summaryrefslogtreecommitdiffstats
path: root/usr.sbin
diff options
context:
space:
mode:
authordelphij <delphij@FreeBSD.org>2016-01-22 15:55:21 +0000
committerdelphij <delphij@FreeBSD.org>2016-01-22 15:55:21 +0000
commit0e1dba9a0aa72f6f27001a50552a8c67575da336 (patch)
treedbb1c1e8cb8058b52ef547a1f18b9751613aeb04 /usr.sbin
parent7a67cba86b1ced9982ebb0dd11a9a987829efe9e (diff)
downloadFreeBSD-src-0e1dba9a0aa72f6f27001a50552a8c67575da336.zip
FreeBSD-src-0e1dba9a0aa72f6f27001a50552a8c67575da336.tar.gz
MFC r294554: MFV r294491: ntp 4.2.8p6.
Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975 Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978 Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139 Security: CVE-2015-8140, CVE-2015-8158 With hat: so
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ntp/config.h12
-rw-r--r--usr.sbin/ntp/doc/ntp-keygen.86
-rw-r--r--usr.sbin/ntp/doc/ntp.conf.577
-rw-r--r--usr.sbin/ntp/doc/ntp.keys.518
-rw-r--r--usr.sbin/ntp/doc/ntpd.86
-rw-r--r--usr.sbin/ntp/doc/ntpdc.86
-rw-r--r--usr.sbin/ntp/doc/ntpq.86
-rw-r--r--usr.sbin/ntp/doc/sntp.86
-rw-r--r--usr.sbin/ntp/libntp/Makefile1
-rwxr-xr-xusr.sbin/ntp/scripts/mkver2
10 files changed, 106 insertions, 34 deletions
diff --git a/usr.sbin/ntp/config.h b/usr.sbin/ntp/config.h
index 73f83a3..ae3efba 100644
--- a/usr.sbin/ntp/config.h
+++ b/usr.sbin/ntp/config.h
@@ -182,7 +182,7 @@
/* #undef C_ALLOCA */
/* Enable debugging code? */
-#define DEBUG 1
+/* #undef DEBUG */
/* Enable processing time debugging? */
/* #undef DEBUG_TIMING */
@@ -1437,7 +1437,7 @@
#define PACKAGE_NAME "ntp"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "ntp 4.2.8p5"
+#define PACKAGE_STRING "ntp 4.2.8p6"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "ntp"
@@ -1446,7 +1446,7 @@
#define PACKAGE_URL "http://www.ntp.org./"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "4.2.8p5"
+#define PACKAGE_VERSION "4.2.8p6"
/* data dir */
#define PERLLIBDIR "/usr/local/share/ntp/lib"
@@ -1627,7 +1627,7 @@ typedef unsigned int uintptr_t;
/* #undef USE_UDP_SIGPOLL */
/* Version number of package */
-#define VERSION "4.2.8p5"
+#define VERSION "4.2.8p6"
/* vsnprintf expands "%m" to strerror(errno) */
/* #undef VSNPRINTF_PERCENT_M */
@@ -1804,5 +1804,5 @@ typedef union mpinfou {
/*
* FreeBSD specific: Explicitly specify date/time for reproducible build.
*/
-#define MKREPRO_DATE "Jan 8 2016"
-#define MKREPRO_TIME "12:37:48"
+#define MKREPRO_DATE "Jan 21 2016"
+#define MKREPRO_TIME "01:03:28"
diff --git a/usr.sbin/ntp/doc/ntp-keygen.8 b/usr.sbin/ntp/doc/ntp-keygen.8
index a0c0954..e18940e 100644
--- a/usr.sbin/ntp/doc/ntp-keygen.8
+++ b/usr.sbin/ntp/doc/ntp-keygen.8
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTP_KEYGEN 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:43 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:51 AM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -1055,7 +1055,7 @@ it to autogen\-users@lists.sourceforge.net. Thank you.
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
It can take quite a while to generate some cryptographic values,
diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5
index 3f075a1..343f574 100644
--- a/usr.sbin/ntp/doc/ntp.conf.5
+++ b/usr.sbin/ntp/doc/ntp.conf.5
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:30:57 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:07 AM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -2395,16 +2395,18 @@ a 6\-bit code. The default value is 46, signifying Expedited Forwarding.
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
.It Xo Ic disable
.Oo
.Cm auth | Cm bclient |
.Cm calibrate | Cm kernel |
-.Cm mode7 | monitor |
-.Cm ntp | Cm stats
+.Cm mode7 | Cm monitor |
+.Cm ntp | Cm stats |
+.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
Provides a way to enable or disable various server options.
@@ -2478,6 +2480,67 @@ See the
section for further information.
The default for this flag is
.Ic disable .
+.It Cm unpeer_crypto_early
+By default, if
+.Xr ntpd 8
+receives an autokey packet that fails TEST9,
+a crypto failure,
+the association is immediately cleared.
+This is almost certainly a feature,
+but if, in spite of the current recommendation of not using autokey,
+you are
+.B still
+using autokey
+.B and
+you are seeing this sort of DoS attack
+disabling this flag will delay
+tearing down the association until the reachability counter
+becomes zero.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_crypto_nak_early
+By default, if
+.Xr ntpd 8
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
+.It Cm unpeer_digest_early
+By default, if
+.Xr ntpd 8
+receives what should be an authenticated packet
+that passes other packet sanity checks but
+contains an invalid digest
+the association is immediately cleared.
+While this is generally a feature
+as it allows for quick recovery,
+if this type of packet is carefully forged and sent
+during an appropriate window it can be used for a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
.El
.It Ic includefile Ar includefile
This command allows additional configuration commands
@@ -2836,7 +2899,7 @@ A snapshot of this documentation is available in HTML format in
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
The syntax checking is not picky; some combinations of
diff --git a/usr.sbin/ntp/doc/ntp.keys.5 b/usr.sbin/ntp/doc/ntp.keys.5
index 04dfbcd..6f711b9 100644
--- a/usr.sbin/ntp/doc/ntp.keys.5
+++ b/usr.sbin/ntp/doc/ntp.keys.5
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTP_KEYS 5 File Formats
.Os SunOS 5.10
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:00 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:10 AM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agmdoc-file.tpl
.Sh NAME
@@ -46,7 +46,7 @@ The key file uses the same comment conventions
as the configuration file.
Key entries use a fixed format of the form
.Pp
-.D1 Ar keyno type key
+.D1 Ar keyno type key opt_IP_list
.Pp
where
.Ar keyno
@@ -55,7 +55,15 @@ is a positive integer (between 1 and 65534),
is the message digest algorithm,
and
.Ar key
-is the key itself.
+is the key itself, and
+.Ar opt_IP_list
+is an optional comma\-separated list of IPs
+that are allowed to serve time.
+If
+.Ar opt_IP_list
+is empty,
+any properly\-authenticated server message will be
+accepted.
.Pp
The
.Ar key
@@ -149,7 +157,7 @@ it to autogen\-users@lists.sourceforge.net. Thank you.
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh "BUGS"
Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/usr.sbin/ntp/doc/ntpd.8 b/usr.sbin/ntp/doc/ntpd.8
index 70ab88e..3f6b673 100644
--- a/usr.sbin/ntp/doc/ntpd.8
+++ b/usr.sbin/ntp/doc/ntpd.8
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTPD 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:02 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:12 AM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -888,7 +888,7 @@ A snapshot of this documentation is available in HTML format in
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
The
diff --git a/usr.sbin/ntp/doc/ntpdc.8 b/usr.sbin/ntp/doc/ntpdc.8
index 3561f2a..36511dc 100644
--- a/usr.sbin/ntp/doc/ntpdc.8
+++ b/usr.sbin/ntp/doc/ntpdc.8
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTPDC 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:31:29 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:18:39 AM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -789,7 +789,7 @@ it to autogen\-users@lists.sourceforge.net. Thank you.
.Sh AUTHORS
The formatting directives in this document came from FreeBSD.
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
The
diff --git a/usr.sbin/ntp/doc/ntpq.8 b/usr.sbin/ntp/doc/ntpq.8
index e71a84b..a1e1c64 100644
--- a/usr.sbin/ntp/doc/ntpq.8
+++ b/usr.sbin/ntp/doc/ntpq.8
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt NTPQ 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:32:02 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:19:12 AM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -957,7 +957,7 @@ it to autogen\-users@lists.sourceforge.net. Thank you.
.Sh "AUTHORS"
The University of Delaware and Network Time Foundation
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh "BUGS"
Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/usr.sbin/ntp/doc/sntp.8 b/usr.sbin/ntp/doc/sntp.8
index 0d2dd64..b800b9e 100644
--- a/usr.sbin/ntp/doc/sntp.8
+++ b/usr.sbin/ntp/doc/sntp.8
@@ -1,11 +1,11 @@
-.Dd January 7 2016
+.Dd January 20 2016
.Dt SNTP 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed January 7, 2016 at 11:23:27 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed January 20, 2016 at 04:06:45 AM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -305,7 +305,7 @@ it to autogen\-users@lists.sourceforge.net. Thank you.
.An "Harlan Stenn"
.An "Dave Hart"
.Sh "COPYRIGHT"
-Copyright (C) 1992\-2015 The University of Delaware and Network Time Foundation all rights reserved.
+Copyright (C) 1992\-2016 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh "BUGS"
Please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
diff --git a/usr.sbin/ntp/libntp/Makefile b/usr.sbin/ntp/libntp/Makefile
index 1e48483..6a58cdb 100644
--- a/usr.sbin/ntp/libntp/Makefile
+++ b/usr.sbin/ntp/libntp/Makefile
@@ -16,6 +16,7 @@ NTP_SRCS= systime.c a_md5encrypt.c adjtime.c atoint.c \
clocktypes.c decodenetnum.c dofptoa.c dolfptoa.c \
emalloc.c findconfig.c getopt.c hextoint.c \
hextolfp.c humandate.c icom.c iosignal.c \
+ is_ip_address.c \
lib_strbuf.c machines.c mktime.c modetoa.c \
mstolfp.c msyslog.c netof.c ntp_calendar.c \
ntp_crypto_rnd.c ntp_intres.c ntp_libopts.c \
diff --git a/usr.sbin/ntp/scripts/mkver b/usr.sbin/ntp/scripts/mkver
index 6a99756..c200a1b 100755
--- a/usr.sbin/ntp/scripts/mkver
+++ b/usr.sbin/ntp/scripts/mkver
@@ -6,7 +6,7 @@ PROG=${1-UNKNOWN}
ConfStr="$PROG"
-ConfStr="$ConfStr 4.2.8p5"
+ConfStr="$ConfStr 4.2.8p6"
case "$CSET" in
'') ;;
OpenPOWER on IntegriCloud