| author | glebius <glebius@FreeBSD.org> | 2016-01-14 09:11:16 +0000 |
|---|---|---|
| committer | glebius <glebius@FreeBSD.org> | 2016-01-14 09:11:16 +0000 |
| commit | 5af8834e70ae2dde58ee682e1a3e9c6998d9a683 | |
| tree | 1e5481635eb55b26f294d24dec98781d1c83334a /contrib/ntp/NEWS | |
| parent | c39b63eeb8c9e8ba43f68882cb2dd3a108800f25 | |
o Fix invalid TCP checksums with pf(4). [EN-16:02.pf]
o Fix YP/NIS client library critical bug. [EN-16:03.yplib]
o Fix SCTP ICMPv6 error message vulnerability. [SA-16:01.sctp]
o Fix ntp panic threshold bypass vulnerability. [SA-16:02.ntp]
o Fix Linux compatibility layer incorrect futex handling. [SA-16:03.linux]
o Fix Linux compatibility layer setgroups(2) system call. [SA-16:04.linux]
o Fix TCP MD5 signature denial of service. [SA-16:05.tcp]
o Fix insecure default bsnmpd.conf permissions. [SA-16:06.bsnmpd]
Errata: FreeBSD-EN-16:02.pf
Errata: FreeBSD-EN-16:03.yplib
Security: FreeBSD-SA-16:01.sctp, CVE-2016-1879
Security: FreeBSD-SA-16:02.ntp, CVE-2015-5300
Security: FreeBSD-SA-16:03.linux, CVE-2016-1880
Security: FreeBSD-SA-16:04.linux, CVE-2016-1881
Security: FreeBSD-SA-16:05.tcp, CVE-2016-1882
Security: FreeBSD-SA-16:06.bsnmpd, CVE-2015-5677
Approved by: so
Diffstat (limited to 'contrib/ntp/NEWS')

| -rw-r--r-- | contrib/ntp/NEWS | 107 |
|---|---|---|

1 files changed, 104 insertions, 3 deletions
diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS index e16d937..32c9288 100644 --- a/contrib/ntp/NEWS +++ b/contrib/ntp/NEWS 
@@ -1,7 +1,108 @@ --- + +NTP 4.2.8p5 + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + +In addition to bug fixes and enhancements, this release fixes the +following medium-severity vulnerability: + +* Small-step/big-step. Close the panic gate earlier. + References: Sec 2956, CVE-2015-5300 + Affects: All ntp-4 releases up to, but not including 4.2.8p5, and + 4.3.0 up to, but not including 4.3.78 + CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM + Summary: If ntpd is always started with the -g option, which is + common and against long-standing recommendation, and if at the + moment ntpd is restarted an attacker can immediately respond to + enough requests from enough sources trusted by the target, which + is difficult and not common, there is a window of opportunity + where the attacker can cause ntpd to set the time to an + arbitrary value. Similarly, if an attacker is able to respond + to enough requests from enough sources trusted by the target, + the attacker can cause ntpd to abort and restart, at which + point it can tell the target to set the time to an arbitrary + value if and only if ntpd was re-started against long-standing + recommendation with the -g flag, or if ntpd was not given the + -g flag, the attacker can move the target system's time by at + most 900 seconds' time per attack. + Mitigation: + Configure ntpd to get time from multiple sources. + Upgrade to 4.2.8p5, or later, from the NTP Project Download + Page or the NTP Public Services Project Download Page + As we've long documented, only use the -g option to ntpd in + cold-start situations. + Monitor your ntpd instances. + Credit: This weakness was discovered by Aanchal Malhotra, + Isaac E. Cohen, and Sharon Goldberg at Boston University. + + NOTE WELL: The -g flag disables the limit check on the panic_gate + in ntpd, which is 900 seconds by default. 
The bug identified by + the researchers at Boston University is that the panic_gate + check was only re-enabled after the first change to the system + clock that was greater than 128 milliseconds, by default. The + correct behavior is that the panic_gate check should be + re-enabled after any initial time correction. + + If an attacker is able to inject consistent but erroneous time + responses to your systems via the network or "over the air", + perhaps by spoofing radio, cellphone, or navigation satellite + transmissions, they are in a great position to affect your + system's clock. There comes a point where your very best + defenses include: + + Configure ntpd to get time from multiple sources. + Monitor your ntpd instances. + +Other fixes: + +* Coverity submission process updated from Coverity 5 to Coverity 7. + The NTP codebase has been undergoing regular Coverity scans on an + ongoing basis since 2006. As part of our recent upgrade from + Coverity 5 to Coverity 7, Coverity identified 16 nits in some of + the newly-written Unity test programs. These were fixed. +* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@ntp.org +* [Bug 2887] stratum -1 config results as showing value 99 + - fudge stratum should only accept values [0..16]. perlinger@ntp.org +* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. +* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray +* [Bug 2944] errno is not preserved properly in ntpdate after sendto call. + - applied patch by Christos Zoulas. perlinger@ntp.org +* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. +* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. + - fixed data race conditions in threaded DNS worker. perlinger@ntp.org + - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@ntp.org +* [Bug 2957] 'unsigned int' vs 'size_t' format clash. 
perlinger@ntp.org + - accept key file only if there are no parsing errors + - fixed size_t/u_int format clash + - fixed wrong use of 'strlcpy' +* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. +* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@ntp.org + - fixed several other warnings (cast-alignment, missing const, missing prototypes) + - promote use of 'size_t' for values that express a size + - use ptr-to-const for read-only arguments + - make sure SOCKET values are not truncated (win32-specific) + - format string fixes +* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. +* [Bug 2967] ntpdate command suffers an assertion failure + - fixed ntp_rfc2553.c to return proper address length. perlinger@ntp.org +* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with + lots of clients. perlinger@ntp.org +* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call + - changed stacked/nested handling of CTRL-C. perlinger@ntp.org +* Unity cleanup for FreeBSD-6.4. Harlan Stenn. +* Unity test cleanup. Harlan Stenn. +* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. +* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. +* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. +* Quiet a warning from clang. Harlan Stenn. + +--- NTP 4.2.8p4 -Focus: Security, Bug fies, enhancements. +Focus: Security, Bug fixes, enhancements. Severity: MEDIUM 
@@ -339,8 +440,8 @@ Credit: This weakness was discovered by Aleksandar Nikolic of Cisco Talos. Backward-Incompatible changes: * [Bug 2817] Default on Linux is now "rlimit memlock -1". -While the general default of 32M is still the case, under Linux -the default value has been changed to -1 (do not lock ntpd into + While the general default of 32M is still the case, under Linux + the default value has been changed to -1 (do not lock ntpd into memory). A value of 0 means "lock ntpd into memory with whatever memory it needs." If your ntp.conf file has an explicit "rlimit memlock" value in it, that value will continue to be used. |
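Review bot: in the @@ -1,7 +1,108 @@ hunk the CVE-2015-5300 entry describes the fix only in prose ("the panic_gate check should be re-enabled after any initial time correction"), and since this view is limited to contrib/ntp/NEWS nothing here lets a reviewer confirm that the matching ntpd source change landed alongside the NEWS text; cross-check the rest of the commit (or the vendor import it merges) for the change referenced as Sec 2956 before treating this file as the record of SA-16:02.ntp. Minor: the four Mitigation items in the new entry carry no list markers, unlike the "*" and "-" items under "Other fixes", so they read as one run-on paragraph; as vendored upstream text that is better fixed upstream than locally.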
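Review bot: the @@ -339,8 +440,8 @@ hunk is whitespace-only, adding a leading space to the two continuation lines under "[Bug 2817] Default on Linux is now "rlimit memlock -1"" so they align with the rest of that paragraph; that is harmless, but because contrib/ntp tracks upstream, confirm the reindent comes from the upstream 4.2.8p5 NEWS rather than a local edit, otherwise the next vendor import will reintroduce the diff.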