diff options
author | Lorry Tar Creator <lorry-tar-importer@baserock.org> | 2014-12-02 09:01:21 +0000 |
---|---|---|
committer | <> | 2014-12-04 16:11:25 +0000 |
commit | bdab5265fcbf3f472545073a23f8999749a9f2b9 (patch) | |
tree | c6018dd03dea906f8f1fb5f105f05b71a7dc250a /NEWS | |
download | ntp-bdab5265fcbf3f472545073a23f8999749a9f2b9.tar.gz |
Imported from /home/lorry/working-area/delta_ntp/ntp-dev-4.2.7p482.tar.gz.ntp-dev-4.2.7p482
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 451 |
1 files changed, 451 insertions, 0 deletions
@@ -0,0 +1,451 @@ +--- +NTP 4.2.8- + +Important Changes + +* Internal NTP Era counters + +The internal counters that track which "era" (range of years) we are in +rolls over every 136 years'. The current "era" started at the stroke of +midnight on 1 Jan 1900, and ends just before the stroke of midnight on +1 Jan 2036. +In the past, we have used the "midpoint" of the range to decide which +era we were in. Given the longevity of some products, it became clear +that it would be more functional to "look back" less, and "look forward" +more. We now compile a timestamp into the ntpd executable and when we +get a timestamp we us the "built-on" to tell us what era we are in. +This check "looks back" 10 years, and "looks forward" 126 years. + +So if you have a system that ... + +* ntpdc responses disabled by default + +Dave Hart writes: + +For a long time, ntpq and its mostly text-based mode 6 (control) +protocol have been preferred over ntpdc and its mode 7 (private +request) protocol for runtime queries and configuration. There has +been a goal of deprecating ntpdc, previously held back by numerous +capabilities exposed by ntpdc with no ntpq equivalent. I have been +adding commands to ntpq to cover these cases, and I believe I've +covered them all, though I've not compared command-by-command +recently. + +As I've said previously, the binary mode 7 protocol involves a lot of +hand-rolled structure layout and byte-swapping code in both ntpd and +ntpdc which is hard to get right. As ntpd grows and changes, the +changes are difficult to expose via ntpdc while maintaining forward +and backward compatibility between ntpdc and ntpd. In contrast, +ntpq's text-based, label=value approach involves more code reuse and +allows compatible changes without extra work in most cases. + +Mode 7 has always been defined as vendor/implementation-specific while +mode 6 is described in RFC 1305 and intended to be open to interop +with other implementations. There is an early draft of an updated +mode 6 description that likely will join the other NTPv4 RFCs +eventually. (http://tools.ietf.org/html/draft-odonoghue-ntpv4-control-01) + +For these reasons, ntpd 4.2.7p230 by default disables processing of +ntpdc queries, reducing ntpd's attack surface and functionally +deprecating ntpdc. If you are in the habit of using ntpdc for certain +operations, please try the ntpq equivalent. If there's no equivalent, +please open a bug report at http://bugs.ntp.org./ + +--- +NTP 4.2.6p5 (Harlan Stenn <stenn@ntp.org>, 2011/12/24) + +Focus: Bug fixes + +Severity: Medium + +This is a recommended upgrade. + +This release updates sys_rootdisp and sys_jitter calculations to match the +RFC specification, fixes a potential IPv6 address matching error for the +"nic" and "interface" configuration directives, suppresses the creation of +extraneous ephemeral associations for certain broadcastclient and +multicastclient configurations, cleans up some ntpq display issues, and +includes improvements to orphan mode, minor bugs fixes and code clean-ups. + +New features / changes in this release: + +ntpd + + * Updated "nic" and "interface" IPv6 address handling to prevent + mismatches with localhost [::1] and wildcard [::] which resulted from + using the address/prefix format (e.g. fe80::/64) + * Fix orphan mode stratum incorrectly counting to infinity + * Orphan parent selection metric updated to includes missing ntohl() + * Non-printable stratum 16 refid no longer sent to ntp + * Duplicate ephemeral associations suppressed for broadcastclient and + multicastclient without broadcastdelay + * Exclude undetermined sys_refid from use in loopback TEST12 + * Exclude MODE_SERVER responses from KoD rate limiting + * Include root delay in clock_update() sys_rootdisp calculations + * get_systime() updated to exclude sys_residual offset (which only + affected bits "below" sys_tick, the precision threshold) + * sys.peer jitter weighting corrected in sys_jitter calculation + +ntpq + + * -n option extended to include the billboard "server" column + * IPv6 addresses in the local column truncated to prevent overruns + +--- +NTP 4.2.6p4 (Harlan Stenn <stenn@ntp.org>, 2011/09/22) + +Focus: Bug fixes and portability improvements + +Severity: Medium + +This is a recommended upgrade. + +This release includes build infrastructure updates, code +clean-ups, minor bug fixes, fixes for a number of minor +ref-clock issues, and documentation revisions. + +Portability improvements affect AIX, HP-UX, Linux, OS X and 64-bit time_t. + +New features / changes in this release: + +Build system + +* Fix checking for struct rtattr +* Update config.guess and config.sub for AIX +* Upgrade required version of autogen and libopts for building + from our source code repository + +ntpd + +* Back-ported several fixes for Coverity warnings from ntp-dev +* Fix a rare boundary condition in UNLINK_EXPR_SLIST() +* Allow "logconfig =allall" configuration directive +* Bind tentative IPv6 addresses on Linux +* Correct WWVB/Spectracom driver to timestamp CR instead of LF +* Improved tally bit handling to prevent incorrect ntpq peer status reports +* Exclude the Undisciplined Local Clock and ACTS drivers from the initial + candidate list unless they are designated a "prefer peer" +* Prevent the consideration of Undisciplined Local Clock or ACTS drivers for + selection during the 'tos orphanwait' period +* Prefer an Orphan Mode Parent over the Undisciplined Local Clock or ACTS + drivers +* Improved support of the Parse Refclock trusttime flag in Meinberg mode +* Back-port utility routines from ntp-dev: mprintf(), emalloc_zero() +* Added the NTPD_TICKADJ_PPM environment variable for specifying baseline + clock slew on Microsoft Windows +* Code cleanup in libntpq + +ntpdc + +* Fix timerstats reporting + +ntpdate + +* Reduce time required to set clock +* Allow a timeout greater than 2 seconds + +sntp + +* Backward incompatible command-line option change: + -l/--filelog changed -l/--logfile (to be consistent with ntpd) + +Documentation + +* Update html2man. Fix some tags in the .html files +* Distribute ntp-wait.html + +--- +NTP 4.2.6p3 (Harlan Stenn <stenn@ntp.org>, 2011/01/03) + +Focus: Bug fixes and portability improvements + +Severity: Medium + +This is a recommended upgrade. + +This release includes build infrastructure updates, code +clean-ups, minor bug fixes, fixes for a number of minor +ref-clock issues, and documentation revisions. + +Portability improvements in this release affect AIX, Atari FreeMiNT, +FreeBSD4, Linux and Microsoft Windows. + +New features / changes in this release: + +Build system +* Use lsb_release to get information about Linux distributions. +* 'test' is in /usr/bin (instead of /bin) on some systems. +* Basic sanity checks for the ChangeLog file. +* Source certain build files with ./filename for systems without . in PATH. +* IRIX portability fix. +* Use a single copy of the "libopts" code. +* autogen/libopts upgrade. +* configure.ac m4 quoting cleanup. + +ntpd +* Do not bind to IN6_IFF_ANYCAST addresses. +* Log the reason for exiting under Windows. +* Multicast fixes for Windows. +* Interpolation fixes for Windows. +* IPv4 and IPv6 Multicast fixes. +* Manycast solicitation fixes and general repairs. +* JJY refclock cleanup. +* NMEA refclock improvements. +* Oncore debug message cleanup. +* Palisade refclock now builds under Linux. +* Give RAWDCF more baud rates. +* Support Truetime Satellite clocks under Windows. +* Support Arbiter 1093C Satellite clocks under Windows. +* Make sure that the "filegen" configuration command defaults to "enable". +* Range-check the status codes (plus other cleanup) in the RIPE-NCC driver. +* Prohibit 'includefile' directive in remote configuration command. +* Fix 'nic' interface bindings. +* Fix the way we link with openssl if openssl is installed in the base + system. + +ntp-keygen +* Fix -V coredump. +* OpenSSL version display cleanup. + +ntpdc +* Many counters should be treated as unsigned. + +ntpdate +* Do not ignore replies with equal receive and transmit timestamps. + +ntpq +* libntpq warning cleanup. + +ntpsnmpd +* Correct SNMP type for "precision" and "resolution". +* Update the MIB from the draft version to RFC-5907. + +sntp +* Display timezone offset when showing time for sntp in the local + timezone. +* Pay proper attention to RATE KoD packets. +* Fix a miscalculation of the offset. +* Properly parse empty lines in the key file. +* Logging cleanup. +* Use tv_usec correctly in set_time(). +* Documentation cleanup. + +--- +NTP 4.2.6p2 (Harlan Stenn <stenn@ntp.org>, 2010/07/08) + +Focus: Bug fixes and portability improvements + +Severity: Medium + +This is a recommended upgrade. + +This release includes build infrastructure updates, code +clean-ups, minor bug fixes, fixes for a number of minor +ref-clock issues, improved KOD handling, OpenSSL related +updates and documentation revisions. + +Portability improvements in this release affect Irix, Linux, +Mac OS, Microsoft Windows, OpenBSD and QNX6 + +New features / changes in this release: + +ntpd +* Range syntax for the trustedkey configuration directive +* Unified IPv4 and IPv6 restrict lists + +ntpdate +* Rate limiting and KOD handling + +ntpsnmpd +* default connection to net-snmpd via a unix-domain socket +* command-line 'socket name' option + +ntpq / ntpdc +* support for the "passwd ..." syntax +* key-type specific password prompts + +sntp +* MD5 authentication of an ntpd +* Broadcast and crypto +* OpenSSL support + +--- +NTP 4.2.6p1 (Harlan Stenn <stenn@ntp.org>, 2010/04/09) + +Focus: Bug fixes, portability fixes, and documentation improvements + +Severity: Medium + +This is a recommended upgrade. + +--- +NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) + +Focus: enhancements and bug fixes. + +--- +NTP 4.2.4p8 (Harlan Stenn <stenn@ntp.org>, 2009/12/08) + +Focus: Security Fixes + +Severity: HIGH + +This release fixes the following high-severity vulnerability: + +* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563. + + See http://support.ntp.org/security for more information. + + NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. + In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time + transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 + request or a mode 7 error response from an address which is not listed + in a "restrict ... noquery" or "restrict ... ignore" statement, ntpd will + reply with a mode 7 error response (and log a message). In this case: + + * If an attacker spoofs the source address of ntpd host A in a + mode 7 response packet sent to ntpd host B, both A and B will + continuously send each other error responses, for as long as + those packets get through. + + * If an attacker spoofs an address of ntpd host A in a mode 7 + response packet sent to ntpd host A, A will respond to itself + endlessly, consuming CPU and logging excessively. + + Credit for finding this vulnerability goes to Robin Park and Dmitri + Vinokurov of Alcatel-Lucent. + +THIS IS A STRONGLY RECOMMENDED UPGRADE. + +--- +ntpd now syncs to refclocks right away. + +Backward-Incompatible changes: + +ntpd no longer accepts '-v name' or '-V name' to define internal variables. +Use '--var name' or '--dvar name' instead. (Bug 817) + +--- +NTP 4.2.4p7 (Harlan Stenn <stenn@ntp.org>, 2009/05/04) + +Focus: Security and Bug Fixes + +Severity: HIGH + +This release fixes the following high-severity vulnerability: + +* [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 + + See http://support.ntp.org/security for more information. + + If autokey is enabled (if ntp.conf contains a "crypto pw whatever" + line) then a carefully crafted packet sent to the machine will cause + a buffer overflow and possible execution of injected code, running + with the privileges of the ntpd process (often root). + + Credit for finding this vulnerability goes to Chris Ries of CMU. + +This release fixes the following low-severity vulnerabilities: + +* [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 + Credit for finding this vulnerability goes to Geoff Keating of Apple. + +* [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows + Credit for finding this issue goes to Dave Hart. + +This release fixes a number of bugs and adds some improvements: + +* Improved logging +* Fix many compiler warnings +* Many fixes and improvements for Windows +* Adds support for AIX 6.1 +* Resolves some issues under MacOS X and Solaris + +THIS IS A STRONGLY RECOMMENDED UPGRADE. + +--- +NTP 4.2.4p6 (Harlan Stenn <stenn@ntp.org>, 2009/01/07) + +Focus: Security Fix + +Severity: Low + +This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting +the OpenSSL library relating to the incorrect checking of the return +value of EVP_VerifyFinal function. + +Credit for finding this issue goes to the Google Security Team for +finding the original issue with OpenSSL, and to ocert.org for finding +the problem in NTP and telling us about it. + +This is a recommended upgrade. +--- +NTP 4.2.4p5 (Harlan Stenn <stenn@ntp.org>, 2008/08/17) + +Focus: Minor Bugfixes + +This release fixes a number of Windows-specific ntpd bugs and +platform-independent ntpdate bugs. A logging bugfix has been applied +to the ONCORE driver. + +The "dynamic" keyword and is now obsolete and deferred binding to local +interfaces is the new default. The minimum time restriction for the +interface update interval has been dropped. + +A number of minor build system and documentation fixes are included. + +This is a recommended upgrade for Windows. + +--- +NTP 4.2.4p4 (Harlan Stenn <stenn@ntp.org>, 2007/09/10) + +Focus: Minor Bugfixes + +This release updates certain copyright information, fixes several display +bugs in ntpdc, avoids SIGIO interrupting malloc(), cleans up file descriptor +shutdown in the parse refclock driver, removes some lint from the code, +stops accessing certain buffers immediately after they were freed, fixes +a problem with non-command-line specification of -6, and allows the loopback +interface to share addresses with other interfaces. + +--- +NTP 4.2.4p3 (Harlan Stenn <stenn@ntp.org>, 2007/06/29) + +Focus: Minor Bugfixes + +This release fixes a bug in Windows that made it difficult to +terminate ntpd under windows. +This is a recommended upgrade for Windows. + +--- +NTP 4.2.4p2 (Harlan Stenn <stenn@ntp.org>, 2007/06/19) + +Focus: Minor Bugfixes + +This release fixes a multicast mode authentication problem, +an error in NTP packet handling on Windows that could lead to +ntpd crashing, and several other minor bugs. Handling of +multicast interfaces and logging configuration were improved. +The required versions of autogen and libopts were incremented. +This is a recommended upgrade for Windows and multicast users. + +--- +NTP 4.2.4 (Harlan Stenn <stenn@ntp.org>, 2006/12/31) + +Focus: enhancements and bug fixes. + +Dynamic interface rescanning was added to simplify the use of ntpd in +conjunction with DHCP. GNU AutoGen is used for its command-line options +processing. Separate PPS devices are supported for PARSE refclocks, MD5 +signatures are now provided for the release files. Drivers have been +added for some new ref-clocks and have been removed for some older +ref-clocks. This release also includes other improvements, documentation +and bug fixes. + +K&R C is no longer supported as of NTP-4.2.4. We are now aiming for ANSI +C support. + +--- +NTP 4.2.0 (Harlan Stenn <stenn@ntp.org>, 2003/10/15) + +Focus: enhancements and bug fixes. |