= NTPsec project news =

For historic news from NTP Classic, see devel/HISTORIC-NEWS in the
distribution.

Not all news features are described here; see docs/ntpsec.adoc in the
distribution.

Much of the traditional function of a news file is now better addressed
by browsing the comments in the revision history.  This file will focus
on user-visible changes.

== Repository Head ==

rawstats now logs dropped packets and their BOGON code
  Only one per request to avoid DoSing the log file
  This lets you see packets that take too long.

Add 4 or 6 to DNS/NTS RefID tags to indicate that the
DNS or NTS-KE has succeeded but NTP has not worked yet.

Add --enable-attic (default off)

Works with OpenSSL 3.0

Fix hash validation in ntpleapfetch again.

FreeBSD now gets ns resolution on receive time stamps.

== 2021-06-06: 1.2.1 ==

Update ntpkeygen/keygone to properly filter `#` characters. (CVE-2021-22212)

Add dextral peers mode in ntpq and ntpmon.

Drop NTPv1 as the support was not RFC compliant, maybe v2 except mode 6 next.

Fix ntpd's parsing of the P argument, plus ntpdate improvements.

Fix crash for raw ntpq readvar.

Add processor usage to NTS-KE logging except on NetBSD.

Remove --build-epoch and replace it with arbitrary --build-desc text.
Passing '--build-desc=$(date -u +%Y-%m-%dT%H:%M:%Sz)' restores the previous
default extended version.

The build epoch has been replaced with a hardcoded timestamp which will be
manually updated every nine years or so (approx 512w).  This makes the
binaries reproducible by default.

Compare versions of ntp.ntpc and libntpc, printing a warning if
mismatched. Fix libntpc install path if using it.

Reduce maxclocks default to 5 to reduce the NTP pool load.

Print LIBDIR during ./waf configure.

Add documentation, new GPG key, and other cleanups.

== 2020-10-06: 1.2.0 ==

The minor version bump is to indicate official support of
RFC8915 "Network Time Security for the Network Time Protocol" which
was released 2020-09-30.

On this day in 1783, Benjamin Hanks received a patent for a
self-winding clock he planned to install in the Old Dutch Church in
Kingston, New York, supposedly making it the first public clock in
what became the New York City metropolitan area.

NTS-KE client now defaults to port 4460.

NTS-KE server now listens on port 4460.
(Listening on port 123 has been removed.)

The shebang of installed Python scripts can now be customized with:
  waf configure --pyshebang="..."
This has multiple uses, but one example is for distros (like CentOS 8 or
Ubuntu 20.04) with no `python` executable:
  python3 waf configure --pyshebang="/usr/bin/env python3"

NTP clients now use a shared library with Python instead of an extension.

Add flakiness option to ntpq and fixed limit=1 in mrulist.

Fixed a minor formatting issue in rate page.

== 2020-05-23: 1.1.9 ==

Today is Blursday, Maprilay 84th, 2020, of the COVID-19 panic.

Correctly parse ntpq :config output on Python 3 and check return MACs.

Add AES and other algorithm support to ntpq and ntpdig, from OpenSSL.

Remove support for NetInfo. NetInfo was last supported in Mac OS X v10.4.

The configure step now supports --disable-nts for running
on systems with older versions of OpenSSL.

The default restrictions now start with noquery and limited
to reduce the opportunities for being used for DDoS-ing.

The draft RFC for NTS has dropped support for TLSv1.2
  We now need OpenSSL with TLSv1.3 support (version 1.1.1 or newer).
  The config keyword +tlsciphers+ has been removed.

Additional filtering and sort options have been added to ntpq/mrulist
  Details are in the man page.

Rate limiting has been cleaned up.
  With "restrict limited", traffic is now limited to
  an average of 1 packet per second with bursts of 20.
  (needs doc and maybe config)

SIGHUP and hourly checks have been unified.  Both now
  check for a new log file
  check for a new certificate file
  check for a new leap file
SIGHUP also restarts all pending DNS and NTS probes.

NTS client now requires ALPN on TLSv1.3.

asciidoctor (1.5.8 or newer) is now supported and is the preferred AsciiDoc
processor.  asciidoc is still supported, but the minimum supported version
has been raised from 8.6.0 to 8.6.8.  asciidoc3 (3.0.2 or newer) is also
supported.

HTML docs are now built by default if an AsciiDoc processor is installed.  If
you do not want HTML docs, configure with --disable-doc.  (Note:  Man pages
are controlled by a separate --disable-manpage.)

Analysis shows that CVE-2020-11868, affecting NTP Classic,
cannot affect us, as the peer mode involved has been removed.

== 2019-11-17: 1.1.8 ==

Fix bug in NTS-KE client so that NTP server names work.

Fix/tweak several NTS logging messages.

== 2019-09-02: 1.1.7 ==

The numeric literal argument of the 'time1' fudge option on a clock
can now have one or more letter suffixes that compensate for era
rollover in a GPS device.  Each "g" adds the number of seconds in a
1024-week (10-bit) GPS era. Each "G" adds the number of seconds in an
8192-week (13-bit) GPS era.
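The suffix rule above, as an added worked example that is not part of the NTPsec NEWS file or of ntpd's own config parser: a small Python routine that resolves a 'time1' literal carrying "g"/"G" suffixes into a plain offset in seconds, so you can check what a fudge line will actually apply before trusting a GPS receiver that has rolled over. The numeric grammar it accepts (optional sign, decimal digits, optional fraction and exponent), the function name `parse_time1` and the constant names are my assumptions; only the suffix semantics (one 1024-week era per "g", one 8192-week era per "G", suffixes may be repeated) come from the text above.

```python
import re

# GPS era lengths derived from the rule in the release note:
# 1024 weeks per 10-bit era, 8192 weeks per 13-bit era.
SECONDS_PER_WEEK = 7 * 24 * 60 * 60
GPS_ERA_10BIT = 1024 * SECONDS_PER_WEEK   # 619315200 s, added per "g"
GPS_ERA_13BIT = 8192 * SECONDS_PER_WEEK   # 4954521600 s, added per "G"

# Assumed literal grammar (not taken from ntpd): a float followed by zero or
# more 'g'/'G' characters and nothing else. Anchoring both ends means a
# stray character, or a suffix placed before the number, is rejected
# instead of being silently ignored.
_TIME1 = re.compile(r"^([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)([gG]*)$")


def parse_time1(literal: str) -> float:
    """Return the total offset in seconds encoded by a time1 fudge literal.

    Each 'g' adds one 10-bit era (1024 weeks); each 'G' adds one 13-bit
    era (8192 weeks). Suffixes may be mixed and repeated, so "0.0gG"
    compensates for one rollover of each kind.
    """
    m = _TIME1.match(literal.strip())
    if m is None:
        raise ValueError(f"malformed time1 literal: {literal!r}")
    number, suffixes = m.groups()
    offset = float(number)
    for ch in suffixes:
        offset += GPS_ERA_10BIT if ch == "g" else GPS_ERA_13BIT
    return offset


if __name__ == "__main__":
    # Constructed sample literals, not taken from any real ntp.conf.
    for lit in ("0.0", "0.0g", "0.0gg", "0.0G", "0.0gG", "-0.5g"):
        print(f"{lit:>6} -> {parse_time1(lit):.1f} s")
```

Because the regex is anchored at both ends, a literal such as "g0.0" or "0.0x" raises `ValueError` rather than quietly applying no correction, which is the failure you want to notice before the clock is declared good.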

The neoclock4x driver has been removed, due to the hardware and the
vendor having utterly vanished from the face of the earth.

The NTS ALPN negotiation sequence has been modified for improved
interoperability with other NTS implementations.

NTS key rotation now happens every 24 hours.  It used to rotate
every hour to enable testing of recovery from stale cookies.

On this day in 1945, some important paperwork was signed by
General MacArthur aboard the USS Missouri.

== 2019-07-10: 1.1.6 ==

Fixes to code quality checks.

Fixes to NTS server list.

Fix to bug #600.

On this day in 1913, in Death Valley, the temperature was 56.7°C,
officially the world's highest recorded temperature.

== 2019-06-30: 1.1.5 ==

Add ALPN for the NTS server, as required by the NTP draft.

Revert some ntpq behavior.

On this day in 1972 the first leap second was added to the UTC time system.

== 2019-06-21: 1.1.4 ==

NTS is now implemented.  See .../devel/nts.adoc
https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp

We thank Cisco for sponsoring the NTS development.

Lots of fixes and cleanups to PPS, both implementation and documentation.

Pthread support is now required.  --disable-dns-lookup is gone.

NIST lockclock mode is now a runtime option set by the (previously unused)
flag1 mode bit of the local-clock driver.

As always, lots of minor fixups and cleanups everywhere.  See the git log.

Today marks the summer solstice in the Northern Hemisphere.

== 2019-01-13: 1.1.3 ==

Security fixes for bugs inherited from NTP Classic:

* CVE-2019-6443: OOB read in ctl_getitem() in ntp_control.c (GitLab #507)
* CVE-2019-6444: OOB read in process_control() in ntp_control.c (GitLab #508)
* CVE-2019-6445: Remotely triggerable crash in ntp_control.c (GitLab #509)
* CVE-2019-6442: Authenticated OOB write in ntp_parser.y (GitLab #510)

Lots of typo fixes, documentation cleanups, test targets.

In memory of Arland D. Williams Jr.

== 2018-08-28: 1.1.2 ==

Use data minimization on client requests
  https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/

Support AES-128-CMAC for authentication
  https://www.rfc-editor.org/info/rfc8573

== 2018-06-11: 1.1.1 ==

Log timestamps now include the year.  This is useful when
investigating bugs involving time-setting and -g.

Many internal cleanups to clear the way for upcoming major features.
They should generally not be user visible.  Refer to the git-log if
you are interested.

== 2018-03-14: 1.1.0 ==

RIP Stephen William Hawking, CH CBE FRS FRSA. 1942-01-08 - 2018-03-14
You gave us a Brief History of Time.  We will just count it.

Enough user visible changes have been made that this is the 1.1.0 release
instead of a 1.0.1.

The code size is now 55KLOC in C, 15KLOC in Python.

Digests longer than 20 bytes will be truncated.

We have merged NTP Classic's fix for CVE-2018-7182.

The following NTP Classic CVEs announced in February 2018 do not affect NTPsec:

* CVE-2016-1549: Sybil vulnerability: ephemeral association attack
* CVE-2018-7170: Multiple authenticated ephemeral associations
* CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state
* CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association
* CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit

We have dropped support for Broadcast servers.  We had kept it for
older desktop operating systems listening on the local network
broadcast domain, a use case that is no longer employed in sane
environments, and no longer necessary for modern desktop OSs.

It is now possible to unpeer refclocks using a type/unit specification
rather than a magic IP address.  This was the last obligatory use of
magic IP addresses in the configuration grammar.

OpenBSD has been removed from the list of supported platforms for
ntpd. It will be restored if and when its clock API supports drift
adjustment via ntp_adjtime() or equivalent facility.

Mac OS X support has been dropped pending the implementation of
ntp_adjtime(2).

A bug that caused the rejection of 33% of packets from Amazon time
service has been fixed.

== 2017-10-10: 1.0.0 ==

This is the 1.0 release.
It has been a long road, getting from there to here.

The code size has been further reduced, to 55KLOC.

A bug inherited from Classic that could cause bad jitter from bad
peers to be incorrectly zeroed, producing erratic or slow startup, has
been fixed.

The dependency of local refclocks returning 4-digit years on
pre-synchronization to a network peer has been removed.  It is
thus possible to run in a fully-autonomous mode using multiple
refclocks and no network peers.

ntpmon now reports units on time figures.

ntpq now reports a count of Mode 6 messages received under sysstats.

You can now turn off restriction flags with an _unrestrict_ statement
that takes arguments exactly like a _restrict_, except that with no
argument flags it removes any filter rule associated with the
address/mask (as opposed to creating one with unrestricted
access). This is expected to be useful mainly with the "ntpq :config"
command.

Builds are fully reproducible; see SOURCE_DATE_EPOCH and BUILD_EPOCH.

== 2017-03-21: 0.9.7 ==

The code size has been further reduced, to 60KLOC.

A shell script, buildprep, has been added to the top level source directory.
It prepares your system for an NTPsec source build by installing all required
dependencies on the build host.

Extra digits of precision are now output in numerous places.  The
driftfile now stores 6 digits past the decimal point instead of 3.  The
stats files now store 9 digits past the decimal point instead of 6 for
some fields. ntpq and ntpmon also report extra digits of precision in
multiple places.  These changes may break simple parsing scripts.

Four contrib programs (cpu-temp-log, smartctl-temp-log, temper-temp-log,
and zone-temp-log) have been combined into the new program ntplogtemp.
The new program allows for easy logging of system temperatures and is
installed by default.

The SHM refclock no longer limits the value of SHM time by default.
This allows SHM to work on systems with no RTC by default.

The following CVEs revealed by a Mozilla penetration test and reported in
CERT VU#325339 have been resolved:

CVE-2017-6464: Denial of Service via Malformed Config
CVE-2017-6463: Authenticated DoS via Malicious Config Option
CVE-2017-6458: Potential Overflows in ctl_put() functions
CVE-2017-6451: Improper use of snprintf() in mx4200_send()

A Pentest report by Cure53 noted that a previously fixed CVE had been
reintroduced into the code.  This was resolved, again.

CVE-2014-9295: Multiple stack-based buffer overflows in ntpd

The following CVEs, announced simultaneously, affected NTP Classic but
not NTPsec, because we had already removed the attack surface:

CVE-2017-6462: Buffer Overflow in DPTS Clock
CVE-2017-6455: Privileged execution of User Library code
CVE-2017-6452: Stack Buffer Overflow from Command Line
CVE-2017-6459: Data Structure terminated insufficiently
CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist

We gratefully acknowledge the work of Dr.-Ing. Mario Heiderich
at Cure53 in detecting these problems and his cooperation in resolving them.

== 2016-12-30: 0.9.6 ==

ntpkeygen has been moved from C to Python.  This is not a functional
change, just another move to improve maintainability and reduce attack
surface by decreasing line count.

ntpdig has also been moved from C to Python. Though this is also
mostly a move to reduce line count, the new version does have some
functional changes.  Obsolete options have been dropped, logging is
done a bit differently, and the synchronization-distance computation has
been brought up to date with ntpd's. Also, this version can be told to
collect multiple samples and use whichever has the lowest combination
of stratum and synchronization distance.

A new tool for time-service operators, ntpmon, supports real-time
monitoring of your NTP installation's status.

== 2016-11-23: 0.9.5 ==

This release includes a substantial refactoring of the core protocol
implementation. Due to unresolvable security issues, support for
broadcast/multicast clients has been dropped; broadcast servers are
still supported. Likewise, symmetric mode is now only partially
supported. The `peer` directive has become a synonym for `server`.
Servers which receive symmetric-active mode packets will immediately
give a symmetric-passive-mode response, but will not mobilize a new
association.

All remaining Perl code in the distribution has been moved to Python.

The trap feature, broken in NTP Classic at the time of the NTPsec fork,
has been removed. So has its only known client, the ntptrap script in the
distribution.

A new visualization tool, ntpviz, generates graphical summaries of
logfile data that can be helpful for identifying problems such as
misconfigured servers.  It replaces a messy and poorly documented pile
of ancient Perl, awk, and S scripts; those have been removed.

It is now possible (and sometimes useful) to say "minpoll 0" for a
1-second interval.

The ntpq tool for querying and configuring a running ntpd has been
moved from C to Python.  About the only visible effect this has is
that ntpq now resizes its peers display to accommodate wide
terminal-emulator windows.

This release includes fixes for four low and medium-severity
vulnerabilities:

CVE-2016-7434: Null pointer dereference on malformed mrulist request
CVE-2016-7429: Interface selection DoS
CVE-2016-9311: Trap crash
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector

Note that the "fixes" for CVE-2016-9310/9311 consist of complete
removal of the broken trap feature. This removal occurred post-0.9.4
but prior to the discovery of these issues.

Further, an additional low-severity issue impacting 0.9.0 through
0.9.3 has come to our attention:

CVE-2016-7433: Reboot sync calculation problem

This issue was already addressed in 0.9.4 but not treated as a
vulnerability.

The following NTP Classic CVEs do not impact NTPsec: CVE-2016-7427,
CVE-2016-7428, CVE-2016-9312, CVE-2016-7431. We reject CVE-2016-7426,
as it describes known and intended behavior which is a necessary
logical consequence of rate-limiting.

For more information on these security issues, see:
https://lists.ntpsec.org/pipermail/devel/2016-November/002589.html
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se

== 2016-08-16: 0.9.4 ==

usestats has been added to the statistics collection to record
system resource usage statistics.

A new, simpler configuration syntax for refclocks has been
implemented.  Configuration examples in the new syntax have been added
to each driver page.

Refclocks are now designated by name, not number. A list is available
from "./waf configure --list".

The rarely-used saveconfig feature in ntpd, and various associated
configuration directives, have been removed for security reasons. The
ntpd --saveconfigquit option, undocumented in NTP Classic, has
also been removed.

The ARCRON MSF refclock has been removed on the advice of its last maintainer.

The Spectracom TSYNC PCI refclock has been removed. It required a
proprietary driver.  As a matter of good security policy, NTPsec will
not trust nor attempt to support code it cannot audit.

The Conrad Parallel Port radio refclock has been removed.  It required
a third-party parallel-port driver for Linux that no longer exists.

Both Hopf refclocks have been removed.  The 6039 driver required a
kernel driver that no longer exists; the 6021 driver duplicated
support in the generic driver.

The Austron refclock has been removed, on the grounds that it was
EOLed more than 20 years ago and there's been no aftermarket activity
or web chatter around it for a decade.

The audio-path drivers (IRIG and CHU) have been removed. The class
of hardware required to support them has gone essentially extinct due
to cheap DSP. The complexity/maintenance overhead of this code
was high enough to motivate dropping them.

This release contains a fix for one vulnerability inherited from
NTP Classic:

[Bug 3044] (CVE-2016-4954) Processing spoofed server packets

https://lists.ntpsec.org/pipermail/devel/2016-June/001299.html provides
additional information on this issue.

It also includes the following fix cross-ported from Classic:

[Bug 3047] refclock_jjy does not work with C-DEX JST2000

== 2016-05-17: 0.9.3 ==

The long-deprecated Autokey feature has been removed.

This release contains fixes for three vulnerabilities inherited from
NTP Classic:

[Bug 3020] (CVE-2016-1551) Refclock impersonation vulnerability
  (Credit: Matt Street et al. of Cisco ASIG)
[Bug 3008] (CVE-2016-2519) ctl_getitem() return value not always checked
  (Credit: Yihan Lian of the Qihoo 360 cloud security team)
[Bug 2978] (CVE-2016-1548) Interleave-pivot
  (Credit: Miroslav Lichvar of RedHat and Jonathan Gardner of Cisco ASIG)

The following non-security fixes have been
forward-ported from Classic:

[Bug 2772] adj_systime overflows tv_usec
[Bug 2814] msyslog deadlock when signaled.
[Bug 2829] Look at pipe_fds in ntpd.c
[Bug 2887] fudge stratum only accepts values [0..16].
[Bug 2958] ntpq: fatal error messages need a final newline.
[Bug 2965] Local clock didn't work since 4.2.8p4.
[Bug 2969] Segfault from ntpq/mrulist when looking at server with lots of clients

We regard the following NTP Classic bug -

[Bug 3012] (CVE-2016-1549) Sybil vulnerability: ephemeral association attack
(Credit: Matthew van Gundy of Cisco ASIG)

as a duplicate of CVE-2015-7974 (see 0.9.1 release
notes) and it is WONTFIX for the time being: it is
correct-but-unfortunate behavior consequent to confusing and
inflexible semantics of ntp.conf's access control language, and we
will address it with a future redesign effort. NTP Classic has
partially addressed this pair of issues by extending the syntax of
ntp.keys to support IP ACLing. We are not currently aware of any
demand for this feature among NTPsec users and have no plans to
implement it; if you have a need for it, please file a bug at
https://gitlab.com/groups/NTPsec/issues to let us know you're out
there.

The remainder of the security issues patched in NTP Classic 4.2.8p7
either are not believed to impact NTPsec or were already fixed in a
previous release.

== 2016-03-15: 0.9.2 ==

Point release.

* can now cross-compile
* many documentation fixes
* Coverity is even more strict
* remove WWV, transmitter protocol changed, nobody builds receivers
* remove updwtmpx stuff, no longer useful

== 2016-01-25: 0.9.1 ==

Point release for security. Fixes:

* CVE-2015-7973: Replay attack on authenticated broadcast mode
  (Aanchal Malhotra)
* CVE-2015-7975: nextvar() missing length check (Jonathan Gardner)
* CVE-2015-7979: Off-path Denial of Service (DoS) attack on
  authenticated broadcast and other preemptable modes (Aanchal
  Malhotra)
* CVE-2015-8138: Zero Origin Timestamp Bypass (Matthew van Gundy &
  Jonathan Gardner)
* CVE-2015-8139: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp
  to Unauthenticated Clients (Matthew van Gundy)
* CVE-2015-8158: Potential Infinite Loop in ntpq (Jonathan Gardner)
* CVE-2016-1550: Timing attack on MAC verification (Daniel Franke)
* Missing length checks in decodearr() and outputarr() (Daniel Franke)

Two additional security issues have been reported to us for which we
are not implementing code changes, but the user should be aware of
their impact.

The first (CVE-2015-8140) pertains to NTP's dynamic reconfiguration
feature, which permits on-the-fly modification of NTP's configuration
via ntpq. This feature is rarely used, typically disabled, and can
only be enabled when authentication is configured. ntpd has no means
of detecting that a request to change its configuration is a replay of
an old packet. Therefore, if an administrator sets ntpd to
configuration A and then to configuration B, an attacker who captures
the packets commanding these changes can replay the first one and
restore ntpd's state to configuration A. This is only a concern when
the configuration commands are sent over an untrusted
network. Configuration changes made via localhost are not susceptible.

This is an inherent design flaw in NTP cryptography and in the remote
reconfiguration protocol, and can be fixed only with a considerable
reworking and by changing the protocol in a way that is neither
forward nor backward compatible. This cryptographic rework is on the
horizon in the form of Network Time Security (currently a draft in the
IETF network time working group). Given that this vulnerability
impacts few if any real users, we have chosen to defer fixing it until
we have tools more suitable to the task. In the meantime, if you
rely on NTP's reconfiguration support, we recommend either restricting
its use to localhost or trusted networks, or tunneling through SSH or
a VPN. The 'nomodify' option to the 'restrict' directive may be used
to enforce this policy.

The second (CVE-2015-7974) pertains to the fact that when multiple
trusted keys are configured, no mechanism exists to associate
particular keys with particular peers or assign particular privileges.
This is not a bug, per se, but rather a lack of expressiveness in
NTP's configuration language. We intend to address this in a future release
as part of a larger redesign aimed at giving clearer semantics to the
configuration language and making it easier to write safe
configurations.

Note that NTPsec is not impacted by CVE-2015-7976, CVE-2015-7977, or
CVE-2015-7978. CVE-2015-7977 and CVE-2015-7978 both pertain to mode 7
packets, support for which was completely removed before NTPsec's
first beta. CVE-2015-7976 is a feature request to restrict the format
of filenames used in saveconfig commands. Saveconfig support is
disabled at compile time in NTPsec and will not be re-enabled without
much more extensive hardening.

Other fixes:

Coverity found a slow memory leak in the asynchronous-DNS code.

== 2015-11-16: 0.9.0 ==

Initial NTPsec beta release.

* Canonical forge for git clones and issue tracking is
  https://gitlab.com/NTPsec/ntpsec

* The documentation has been extensively updated and revised.  One
  important change is that manual pages are now generated from the
  same masters as this web documentation, so the two will no longer
  drift out of synchronization.

* Internally, there is more consistent use of nanosecond precision.
  A visible effect of this is that time stepping with sufficiently
  high-precision time sources could be accurate down to nanoseconds
  rather than microseconds; this might actually matter for GPSDOs
  and high-quality radio clocks.

* The deprecated 'ntpdc' utility, long since replaced by 'ntpq', has
  been removed.

* The 'ntpsnmpd' daemon, incomplete and not conformant with RFC 5907,
  has been removed.

* A number of obsolete refclocks have been removed.

* The 'sntp' program has been renamed 'ntpdig' in order to make
  NTP installables have a uniform name prefix and take up less
  namespace. Also, ntp-keygen is now 'ntpkeygen', ntp-wait
  is 'ntpwait', and update-leap is now 'ntpleapfetch'.

* A new utility, 'ntpfrob', collects several small diagnostic functions
  for reading and tweaking the local clock hardware, including reading
  the clock tick rate, precision, and jitter. Part of it formerly
  traveled as 'tickadj'.

* The deprecated 'ntpdate' program has been replaced with a shell
  wrapper around 'ntpdig'.

* Log timestamps look a little different; they are now in ISO 8601 format.

* Autokey is not supported in this release.

== Bugfixes either ported from NTP Classic or fixed by NTPsec changes ==

These reflect fixes to NTP Classic between the 2015-06-06 fork point and
the 0.9.0 beta release.

* [Bug 2625] Deprecate flag1 in local refclock.  Hal Murray, Harlan Stenn.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2823] ntpsweep with recursive peers option doesn't work.  H.Stenn.
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
  robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2845] Harden memory allocation in ntpd; implement and
  use 'eallocarray(...)' where appropriate.
* [Bug 2846] Report 'unsynchronized' status during the leap second.
* [Bug 2849] Systems with more than one default route may never
  synchronize.  Brian Utterback.  Note that this patch might need to
  be reverted once Bug 2043 has been fixed.
* [Bug 2855] Implement conditional leap smear feature; includes
  later fixes for parser support and reporting leap smear in the REFID.
* [Bug 2859] Improve raw DCF77 robustness decoding.  Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent.  Frank Kardel.
* [Bug 2866] segmentation fault at initgroups().  Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'
* [Bug 2883] ntpd crashes on exit with empty driftfile.  Miroslav Lichvar.
* [Bug 2886] Misspelling: "outlyer" should be "outlier"
* [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
* [Bug 2901] Clients that receive a KoD should validate the origin
  timestamp field (CVE-2015-7704, CVE-2015-7705)
* [Bug 2902] configuration directives "pidfile" and "driftfile"
  should be local-only. (patch by Miroslav Lichvar) (CVE-2015-7703)
* [Bug 2909] Slow memory leak in CRYPTO_ASSOC (CVE-2015-7701)
* [Bug 2916] trusted key use-after-free (CVE-2015-7849)
* [Bug 2918] saveconfig Directory Traversal Vulnerability. (OpenVMS)
  (CVE-2015-7851)
* [Bug 2919] ntpq atoascii() potential memory corruption (CVE-2015-7852)
* [Bug 2920] Invalid length data provided by a custom refclock driver
  could cause a buffer overflow (CVE-2015-7853)
* [Bug 2921] Password Length Memory Corruption Vulnerability (CVE-2015-7854)
* [Bug 2922] decodenetnum() will ASSERT botch instead of returning
  FAIL on some bogus values (CVE-2015-7855)
* [Bug 2941] NAK to the Future: Symmetric association authentication
  bypass via crypto-NAK (CVE-2015-7871)

Additionally the NTPsec team is aware of the following vulnerabilities
impacting autokey: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702. NTPsec
does not support building with autokey support and therefore is not
exposed; the vulnerable code will not be fixed, but will be removed in
a future release.

NTPsec is not impacted by CVE-2015-7848 (mode 7 loop counter underrun)
because ntpdc and support for mode 7 packets have been removed.

== HISTORIC-NEWS ==

For older NEWS items, see the file devel/HISTORIC-NEWS.

// end