Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
ntpsec/NEWS
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
493 lines (371 sloc)
20.3 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| = NTPsec project news = | |
| For historic news from NTP Classic, see devel/HISTORIC-NEWS in the | |
| distribution. | |
| Not all news features are described here; see docs/ntpsec.adoc in the | |
| distribution. | |
| Much of the traditional function of a news file is now better addressed | |
| by browsing the comments in the revision history. This file will focus | |
| on user-visible changes. | |
| == 2019-01-13: 1.1.3 == | |
| Lots of typo fixes, documentation cleanups, test targets. | |
| In memory of Arland D. Williams Jr. | |
| == 2018-08-28: 1.1.2 == | |
| Use data minimization on client requests | |
| https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/ | |
| Support AES-128-CMAC for authentication | |
| https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/ | |
| == 2018-06-11: 1.1.1 == | |
| Log timestamps now include the year. This is useful when | |
| investigating bugs involving time-setting and -g. | |
| Many internal cleanups to clear the way for upcoming major features. | |
| They should generally not be user visible. Refer to the git-log if | |
| you are interested. | |
| == 2018-03-14: 1.1.0 == | |
| RIP Stephen William Hawking, CH CBE FRS FRSA. 1942-01-08 - 2018-03-14 | |
| You gave us a Brief History of Time. We will just count it. | |
| Enough user visible changes have been made that this is the 1.1.0 release | |
| instead of a 1.0.1. | |
| The code size is now 55KLOC in C, 15KLOC in Python. | |
| Digests longer then 20 bytes will be truncated. | |
| We have merged NTP Classic's fix for CVE-2018-7182. | |
| The following NTP Classic CVEs announced in February 2018 do not affect NTPsec: | |
| * CVE-2016-1549: Sybil vulnerability: ephemeral association attack | |
| * CVE-2018-7170: Multiple authenticated ephemeral associations | |
| * CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state | |
| * CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association | |
| * CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit | |
| We have dropped support for Broadcast servers. We had kept it for | |
| older desktop operating systems listening on the local network | |
| broadcast domain, a use case that is no longer employed in sane | |
| environments, and no longer necessary for modern desktop OSs. | |
| It is now possible to unpeer refclocks using a type/unit specification | |
| rather than a magic IP address. This was the last obligatory use of | |
| magic IP addresses in the configuration grammar. | |
| OpenBSD has been removed from the list of supported platforms for | |
| ntpd. It will be restored if and when its clock API supports drift | |
| adjustment via ntp_adjtime() or equivalent facility. | |
| Mac OS X support has been dropped pending the implementation of | |
| ntp_adjtime(2). | |
| A bug that caused the rejection of 33% of packets from Amazon time | |
| service has been fixed. | |
| == 2017-10-10: 1.0.0 == | |
| This is the 1.0 release. | |
| It has been a long road, getting from there to here. | |
| The code size has been further reduced, to 55KLOC. | |
| A bug inherited from Classic that could cause bad jitter from bad | |
| peers to be incorrectly zeroed, producing erratic or slow startup, has | |
| been fixed. | |
| The dependency of local refclocks returning 4-digit years on | |
| pre-synchronization to a network peer has been removed. It is | |
| thus possible to run in a fully-autonomous mode using multiple | |
| refclocks and no network peers. | |
| ntpmon now reports units on time figures. | |
| ntpq now reports a count of Mode 6 messages received under sysstats. | |
| You can now turn off restriction flags with an _unrestrict_ statement | |
| that takes arguments exactly like a _restrict_, except that with no | |
| argument flags it removes any filter rule associated with the | |
| address/mask (as opposed to creating one with unrestricted | |
| access). This is expected to be useful mainly with the "ntpq :config" | |
| command. | |
| Builds are fully reproducible; see SOURCE_DATE_EPOCH and BUILD_EPOCH. | |
| == 2017-03-21: 0.9.7 == | |
| The code size has been further reduced, to 60KLOC. | |
| A shell script, buildprep, has been added to the top level source directory. | |
| It prepares your system for an NTPsec source build by installing all required | |
| dependencies on the build host. | |
| Extra digits of precision are now output in numerous places. The | |
| driftfile now stores 6 digits past the decimal point instead of 3. The | |
| stats files now stores 9 digits past the decimal point instead of 6 for | |
| some fields. ntpq and ntpmon also report extra digits of precision in | |
| multiple places. These changes may break simple parsing scripts. | |
| Four contrib programs: cpu-temp-log; smartctl-temp-log, temper-temp-log, | |
| and zone-temp-log; have been combined into the new program ntplogtemp. | |
| The new program allows for easy logging of system temperatures and is | |
| installed by default. | |
| The SHM refclock no longer limits the value of SHM time by default. | |
| This allows SHM to work on systems with no RTC by default. | |
| The following CVEs revealed by a Mozilla penetration test and reported in | |
| CERT VU#325339 have been resolved: | |
| CVE-2017-6464: Denial of Service via Malformed Config | |
| CVE-2017-6463: Authenticated DoS via Malicious Config Option | |
| CVE-2017-6458: Potential Overflows in ctl_put() functions | |
| CVE-2017-6451: Improper use of snprintf() in mx4200_send() | |
| The following CVEs, announced simultaneously, affected NTP Classic but | |
| not NTPsec, because we had already removed the attack surface: | |
| CVE-2017-6462: Buffer Overflow in DPTS Clock | |
| CVE-2017-6455: Privileged execution of User Library code | |
| CVE-2017-6452: Stack Buffer Overflow from Command Line | |
| CVE-2017-6459: Data Structure terminated insufficiently | |
| CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist | |
| We gratefully acknowledge the work of of Dr.-Ing. Mario Hederich | |
| at cure53 in detecting these problems and his cooperation in resolving them. | |
| == 2016-12-30: 0.9.6 == | |
| ntpkeygen has been moved from C to Python. This is not a functional | |
| change, just another move to improve maintainability and reduce attack | |
| surface by decreasing line count. | |
| ntpdig has also been moved from C to Python. Though this is also | |
| mostly a move to reduce line count, the new version does have some | |
| functional changes. Obsolete options have been dropped, logging is | |
| done a bit differently, and the synchronization-distance computation has | |
| been brought up to date with ntpd's. Also, this version can be told to | |
| collect multiple samples and use whichever has the lowest combination | |
| of stratum and synchronization distance. | |
| A new tool for time-service operators, ntpmon, supports real-time | |
| monitoring of your NTP installation's status. | |
| == 2016-11-23: 0.9.5 == | |
| This release includes a substantial refactoring of the core protocol | |
| implementation. Due to unresolvable security issues, support for | |
| broadcast/multicast clients has been dropped; broadcast servers are | |
| still supported. Likewise, symmetric mode is now only partially | |
| supported. The `peer` directive has become a synonym for `server`. | |
| Servers which receive symmetric-active mode packets will immediately | |
| give a symmetric-passive-mode response, but will not mobilize a new | |
| association. | |
| All remaining Perl code in the distribution has been moved to Python. | |
| The trap feature, broken in NTP Classic at the time of the NTPSec fork, | |
| has been removed. So has its only known client, the ntptrap script in the | |
| distribution. | |
| A new visualization tool, ntpviz, generates graphical summaries of | |
| logfile data that can be helpful for identifying problems such as | |
| misconfigured servers. It replaces a messy and poorly documented pile | |
| of ancient Perl, awk, and S scripts; those have been removed. | |
| It is now possible (and sometimes useful) to say "minpoll 0" for a | |
| 1-second interval. | |
| The ntpq tool for querying and configuring a running ntpd has been | |
| moved from C to Python. About the only visible effect this has is | |
| that ntpq now resizes its peers display to accommodate wide | |
| terminal-emulator windows. | |
| This release includes fixes for four low and medium-severity | |
| vulnerabilities: | |
| CVE-2016-7434: Null pointer dereference on malformed mrulist request | |
| CVE-2016-7429: Interface selection DoS | |
| CVE-2016-9311: Trap crash | |
| CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector | |
| Note that the "fixes" for CVE-2016-9310/9311 consist of complete | |
| removal of the broken trap feature. This removal occurred post-0.9.4 | |
| but prior to the discovery of these issues. | |
| Further, an additional low-severity issue impacting 0.9.0 through | |
| 0.9.3 has come to our attention: | |
| CVE-2016-7433: Reboot sync calculation problem | |
| This issue was already addressed in 0.9.4 but not treated as a | |
| vulnerability. | |
| The following NTP Classic CVEs do not impact NTPsec: CVE-2016-7427, | |
| CVE-2016-7428, CVE-2016-9312, CVE-2016-7431. We reject CVE-2016-7426, | |
| as it describes known and intended behavior which is a necessary | |
| logical consequence of rate-limiting. | |
| For more information on these security issues, see: | |
| https://lists.ntpsec.org/pipermail/devel/2016-November/002589.html | |
| http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se | |
| == 2016-08-16: 0.9.4 == | |
| usestats has been added to the statistics collection to record | |
| system resource usage statistics. | |
| A new, simpler configuration syntax for refclocks has been | |
| implemented. Configuration examples in the new syntax have been added | |
| to each driver page. | |
| Refclocks are now designated by name, not number. A list is available | |
| from "./waf configure --list". | |
| The rarely-used saveconfig feature in ntpd, and various associated | |
| configuration directives, have been removed for security reasons. The | |
| ntpd --saveconfigquit option, undocumented in NTP Classic, has | |
| also been removed. | |
| The ARCRON MSF refclock has been removed on the advice of last maintainer. | |
| The Spectracom TSYNC PCI refclock has been removed. It required a | |
| proprietary driver. As a matter of good security policy, NTPsec will | |
| not trust nor attempt to support code it cannot audit. | |
| The Conrad Parallel Port radio refclock has been removed. It required | |
| a third-party parallel-port driver for Linux that no longer exists. | |
| Both Hopf refclocks have been removed. The 6039 driver required a | |
| kernel driver that no longer exists; the 6021 driver duplicated | |
| support in the generic driver. | |
| The Austron refclock has been removed, on the grounds that it was | |
| EOLed more than 20 years ago and there's been no aftermarket activity | |
| or web chatter around it for a decade. | |
| The audio-path drivers (IRIG and CHU) have been removed. The class | |
| of hardware required to support them has gone essentially extinct due | |
| to cheap DSP. The complexity/maintenance overhead of this code | |
| was high enough to motivate dropping them. | |
| This release contains a fix for one vulnerability inherited from | |
| NTP Classic: | |
| [Bug 3044] (CVE-2016-4954) Processing spoofed server packets | |
| https://lists.ntpsec.org/pipermail/devel/2016-June/001299.html provides | |
| additional information on this issue. | |
| It also includes the following fix cross-ported from Classic: | |
| [Bug 3047] refclock_jjy does not work with C-DEX JST2000 | |
| == 2016-05-17: 0.9.3 == | |
| The long-deprecated Autokey feature has been removed. | |
| This release contains fixes for three vulnerabilities inherited from | |
| NTP Classic: | |
| [Bug 3020] (CVE-2016-1551) Refclock impersonation vulnerability | |
| (Credit: Matt Street et. al. of Cisco ASIG) | |
| [Bug 3008] (CVE-2016-2519) ctl_getitem() return value not always checked | |
| (Credit: Yihan Lian of the Qihoo 360 cloud security team) | |
| [Bug 2978] (CVE-2016-1548) Interleave-pivot | |
| (Credit: Miroslav Lichvar of RedHat and Jonathan Gardner of Cisco ASIG) | |
| The following non-security fixes have been | |
| forward-ported from Classic: | |
| [Bug 2772] adj_systime overflows tv_usec | |
| [Bug 2814] msyslog deadlock when signaled. | |
| [Bug 2829] Look at pipe_fds in ntpd.c | |
| [Bug 2887] fudge stratum only accepts values [0..16]. | |
| [Bug 2958] ntpq: fatal error messages need a final newline. | |
| [Bug 2965] Local clock didn't work since 4.2.8p4. | |
| [Bug 2969] Segfault from ntpq/mrulist when looking at server with lots of clients | |
| We regard the following NTP Classic bug - | |
| [Bug 3012] (CVE-2016-1549) Sybil vulnerability: ephemeral association attack | |
| (Credit: Matthew van Gundy of Cisco ASIG) | |
| as a duplicate of CVE-2015-7974 (see 0.9.1 release | |
| notes) and it is WONTFIX for the time being: it is | |
| correct-but-unfortunate behavior consequent to confusing and | |
| inflexible semantics of ntp.conf's access control language, and we | |
| will address it with a future redesign effort. NTP Classic has | |
| partially addressed this pair of issues by extending the syntax of | |
| ntp.keys to support IP ACLing. We are not currently aware of any | |
| demand for this feature among NTPsec users and have no plans to | |
| implement it; if you have a need for it, please file a bug at | |
| https://gitlab.com/groups/NTPsec/issues to let us know you're out | |
| there. | |
| The remainder of the security issues patched in NTP Classic 4.2.8p7 | |
| either are not believed to impact NTPsec or were already fixed in a | |
| previous release. | |
| == 2016-03-15: 0.9.2 == | |
| Point release. | |
| * can now cross-compile | |
| * many documentation fixes | |
| * Coverity is even more strict | |
| * remove WWV, transmitter protocol changed, nobody builds receivers | |
| * remove updwtmpx stuff, no longer useful | |
| == 2016-01-25: 0.9.1 == | |
| Point release for security. Fixes: | |
| * CVE-2015-7973: Replay attack on authenticated broadcast mode | |
| (Aanchal Malhotra) | |
| * CVE-2015-7975: nextvar() missing length check (Jonathan Gardner) | |
| * CVE-2015-7979: Off-path Denial of Service (DoS) attack on | |
| authenticated broadcast and other preemptable modes (Aanchal | |
| Malhotra) | |
| * CVE-2015-8138: Zero Origin Timestamp Bypass (Matthew van Gundy & | |
| Jonathan Gardner) | |
| * CVE-2015-8139: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp | |
| to Unauthenticated Clients (Matthew van Gundy) | |
| * CVE-2015-8158: Potential Infinite Loop in ntpq (Jonathan Gardner) | |
| * CVE-2016-1550: Timing attack on MAC verification (Daniel Franke) | |
| * Missing length checks in decodearr() and outputarr() (Daniel Franke) | |
| Two additional security issues have been reported to us for which we | |
| are not implementing code changes, but the user should be aware of | |
| their impact. | |
| The first (CVE-2015-8140) pertains to NTP's dynamic reconfiguration | |
| feature, which permits on-the-fly modification of NTP's configuration | |
| via ntpq. This feature is rarely used, typically disabled, and can | |
| only be enabled when authentication is configured. ntpd has no means | |
| of detecting that a request to change its configuration is a replay of | |
| an old packet. Therefore, if an administrator sets ntpd to | |
| configuration A and then to configuration B, an attacker who captures | |
| the packets commanding these changes can replay the first one and | |
| restore ntpd's state to configuration A. This is only a concern when | |
| the configuration commands are sent over an untrusted | |
| network. Configuration changes made via localhost are not susceptible. | |
| This is an inherent design flaw in NTP cryptography and in the remote | |
| reconfiguration protocol, and can be fixed only with a considerable | |
| reworking and by changing the protocol in a way that is neither | |
| forward nor backward compatible. This cryptographic rework is on the | |
| horizon in the form of Network Time Security (currently a draft in the | |
| IETF network time working group). Given that this vulnerability | |
| impacts few if any real users, we have chosen to defer fixing it until | |
| we have tools more suitable to the task. For the mean time, if you | |
| rely on NTP's reconfiguration support, we recommend either restricting | |
| its use to localhost or trusted networks, or tunneling through SSH or | |
| a VPN. The 'nomodify' option to the 'restrict' directive may be used | |
| to enforce this policy. | |
| The second (CVE-2015-7974) pertains to the fact that when multiple | |
| trusted keys are configured, no mechanism exists to associate | |
| particular keys with particular peers or assign particular privileges. | |
| This is not a bug, per se, but rather a lack of expressiveness in | |
| NTP's configuration language. We intend to address in a future release | |
| as part of a larger redesign aimed at giving clearer semantics to the | |
| configuration language and making it easier to write safe | |
| configurations. | |
| Note that NTPsec is not impacted by CVE-2015-7976, CVE-2015-7977, or | |
| CVE-2015-7978. CVE-2015-7977 and CVE-2015-7978 both pertain to mode 7 | |
| packets, support for which was completely removed before NTPsec's | |
| first beta. CVE-2015-7976 is a feature request to restrict the format | |
| of filenames used in saveconfig commands. Saveconfig support is | |
| disabled at compile time in NTPsec and will not be re-enabled without | |
| much more extensive hardening. | |
| Other fixes: | |
| Coverity found a slow memory leak in the asynchronous-DNS code. | |
| == 2015-11-16: 0.9.0 == | |
| Initial NTPsec beta release. | |
| * Canonical forge for git clones and issue tracking is | |
| https://gitlab.com/NTPsec/ntpsec | |
| * The documentation has been extensively updated and revised. One | |
| important change is that manual pages are now generated from the | |
| same masters as this web documentation, so the two will no longer | |
| drift out of synchronization. | |
| * Internally, there is more consistent use of nanosecond precision. | |
| A visible effect of this is that time stepping with sufficiently | |
| high-precision time sources could be accurate down to nanoseconds | |
| rather than microseconds; this might actually matter for GPSDOs | |
| and high-quality radio clocks. | |
| * The deprecated 'ntpdc' utility, long since replaced by 'ntpq', has | |
| been removed. | |
| * The 'ntpsnmpd' daemon, incomplete and not conformant with RFC 5907, | |
| has been removed. | |
| * A number of obsolete refclocks have been removed. | |
| * The 'sntp' program has been renamed 'ntpdig' in order to make | |
| NTP installables have a uniform name prefix and take up less | |
| namespace. Also, ntp-keygen is now 'ntpkeygen', ntp-wait | |
| is 'ntpwait', and update-leap is now 'ntpleapfetch'. | |
| * A new utility, 'ntpfrob', collects several small diagnostic functions | |
| for reading and tweaking the local clock hardware, including reading | |
| the clock tick rate, precision, and jitter. Part of it formerly | |
| traveled as 'tickadj'. | |
| * The deprecated 'ntpdate' program has been replaced with a shell | |
| wrapper around 'ntpdig'. | |
| * Log timestamps look a little different; they are now in ISO 8601 format. | |
| * Autokey is not supported in this release. | |
| == Bugfixes either ported from NTP Classic or fixed by NTPsec changes == | |
| These reflect fixes to NTP Classic between the 2015-06-06 fork point and | |
| the 0.9.0 beta release. | |
| * [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn. | |
| * [Bug 2778] Implement "apeers" ntpq command to include associd. | |
| * [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn. | |
| * [Bug 2836] DCF77 patches from Frank Kardel to make decoding more | |
| robust, and require 2 consecutive timestamps to be consistent. | |
| * [Bug 2845] Harden memory allocation in ntpd; implement and | |
| use 'eallocarray(...)' where appropriate. | |
| * [Bug 2846] Report 'unsynchronized' status during the leap second. | |
| * [Bug 2849] Systems with more than one default route may never | |
| synchronize. Brian Utterback. Note that this patch might need to | |
| be reverted once Bug 2043 has been fixed. | |
| * [Bug 2855] Implement conditional leap smear feature; includes | |
| later fixes for parser support and reporting leap smear in the REFID. | |
| * [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel. | |
| * [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel. | |
| * [Bug 2866] segmentation fault at initgroups(). Harlan Stenn. | |
| * [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv' | |
| * [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar. | |
| * [Bug 2886] Misspelling: "outlyer" should be "outlier" | |
| * [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov. | |
| * [Bug 2901] Clients that receive a KoD should validate the origin | |
| timestamp field (CVE-2015-7704, CVE-2015-7705) | |
| * [Bug 2902] configuration directives "pidfile" and "driftfile" | |
| should be local-only. (patch by Miroslav Lichvar) (CVE-2015-7703) | |
| * [Bug 2909] Slow memory leak in CRYPTO_ASSOC (CVE-2015-7701) | |
| * [Bug 2916] trusted key use-after-free (CVE-2015-7849) | |
| * [Bug 2918] saveconfig Directory Traversal Vulnerability. (OpenVMS) | |
| (CVE-2015-7851) | |
| * [Bug 2919] ntpq atoascii() potential memory corruption (CVE-2015-7852) | |
| * [Bug 2920] Invalid length data provided by a custom refclock driver | |
| could cause a buffer overflow (CVE-2015-7853) | |
| * [Bug 2921] Password Length Memory Corruption Vulnerability (CVE-2015-7854) | |
| * [Bug 2922] decodenetnum() will ASSERT botch instead of returning | |
| FAIL on some bogus values (CVE-2015-7855) | |
| * [Bug 2941] NAK to the Future: Symmetric association authentication | |
| bypass via crypto-NAK (CVE-2015-7871) | |
| Additionally the NTPsec team is aware of the following vulnerabilities | |
| impacting autokey: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702. NTPsec | |
| does not support building with autokey support and therefore is not | |
| exposed; the vulnerable code will not be fixed, but will be removed in | |
| a future release. | |
| NTPsec is not impacted by CVE-2015-7848 (mode 7 loop counter underrun) | |
| because ntpdc and support for mode 7 packets have been removed. | |
| // end |