NTPsec version 0.9.7

Mark Atwood fallenpegasus at gmail.com
Wed Mar 22 00:47:16 UTC 2017


The NTPsec Project is pleased to announce the tagging of version 0.9.7.

The code size has been further reduced, to 60KLOC.

A shell script, buildprep, has been added to the top level source
directory. It prepares your system for an NTPsec source build by installing
all required dependencies on the build host.

Extra digits of precision are now output in numerous places.  The driftfile
now output 6 digits past the decimal point instead of 3.  The stats files
now output 9 digits past the decimal point instead of 6 for some fields.
ntpq and ntpmon also report extra digits of precision in multiple
places.  These
changes may break simple parsing scripts.

Four contrib programs: cpu-temp-log; smartctl-temp-log, temper-temp-log, and
zone-temp-log; have been combined into the new program ntplogtemp. The new
program allows for easy logging of system temperatures and is installed by
default.

The SHM refclock no longer limits the value of SHM time by default. This
allows SHM to work on systems with no RTC by default.

The following CVEs revealed by a Mozilla penetration test and reported in CERT
VU#325339 have been resolved:


CVE-2017-6464: Denial of Service via Malformed Config

CVE-2017-6463: Authenticated DoS via Malicious Config Option

CVE-2017-6458: Potential Overflows in ctl_put() functions

CVE-2017-6451: Improper use of snprintf() in mx4200_send()


The following CVEs, announced simultaneously, affected NTP Classic but not
NTPsec, because we had already removed the attack surface:


CVE-2017-6462: Buffer Overflow in DPTS Clock

CVE-2017-6455: Privileged execution of User Library code

CVE-2017-6452: Stack Buffer Overflow from Command Line

CVE-2017-6459: Data Structure terminated insufficiently

CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist


We gratefully acknowledge the work of of Dr.-Ing. Mario Hederich at Cure53
in detecting these problems and his cooperation in resolving them.


As always, you can download the release tarballs with sums and signatures from
ftp://ftp.ntpsec.org/pub/releases/

and can clone the git repo from https://gitlab.com/NTPsec/ntpsec.git
//end

-- 
Mark Atwood
http://about.me/markatwood
+1-206-604-2198 SMS & Signal
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/announce/attachments/20170322/f7da7d4c/attachment.html>


More information about the announce mailing list