Concerning the ntp-4.2.8p8 security fixes

Eric S. Raymond esr at
Thu Jun 2 18:13:48 UTC 2016

Daniel Franke <dfoxfranke at>:
> NTP Classic 4.2.8-p8 was released today, containing fixes for one
> high-severity and four low-severity vulnerabilities. Four of these
> five vulnerabilities, including the high-severity one, do not impact
> NTPsec. CVE-2016-4956 and CVE-2016-4957 were introduced into NTP
> Classic by the patches for previous vulnerabilities; in both cases,
> NTPsec fixed these earlier vulnerabilities in a different fashion and
> resultingly did not introduce the new ones. CVE-2016-4953 and
> CVE-2016-4955 are Autokey-related; Autokey was removed from NTPsec as
> of 0.9.3 and was already forcibly compiled out in all earlier
> releases. (Note, though, that NTP Classic users can be impacted by
> CVE-2016-4953 even if they do not use Autokey; they need only have
> support for it enabled at compile time).
> The remaining, low-severity vulnerability, CVE-2016-4954
> ( does affect NTPsec;
> its most significant impact is that packets which fail anti-spoofing
> sanity checks may nonetheless be sufficient to inject bogus leap
> seconds into a client's clock. I've ported and pushed the fix.

You sent this to an archived public list.  I take it that means the
embargo is up and I can talk about this in public?

4 of 5 dodged including two because we got the fix right the first
time seems like it's woth a mention on NANOG, backing up rather
dramatically our previous claim to be doing a dramatically better job
on security.

Mark, part of my premise here is that it's time to start raising our
visibility in anticipation of a 1.0 release.
		<a href="">Eric S. Raymond</a>

More information about the devel mailing list