Opened 9 years ago

Closed 9 years ago

#6379 closed enhancement (fixed)

ntp-4.2.8p2

Reported by: Fernando de Oliveira
Owned by: Fernando de Oliveira
Priority: high
Milestone: 7.8
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description (last modified by Fernando de Oliveira)

https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p2.tar.gz

Not yet announced, but the release, yesterday, was planned:

http://lists.ntp.org/pipermail/announce/2015-April/000124.html

Update: News better to read at (txt):

http://bk1.ntp.org/ntp-stable/NEWS?PAGE=cat&REV=55238dcfGZNu25GhPofHJav8Hz9EvQ

April 2015 NTP Security Vulnerability Announcement

http://support.ntp.org/bin/view/Main/SecurityNotice#April_2015_NTP_Security_Vulnerab

Partially reproduced below

April 2015 NTP Security Vulnerability Announcement

NTF's NTP Project has been notified of two vulnerabilities in the
processing of crafted packets using private key authentication. These
issues were discovered and reported by Miroslav Lichvar of Red Hat.

    Bug 2279: ntpd accepts unauthenticated packets with symmetric key
    crypto.
    Bug 2281: Authentication doesn't protect symmetric
    associations against DoS attacks. 

CERT and Mitre have been notified, and CVE/VU numbers have been
assigned.

NTP Consortium members at the Partner and Premier levels received access
to patches that resolve these issues on 22 March 2015.

These issues (along with other bugfixes and improvements) will be
released on 7 April 2015 in ntp-4.2.8p2.

Timeline:

    150407: ntp-4.2.8p2 released.
    150329: pre-release patch availability announced to CERT.
    150323: CERT assigns VU#374268 to these issues.
    150322: pre-release patches sent to authorized NTP Consortium members.
    150317: CVSS scoring collaboration requested.
    150317: CERT notified.
    150316: Red Hat provides CVE-2015-1798 for NtpBug2779, and
            CVE-2015-2781 for NtpBug2781.
    150315: Advance notification sent to authorized NTP Consortium members.
    150315: Mitre tells us to get the CVE numbers from Red Hat.
    150313: CVE numbers requested from Mitre.
    150306: Initial notification of 2779 and 2781. Analysis begins. 

ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
    including ntp-4.2.8p2 where the installation uses symmetric keys to
    authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    ...
    Mitigation:

        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
        or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly.

Authentication doesn't protect symmetric associations against DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but
    not including ntp-4.2.8p2 where the installation uses symmetric key
    authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
    it could be higher than 5.4.
    ...
    Mitigation:

    Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or
    the NTP Public Services Project Download Page
    Note that for users of autokey, this specific style of MITM attack
    is simply a long-known potential problem.
    Configure ntpd with appropriate time sources and monitor ntpd. Alert
    your staff if problems are detected. 
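
Added example (not part of the ticket or of the NTP Project's advisory): a check of an ntpd version string and ntp.conf text against the two "Affects" ranges quoted above. The `-RCn` suffix handling, the sample configuration and the function names are assumptions made for this illustration; versions older than the 4.x naming scheme (such as xntp3.3wy) are not parsed.

```python
import re

# Version ranges come from the advisory's "Affects" lines; a trailing 0/1 marks
# release candidates (assumed "-RCn" suffix) as older than the final release.
FIRST_1798 = (4, 2, 5, 99, 1)   # ntp-4.2.5p99
FIXED = (4, 2, 8, 2, 1)         # ntp-4.2.8p2
_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-RC\d+)?")

def parse_ntp_version(text):
    """Extract (major, minor, patch, p-level, is_final) from a version or banner."""
    m = _VER.search(text)
    if m is None:
        raise ValueError(f"no NTP version found in {text!r}")
    major, minor, patch, plevel, rc = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0), 0 if rc else 1)

def keyed_associations(conf_text):
    """Return (directive, address, key id) for server/peer lines using 'key N'."""
    found = []
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(tok) >= 4 and tok[0] in ("server", "peer") and "key" in tok[2:-1]:
            key_id = tok[tok.index("key", 2) + 1]
            if key_id.isdigit():
                found.append((tok[0], tok[1], int(key_id)))
    return found

def assess(version_text, conf_text):
    """List the advisory's CVEs that apply to this version and configuration."""
    version = parse_ntp_version(version_text)
    if not keyed_associations(conf_text) or version >= FIXED:
        return []
    cves = ["CVE-2015-1799"]             # everything before 4.2.8p2
    if version >= FIRST_1798:
        cves.insert(0, "CVE-2015-1798")  # 4.2.5p99 up to, not including, 4.2.8p2
    return cves

# Constructed sample configuration (documentation addresses, made-up key id).
SAMPLE_CONF = """\
keys /etc/ntp.keys
trustedkey 7
server 192.0.2.1 iburst
peer 192.0.2.10 key 7   # symmetric association with a shared key
"""

if __name__ == "__main__":
    for v in ("4.2.4p8", "4.2.6p5", "4.2.8p2-RC1",
              "ntpd 4.2.8p2@1.3265-o Wed Apr  8 12:49:22 UTC 2015 (1)"):
        print(v.split("@")[0], "->", assess(v, SAMPLE_CONF) or "not affected")
```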

Change History (4)

comment:1 by Fernando de Oliveira, 9 years ago

Owner: changed from blfs-book@… to Fernando de Oliveira
Status: new → assigned

comment:2 by Fernando de Oliveira, 9 years ago

Description: modified (diff)

comment:3 by Fernando de Oliveira, 9 years ago

I have been searching about the ntp checks and it seems that they are intended for its developers.

Going to replace ... make check ... by

This package does not come with a useful test suite.

The reason is that it only passes through several directories and writes the message:

Nothing to be done for 'check-something'

before leaving each directory, except for two checks.

First one:

make  check-local
make[4]: Entering directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/ntpd'
./ntpd --configfile complete.conf --saveconfigquit compsave.conf
 8 Apr 09:55:54 ntpd[22651]: ntpd 4.2.8p2@1.3265-o Wed Apr  8 12:49:22 UTC 2015 (1): Starting
 8 Apr 09:55:54 ntpd[22651]: Command line: ./ntpd --configfile complete.conf --saveconfigquit compsave.conf
 8 Apr 09:55:54 ntpd[22651]: Cannot set RLIMIT_MEMLOCK: Operation not permitted
 8 Apr 09:55:54 ntpd[22651]: proto: precision = 0.060 usec (-24)
configuration saved to compsave.conf
diff -u complete.conf compsave.conf
cmp complete.conf compsave.conf && echo stamp > check-saveconfig
test -z "" || ./
make[4]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/ntpd'
make[3]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/ntpd'
make[2]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/ntpd'

where apparently setting RLIMIT_MEMLOCK needs root privilege, and I don't think it is wise to allow it.

Second exception:

make  check-local
make[4]: Entering directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/parseutil'
case "" in	\
 *dcfd*) ./dcfd -Y ;;		\
esac
make[4]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/parseutil'
make[3]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/parseutil'
make[2]: Leaving directory '/tmp/porg-build-2015.04.08-09h48m09s/ntp-4.2.8p2/parseutil'

doesn't seem relevant.

Please, if someone thinks otherwise, please, either tell me or revert what I will do (also, please, give some explanation so people like me would learn from it).

comment:4 by Fernando de Oliveira, 9 years ago

Resolution: fixed
Status: assigned → closed

Almost fixed at r15809.

It is recommended by the ntp developers that a cron job with three week frequency be created to update the leap-second definition file, with the new script update-leap.

They also recommend that for cron-friendly behavior, define CRONJOB=1 in the crontab.

I couldn't understand this sentence, even after searching on the internet and in the man pages.

Someone please, fix this and the text I've included in the configuration section, if necessary, perhaps including the necessary crontab lines, as we do in other pages.

Due to the medium security severity, I decided to update the page without further research or discussion.

Thanks.
