= NTPsec project news =
For historic news from NTP Classic, see devel/HISTORIC-NEWS in the
distribution.
Not all news features are described here; see docs/ntpsec.adoc in the
distribution.
Much of the traditional function of a news file is now better addressed
by browsing the comments in the revision history. This file will focus
on user-visible changes.
== 2019-01-13: 1.1.3 ==
Lots of typo fixes, documentation cleanups, test targets.
In memory of Arland D. Williams Jr.
== 2018-08-28: 1.1.2 ==
Use data minimization on client requests
https://datatracker.ietf.org/doc/draft-ietf-ntp-data-minimization/
Support AES-128-CMAC for authentication
https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/
== 2018-06-11: 1.1.1 ==
Log timestamps now include the year. This is useful when
investigating bugs involving time-setting and -g.
Many internal cleanups to clear the way for upcoming major features.
They should generally not be user visible. Refer to the git-log if
you are interested.
== 2018-03-14: 1.1.0 ==
RIP Stephen William Hawking, CH CBE FRS FRSA. 1942-01-08 - 2018-03-14
You gave us a Brief History of Time. We will just count it.
Enough user visible changes have been made that this is the 1.1.0 release
instead of a 1.0.1.
The code size is now 55KLOC in C, 15KLOC in Python.
Digests longer than 20 bytes will be truncated.
We have merged NTP Classic's fix for CVE-2018-7182.
The following NTP Classic CVEs announced in February 2018 do not affect NTPsec:
* CVE-2016-1549: Sybil vulnerability: ephemeral association attack
* CVE-2018-7170: Multiple authenticated ephemeral associations
* CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state
* CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association
* CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit
We have dropped support for Broadcast servers. We had kept it for
older desktop operating systems listening on the local network
broadcast domain, a use case that is no longer employed in sane
environments, and no longer necessary for modern desktop OSs.
It is now possible to unpeer refclocks using a type/unit specification
rather than a magic IP address. This was the last obligatory use of
magic IP addresses in the configuration grammar.
OpenBSD has been removed from the list of supported platforms for
ntpd. It will be restored if and when its clock API supports drift
adjustment via ntp_adjtime() or equivalent facility.
Mac OS X support has been dropped pending the implementation of
ntp_adjtime(2).
A bug that caused the rejection of 33% of packets from Amazon time
service has been fixed.
== 2017-10-10: 1.0.0 ==
This is the 1.0 release.
It has been a long road, getting from there to here.
The code size has been further reduced, to 55KLOC.
A bug inherited from Classic that could cause bad jitter from bad
peers to be incorrectly zeroed, producing erratic or slow startup, has
been fixed.
The dependency of local refclocks returning 4-digit years on
pre-synchronization to a network peer has been removed. It is
thus possible to run in a fully-autonomous mode using multiple
refclocks and no network peers.
ntpmon now reports units on time figures.
ntpq now reports a count of Mode 6 messages received under sysstats.
You can now turn off restriction flags with an _unrestrict_ statement
that takes arguments exactly like a _restrict_, except that with no
argument flags it removes any filter rule associated with the
address/mask (as opposed to creating one with unrestricted
access). This is expected to be useful mainly with the "ntpq :config"
command.
Builds are fully reproducible; see SOURCE_DATE_EPOCH and BUILD_EPOCH.
== 2017-03-21: 0.9.7 ==
The code size has been further reduced, to 60KLOC.
A shell script, buildprep, has been added to the top level source directory.
It prepares your system for an NTPsec source build by installing all required
dependencies on the build host.
Extra digits of precision are now output in numerous places. The
driftfile now stores 6 digits past the decimal point instead of 3. The
stats files now store 9 digits past the decimal point instead of 6 for
some fields. ntpq and ntpmon also report extra digits of precision in
multiple places. These changes may break simple parsing scripts.
Four contrib programs (cpu-temp-log, smartctl-temp-log, temper-temp-log,
and zone-temp-log) have been combined into the new program ntplogtemp.
The new program allows for easy logging of system temperatures and is
installed by default.
The SHM refclock no longer limits the value of SHM time by default.
This allows SHM to work on systems with no RTC by default.
The following CVEs revealed by a Mozilla penetration test and reported in
CERT VU#325339 have been resolved:
* CVE-2017-6464: Denial of Service via Malformed Config
* CVE-2017-6463: Authenticated DoS via Malicious Config Option
* CVE-2017-6458: Potential Overflows in ctl_put() functions
* CVE-2017-6451: Improper use of snprintf() in mx4200_send()
The following CVEs, announced simultaneously, affected NTP Classic but
not NTPsec, because we had already removed the attack surface:
* CVE-2017-6462: Buffer Overflow in DPTS Clock
* CVE-2017-6455: Privileged execution of User Library code
* CVE-2017-6452: Stack Buffer Overflow from Command Line
* CVE-2017-6459: Data Structure terminated insufficiently
* CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist
We gratefully acknowledge the work of Dr.-Ing. Mario Hederich
at cure53 in detecting these problems and his cooperation in resolving them.
== 2016-12-30: 0.9.6 ==
ntpkeygen has been moved from C to Python. This is not a functional
change, just another move to improve maintainability and reduce attack
surface by decreasing line count.
ntpdig has also been moved from C to Python. Though this is also
mostly a move to reduce line count, the new version does have some
functional changes. Obsolete options have been dropped, logging is
done a bit differently, and the synchronization-distance computation has
been brought up to date with ntpd's. Also, this version can be told to
collect multiple samples and use whichever has the lowest combination
of stratum and synchronization distance.
A new tool for time-service operators, ntpmon, supports real-time
monitoring of your NTP installation's status.
== 2016-11-23: 0.9.5 ==
This release includes a substantial refactoring of the core protocol
implementation. Due to unresolvable security issues, support for
broadcast/multicast clients has been dropped; broadcast servers are
still supported. Likewise, symmetric mode is now only partially
supported. The `peer` directive has become a synonym for `server`.
Servers which receive symmetric-active mode packets will immediately
give a symmetric-passive-mode response, but will not mobilize a new
association.
All remaining Perl code in the distribution has been moved to Python.
The trap feature, broken in NTP Classic at the time of the NTPsec fork,
has been removed. So has its only known client, the ntptrap script in the
distribution.
A new visualization tool, ntpviz, generates graphical summaries of
logfile data that can be helpful for identifying problems such as
misconfigured servers. It replaces a messy and poorly documented pile
of ancient Perl, awk, and S scripts; those have been removed.
It is now possible (and sometimes useful) to say "minpoll 0" for a
1-second interval.
The ntpq tool for querying and configuring a running ntpd has been
moved from C to Python. About the only visible effect this has is
that ntpq now resizes its peers display to accommodate wide
terminal-emulator windows.
This release includes fixes for four low- and medium-severity
vulnerabilities:
* CVE-2016-7434: Null pointer dereference on malformed mrulist request
* CVE-2016-7429: Interface selection DoS
* CVE-2016-9311: Trap crash
* CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector
Note that the "fixes" for CVE-2016-9310/9311 consist of complete
removal of the broken trap feature. This removal occurred post-0.9.4
but prior to the discovery of these issues.
Further, an additional low-severity issue impacting 0.9.0 through
0.9.3 has come to our attention:
CVE-2016-7433: Reboot sync calculation problem
This issue was already addressed in 0.9.4 but not treated as a
vulnerability.
The following NTP Classic CVEs do not impact NTPsec: CVE-2016-7427,
CVE-2016-7428, CVE-2016-9312, CVE-2016-7431. We reject CVE-2016-7426,
as it describes known and intended behavior which is a necessary
logical consequence of rate-limiting.
For more information on these security issues, see:
https://lists.ntpsec.org/pipermail/devel/2016-November/002589.html
http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
== 2016-08-16: 0.9.4 ==
usestats has been added to the statistics collection to record
system resource usage statistics.
A new, simpler configuration syntax for refclocks has been
implemented. Configuration examples in the new syntax have been added
to each driver page.
Refclocks are now designated by name, not number. A list is available
from "./waf configure --list".
The rarely-used saveconfig feature in ntpd, and various associated
configuration directives, have been removed for security reasons. The
ntpd --saveconfigquit option, undocumented in NTP Classic, has
also been removed.
The ARCRON MSF refclock has been removed on the advice of its last maintainer.
The Spectracom TSYNC PCI refclock has been removed. It required a
proprietary driver. As a matter of good security policy, NTPsec will
not trust nor attempt to support code it cannot audit.
The Conrad Parallel Port radio refclock has been removed. It required
a third-party parallel-port driver for Linux that no longer exists.
Both Hopf refclocks have been removed. The 6039 driver required a
kernel driver that no longer exists; the 6021 driver duplicated
support in the generic driver.
The Austron refclock has been removed, on the grounds that it was
EOLed more than 20 years ago and there's been no aftermarket activity
or web chatter around it for a decade.
The audio-path drivers (IRIG and CHU) have been removed. The class
of hardware required to support them has gone essentially extinct due
to cheap DSP. The complexity/maintenance overhead of this code
was high enough to motivate dropping them.
This release contains a fix for one vulnerability inherited from
NTP Classic:
[Bug 3044] (CVE-2016-4954) Processing spoofed server packets
https://lists.ntpsec.org/pipermail/devel/2016-June/001299.html provides
additional information on this issue.
It also includes the following fix cross-ported from Classic:
[Bug 3047] refclock_jjy does not work with C-DEX JST2000
== 2016-05-17: 0.9.3 ==
The long-deprecated Autokey feature has been removed.
This release contains fixes for three vulnerabilities inherited from
NTP Classic:
* [Bug 3020] (CVE-2016-1551) Refclock impersonation vulnerability
(Credit: Matt Street et al. of Cisco ASIG)
* [Bug 3008] (CVE-2016-2519) ctl_getitem() return value not always checked
(Credit: Yihan Lian of the Qihoo 360 cloud security team)
* [Bug 2978] (CVE-2016-1548) Interleave-pivot
(Credit: Miroslav Lichvar of RedHat and Jonathan Gardner of Cisco ASIG)
The following non-security fixes have been
forward-ported from Classic:
* [Bug 2772] adj_systime overflows tv_usec
* [Bug 2814] msyslog deadlock when signaled.
* [Bug 2829] Look at pipe_fds in ntpd.c
* [Bug 2887] fudge stratum only accepts values [0..16].
* [Bug 2958] ntpq: fatal error messages need a final newline.
* [Bug 2965] Local clock didn't work since 4.2.8p4.
* [Bug 2969] Segfault from ntpq/mrulist when looking at server with lots of clients
We regard the following NTP Classic bug -
[Bug 3012] (CVE-2016-1549) Sybil vulnerability: ephemeral association attack
(Credit: Matthew van Gundy of Cisco ASIG)
as a duplicate of CVE-2015-7974 (see 0.9.1 release
notes) and it is WONTFIX for the time being: it is
correct-but-unfortunate behavior consequent to confusing and
inflexible semantics of ntp.conf's access control language, and we
will address it with a future redesign effort. NTP Classic has
partially addressed this pair of issues by extending the syntax of
ntp.keys to support IP ACLing. We are not currently aware of any
demand for this feature among NTPsec users and have no plans to
implement it; if you have a need for it, please file a bug at
https://gitlab.com/groups/NTPsec/issues to let us know you're out
there.
The remainder of the security issues patched in NTP Classic 4.2.8p7
either are not believed to impact NTPsec or were already fixed in a
previous release.
== 2016-03-15: 0.9.2 ==
Point release.
* can now cross-compile
* many documentation fixes
* Coverity is even more strict
* remove WWV, transmitter protocol changed, nobody builds receivers
* remove updwtmpx stuff, no longer useful
== 2016-01-25: 0.9.1 ==
Point release for security. Fixes:
* CVE-2015-7973: Replay attack on authenticated broadcast mode
(Aanchal Malhotra)
* CVE-2015-7975: nextvar() missing length check (Jonathan Gardner)
* CVE-2015-7979: Off-path Denial of Service (DoS) attack on
authenticated broadcast and other preemptable modes (Aanchal
Malhotra)
* CVE-2015-8138: Zero Origin Timestamp Bypass (Matthew van Gundy &
Jonathan Gardner)
* CVE-2015-8139: Origin Leak: ntpq and ntpdc Disclose Origin Timestamp
to Unauthenticated Clients (Matthew van Gundy)
* CVE-2015-8158: Potential Infinite Loop in ntpq (Jonathan Gardner)
* CVE-2016-1550: Timing attack on MAC verification (Daniel Franke)
* Missing length checks in decodearr() and outputarr() (Daniel Franke)
Two additional security issues have been reported to us for which we
are not implementing code changes, but the user should be aware of
their impact.
The first (CVE-2015-8140) pertains to NTP's dynamic reconfiguration
feature, which permits on-the-fly modification of NTP's configuration
via ntpq. This feature is rarely used, typically disabled, and can
only be enabled when authentication is configured. ntpd has no means
of detecting that a request to change its configuration is a replay of
an old packet. Therefore, if an administrator sets ntpd to
configuration A and then to configuration B, an attacker who captures
the packets commanding these changes can replay the first one and
restore ntpd's state to configuration A. This is only a concern when
the configuration commands are sent over an untrusted
network. Configuration changes made via localhost are not susceptible.
This is an inherent design flaw in NTP cryptography and in the remote
reconfiguration protocol, and can be fixed only with a considerable
reworking and by changing the protocol in a way that is neither
forward nor backward compatible. This cryptographic rework is on the
horizon in the form of Network Time Security (currently a draft in the
IETF network time working group). Given that this vulnerability
impacts few if any real users, we have chosen to defer fixing it until
we have tools more suitable to the task. In the meantime, if you
rely on NTP's reconfiguration support, we recommend either restricting
its use to localhost or trusted networks, or tunneling through SSH or
a VPN. The 'nomodify' option to the 'restrict' directive may be used
to enforce this policy.
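
A simplified model of the replay described above, as an added example that is not NTPsec code and does not reproduce the NTP mode 6 wire format. HMAC-SHA256, the key, the sequence-number field and all names are assumptions made for the illustration; the counter check shown is a generic freshness mechanism, not Network Time Security.

```python
import hashlib
import hmac

# Constructed demo key; stands in for a trusted symmetric key.
KEY = b"constructed-demo-key"


def _signed_bytes(seq, body):
    # Bytes covered by the authenticator: 8-byte sequence number, then body.
    return seq.to_bytes(8, "big") + body


def make_command(key, seq, body):
    """Admin side: build (seq, body, tag) with the tag covering seq and body."""
    tag = hmac.new(key, _signed_bytes(seq, body), hashlib.sha256).digest()
    return (seq, body, tag)


class ToyDaemon:
    """Receiver that authenticates commands; freshness checking is optional."""

    def __init__(self, key, check_freshness):
        self.key = key
        self.check_freshness = check_freshness
        self.last_seq = 0          # highest sequence number accepted so far
        self.config = None

    def receive(self, packet):
        seq, body, tag = packet
        expected = hmac.new(self.key, _signed_bytes(seq, body),
                            hashlib.sha256).digest()
        # Constant-time comparison of the authenticator.
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad MAC"
        if self.check_freshness:
            # An old packet has a valid MAC but a stale sequence number.
            if seq <= self.last_seq:
                return "rejected: replay"
            self.last_seq = seq
        self.config = body.decode()
        return "applied"


def run_scenario(check_freshness):
    """Admin sets A then B; an observer replays the captured A packet."""
    daemon = ToyDaemon(KEY, check_freshness)
    captured = []
    for seq, body in ((1, b"configuration A"), (2, b"configuration B")):
        packet = make_command(KEY, seq, body)
        captured.append(packet)     # same bytes an on-path observer would see
        daemon.receive(packet)
    replay_result = daemon.receive(captured[0])
    return replay_result, daemon.config


if __name__ == "__main__":
    print(run_scenario(check_freshness=False))
    print(run_scenario(check_freshness=True))
```

Without the freshness check the replayed packet authenticates and the daemon ends up back in configuration A; with receiver-side state tracking the last accepted sequence number, the same packet is refused and configuration B stays in place.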
The second (CVE-2015-7974) pertains to the fact that when multiple
trusted keys are configured, no mechanism exists to associate
particular keys with particular peers or assign particular privileges.
This is not a bug, per se, but rather a lack of expressiveness in
NTP's configuration language. We intend to address this in a future release
as part of a larger redesign aimed at giving clearer semantics to the
configuration language and making it easier to write safe
configurations.
Note that NTPsec is not impacted by CVE-2015-7976, CVE-2015-7977, or
CVE-2015-7978. CVE-2015-7977 and CVE-2015-7978 both pertain to mode 7
packets, support for which was completely removed before NTPsec's
first beta. CVE-2015-7976 is a feature request to restrict the format
of filenames used in saveconfig commands. Saveconfig support is
disabled at compile time in NTPsec and will not be re-enabled without
much more extensive hardening.
Other fixes:
Coverity found a slow memory leak in the asynchronous-DNS code.
== 2015-11-16: 0.9.0 ==
Initial NTPsec beta release.
* Canonical forge for git clones and issue tracking is
https://gitlab.com/NTPsec/ntpsec
* The documentation has been extensively updated and revised. One
important change is that manual pages are now generated from the
same masters as this web documentation, so the two will no longer
drift out of synchronization.
* Internally, there is more consistent use of nanosecond precision.
A visible effect of this is that time stepping with sufficiently
high-precision time sources could be accurate down to nanoseconds
rather than microseconds; this might actually matter for GPSDOs
and high-quality radio clocks.
* The deprecated 'ntpdc' utility, long since replaced by 'ntpq', has
been removed.
* The 'ntpsnmpd' daemon, incomplete and not conformant with RFC 5907,
has been removed.
* A number of obsolete refclocks have been removed.
* The 'sntp' program has been renamed 'ntpdig' in order to make
NTP installables have a uniform name prefix and take up less
namespace. Also, ntp-keygen is now 'ntpkeygen', ntp-wait
is 'ntpwait', and update-leap is now 'ntpleapfetch'.
* A new utility, 'ntpfrob', collects several small diagnostic functions
for reading and tweaking the local clock hardware, including reading
the clock tick rate, precision, and jitter. Part of it formerly
traveled as 'tickadj'.
* The deprecated 'ntpdate' program has been replaced with a shell
wrapper around 'ntpdig'.
* Log timestamps look a little different; they are now in ISO 8601 format.
* Autokey is not supported in this release.
== Bugfixes either ported from NTP Classic or fixed by NTPsec changes ==
These reflect fixes to NTP Classic between the 2015-06-06 fork point and
the 0.9.0 beta release.
* [Bug 2625] Deprecate flag1 in local refclock. Hal Murray, Harlan Stenn.
* [Bug 2778] Implement "apeers" ntpq command to include associd.
* [Bug 2823] ntpsweep with recursive peers option doesn't work. H.Stenn.
* [Bug 2836] DCF77 patches from Frank Kardel to make decoding more
robust, and require 2 consecutive timestamps to be consistent.
* [Bug 2845] Harden memory allocation in ntpd; implement and
use 'eallocarray(...)' where appropriate.
* [Bug 2846] Report 'unsynchronized' status during the leap second.
* [Bug 2849] Systems with more than one default route may never
synchronize. Brian Utterback. Note that this patch might need to
be reverted once Bug 2043 has been fixed.
* [Bug 2855] Implement conditional leap smear feature; includes
later fixes for parser support and reporting leap smear in the REFID.
* [Bug 2859] Improve raw DCF77 robustness decoding. Frank Kardel.
* [Bug 2860] ntpq ifstats sanity check is too stringent. Frank Kardel.
* [Bug 2866] segmentation fault at initgroups(). Harlan Stenn.
* [Bug 2867] ntpd with autokey active crashed by 'ntpq -crv'
* [Bug 2883] ntpd crashes on exit with empty driftfile. Miroslav Lichvar.
* [Bug 2886] Misspelling: "outlyer" should be "outlier"
* [Bug 2890] Ignore ENOBUFS on routing netlink socket. Konstantin Khlebnikov.
* [Bug 2901] Clients that receive a KoD should validate the origin
timestamp field (CVE-2015-7704, CVE-2015-7705)
* [Bug 2902] configuration directives "pidfile" and "driftfile"
should be local-only. (patch by Miroslav Lichvar) (CVE-2015-7703)
* [Bug 2909] Slow memory leak in CRYPTO_ASSOC (CVE-2015-7701)
* [Bug 2916] trusted key use-after-free (CVE-2015-7849)
* [Bug 2918] saveconfig Directory Traversal Vulnerability. (OpenVMS)
(CVE-2015-7851)
* [Bug 2919] ntpq atoascii() potential memory corruption (CVE-2015-7852)
* [Bug 2920] Invalid length data provided by a custom refclock driver
could cause a buffer overflow (CVE-2015-7853)
* [Bug 2921] Password Length Memory Corruption Vulnerability (CVE-2015-7854)
* [Bug 2922] decodenetnum() will ASSERT botch instead of returning
FAIL on some bogus values (CVE-2015-7855)
* [Bug 2941] NAK to the Future: Symmetric association authentication
bypass via crypto-NAK (CVE-2015-7871)
Additionally the NTPsec team is aware of the following vulnerabilities
impacting autokey: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702. NTPsec
does not support building with autokey support and therefore is not
exposed; the vulnerable code will not be fixed, but will be removed in
a future release.
NTPsec is not impacted by CVE-2015-7848 (mode 7 loop counter underrun)
because ntpdc and support for mode 7 packets have been removed.
// end