summaryrefslogtreecommitdiffstats
path: root/usr.sbin
diff options
context:
space:
mode:
authordelphij <delphij@FreeBSD.org>2016-06-04 05:46:52 +0000
committerdelphij <delphij@FreeBSD.org>2016-06-04 05:46:52 +0000
commit1c978b35b9ee5349b17431da32fc8f413549f4ce (patch)
treea6138f764720bbcab22809c6c06ffa7c23bc2c26 /usr.sbin
parent86a921b1ab9596bf698d84429aab86a4be596a80 (diff)
downloadFreeBSD-src-1c978b35b9ee5349b17431da32fc8f413549f4ce.zip
FreeBSD-src-1c978b35b9ee5349b17431da32fc8f413549f4ce.tar.gz
Fix multiple ntp vulnerabilities.
Security: FreeBSD-SA-16:24.ntp Approved by: so
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/ntp/config.h10
-rw-r--r--usr.sbin/ntp/doc/ntp-keygen.84
-rw-r--r--usr.sbin/ntp/doc/ntp.conf.526
-rw-r--r--usr.sbin/ntp/doc/ntp.keys.54
-rw-r--r--usr.sbin/ntp/doc/ntpd.84
-rw-r--r--usr.sbin/ntp/doc/ntpdc.84
-rw-r--r--usr.sbin/ntp/doc/ntpq.84
-rw-r--r--usr.sbin/ntp/doc/sntp.84
-rwxr-xr-xusr.sbin/ntp/scripts/mkver2
9 files changed, 42 insertions, 20 deletions
diff --git a/usr.sbin/ntp/config.h b/usr.sbin/ntp/config.h
index 30988ea..d11819c 100644
--- a/usr.sbin/ntp/config.h
+++ b/usr.sbin/ntp/config.h
@@ -1449,7 +1449,7 @@
#define PACKAGE_NAME "ntp"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "ntp 4.2.8p7"
+#define PACKAGE_STRING "ntp 4.2.8p8"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "ntp"
@@ -1458,7 +1458,7 @@
#define PACKAGE_URL "http://www.ntp.org./"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "4.2.8p7"
+#define PACKAGE_VERSION "4.2.8p8"
/* data dir */
#define PERLLIBDIR "/usr/local/share/ntp/lib"
@@ -1639,7 +1639,7 @@ typedef unsigned int uintptr_t;
/* #undef USE_UDP_SIGPOLL */
/* Version number of package */
-#define VERSION "4.2.8p7"
+#define VERSION "4.2.8p8"
/* vsnprintf expands "%m" to strerror(errno) */
/* #undef VSNPRINTF_PERCENT_M */
@@ -1816,5 +1816,5 @@ typedef union mpinfou {
/*
* FreeBSD specific: Explicitly specify date/time for reproducible build.
*/
-#define MKREPRO_DATE "Apr 27 2016"
-#define MKREPRO_TIME "05:53:49"
+#define MKREPRO_DATE "Jun 03 2016"
+#define MKREPRO_TIME "06:34:37"
diff --git a/usr.sbin/ntp/doc/ntp-keygen.8 b/usr.sbin/ntp/doc/ntp-keygen.8
index 4b58a4c..bb7972a 100644
--- a/usr.sbin/ntp/doc/ntp-keygen.8
+++ b/usr.sbin/ntp/doc/ntp-keygen.8
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTP_KEYGEN 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:30:23 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:39:43 AM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5
index 4e45240..42af4a5 100644
--- a/usr.sbin/ntp/doc/ntp.conf.5
+++ b/usr.sbin/ntp/doc/ntp.conf.5
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:28:36 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:36:16 AM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -2442,6 +2442,7 @@ The default value is 46, signifying Expedited Forwarding.
.Cm calibrate | Cm kernel |
.Cm mode7 | Cm monitor |
.Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
@@ -2451,6 +2452,7 @@ The default value is 46, signifying Expedited Forwarding.
.Cm calibrate | Cm kernel |
.Cm mode7 | Cm monitor |
.Cm ntp | Cm stats |
+.Cm peer_clear_digest_early |
.Cm unpeer_crypto_early | Cm unpeer_crypto_nak_early | Cm unpeer_digest_early
.Oc
.Xc
@@ -2518,6 +2520,26 @@ closes the feedback loop, which is useful for testing.
The default for
this flag is
.Ic enable .
+.It Cm peer_clear_digest_early
+By default, if
+.Xr ntpd 8
+is using autokey and it
+receives a crypto\-NAK packet that
+passes the duplicate packet and origin timestamp checks
+the peer variables are immediately cleared.
+While this is generally a feature
+as it allows for quick recovery if a server key has changed,
+a properly forged and appropriately delivered crypto\-NAK packet
+can be used in a DoS attack.
+If you have active noticable problems with this type of DoS attack
+then you should consider
+disabling this option.
+You can check your
+.Cm peerstats
+file for evidence of any of these attacks.
+The
+default for this flag is
+.Ic enable .
.It Cm stats
Enables the statistics facility.
See the
diff --git a/usr.sbin/ntp/doc/ntp.keys.5 b/usr.sbin/ntp/doc/ntp.keys.5
index 6fb04bf..06cf644 100644
--- a/usr.sbin/ntp/doc/ntp.keys.5
+++ b/usr.sbin/ntp/doc/ntp.keys.5
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTP_KEYS 5 File Formats
.Os SunOS 5.10
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:28:39 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:36:20 AM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agmdoc-file.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/doc/ntpd.8 b/usr.sbin/ntp/doc/ntpd.8
index d7e6650..bb51eb3 100644
--- a/usr.sbin/ntp/doc/ntpd.8
+++ b/usr.sbin/ntp/doc/ntpd.8
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTPD 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:28:41 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:36:22 AM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/doc/ntpdc.8 b/usr.sbin/ntp/doc/ntpdc.8
index 7b73651..39de44d 100644
--- a/usr.sbin/ntp/doc/ntpdc.8
+++ b/usr.sbin/ntp/doc/ntpdc.8
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTPDC 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:29:08 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:36:58 AM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/doc/ntpq.8 b/usr.sbin/ntp/doc/ntpq.8
index 6f2d080..60e66de 100644
--- a/usr.sbin/ntp/doc/ntpq.8
+++ b/usr.sbin/ntp/doc/ntpq.8
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt NTPQ 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:29:41 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:37:48 AM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/doc/sntp.8 b/usr.sbin/ntp/doc/sntp.8
index a0172a3..c0ab263 100644
--- a/usr.sbin/ntp/doc/sntp.8
+++ b/usr.sbin/ntp/doc/sntp.8
@@ -1,11 +1,11 @@
-.Dd April 26 2016
+.Dd June 2 2016
.Dt SNTP 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc)
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed April 26, 2016 at 08:21:15 PM by AutoGen 5.18.5
+.\" It has been AutoGen-ed June 2, 2016 at 07:20:03 AM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
diff --git a/usr.sbin/ntp/scripts/mkver b/usr.sbin/ntp/scripts/mkver
index 373bb5f..5318024 100755
--- a/usr.sbin/ntp/scripts/mkver
+++ b/usr.sbin/ntp/scripts/mkver
@@ -6,7 +6,7 @@ PROG=${1-UNKNOWN}
ConfStr="$PROG"
-ConfStr="$ConfStr 4.2.8p7"
+ConfStr="$ConfStr 4.2.8p8"
case "$CSET" in
'') ;;
OpenPOWER on IntegriCloud