Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after:		2 weeks
Security:		CVE-2009-3563

1 files changed, 88 insertions, 0 deletions

diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS
index 6290fb5..729a91f 100644
--- a/contrib/ntp/NEWS
+++ b/contrib/ntp/NEWS
@@ -1,3 +1,91 @@
+NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08)
+
+Focus: Security Fixes
+
+Severity: HIGH
+
+This release fixes the following high-severity vulnerability:
+
+* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
+
+  See http://support.ntp.org/security for more information.
+
+  NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility.
+  In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time
+  transfers use modes 1 through 5.  Upon receipt of an incorrect mode 7
+  request or a mode 7 error response from an address which is not listed
+  in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will
+  reply with a mode 7 error response (and log a message).  In this case:
+
+	* If an attacker spoofs the source address of ntpd host A in a
+	  mode 7 response packet sent to ntpd host B, both A and B will
+	  continuously send each other error responses, for as long as
+	  those packets get through.
+
+	* If an attacker spoofs an address of ntpd host A in a mode 7
+	  response packet sent to ntpd host A, A will respond to itself
+	  endlessly, consuming CPU and logging excessively.
+
+  Credit for finding this vulnerability goes to Robin Park and Dmitri
+  Vinokurov of Alcatel-Lucent.
+
+THIS IS A STRONGLY RECOMMENDED UPGRADE.
+
+---
+NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04)
+
+Focus: Security and Bug Fixes
+
+Severity: HIGH
+
+This release fixes the following high-severity vulnerability:
+
+* [Sec 1151] Remote exploit if autokey is enabled.  CVE-2009-1252
+
+  See http://support.ntp.org/security for more information.
+
+  If autokey is enabled (if ntp.conf contains a "crypto pw whatever"
+  line) then a carefully crafted packet sent to the machine will cause
+  a buffer overflow and possible execution of injected code, running
+  with the privileges of the ntpd process (often root).
+
+  Credit for finding this vulnerability goes to Chris Ries of CMU.
+
+This release fixes the following low-severity vulnerabilities:
+
+* [Sec 1144] limited (two byte) buffer overflow in ntpq.  CVE-2009-0159
+  Credit for finding this vulnerability goes to Geoff Keating of Apple.
+  
+* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows
+  Credit for finding this issue goes to Dave Hart.
+
+This release fixes a number of bugs and adds some improvements:
+
+* Improved logging
+* Fix many compiler warnings
+* Many fixes and improvements for Windows
+* Adds support for AIX 6.1
+* Resolves some issues under MacOS X and Solaris
+
+THIS IS A STRONGLY RECOMMENDED UPGRADE.
+
+---
+NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07)
+
+Focus: Security Fix
+
+Severity: Low
+
+This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting
+the OpenSSL library relating to the incorrect checking of the return
+value of EVP_VerifyFinal function.
+
+Credit for finding this issue goes to the Google Security Team for
+finding the original issue with OpenSSL, and to ocert.org for finding
+the problem in NTP and telling us about it.
+
+This is a recommended upgrade.
+---
 NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17)
 
 Focus: Minor Bugfixes