to but not including ntp-4.2.8p8, and + ntp-4.3.0 up to, but not including ntp-4.3.93. + CVSS2: LOW 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) + CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L + Summary: The fix for NtpBug2978 does not cover broadcast associations, + so broadcast clients can be triggered to flip into interleave mode. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p8, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page + Properly monitor your ntpd instances. + Credit: This weakness was discovered by Miroslav Lichvar of Red Hat. + +Other fixes: * [Bug 3038] NTP fails to build in VS2015. perlinger@ntp.org + - provide build environment + - 'wint_t' and 'struct timespec' defined by VS2015 + - fixed print()/scanf() format issues +* [Bug 3052] Add a .gitignore file. Edmund Wong. +* [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite. +* Fix typo in ntp-wait and plot_summary. HStenn. +* Make sure we have an "author" file for git imports. HStenn. +* Update the sntp problem tests for MacOS. HStenn. --- NTP 4.2.8p7 (Harlan Stenn , 2016/04/26)