Opened 10 years ago
Closed 10 years ago
#5971 closed enhancement (fixed)
ntp-4.2.8
Reported by: | Fernando de Oliveira | Owned by: | Fernando de Oliveira |
---|---|---|---|
Priority: | high | Milestone: | 7.7 |
Component: | BOOK | Version: | SVN |
Severity: | major | Keywords: | |
Cc: |
Description (last modified by )
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz
http://lists.ntp.org/pipermail/announce/2014-December/000122.html
Summary of the announcement:
Harlan Stenn stenn at ntp.org
Mon Dec 22 00:42:24 UTC 2014
...
NTP 4.2.8 (Harlan Stenn <stenn at ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the following high-severity vulnerabilities:

************************** vv NOTE WELL vv *****************************

The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

restrict default ... noquery

in the ntp.conf file. With the exception of:

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.

************************** ^^ NOTE WELL ^^ *****************************

* Weak default key in config_auth(). ...
* Non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys. ...
* Buffer overflow in crypto_recv() ...
* Buffer overflow in ctl_putdata() ...
* Buffer overflow in configure() ...
* receive(): missing return on error ...

See http://support.ntp.org/security for more information.

New features / changes in this release:

Important Changes

* Internal NTP Era counters ...
* ntpdc responses disabled by default ...
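The mitigation quoted in the announcement can be checked mechanically. The following is an added example, not part of the ticket or of the NTP announcement: it audits ntp.conf text for a default restrict rule that blocks query-class packets. The function name, sample configurations and hostname are constructed, and it assumes that a bare "restrict default" covers both IPv4 and IPv6 and that flags from repeated default lines accumulate.

```python
# Added example: audit ntp.conf text for the "restrict default ... noquery" BCP.
QUERY_BLOCKING = {"noquery", "ignore"}  # 'ignore' drops all packets, queries included
FAMILIES = ("-4", "-6")                 # IPv4 and IPv6 default entries

def audit_default_restrict(conf_text):
    """Map each address family to 'ok', 'missing-noquery' or 'no-default-rule'."""
    flags_seen = {fam: None for fam in FAMILIES}   # None = no default rule found
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        # A leading -4/-6 limits the rule to one family.
        # Assumption: a bare "restrict default" covers both families.
        targets = FAMILIES
        if args[0] in FAMILIES:
            targets, args = (args[0],), args[1:]
        if not args or args[0] != "default":
            continue                               # host/subnet rule, not the default
        for fam in targets:
            # Assumption: flags from repeated default lines accumulate.
            flags_seen[fam] = (flags_seen[fam] or set()) | set(args[1:])
    result = {}
    for fam, flags in flags_seen.items():
        if flags is None:
            result[fam] = "no-default-rule"        # unrestricted by default
        elif flags & QUERY_BLOCKING:
            result[fam] = "ok"
        else:
            result[fam] = "missing-noquery"
    return result

# Constructed sample configurations (not taken from the ticket).
WEAK = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer   # query packets still accepted
restrict 127.0.0.1
server 0.pool.example.org iburst
"""
HARDENED = """\
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    print("weak:    ", audit_default_restrict(WEAK))
    print("hardened:", audit_default_restrict(HARDENED))
```

A family reported as "no-default-rule" or "missing-noquery" is one where remote sources are not stopped from sending query-class packets by the default entry.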
Change History (3)
comment:1 by , 10 years ago
Description: | modified (diff) |
---|---|
Priority: | normal → high |
Severity: | normal → major |
comment:2 by , 10 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
comment:3 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Fixed at r15247.