Concerning the ntp-4.2.8p8 security fixes

Daniel Franke dfoxfranke at gmail.com
Thu Jun 2 18:00:43 UTC 2016


NTP Classic 4.2.8-p8 was released today, containing fixes for one
high-severity and four low-severity vulnerabilities. Four of these
five vulnerabilities, including the high-severity one, do not impact
NTPsec. CVE-2016-4956 and CVE-2016-4957 were introduced into NTP
Classic by the patches for previous vulnerabilities; in both cases,
NTPsec fixed these earlier vulnerabilities in a different fashion and
resultingly did not introduce the new ones. CVE-2016-4953 and
CVE-2016-4955 are Autokey-related; Autokey was removed from NTPsec as
of 0.9.3 and was already forcibly compiled out in all earlier
releases. (Note, though, that NTP Classic users can be impacted by
CVE-2016-4953 even if they do not use Autokey; they need only have
support for it enabled at compile time.)

The remaining, low-severity vulnerability, CVE-2016-4954
(http://support.ntp.org/bin/view/Main/NtpBug3044) does affect NTPsec;
its most significant impact is that packets which fail anti-spoofing
sanity checks may nonetheless be sufficient to inject bogus leap
seconds into a client's clock. I've ported and pushed the fix.

