head 1.36; access; symbols pkgsrc-2023Q4:1.36.0.18 pkgsrc-2023Q4-base:1.36 pkgsrc-2023Q3:1.36.0.16 pkgsrc-2023Q3-base:1.36 pkgsrc-2023Q2:1.36.0.14 pkgsrc-2023Q2-base:1.36 pkgsrc-2023Q1:1.36.0.12 pkgsrc-2023Q1-base:1.36 pkgsrc-2022Q4:1.36.0.10 pkgsrc-2022Q4-base:1.36 pkgsrc-2022Q3:1.36.0.8 pkgsrc-2022Q3-base:1.36 pkgsrc-2022Q2:1.36.0.6 pkgsrc-2022Q2-base:1.36 pkgsrc-2022Q1:1.36.0.4 pkgsrc-2022Q1-base:1.36 pkgsrc-2021Q4:1.36.0.2 pkgsrc-2021Q4-base:1.36 pkgsrc-2021Q3:1.34.0.8 pkgsrc-2021Q3-base:1.34 pkgsrc-2021Q2:1.34.0.6 pkgsrc-2021Q2-base:1.34 pkgsrc-2021Q1:1.34.0.4 pkgsrc-2021Q1-base:1.34 pkgsrc-2020Q4:1.34.0.2 pkgsrc-2020Q4-base:1.34 pkgsrc-2020Q3:1.32.0.2 pkgsrc-2020Q3-base:1.32 pkgsrc-2020Q2:1.31.0.2 pkgsrc-2020Q2-base:1.31 pkgsrc-2020Q1:1.30.0.8 pkgsrc-2020Q1-base:1.30 pkgsrc-2019Q4:1.30.0.10 pkgsrc-2019Q4-base:1.30 pkgsrc-2019Q3:1.30.0.6 pkgsrc-2019Q3-base:1.30 pkgsrc-2019Q2:1.30.0.4 pkgsrc-2019Q2-base:1.30 pkgsrc-2019Q1:1.30.0.2 pkgsrc-2019Q1-base:1.30 pkgsrc-2018Q4:1.29.0.18 pkgsrc-2018Q4-base:1.29 pkgsrc-2018Q3:1.29.0.16 pkgsrc-2018Q3-base:1.29 pkgsrc-2018Q2:1.29.0.14 pkgsrc-2018Q2-base:1.29 pkgsrc-2018Q1:1.29.0.12 pkgsrc-2018Q1-base:1.29 pkgsrc-2017Q4:1.29.0.10 pkgsrc-2017Q4-base:1.29 pkgsrc-2017Q3:1.29.0.8 pkgsrc-2017Q3-base:1.29 pkgsrc-2017Q2:1.29.0.4 pkgsrc-2017Q2-base:1.29 pkgsrc-2017Q1:1.29.0.2 pkgsrc-2017Q1-base:1.29 pkgsrc-2016Q4:1.28.0.2 pkgsrc-2016Q4-base:1.28 pkgsrc-2016Q3:1.27.0.4 pkgsrc-2016Q3-base:1.27 pkgsrc-2016Q2:1.27.0.2 pkgsrc-2016Q2-base:1.27 pkgsrc-2016Q1:1.25.0.2 pkgsrc-2016Q1-base:1.25 pkgsrc-2015Q4:1.24.0.2 pkgsrc-2015Q4-base:1.24 pkgsrc-2015Q3:1.22.0.2 pkgsrc-2015Q3-base:1.22 pkgsrc-2015Q2:1.21.0.2 pkgsrc-2015Q2-base:1.21 pkgsrc-2015Q1:1.20.0.2 pkgsrc-2015Q1-base:1.20 pkgsrc-2014Q4:1.19.0.2 pkgsrc-2014Q4-base:1.19 pkgsrc-2014Q3:1.18.0.6 pkgsrc-2014Q3-base:1.18 pkgsrc-2014Q2:1.18.0.4 pkgsrc-2014Q2-base:1.18 pkgsrc-2014Q1:1.18.0.2 pkgsrc-2014Q1-base:1.18 pkgsrc-2013Q4:1.16.0.34 pkgsrc-2013Q4-base:1.16 pkgsrc-2013Q3:1.16.0.32 
pkgsrc-2013Q3-base:1.16 pkgsrc-2013Q2:1.16.0.30 pkgsrc-2013Q2-base:1.16 pkgsrc-2013Q1:1.16.0.28 pkgsrc-2013Q1-base:1.16 pkgsrc-2012Q4:1.16.0.26 pkgsrc-2012Q4-base:1.16 pkgsrc-2012Q3:1.16.0.24 pkgsrc-2012Q3-base:1.16 pkgsrc-2012Q2:1.16.0.22 pkgsrc-2012Q2-base:1.16 pkgsrc-2012Q1:1.16.0.20 pkgsrc-2012Q1-base:1.16 pkgsrc-2011Q4:1.16.0.18 pkgsrc-2011Q4-base:1.16 pkgsrc-2011Q3:1.16.0.16 pkgsrc-2011Q3-base:1.16 pkgsrc-2011Q2:1.16.0.14 pkgsrc-2011Q2-base:1.16 pkgsrc-2011Q1:1.16.0.12 pkgsrc-2011Q1-base:1.16 pkgsrc-2010Q4:1.16.0.10 pkgsrc-2010Q4-base:1.16 pkgsrc-2010Q3:1.16.0.8 pkgsrc-2010Q3-base:1.16 pkgsrc-2010Q2:1.16.0.6 pkgsrc-2010Q2-base:1.16 pkgsrc-2010Q1:1.16.0.4 pkgsrc-2010Q1-base:1.16 pkgsrc-2009Q4:1.16.0.2 pkgsrc-2009Q4-base:1.16 pkgsrc-2009Q3:1.13.0.2 pkgsrc-2009Q3-base:1.13 pkgsrc-2009Q2:1.12.0.4 pkgsrc-2009Q2-base:1.12 pkgsrc-2009Q1:1.12.0.2 pkgsrc-2009Q1-base:1.12 pkgsrc-2008Q4:1.11.0.10 pkgsrc-2008Q4-base:1.11 pkgsrc-2008Q3:1.11.0.8 pkgsrc-2008Q3-base:1.11 cube-native-xorg:1.11.0.6 cube-native-xorg-base:1.11 pkgsrc-2008Q2:1.11.0.4 pkgsrc-2008Q2-base:1.11 cwrapper:1.11.0.2 pkgsrc-2008Q1:1.10.0.22 pkgsrc-2008Q1-base:1.10 pkgsrc-2007Q4:1.10.0.20 pkgsrc-2007Q4-base:1.10 pkgsrc-2007Q3:1.10.0.18 pkgsrc-2007Q3-base:1.10 pkgsrc-2007Q2:1.10.0.16 pkgsrc-2007Q2-base:1.10 pkgsrc-2007Q1:1.10.0.14 pkgsrc-2007Q1-base:1.10 pkgsrc-2006Q4:1.10.0.12 pkgsrc-2006Q4-base:1.10 pkgsrc-2006Q3:1.10.0.10 pkgsrc-2006Q3-base:1.10 pkgsrc-2006Q2:1.10.0.8 pkgsrc-2006Q2-base:1.10 pkgsrc-2006Q1:1.10.0.6 pkgsrc-2006Q1-base:1.10 pkgsrc-2005Q4:1.10.0.4 pkgsrc-2005Q4-base:1.10 pkgsrc-2005Q3:1.10.0.2 pkgsrc-2005Q3-base:1.10 pkgsrc-2005Q2:1.9.0.4 pkgsrc-2005Q2-base:1.9 pkgsrc-2005Q1:1.9.0.2 pkgsrc-2005Q1-base:1.9 pkgsrc-2004Q4:1.8.0.10 pkgsrc-2004Q4-base:1.8 pkgsrc-2004Q3:1.8.0.8 pkgsrc-2004Q3-base:1.8 pkgsrc-2004Q2:1.8.0.6 pkgsrc-2004Q2-base:1.8 pkgsrc-2004Q1:1.8.0.4 pkgsrc-2004Q1-base:1.8 pkgsrc-2003Q4:1.8.0.2 pkgsrc-2003Q4-base:1.8 netbsd-1-6-1:1.7.0.4 netbsd-1-6-1-base:1.7 netbsd-1-6:1.7.0.6 
netbsd-1-6-RELEASE-base:1.7 pkgviews:1.7.0.2 pkgviews-base:1.7 buildlink2:1.6.0.2 buildlink2-base:1.6 netbsd-1-5-PATCH003:1.6 netbsd-1-5-PATCH001:1.2; locks; strict; comment @# @; 1.36 date 2021.10.26.11.06.10; author nia; state Exp; branches; next 1.35; commitid G83yJyZF8er6kjeD; 1.35 date 2021.10.07.14.42.00; author nia; state Exp; branches; next 1.34; commitid EMvsIaZgYm1t8TbD; 1.34 date 2020.10.07.10.15.02; author jperkin; state Exp; branches; next 1.33; commitid Yfe5HkHGwprCoXqC; 1.33 date 2020.10.07.09.09.39; author sjmulder; state Exp; branches; next 1.32; commitid VWvBISAZTUf02XqC; 1.32 date 2020.08.15.02.09.25; author tnn; state Exp; branches; next 1.31; commitid f78CQFBdKJaCp6kC; 1.31 date 2020.06.21.15.10.47; author taca; state Exp; branches; next 1.30; commitid qGo5iTmE719iv6dC; 1.30 date 2019.03.25.17.19.59; author tnn; state Exp; branches; next 1.29; commitid ONAW5uKvbeKVNLgB; 1.29 date 2017.03.24.03.41.08; author taca; state Exp; branches; next 1.28; commitid FEujqBq0M0U6MKKz; 1.28 date 2016.12.05.15.49.59; author taca; state Exp; branches; next 1.27; commitid VAR5t6JVDM87iOwz; 1.27 date 2016.06.03.09.45.08; author taca; state Exp; branches; next 1.26; commitid Y1w49EkAablYe09z; 1.26 date 2016.04.27.15.59.19; author wen; state Exp; branches; next 1.25; commitid CCFWXVmBSzSYuh4z; 1.25 date 2016.01.09.15.49.26; author taca; state Exp; branches 1.25.2.1; next 1.24; commitid TkyLTkmlw4dPWgQy; 1.24 date 2015.10.29.11.28.44; author christos; state Exp; branches 1.24.2.1; next 1.23; commitid 9J3SF6aXA594PZGy; 1.23 date 2015.10.23.03.43.31; author taca; state Exp; branches; next 1.22; commitid bE8tuUj0volSqbGy; 1.22 date 2015.06.30.16.08.21; author taca; state Exp; branches 1.22.2.1; next 1.21; commitid yfSH8sU9hfjqftry; 1.21 date 2015.04.08.03.31.33; author taca; state Exp; branches 1.21.2.1; next 1.20; commitid TiamVyeAI4bPJJgy; 1.20 date 2015.03.21.20.49.28; author bsiegert; state Exp; branches 1.20.2.1; next 1.19; commitid YZcp3zBsoGt03wey; 1.19 date 
2014.12.20.09.45.46; author taca; state Exp; branches 1.19.2.1; next 1.18; commitid GqADPr2oZqikjL2y; 1.18 date 2014.02.18.22.18.48; author joerg; state Exp; branches; next 1.17; commitid sjV6ZNCsTDSChDpx; 1.17 date 2014.01.12.17.01.02; author spz; state Exp; branches; next 1.16; commitid CxhPBewaB7fqHQkx; 1.16 date 2009.12.21.14.48.21; author tnn; state Exp; branches; next 1.15; 1.15 date 2009.12.21.14.19.58; author tnn; state Exp; branches; next 1.14; 1.14 date 2009.12.15.10.53.20; author tnn; state Exp; branches; next 1.13; 1.13 date 2009.09.06.10.20.21; author tnn; state Exp; branches 1.13.2.1; next 1.12; 1.12 date 2009.01.26.20.06.15; author kefren; state Exp; branches; next 1.11; 1.11 date 2008.06.08.04.53.27; author obache; state Exp; branches 1.11.10.1; next 1.10; 1.10 date 2005.09.10.10.43.42; author adrianp; state Exp; branches; next 1.9; 1.9 date 2005.02.24.12.13.57; author agc; state Exp; branches; next 1.8; 1.8 date 2003.10.24.04.52.26; author fredb; state Exp; branches; next 1.7; 1.7 date 2002.07.16.14.57.08; author fredb; state Exp; branches; next 1.6; 1.6 date 2002.02.28.13.51.24; author fredb; state Exp; branches; next 1.5; 1.5 date 2001.08.14.17.55.18; author fredb; state Exp; branches; next 1.4; 1.4 date 2001.08.14.06.10.41; author fredb; state Exp; branches; next 1.3; 1.3 date 2001.07.12.16.24.58; author fredb; state Exp; branches; next 1.2; 1.2 date 2001.04.21.11.23.26; author wiz; state Exp; branches; next 1.1; 1.1 date 2001.04.17.11.52.29; author agc; state Exp; branches; next ; 1.25.2.1 date 2016.05.13.12.33.51; author bsiegert; state Exp; branches; next 1.25.2.2; commitid 8idRZash02CQQj6z; 1.25.2.2 date 2016.06.06.18.29.05; author spz; state Exp; branches; next ; commitid y5j26AfJqv9T2r9z; 1.24.2.1 date 2016.01.18.20.38.25; author bsiegert; state Exp; branches; next ; commitid nGOfgWCJvR8ggsRy; 1.22.2.1 date 2015.10.27.19.07.02; author bsiegert; state Exp; branches; next 1.22.2.2; commitid 2ETjHD2rbFqkqMGy; 1.22.2.2 date 
2015.11.24.18.25.38; author bsiegert; state Exp; branches; next ; commitid sJKgr8P3BkgjinKy; 1.21.2.1 date 2015.07.12.08.58.43; author tron; state Exp; branches; next ; commitid W0RfcXGL3LoSuYsy; 1.20.2.1 date 2015.04.21.21.44.22; author tron; state Exp; branches; next ; commitid 65VGwotIuXeXmviy; 1.19.2.1 date 2015.04.01.18.11.56; author hiramatsu; state Exp; branches; next ; commitid Rrp14Jg7xFrcPUfy; 1.13.2.1 date 2009.12.15.21.37.54; author spz; state Exp; branches; next ; 1.11.10.1 date 2009.01.27.13.29.18; author tron; state Exp; branches; next ; desc @@ 1.36 log @ net: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts...): net/radsecproxy/distinfo The following distfiles could not be fetched (fetched conditionally?): ./net/citrix_ica/distinfo citrix_ica-10.6.115659/en.linuxx86.tar.gz ./net/djbdns/distinfo dnscache-1.05-multiple-ip.patch ./net/djbdns/distinfo djbdns-1.05-test28.diff.xz ./net/djbdns/distinfo djbdns-1.05-ignoreip2.patch ./net/djbdns/distinfo djbdns-1.05-multiip.diff ./net/djbdns/distinfo djbdns-cachestats.patch @ text @$NetBSD: distinfo,v 1.35 2021/10/07 14:42:00 nia Exp $ BLAKE2s (ntp-4.2.8p15.tar.gz) = 15969a3800e9101384082723382a7ec44a71b9cfc590585d4af2956758f62533 SHA512 (ntp-4.2.8p15.tar.gz) = f5ad765e45fc302263dd40e94c287698fd235b94f3684e49f1d5d09d7d8bdd6b8c0fb96ecdabffea3d233e1e79b3c9687b76dc204ba76bad3f554682f4a97794 Size (ntp-4.2.8p15.tar.gz) = 7015970 bytes SHA1 (patch-configure) = cd2b6d9353282b574eea117b4b6e391a39a6267b SHA1 (patch-include-ntp__syscall.h) = b0587655e707b9a2e0eb9c937be47fd27e8d5435 SHA1 (patch-include_ntp__md5.h) = 1bde85704e539ab40133f498409294d071df0cc8 SHA1 (patch-include_ntp__request.h) = f76caeaaed595d32f249d493571f24410170e7bd SHA1 (patch-include_refclock__atom.h) = 72ab4f018356a006c41d041ed064072d99e75bbb SHA1 (patch-lib_isc_inet__ntop.c) = 8feef4a19e7762d0739345fa45aecea5b68c834a SHA1 
(patch-lib_isc_unix_net.c) = abbe0dbc424666ef4c564870a65155cf5d355504 SHA1 (patch-libntp_ntp__calendar.c) = f7e6a1cd37026a51288825a8a41d6337e0e10d86 SHA1 (patch-libntp_socktoa.c) = ff469782951666834b753a55993fdd6a2f1f4f74 SHA1 (patch-libntp_timexsup.c) = 385461d1049611921e19e7c75b94ed2788f7b1b7 SHA1 (patch-libntp_work__fork.c) = f46501017291a0764db2240e258ae511a55baba7 SHA1 (patch-ntpd_ntp__config.c) = 5b2107ab8ea5cac590b897b1e6709c47bce5b5d8 SHA1 (patch-ntpd_ntp__control.c) = 3c6267aa5c36bd1d2e0fa729be86875436812783 SHA1 (patch-ntpd_ntp__io.c) = 0ad70fe53d3c0f779842fb71ba60b8c2cbb1e456 SHA1 (patch-ntpd_ntp__keyword.h) = 158f7e93459ea30bbf87830b939a81071fa13eaa SHA1 (patch-ntpd_ntp__loopfilter.c) = 381e44622a25351c470dbc7bfaef353e47370d79 SHA1 (patch-ntpd_ntp__proto.c) = 5e5629cc5b8dc785427bc9b267d0cac6fc7b1b39 SHA1 (patch-ntpd_ntp__restrict.c) = b659db3d7913a72f3a36c3a33ef47cfaf4545095 SHA1 (patch-ntpd_refclock__jjy.c) = c3e506722c0040b8173220482bc3abcd449c95a5 SHA1 (patch-ntpd_refclock__jupiter.c) = bb248d2766cadddacdf9cb56bf9b29cbc538bbcb SHA1 (patch-ntpd_refclock__neoclock4x.c) = 66c38ba21572cb8804a39766f3b32d1b65cb0946 SHA1 (patch-ntpd_refclock__oncore.c) = d93efa11cadc37fd9e600f80f2cbf0280be969c6 SHA1 (patch-ntpd_refclock__ulink.c) = 55003f758fd71621db60ffad8a1880588098389e SHA1 (patch-ntpd_refclock__wwvb.c) = 3a8003bcd94f74a4e1914054d5d30751feb97825 SHA1 (patch-ntpdate_ntpdate.c) = 17e2534ab7a54e5af16059ca8c02c9995d79d83c SHA1 (patch-ntpdc_Makefile.in) = 6afaf915ee8c6b244f94d3733545231e69dfd14d SHA1 (patch-ntpq_ntpq.c) = 0776827a712e2f6636b9d322ae7445d184f3709f SHA1 (patch-sntp_libevent_build-aux_config.guess) = 5f5fff42d04daef5fcbba2bc09b015fb4489ca59 SHA1 (patch-sntp_libevent_build-aux_config.sub) = 178e8b39138e49db7702c4bb84fe92550d14a978 SHA1 (patch-sntp_libevent_evutil__rand.c) = b9fbeae496be49860910c1fcab98cc0519bb6645 SHA1 (patch-sntp_libopts_autoopts.h) = 9f46171eb6982d1ee57b70286e9436aef763554d SHA1 (patch-sntp_libopts_enum.c) = 
7d6624ed84a6ea6f85b4de4c37480041a7603252 SHA1 (patch-sntp_libopts_usage.c) = ec77942c98965c13de625b930db3458d5b81d28b SHA1 (patch-sntp_loc_pkgsrc) = 6e46ffc0cc2afcfdc1d01297cbe04cb80d103575 SHA1 (patch-util_ntp-keygen.c) = e66348e2fcf7da4bf9ee35e66e3f891cb436f338 SHA1 (patch-util_ntptime.c) = 897c3986661a9e655eeb7a7eeb10816996c31301 @ 1.35 log @net: Remove SHA1 hashes for distfiles @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.34 2020/10/07 10:15:02 jperkin Exp $ d3 1 a3 1 RMD160 (ntp-4.2.8p15.tar.gz) = 4653211d8c258a4a9edf1b2445a77223330176a2 @ 1.34 log @ntp4: Don't assume arc4random_addrandom() is available. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.33 2020/10/07 09:09:39 sjmulder Exp $ a2 1 SHA1 (ntp-4.2.8p15.tar.gz) = e34e5b6f48c3ed1bbcfb03080dec1b8f91e19381 @ 1.33 log @net/ntp4: Fix Linux build @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.32 2020/08/15 02:09:25 tnn Exp $ d36 1 @ 1.32 log @net/ntp4: update to ntp-4.2.8p15 Fixes Sec 3661: Memory leak with CMAC keys + additional 13 bugfixes. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.31 2020/06/21 15:10:47 taca Exp $ d30 1 a30 1 SHA1 (patch-ntpd_refclock__wwvb.c) = e1a7fc80df6dba9595788a8b8c56729619048ee4 d36 1 a36 1 SHA1 (patch-sntp_libopts_autoopts.h) = d4cbaa31df97e04f3637349a3d5eb1addfa847db @ 1.31 log @net/ntp4: update to 4.2.8p14 Update ntp4 to 4.2.8p14. pkgsrc changes: * Incorporate several changes from NetBSD base. * few pkglint fixes. Quote from release announce: NTP 4.2.8p14 (Harlan Stenn , 2020 Mar 03) Focus: Security, Bug fixes, enhancements. 
Severity: MEDIUM This release fixes three vulnerabilities: a bug that causes an ntpd instance that is explicitly configured to override the default and allow ntpdc (mode 7) connections to be made to a server to read some uninitialized memory; fixes the case where an unmonitored ntpd using an unauthenticated association to its servers may be susceptible to a forged packet DoS attack; and fixes an attack against a client instance that uses a single unauthenticated time source. It also fixes 46 other bugs and addresses 4 other issues. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.30 2019/03/25 17:19:59 tnn Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p14.tar.gz) = c6f353278cd5b7c8aa11e1189d3ac80985370b8f RMD160 (ntp-4.2.8p14.tar.gz) = c49cb8138678b246661cc1afe68d38f255756a7e SHA512 (ntp-4.2.8p14.tar.gz) = b0183b4b2f2c6ea0a49d0aca1fa28a7b5cd21e20696a2f633f5afa37c4ea2c59fa7769af82a55c626db49b9eb5a531608710dc1977c4d518583577ef95940ae8 Size (ntp-4.2.8p14.tar.gz) = 7007263 bytes d25 1 a25 1 SHA1 (patch-ntpd_refclock__jjy.c) = 592d010d2e19bb47beefdcb3fe5645271e2645bb @ 1.30 log @ntp4: update to ntp-4.2.8p13 NTP 4.2.8p13 2019-03-07 This release fixes a bug that allows an attacker with access to an explicitly trusted source to send a crafted malicious mode 6 (ntpq) packet that can trigger a NULL pointer dereference, crashing ntpd. It also provides 17 other bugfixes and 1 other improvement. NTP 4.2.8p12 2018-04-09 This release fixes a "hole" in the noepeer capability introduced to ntpd in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements. NTP 4.2.8p11 2018-02-27 This release fixes 2 low-/medium-, 1 informational/medium-, and 2 low-severity vulnerabilities in ntpd, one medium-severity vulnerability in ntpq, and provides 65 other non-security fixes and improvements. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.29 2017/03/24 03:41:08 taca Exp $ d3 36 a38 5 SHA1 (ntp-4.2.8p13.tar.gz) = cff200a987d64e891fb349a22313ecb0feaea090 RMD160 (ntp-4.2.8p13.tar.gz) = 5d85e2a01bafa0bb755ab49e462f6dd7f96ce3d0 SHA512 (ntp-4.2.8p13.tar.gz) = afbdbb8a37b8f4040a8a6939a3a85ad0350d359c153c297b32b8a013c7b7061fd925fa3e6e103671c5901e169156e22497813c654195ba50f890a7170b2f2075 Size (ntp-4.2.8p13.tar.gz) = 6949363 bytes SHA1 (patch-include-ntp__syscall.h) = b247569339d09a88f2e143e355033ce7635ffe92 d40 2 @ 1.29 log @Update ntp4 to 4.2.8p10 including security fixes. NTF's NTP Project is releasing ntp-4.2.8p10, which addresses: * 6 MEDIUM severity vulnerabilities (1 is about the Windows PPSAPI DLL) * 5 LOW severity vulnerabilities (2 are in the Windows Installer) * 4 Informational-level vulnerabilities * 15 other non-security fixes and improvements All of the security issues in this release are listed in VU#633849. ntp-4.2.8p10 was released on 21 March 2017. * Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: Denial of Service via Malformed Config (Pentest report 01.2017) - Reported by Cure53. * Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Pentest report 01.2017) - Reported by Cure53. * Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Pentest report 01.2017) - Reported by Cure53. * Sec 3386: NTP-01-011 NTP: ntpq_stripquotes() returns incorrect Value (Pentest report 01.2017) - Reported by Cure53. * Sec 3385: NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Pentest report 01.2017) - Reported by Cure53. * Sec 3384 / CVE-2017-6455 / VU#325339: NTP-01-009 NTP: Windows: Privileged execution of User Library code (Pentest report 01.2017) - Reported by Cure53. * Sec 3383 / CVE-2017-6452 / VU#325339: NTP-01-008 NTP: Windows Installer: Stack Buffer Overflow from Command Line (Pentest report 01.2017) - Reported by Cure53. 
* Sec 3382 / CVE-2017-6459 / VU#325339: NTP-01-007 NTP: Windows Installer: Data Structure terminated insufficiently (Pentest report 01.2017) - Reported by Cure53. * Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code (Pentest report 01.2017) - Reported by Cure53. * Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report 01.2017) - Reported by Cure53. * Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017) - Reported by Cure53. * Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 Improper use of snprintf() in mx4200_send() (Pentest report 01.2017) - Reported by Cure53. * Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 Buffer Overflow in ntpq when fetching reslist (Pentest report 01.2017) - Reported by Cure53. * Sec 3376: NTP-01-001 Makefile does not enforce Security Flags (Pentest report 01.2017) - Reported by Cure53. * Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin - Reported by Matthew Van Gundy of Cisco ASIG. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.28 2016/12/05 15:49:59 taca Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p10.tar.gz) = 503d68cfd3e6a9354e0e28dd38b39d850b1228b2 RMD160 (ntp-4.2.8p10.tar.gz) = c341340b93a5e1b5d88621a9e9d7eb6551f26c5e SHA512 (ntp-4.2.8p10.tar.gz) = 67e01ab533c3dfabb0bdd3ced848bdd239980bde28fdb2791d167b7e9690ab3b3759e1bd99e9fddcce03ddef4cd63a47eb85941bb127ceb79b7ecff22cce9c05 Size (ntp-4.2.8p10.tar.gz) = 6998648 bytes @ 1.28 log @Update ntp4 to 4.2.8p9. Here is quote from NEWS file and please refer it in detail. --- NTP 4.2.8p9 (Harlan Stenn , 2016/11/21) Focus: Security, Bug fixes, enhancements. 
Severity: HIGH In addition to bug fixes and enhancements, this release fixes the following 1 high- (Windows only), 2 medium-, 2 medium-/low, and 5 low-severity vulnerabilities, and provides 28 other non-security fixes and improvements: @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.27 2016/06/03 09:45:08 taca Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p9.tar.gz) = 032e58e7e416ffa1cbdcbb81021785fce4ed4d4b RMD160 (ntp-4.2.8p9.tar.gz) = 73dcdf8c1c13d26b3eda18123cc95014d8b13ce3 SHA512 (ntp-4.2.8p9.tar.gz) = ffd9e34060210d1cfb8ca0d89f2577df1c5fbe3ba63c620cdadc3ccc3c9d07f518783c6b91e57bffc77b08f449fdbab12faf226672ebd2dde5a0b4a783322a04 Size (ntp-4.2.8p9.tar.gz) = 7231884 bytes @ 1.27 log @Update ntp4 package to 4.2.8p8, security fix. (4.2.8p8) 2016/06/02 Released by Harlan Stenn * [Sec 3042] Broadcast Interleave. HStenn. * [Sec 3043] Autokey association reset. perlinger@@ntp.org, stenn@@ntp.org - validate origin timestamps on bad MACs, too. stenn@@ntp.org * [Sec 3044] Spoofed server packets are partially processed. HStenn. * [Sec 3045] Bad authentication demobilizes ephemeral associations. JPerlinger. * [Sec 3046] CRYPTO_NAK crash. stenn@@ntp.org * [Bug 3038] NTP fails to build in VS2015. perlinger@@ntp.org - provide build environment - 'wint_t' and 'struct timespec' defined by VS2015 - fixed print()/scanf() format issues * [Bug 3052] Add a .gitignore file. Edmund Wong. * [Bug 3054] miscopt.html documents the allan intercept in seconds. SWhite. * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. Brian Utterback, JPerlinger, HStenn. * Update the NEWS file for 4.2.8p8. HStenn. * Fix typo in ntp-wait and plot_summary. HStenn. * Make sure we have an "author" file for git imports. HStenn. * Update the sntp problem tests for MacOS. HStenn. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.26 2016/04/27 15:59:19 wen Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p8.tar.gz) = 208ae3e2ce1237ad684c3bc818b6314d28636e46 RMD160 (ntp-4.2.8p8.tar.gz) = 45d393abb749c46bbd3a5fd93a53c892613587c8 SHA512 (ntp-4.2.8p8.tar.gz) = 253675667f78ad8855e961d02f6a120b68b75233c18ddb92cb6c9510fb3847f1672d0d6f93ad1eb11b14e3bdf78fdbc1458e516d906b763e8599490da6a4f225 Size (ntp-4.2.8p8.tar.gz) = 7205710 bytes @ 1.26 log @Update to 4.2.8p7 Upstream changes: (4.2.8p7) 2016/04/26 Released by Harlan Stenn * [Sec 2901] KoD packets must have non-zero transmit timestamps. HStenn. * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include passive servers in this check. HStenn. * [Sec 2945] Additional KoD packet checks. HStenn. * [Sec 2978] Interleave can be partially triggered. HStenn. * [Sec 3007] Validate crypto-NAKs. Danny Mayer. * [Sec 3008] Always check the return value of ctl_getitem(). - initial work by HStenn - Additional cleanup of ctl_getitem by perlinger@@ntp.org * [Sec 3009] Crafted addpeer with hmode > 7 causes OOB error. perlinger@@ntp.org - added more stringent checks on packet content * [Sec 3010] remote configuration trustedkey/requestkey values are not properly validated. perlinger@@ntp.org - sidekick: Ignore keys that have an unsupported MAC algorithm but are otherwise well-formed * [Sec 3011] Duplicate IPs on unconfig directives will cause an assertion botch - graciously accept the same IP multiple times. perlinger@@ntp.org * [Sec 3020] Refclock impersonation. HStenn. * [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@@ntp.org - fixed yet another race condition in the threaded resolver code. * [Bug 2858] bool support. Use stdbool.h when available. HStenn. * [Bug 2879] Improve NTP security against timing attacks. perlinger@@ntp.org - integrated patches by Loganaden Velvidron with some modifications & unit tests * [Bug 2952] Symmetric active/passive mode is broken. HStenn. 
* [Bug 2960] async name resolution fixes for chroot() environments. Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@@ntp.org
  - Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
  - A change related to [Bug 2853] forbids trailing white space in remote config commands. perlinger@@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
  - report and patch from Aleksandr Kostikov.
  - Overhaul of Windows IO completion port handling. perlinger@@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@@ntp.org
  - fixed memory leak in access list (auth[read]keys.c)
  - refactored handling of key access lists (auth[read]keys.c)
  - reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server when the time of server changed. perlinger@@ntp.org
  - Check the initial delay calculation and reject/unpeer the broadcast server if the delay exceeds 50ms. Retry again after the next broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.
---
(4.2.8p6) 2016/01/20 Released by Harlan Stenn
* [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn.
* [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
* [Sec 2937] ntpq: nextvar() missing length check. perlinger@@ntp.org
* [Sec 2938] ntpq saveconfig command allows dangerous characters in filenames. perlinger@@ntp.org
* [Sec 2939] reslist NULL pointer dereference. perlinger@@ntp.org
* [Sec 2940] Stack exhaustion in recursive traversal of restriction list. perlinger@@ntp.org
* [Sec 2942]: Off-path DoS attack on auth broadcast mode. HStenn.
* [Sec 2945] Zero Origin Timestamp Bypass. perlinger@@ntp.org
* [Sec 2948] Potential Infinite Loop in ntpq (and ntpdc) perlinger@@ntp.org
* [Bug 2772] adj_systime overflows tv_usec. perlinger@@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@@ntp.org
  - applied patch by shenpeng11@@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build. perlinger@@ntp.org
  - Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@@ntp.org
  - added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@@ntp.org
  - make CTRL-C work for retrieval and printing of MRU list. perlinger@@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@@ntp.org
  - integrated several patches from Havard Eidnes (he@@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@@ntp.org
  - implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.
* Disable incomplete t-ntp_signd.c test. Harlan Stenn.
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.25 2016/01/09 15:49:26 taca Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p7.tar.gz) = a1f6300132cf1fc6884990353aca7340daf0be0d RMD160 (ntp-4.2.8p7.tar.gz) = d138a8a36cb0e20ae5a9cda2e0e9771fae4e1380 SHA512 (ntp-4.2.8p7.tar.gz) = 7b80192f0e3c4a05cc05f167ab85593acca685d514dcd46fb8f42b4cd2a5525e76ba5e15fd7ff13220e4155de6aab5661554e0ded60bfb1d27a969c589958f55 Size (ntp-4.2.8p7.tar.gz) = 7175313 bytes @ 1.25 log @Update ntp4 to 4.2.8p5. NTP 4.2.8p5 Focus: Security, Bug fixes, enhancements. Severity: MEDIUM In addition to bug fixes and enhancements, this release fixes the following medium-severity vulnerability: * Small-step/big-step. Close the panic gate earlier. References: Sec 2956, CVE-2015-5300 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 4.3.0 up to, but not including 4.3.78 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM Summary: If ntpd is always started with the -g option, which is common and against long-standing recommendation, and if at the moment ntpd is restarted an attacker can immediately respond to enough requests from enough sources trusted by the target, which is difficult and not common, there is a window of opportunity where the attacker can cause ntpd to set the time to an arbitrary value. Similarly, if an attacker is able to respond to enough requests from enough sources trusted by the target, the attacker can cause ntpd to abort and restart, at which point it can tell the target to set the time to an arbitrary value if and only if ntpd was re-started against long-standing recommendation with the -g flag, or if ntpd was not given the -g flag, the attacker can move the target system's time by at most 900 seconds' time per attack. Mitigation: Configure ntpd to get time from multiple sources. Upgrade to 4.2.8p5, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page As we've long documented, only use the -g option to ntpd in cold-start situations. 
Monitor your ntpd instances.
Credit: This weakness was discovered by Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg at Boston University.
NOTE WELL: The -g flag disables the limit check on the panic_gate in ntpd, which is 900 seconds by default. The bug identified by the researchers at Boston University is that the panic_gate check was only re-enabled after the first change to the system clock that was greater than 128 milliseconds, by default. The correct behavior is that the panic_gate check should be re-enabled after any initial time correction. If an attacker is able to inject consistent but erroneous time responses to your systems via the network or "over the air", perhaps by spoofing radio, cellphone, or navigation satellite transmissions, they are in a great position to affect your system's clock. There comes a point where your very best defenses include:
  Configure ntpd to get time from multiple sources.
  Monitor your ntpd instances.
Other fixes:
* Coverity submission process updated from Coverity 5 to Coverity 7. The NTP codebase has been undergoing regular Coverity scans on an ongoing basis since 2006. As part of our recent upgrade from Coverity 5 to Coverity 7, Coverity identified 16 nits in some of the newly-written Unity test programs. These were fixed.
* [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@@ntp.org
* [Bug 2887] stratum -1 config results as showing value 99
  - fudge stratum should only accept values [0..16]. perlinger@@ntp.org
* [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn.
* [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray
* [Bug 2944] errno is not preserved properly in ntpdate after sendto call.
  - applied patch by Christos Zoulas. perlinger@@ntp.org
* [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704.
* [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes.
  - fixed data race conditions in threaded DNS worker.
perlinger@@ntp.org
  - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@@ntp.org
* [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@@ntp.org
  - accept key file only if there are no parsing errors
  - fixed size_t/u_int format clash
  - fixed wrong use of 'strlcpy'
* [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres.
* [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. perlinger@@ntp.org
  - fixed several other warnings (cast-alignment, missing const, missing prototypes)
  - promote use of 'size_t' for values that express a size
  - use ptr-to-const for read-only arguments
  - make sure SOCKET values are not truncated (win32-specific)
  - format string fixes
* [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki.
* [Bug 2967] ntpdate command suffers an assertion failure
  - fixed ntp_rfc2553.c to return proper address length. perlinger@@ntp.org
* [Bug 2969] Seg fault from ntpq/mrulist when looking at server with lots of clients. perlinger@@ntp.org
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
  - changed stacked/nested handling of CTRL-C. perlinger@@ntp.org
* Unity cleanup for FreeBSD-6.4. Harlan Stenn.
* Unity test cleanup. Harlan Stenn.
* Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn.
* Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn.
* Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn.
* Quiet a warning from clang. Harlan Stenn.
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.24 2015/10/29 11:28:44 christos Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p5.tar.gz) = 95152c9bca8b5229a4db05943f181365bf738ab2 RMD160 (ntp-4.2.8p5.tar.gz) = a5991d126722fb80bac6a0552feb14403b8d0a0d SHA512 (ntp-4.2.8p5.tar.gz) = 8df3e51027f6bfc5e77b81317b67e75263cb429dc532d21bb5924852f77ea39314a06b94944804991185f93155063cee7c1f28024698ec893c353a4d5561750e Size (ntp-4.2.8p5.tar.gz) = 7138233 bytes @ 1.25.2.1 log @Pullup ticket #5010 - requested by taca net/ntp4: security fix Revisions pulled up: - net/ntp4/Makefile 1.92 - net/ntp4/PLIST 1.21 - net/ntp4/distinfo 1.26 --- Module Name: pkgsrc Committed By: wen Date: Wed Apr 27 15:59:19 UTC 2016 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Log Message: Update to 4.2.8p7 Upstream changes: (4.2.8p7) 2016/04/26 Released by Harlan Stenn * [Sec 2901] KoD packets must have non-zero transmit timestamps. HStenn. * [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve time. Include passive servers in this check. HStenn. * [Sec 2945] Additional KoD packet checks. HStenn. * [Sec 2978] Interleave can be partially triggered. HStenn. * [Sec 3007] Validate crypto-NAKs. Danny Mayer. * [Sec 3008] Always check the return value of ctl_getitem(). - initial work by HStenn - Additional cleanup of ctl_getitem by perlinger@@ntp.org * [Sec 3009] Crafted addpeer with hmode > 7 causes OOB error. perlinger@@ntp.org - added more stringent checks on packet content * [Sec 3010] remote configuration trustedkey/requestkey values are not properly validated. perlinger@@ntp.org - sidekick: Ignore keys that have an unsupported MAC algorithm but are otherwise well-formed * [Sec 3011] Duplicate IPs on unconfig directives will cause an assertion botch - graciously accept the same IP multiple times. perlinger@@ntp.org * [Sec 3020] Refclock impersonation. HStenn. * [Bug 2831] Segmentation Fault in DNS lookup during startup. 
perlinger@@ntp.org - fixed yet another race condition in the threaded resolver code. * [Bug 2858] bool support. Use stdbool.h when available. HStenn. * [Bug 2879] Improve NTP security against timing attacks. perlinger@@ntp.org - integrated patches by Loganaden Velvidron with some modifications & unit tests * [Bug 2952] Symmetric active/passive mode is broken. HStenn. * [Bug 2960] async name resolution fixes for chroot() environments. Reinhard Max. * [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@@ntp.org * [Bug 2995] Fixes to compile on Windows * [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@@ntp.org * [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@@ntp.org - Patch provided by Ch. Weisgerber * [Bug 3015] ntpq: config-from-file: "request contains an unprintable character" - A change related to [Bug 2853] forbids trailing white space in remote config commands. perlinger@@ntp.org * [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE - report and patch from Aleksandr Kostikov. - Overhaul of Windows IO completion port handling. perlinger@@ntp.org * [Bug 3022] authkeys.c should be refactored. perlinger@@ntp.org - fixed memory leak in access list (auth[read]keys.c) - refactored handling of key access lists (auth[read]keys.c) - reduced number of error branches (authreadkeys.c) * [Bug 3023] ntpdate cannot correct dates in the future. perlinger@@ntp.org * [Bug 3030] ntpq needs a general way to specify refid output format. HStenn. * [Bug 3031] ntp broadcastclient unable to synchronize to an server when the time of server changed. perlinger@@ntp.org - Check the initial delay calculation and reject/unpeer the broadcast server if the delay exceeds 50ms. Retry again after the next broadcast packet. * [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn. * Document ntp.key's optional IP list in authenetic.html. Harlan Stenn. * Update html/xleave.html documentation. Harlan Stenn. 
* Update ntp.conf documentation. Harlan Stenn. * Fix some Credit: attributions in the NEWS file. Harlan Stenn. * Fix typo in html/monopt.html. Harlan Stenn. * Add README.pullrequests. Harlan Stenn. * Cleanup to include/ntp.h. Harlan Stenn. --- (4.2.8p6) 2016/01/20 Released by Harlan Stenn * [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn. * [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn. * [Sec 2937] ntpq: nextvar() missing length check. perlinger@@ntp.org * [Sec 2938] ntpq saveconfig command allows dangerous characters in filenames. perlinger@@ntp.org * [Sec 2939] reslist NULL pointer dereference. perlinger@@ntp.org * [Sec 2940] Stack exhaustion in recursive traversal of restriction list. perlinger@@ntp.org * [Sec 2942]: Off-path DoS attack on auth broadcast mode. HStenn. * [Sec 2945] Zero Origin Timestamp Bypass. perlinger@@ntp.org * [Sec 2948] Potential Infinite Loop in ntpq (and ntpdc) perlinger@@ntp.org * [Bug 2772] adj_systime overflows tv_usec. perlinger@@ntp.org * [Bug 2814] msyslog deadlock when signaled. perlinger@@ntp.org - applied patch by shenpeng11@@huawei.com with minor adjustments * [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@@ntp.org * [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@@ntp.org * [Bug 2892] Several test cases assume IPv6 capabilities even when IPv6 is disabled in the build. perlinger@@ntp.org - Found this already fixed, but validation led to cleanup actions. * [Bug 2905] DNS lookups broken. perlinger@@ntp.org - added limits to stack consumption, fixed some return code handling * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call - changed stacked/nested handling of CTRL-C. perlinger@@ntp.org - make CTRL-C work for retrieval and printing of MRU list. perlinger@@ntp.org * [Bug 2980] reduce number of warnings. 
perlinger@@ntp.org - integrated several patches from Havard Eidnes (he@@uninett.no) * [Bug 2985] bogus calculation in authkeys.c perlinger@@ntp.org - implement 'auth_log2()' using integer bithack instead of float calculation * Make leapsec_query debug messages less verbose. Harlan Stenn. * Disable incomplete t-ntp_signd.c test. Harlan Stenn. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.25 2016/01/09 15:49:26 taca Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p7.tar.gz) = a1f6300132cf1fc6884990353aca7340daf0be0d RMD160 (ntp-4.2.8p7.tar.gz) = d138a8a36cb0e20ae5a9cda2e0e9771fae4e1380 SHA512 (ntp-4.2.8p7.tar.gz) = 7b80192f0e3c4a05cc05f167ab85593acca685d514dcd46fb8f42b4cd2a5525e76ba5e15fd7ff13220e4155de6aab5661554e0ded60bfb1d27a969c589958f55 Size (ntp-4.2.8p7.tar.gz) = 7175313 bytes @ 1.25.2.2 log @Pullup ticket #5037 - requested by bsiegert net/ntp4: security update Revisions pulled up: - net/ntp4/Makefile 1.95 - net/ntp4/distinfo 1.27 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Fri Jun 3 09:45:09 UTC 2016 Modified Files: pkgsrc/net/ntp4: Makefile distinfo Log Message: Update ntp4 package to 4.2.8p8, security fix. (4.2.8p8) 2016/06/02 Released by Harlan Stenn * [Sec 3042] Broadcast Interleave. HStenn. * [Sec 3043] Autokey association reset. perlinger@@ntp.org, = stenn@@ntp.org - validate origin timestamps on bad MACs, too. stenn@@ntp.org * [Sec 3044] Spoofed server packets are partially processed. HStenn. * [Sec 3045] Bad authentication demobilizes ephemeral associations. = JPerlinger. * [Sec 3046] CRYPTO_NAK crash. stenn@@ntp.org * [Bug 3038] NTP fails to build in VS2015. perlinger@@ntp.org - provide build environment - 'wint_t' and 'struct timespec' defined by VS2015 - fixed print()/scanf() format issues * [Bug 3052] Add a .gitignore file. Edmund Wong. * [Bug 3054] miscopt.html documents the allan intercept in seconds. = SWhite. * [Bug 3058] fetch_timestamp() mishandles 64-bit alignment. 
Brian = Utterback, JPerlinger, HStenn. * Update the NEWS file for 4.2.8p8. HStenn. * Fix typo in ntp-wait and plot_summary. HStenn. * Make sure we have an "author" file for git imports. HStenn. * Update the sntp problem tests for MacOS. HStenn. To generate a diff of this commit: cvs rdiff -u -r1.94 -r1.95 pkgsrc/net/ntp4/Makefile cvs rdiff -u -r1.26 -r1.27 pkgsrc/net/ntp4/distinfo @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (ntp-4.2.8p8.tar.gz) = 208ae3e2ce1237ad684c3bc818b6314d28636e46 RMD160 (ntp-4.2.8p8.tar.gz) = 45d393abb749c46bbd3a5fd93a53c892613587c8 SHA512 (ntp-4.2.8p8.tar.gz) = 253675667f78ad8855e961d02f6a120b68b75233c18ddb92cb6c9510fb3847f1672d0d6f93ad1eb11b14e3bdf78fdbc1458e516d906b763e8599490da6a4f225 Size (ntp-4.2.8p8.tar.gz) = 7205710 bytes @ 1.24 log @update checksum and bump revision @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.23 2015/10/23 03:43:31 taca Exp $ d3 4 a6 4 SHA1 (ntp-4.2.8p4.tar.gz) = a30f61f87b219ab3613def9e27f5c8e91ce38b0a RMD160 (ntp-4.2.8p4.tar.gz) = 94ab0e190f37c55700978a1555473a308e7175e6 SHA512 (ntp-4.2.8p4.tar.gz) = e5ad7b44921e49b5546aa804dc56c320a3a0beb32b0e6fde40c900bf5e3af40b354a0cecc869b4605b59b5ab58219b9940789b50d747e0f5b50b4e73513d9f23 Size (ntp-4.2.8p4.tar.gz) = 7104852 bytes a7 1 SHA1 (patch-ntpd-ntpd.c) = 5a5bf9c8939752e1b3f5d04cea3daabdc34081cf @ 1.24.2.1 log @Pullup ticket #4895 - requested by taca net/ntp4: security fix Revisions pulled up: - net/ntp4/Makefile 1.90 - net/ntp4/distinfo 1.25 - net/ntp4/patches/patch-ntpd-ntpd.c deleted --- Module Name: pkgsrc Committed By: taca Date: Sat Jan 9 15:49:27 UTC 2016 Modified Files: pkgsrc/net/ntp4: Makefile distinfo Removed Files: pkgsrc/net/ntp4/patches: patch-ntpd-ntpd.c Log Message: Update ntp4 to 4.2.8p5. NTP 4.2.8p5 Focus: Security, Bug fixes, enhancements. Severity: MEDIUM In addition to bug fixes and enhancements, this release fixes the following medium-severity vulnerability: * Small-step/big-step. Close the panic gate earlier. 
References: Sec 2956, CVE-2015-5300 Affects: All ntp-4 releases up to, but not including 4.2.8p5, and 4.3.0 up to, but not including 4.3.78 CVSS3: (AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:L) Base Score: 4.0, MEDIUM Summary: If ntpd is always started with the -g option, which is common and against long-standing recommendation, and if at the moment ntpd is restarted an attacker can immediately respond to enough requests from enough sources trusted by the target, which is difficult and not common, there is a window of opportunity where the attacker can cause ntpd to set the time to an arbitrary value. Similarly, if an attacker is able to respond to enough requests from enough sources trusted by the target, the attacker can cause ntpd to abort and restart, at which point it can tell the target to set the time to an arbitrary value if and only if ntpd was re-started against long-standing recommendation with the -g flag, or if ntpd was not given the -g flag, the attacker can move the target system's time by at most 900 seconds' time per attack. Mitigation: Configure ntpd to get time from multiple sources. Upgrade to 4.2.8p5, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page As we've long documented, only use the -g option to ntpd in cold-start situations. Monitor your ntpd instances. Credit: This weakness was discovered by Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg at Boston University. NOTE WELL: The -g flag disables the limit check on the panic_gate in ntpd, which is 900 seconds by default. The bug identified by the researchers at Boston University is that the panic_gate check was only re-enabled after the first change to the system clock that was greater than 128 milliseconds, by default. The correct behavior is that the panic_gate check should be re-enabled after any initial time correction. 
If an attacker is able to inject consistent but erroneous time responses to your systems via the network or "over the air", perhaps by spoofing radio, cellphone, or navigation satellite transmissions, they are in a great position to affect your system's clock. There comes a point where your very best defenses include: Configure ntpd to get time from multiple sources. Monitor your ntpd instances. Other fixes: * Coverity submission process updated from Coverity 5 to Coverity 7. The NTP codebase has been undergoing regular Coverity scans on an ongoing basis since 2006. As part of our recent upgrade from Coverity 5 to Coverity 7, Coverity identified 16 nits in some of the newly-written Unity test programs. These were fixed. * [Bug 2829] Clean up pipe_fds in ntpd.c perlinger@@ntp.org * [Bug 2887] stratum -1 config results as showing value 99 - fudge stratum should only accept values [0..16]. perlinger@@ntp.org * [Bug 2932] Update leapsecond file info in miscopt.html. CWoodbury, HStenn. * [Bug 2934] tests/ntpd/t-ntp_scanner.c has a magic constant wired in. HMurray * [Bug 2944] errno is not preserved properly in ntpdate after sendto call. - applied patch by Christos Zoulas. perlinger@@ntp.org * [Bug 2952] Peer associations broken by fix for Bug 2901/CVE-2015-7704. * [Bug 2954] Version 4.2.8p4 crashes on startup on some OSes. - fixed data race conditions in threaded DNS worker. perlinger@@ntp.org - limit threading warm-up to linux; FreeBSD bombs on it. perlinger@@ntp.org * [Bug 2957] 'unsigned int' vs 'size_t' format clash. perlinger@@ntp.org - accept key file only if there are no parsing errors - fixed size_t/u_int format clash - fixed wrong use of 'strlcpy' * [Bug 2958] ntpq: fatal error messages need a final newline. Craig Leres. * [Bug 2962] truncation of size_t/ptrdiff_t on 64bit targets. 
perlinger@@ntp.org - fixed several other warnings (cast-alignment, missing const, missing prototypes) - promote use of 'size_t' for values that express a size - use ptr-to-const for read-only arguments - make sure SOCKET values are not truncated (win32-specific) - format string fixes * [Bug 2965] Local clock didn't work since 4.2.8p4. Martin Burnicki. * [Bug 2967] ntpdate command suffers an assertion failure - fixed ntp_rfc2553.c to return proper address length. perlinger@@ntp.org * [Bug 2969] Seg fault from ntpq/mrulist when looking at server with lots of clients. perlinger@@ntp.org * [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call - changed stacked/nested handling of CTRL-C. perlinger@@ntp.org * Unity cleanup for FreeBSD-6.4. Harlan Stenn. * Unity test cleanup. Harlan Stenn. * Libevent autoconf pthread fixes for FreeBSD-10. Harlan Stenn. * Header cleanup in tests/sandbox/uglydate.c. Harlan Stenn. * Header cleanup in tests/libntp/sfptostr.c. Harlan Stenn. * Quiet a warning from clang. Harlan Stenn. @ text @d1 1 a1 1 $NetBSD$ d3 4 a6 4 SHA1 (ntp-4.2.8p5.tar.gz) = 95152c9bca8b5229a4db05943f181365bf738ab2 RMD160 (ntp-4.2.8p5.tar.gz) = a5991d126722fb80bac6a0552feb14403b8d0a0d SHA512 (ntp-4.2.8p5.tar.gz) = 8df3e51027f6bfc5e77b81317b67e75263cb429dc532d21bb5924852f77ea39314a06b94944804991185f93155063cee7c1f28024698ec893c353a4d5561750e Size (ntp-4.2.8p5.tar.gz) = 7138233 bytes d8 1 @ 1.23 log @Update ntp4 to 4.2.8p4. pkgsrc change: * Remove duplicated HTML documents. * Install some additional documents. Changes are too many to write here, please refer NEWS files and this release fixes security problems. 
October 2015 NTP Security Vulnerability Announcement (Medium) NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015: * Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) * Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) * Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS) * Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) * Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS) * Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) * Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) * Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) * Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) * Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) * Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable) The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4. 
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all below 1.8 CVSS score, so we're reporting them here: * Bug 2382 : Peer precision < -31 gives division by zero * Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL * Bug 1593 : ntpd abort in free() with logconfig syntax error @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22 2015/06/30 16:08:21 taca Exp $ d7 2 a8 3 SHA1 (patch-aa) = b247569339d09a88f2e143e355033ce7635ffe92 SHA1 (patch-configure) = 21466ffa5d0334957a1a93b2a99087e7edaaa4d5 SHA1 (patch-sntp_configure) = 38357046af0f0c1aeb8b57bb9c653e330d3feadd @ 1.22 log @Update ntp4 to 4.2.8p3. Please refer NEWS and ChangeLog for full changes. NTP 4.2.8p3 (Harlan Stenn , 2015/06/29) Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. Severity: MEDIUM Security Fix: * [Sec 2853] Crafted remote config packet can crash some versions of ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. Under specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: 1) ntpd set up to allow remote configuration (not allowed by default), and 2) knowledge of the configuration password, and 3) access to a computer entrusted to perform remote configuration. This vulnerability is considered low-risk. New features in this release: Optional (disabled by default) support to have ntpd provide smeared leap second time. A specially built and configured ntpd will only offer smeared time in response to client packets. These response packets will also contain a "refid" of 254.a.b.c, where the 24 bits of a, b, and c encode the amount of smear in a 2:22 integer:fraction format. See README.leapsmear and http://bugs.ntp.org/2855 for more information. 
*IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* We've imported the Unity test framework, and have begun converting the existing google-test items to this new framework. If you want to write new tests or change old ones, you'll need to have ruby installed. You don't need ruby to run the test suite. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.21 2015/04/08 03:31:33 taca Exp $ d3 4 a6 3 SHA1 (ntp-4.2.8p3.tar.gz) = fc624396f8d9f9bc282da30c8e8e527ade7d420f RMD160 (ntp-4.2.8p3.tar.gz) = 86b7156d36462cfa10e57eed45805814cb7e35bd Size (ntp-4.2.8p3.tar.gz) = 7099575 bytes @ 1.22.2.1 log @Pullup ticket #4846 - requested by taca net/ntp4: security fix Revisions pulled up: - net/ntp4/Makefile 1.88 - net/ntp4/PLIST 1.20 - net/ntp4/distinfo 1.23 - net/ntp4/patches/patch-configure deleted - net/ntp4/patches/patch-sntp_configure deleted --- Module Name: pkgsrc Committed By: taca Date: Fri Oct 23 03:43:31 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Removed Files: pkgsrc/net/ntp4/patches: patch-configure patch-sntp_configure Log Message: Update ntp4 to 4.2.8p4. pkgsrc change: * Remove duplicated HTML documents. * Install some additional documents. Changes are too many to write here, please refer NEWS files and this release fixes security problems. October 2015 NTP Security Vulnerability Announcement (Medium) NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015: * Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) * Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) * Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. 
(Cisco TALOS) * Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) * Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS) * Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) * Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) * Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) * Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) * Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) * Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable) The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4. Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all below 1.8 CVSS score, so we're reporting them here: * Bug 2382 : Peer precision < -31 gives division by zero * Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL * Bug 1593 : ntpd abort in free() with logconfig syntax error @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 4 SHA1 (ntp-4.2.8p4.tar.gz) = a30f61f87b219ab3613def9e27f5c8e91ce38b0a RMD160 (ntp-4.2.8p4.tar.gz) = 94ab0e190f37c55700978a1555473a308e7175e6 SHA512 (ntp-4.2.8p4.tar.gz) = e5ad7b44921e49b5546aa804dc56c320a3a0beb32b0e6fde40c900bf5e3af40b354a0cecc869b4605b59b5ab58219b9940789b50d747e0f5b50b4e73513d9f23 Size (ntp-4.2.8p4.tar.gz) = 7104852 bytes @ 1.22.2.2 log @Pullup ticket #4861 - requested by taca net/ntp4: build fix Revisions pulled up: - net/ntp4/Makefile 1.89 - net/ntp4/distinfo 1.24 - net/ntp4/patches/patch-aa deleted - net/ntp4/patches/patch-include-ntp__syscall.h 1.1 - net/ntp4/patches/patch-ntpd-ntpd.c 1.1 
--- Module Name: pkgsrc Committed By: christos Date: Thu Oct 29 11:23:47 UTC 2015 Added Files: pkgsrc/net/ntp4/patches: patch-include-ntp__syscall.h patch-ntpd-ntpd.c Removed Files: pkgsrc/net/ntp4/patches: patch-aa Log Message: - rename patch-aa to follow not so new anymore convention - apply the "warmup" patch only on linux. should fix the build on netbsd-6 --- Module Name: pkgsrc Committed By: christos Date: Thu Oct 29 11:28:44 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile distinfo Log Message: update checksum and bump revision @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.22.2.1 2015/10/27 19:07:02 bsiegert Exp $ d7 3 a9 2 SHA1 (patch-include-ntp__syscall.h) = b247569339d09a88f2e143e355033ce7635ffe92 SHA1 (patch-ntpd-ntpd.c) = 5a5bf9c8939752e1b3f5d04cea3daabdc34081cf @ 1.21 log @Update ntp4 package to 4.2.8p2. NTP 4.2.8p2 (Harlan Stenn , 2015/04/xx) Focus: Security and Bug fixes, enhancements. Severity: MEDIUM In addition to bug fixes and enhancements, this release fixes the following medium-severity vulnerabilities involving private key authentication: * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. References: Sec 2779 / CVE-2015-1798 / VU#374268 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 Summary: When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. 
The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server. Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC. Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Configure ntpd with enough time sources and monitor it properly. Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. * [Sec 2781] Authentication doesn't protect symmetric associations against DoS attacks. References: Sec 2781 / CVE-2015-1799 / VU#374268 Affects: All NTP releases starting with at least xntp3.3wy up to but not including ntp-4.2.8p2 where the installation uses symmetric key authentication. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 Note: the CVSS base Score for this issue could be 4.3 or lower, and it could be higher than 5.4. Date Resolved: Stable (4.2.8p2) 07 Apr 2015 Summary: An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at https://www.eecis.udel.edu/~mills/onwire.html . According to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. 
The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side. This seems to be a very old problem, dating back to at least xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) specifications, so other NTP implementations with support for symmetric associations and authentication may be vulnerable too. An update to the NTP RFC to correct this error is in-process. Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Note that for users of autokey, this specific style of MITM attack is simply a long-known potential problem. Configure ntpd with appropriate time sources and monitor ntpd. Alert your staff if problems are detected. Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. * New script: update-leap The update-leap script will verify and if necessary, update the leap-second definition file. It requires the following commands in order to work: wget logger tr sed shasum Some may choose to run this from cron. It needs more portability testing. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2015/03/21 20:49:28 bsiegert Exp $ d3 3 a5 3 SHA1 (ntp-4.2.8p2.tar.gz) = 51d014c4a38383692d0895f5b8247004942e3b38 RMD160 (ntp-4.2.8p2.tar.gz) = 5e2bec1f296f6d1528694167da2229cae13ebf47 Size (ntp-4.2.8p2.tar.gz) = 6820869 bytes @ 1.21.2.1 log @Pullup ticket #4764 - requested by taca net/ntp4: security update Revisions pulled up: - net/ntp4/Makefile 1.87 - net/ntp4/PLIST 1.19 - net/ntp4/distinfo 1.22 --- Module Name: pkgsrc Committed By: taca Date: Tue Jun 30 16:08:21 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Log Message: Update ntp4 to 4.2.8p3. Please refer NEWS and ChangeLog for full changes. NTP 4.2.8p3 (Harlan Stenn , 2015/06/29) Focus: 1 Security fix. Bug fixes and enhancements. Leap-second improvements. 
Severity: MEDIUM Security Fix: * [Sec 2853] Crafted remote config packet can crash some versions of ntpd. Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn. Under specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: 1) ntpd set up to allow remote configuration (not allowed by default), and 2) knowledge of the configuration password, and 3) access to a computer entrusted to perform remote configuration. This vulnerability is considered low-risk. New features in this release: Optional (disabled by default) support to have ntpd provide smeared leap second time. A specially built and configured ntpd will only offer smeared time in response to client packets. These response packets will also contain a "refid" of 254.a.b.c, where the 24 bits of a, b, and c encode the amount of smear in a 2:22 integer:fraction format. See README.leapsmear and http://bugs.ntp.org/2855 for more information. *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME* *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.* We've imported the Unity test framework, and have begun converting the existing google-test items to this new framework. If you want to write new tests or change old ones, you'll need to have ruby installed. You don't need ruby to run the test suite. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (ntp-4.2.8p3.tar.gz) = fc624396f8d9f9bc282da30c8e8e527ade7d420f RMD160 (ntp-4.2.8p3.tar.gz) = 86b7156d36462cfa10e57eed45805814cb7e35bd Size (ntp-4.2.8p3.tar.gz) = 7099575 bytes @ 1.20 log @SECURITY: Update ntpd to 4.2.8p1. * [Sec 2671] vallen in extension fields are not validated. * [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.19 2014/12/20 09:45:46 taca Exp $ d3 3 a5 3 SHA1 (ntp-4.2.8p1.tar.gz) = 1e6d8894bbd3456bd71aa890b02f802f2e611e86 RMD160 (ntp-4.2.8p1.tar.gz) = f61569230e876faf9271607aff9dcbd242ea4f69 Size (ntp-4.2.8p1.tar.gz) = 6791852 bytes @ 1.20.2.1 log @Pullup ticket #4678 - requested by taca net/ntp4: security update Revisions pulled up: - net/ntp4/Makefile 1.85 - net/ntp4/PLIST 1.18 - net/ntp4/distinfo 1.21 --- Module Name: pkgsrc Committed By: taca Date: Wed Apr 8 03:31:34 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Log Message: Update ntp4 package to 4.2.8p2. NTP 4.2.8p2 (Harlan Stenn , 2015/04/xx) Focus: Security and Bug fixes, enhancements. Severity: MEDIUM In addition to bug fixes and enhancements, this release fixes the following medium-severity vulnerabilities involving private key authentication: * [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. References: Sec 2779 / CVE-2015-1798 / VU#374268 Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not including ntp-4.2.8p2 where the installation uses symmetric keys to authenticate remote associations. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 Date Resolved: Stable (4.2.8p2) 07 Apr 2015 Summary: When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server. 
Authentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC. Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Configure ntpd with enough time sources and monitor it properly. Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. * [Sec 2781] Authentication doesn't protect symmetric associations against DoS attacks. References: Sec 2781 / CVE-2015-1799 / VU#374268 Affects: All NTP releases starting with at least xntp3.3wy up to but not including ntp-4.2.8p2 where the installation uses symmetric key authentication. CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4 Note: the CVSS base Score for this issue could be 4.3 or lower, and it could be higher than 5.4. Date Resolved: Stable (4.2.8p2) 07 Apr 2015 Summary: An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at https://www.eecis.udel.edu/~mills/onwire.html . According to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side. This seems to be a very old problem, dating back to at least xntp3.3wy. 
It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905) specifications, so other NTP implementations with support for symmetric associations and authentication may be vulnerable too. An update to the NTP RFC to correct this error is in-process. Mitigation: Upgrade to 4.2.8p2, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page Note that for users of autokey, this specific style of MITM attack is simply a long-known potential problem. Configure ntpd with appropriate time sources and monitor ntpd. Alert your staff if problems are detected. Credit: This issue was discovered by Miroslav Lichvar, of Red Hat. * New script: update-leap The update-leap script will verify and if necessary, update the leap-second definition file. It requires the following commands in order to work: wget logger tr sed shasum Some may choose to run this from cron. It needs more portability testing. @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (ntp-4.2.8p2.tar.gz) = 51d014c4a38383692d0895f5b8247004942e3b38 RMD160 (ntp-4.2.8p2.tar.gz) = 5e2bec1f296f6d1528694167da2229cae13ebf47 Size (ntp-4.2.8p2.tar.gz) = 6820869 bytes @ 1.19 log @Update ntpd4 package to 4.2.8, here is summary for security related fixes. NTP 4.2.8 (Harlan Stenn , 2014/12/18) Focus: Security and Bug fixes, enhancements. Severity: HIGH In addition to bug fixes and enhancements, this release fixes the following high-severity vulnerabilities: * Weak default key in config_auth(). References: [Sec 2665] / CVE-2014-9293 / VU#852879 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 Vulnerable Versions: all releases prior to 4.2.7p11 Date Resolved: 28 Jan 2010 Summary: If no 'auth' key is set in the configuration file, ntpd would generate a random key on the fly. There were two problems with this: 1) the generated key was 31 bits in size, and 2) it used the (now weak) ntp_random() function, which was seeded with a 32-bit value and could only provide 32 bits of entropy. 
This was sufficient back in the late 1990s when the code was written. Not today. Mitigation: Upgrade to 4.2.7p11 or later. Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta of the Google Security Team. * Non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys. References: [Sec 2666] / CVE-2014-9294 / VU#852879 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 Vulnerable Versions: All NTP4 releases before 4.2.7p230 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to prepare a random number generator that was of good quality back in the late 1990s. The random numbers produced were then used to generate symmetric keys. In ntp-4.2.8 we use a current-technology cryptographic random number generator, either RAND_bytes from OpenSSL, or arc4random(). Mitigation: Upgrade to 4.2.7p230 or later. Credit: This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team. * Buffer overflow in crypto_recv() References: Sec 2667 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a 'crypto pw ...' directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later, or Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. 
* Buffer overflow in ctl_putdata() References: Sec 2668 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. * Buffer overflow in configure() References: Sec 2669 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. * receive(): missing return on error References: Sec 2670 / CVE-2014-9296 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score becomes 7.5. 
Mitigation: Upgrade to 4.2.8, or later, or Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. See http://support.ntp.org/security for more information. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.18 2014/02/18 22:18:48 joerg Exp $ d3 3 a5 3 SHA1 (ntp-4.2.8.tar.gz) = 6d1c017a8a0e97d5cf8bf4e5e38333973ffd22d5 RMD160 (ntp-4.2.8.tar.gz) = d68edfca4dd65ccca8ccc40a90b0ec1110982dc3 Size (ntp-4.2.8.tar.gz) = 6750364 bytes a7 1 SHA1 (patch-ntpd_ntp__io.c) = 261e35988107de1c49d1723eb47de9c50a1642ae @ 1.19.2.1 log @Pullup ticket #4649 - requested by bsiegert net/ntp4: security update Revisions pulled up: - net/ntp4/Makefile 1.84 - net/ntp4/PLIST 1.17 - net/ntp4/distinfo 1.20 - net/ntp4/patches/patch-ntpd_ntp__io.c deleted --- Module Name: pkgsrc Committed By: bsiegert Date: Sat Mar 21 20:49:28 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Removed Files: pkgsrc/net/ntp4/patches: patch-ntpd_ntp__io.c Log Message: SECURITY: Update ntpd to 4.2.8p1. * [Sec 2671] vallen in extension fields are not validated. * [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.20 2015/03/21 20:49:28 bsiegert Exp $ d3 3 a5 3 SHA1 (ntp-4.2.8p1.tar.gz) = 1e6d8894bbd3456bd71aa890b02f802f2e611e86 RMD160 (ntp-4.2.8p1.tar.gz) = f61569230e876faf9271607aff9dcbd242ea4f69 Size (ntp-4.2.8p1.tar.gz) = 6791852 bytes d8 1 @ 1.18 log @Restrict the explicit -lgcc_s to Linux as the comment indicates where it is aimed at. 
@ text @d1 1 a1 1 $NetBSD: distinfo,v 1.17 2014/01/12 17:01:02 spz Exp $ d3 3 a5 3 SHA1 (ntp-dev-4.2.7p410.tar.gz) = d93719047fdd9e67287edaabb1653735ffaf28f3 RMD160 (ntp-dev-4.2.7p410.tar.gz) = 309f7c6ba088b9c4ac0b2bd018ea3918fb837d4f Size (ntp-dev-4.2.7p410.tar.gz) = 6334536 bytes d7 3 a9 2 SHA1 (patch-configure) = a244467f886a8fedfa7a84864898fa6d84e0a6a3 SHA1 (patch-sntp_configure) = c0c3d8bc9a23f3ef3ecfc369298df71f0da55943 @ 1.17 log @update to ntp latest dev version to deal with CVE-2013-5211 (amplification attacks using monlist queries) tickadj for Solaris is a guess (and probably version dependent) the bulk builds will tell :) @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.16 2009/12/21 14:48:21 tnn Exp $ d7 2 @ 1.16 log @patch-aa: fix copy-paste error patch-ab: don't install man1/sntp.1 twice @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.15 2009/12/21 14:19:58 tnn Exp $ d3 5 a7 5 SHA1 (ntp-4.2.4p8.tar.gz) = 0aa9bd4f451a35586843ccd5eb8391f061beb960 RMD160 (ntp-4.2.4p8.tar.gz) = 63e684b1f92b93a7d972706286c335abcceb54bd Size (ntp-4.2.4p8.tar.gz) = 3389646 bytes SHA1 (patch-aa) = 57f3173b9b7a6918d7146162d9878ba84e730245 SHA1 (patch-ab) = 9d4deb7ecd26053cc40228ecc57d23bbc26acc85 @ 1.15 log @fix build with glibc-2.10.1+ patch from gentoo bug 270483 @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2009/12/15 10:53:20 tnn Exp $ d6 2 a7 1 SHA1 (patch-aa) = e9b592d4ab1cb939cfe89d4d62f7d00b02acd121 @ 1.14 log @Update to ntp-4.2.4p8. Security fix for CVE-2009-3563 DoS vulnerability. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.13 2009/09/06 10:20:21 tnn Exp $ d6 1 @ 1.13 log @NTP 4.2.4p7, 2009/05/04 Focus: Security and Bug Fixes Severity: HIGH This release fixes the following high-severity vulnerability: * [Sec 1151] Remote exploit if autokey is enabled. CVE-2009-1252 See http://support.ntp.org/security for more information. 
If autokey is enabled (if ntp.conf contains a "crypto pw whatever" line) then a carefully crafted packet sent to the machine will cause a buffer overflow and possible execution of injected code, running with the privileges of the ntpd process (often root). Credit for finding this vulnerability goes to Chris Ries of CMU. This release fixes the following low-severity vulnerabilities: * [Sec 1144] limited (two byte) buffer overflow in ntpq. CVE-2009-0159 Credit for finding this vulnerability goes to Geoff Keating of Apple. * [Sec 1149] use SO_EXCLUSIVEADDRUSE on Windows Credit for finding this issue goes to Dave Hart. This release fixes a number of bugs and adds some improvements: * Improved logging * Fix many compiler warnings * Many fixes and improvements for Windows * Adds support for AIX 6.1 * Resolves some issues under MacOS X and Solaris @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.12 2009/01/26 20:06:15 kefren Exp $ d3 3 a5 3 SHA1 (ntp-4.2.4p7.tar.gz) = 8476f75daffe9851cc6f33d170902bce77637499 RMD160 (ntp-4.2.4p7.tar.gz) = 11d69176c8cb4b95f7e9f468c37ab8fc53a28876 Size (ntp-4.2.4p7.tar.gz) = 3382146 bytes @ 1.13.2.1 log @Pullup ticket 2949 - requested by tnn security update Revisions pulled up: - pkgsrc/net/ntp4/Makefile 1.66 - pkgsrc/net/ntp4/distinfo 1.14 ------------------------------------------------------------------------- Module Name: pkgsrc Committed By: tnn Date: Tue Dec 15 10:53:21 UTC 2009 Modified Files: pkgsrc/net/ntp4: Makefile distinfo Log Message: Update to ntp-4.2.4p8. Security fix for CVE-2009-3563 DoS vulnerability. To generate a diff of this commit: cvs rdiff -u -r1.65 -r1.66 pkgsrc/net/ntp4/Makefile cvs rdiff -u -r1.13 -r1.14 pkgsrc/net/ntp4/distinfo @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.14 2009/12/15 10:53:20 tnn Exp $ d3 3 a5 3 SHA1 (ntp-4.2.4p8.tar.gz) = 0aa9bd4f451a35586843ccd5eb8391f061beb960 RMD160 (ntp-4.2.4p8.tar.gz) = 63e684b1f92b93a7d972706286c335abcceb54bd Size (ntp-4.2.4p8.tar.gz) = 3389646 bytes @ 1.12 log @Update to 4.2.4p6. 
Highlights from 4.2.4p4: * fix CVE-2009-0021 * fix build against latest OpenSSL versions * obsolete "dynamic" keyword * fix memory leak when fetching system messages * several fixes in ntpdate @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.11 2008/06/08 04:53:27 obache Exp $ d3 3 a5 3 SHA1 (ntp-4.2.4p6.tar.gz) = ad4b068cc03ce346a6276ed6b31c026b6ffc3d92 RMD160 (ntp-4.2.4p6.tar.gz) = d3853bdd593b49c435ec19b95066097ef5e71acc Size (ntp-4.2.4p6.tar.gz) = 3443787 bytes @ 1.11 log @Update ntp to 4.2.4p4. --- (4.2.4p4) Released by Harlan Stenn * [Bug 902] Fix problems with the -6 flag. * Updated include/copyright.def (owner and year). * [Bug 878] Avoid ntpdc use of refid value as unterminated string. * [Bug 881] Corrected display of pll offset on 64bit systems. * [Bug 886] Corrected sign handling on 64bit in ntpdc loopinfo command. * [Bug 889] avoid malloc() interrupted by SIGIO risk * ntpd/refclock_parse.c: cleanup shutdown while the file descriptor is still open. * [Bug 885] use emalloc() to get a message at the end of the memory unsigned types cannot be less than 0 default_ai_family is a short lose trailing , from enum list clarify ntp_restrict.c for easier automated analysis * [Bug 884] don't access recv buffers after having them passed to the free list. * [Bug 882] allow loopback interfaces to share addresses with other interfaces. --- (4.2.4p3) Released by Harlan Stenn * [Bug 863] unable to stop ntpd on Windows as the handle reference for events changed --- (4.2.4p2) Released by Harlan Stenn * [Bug 854] Broadcast address was not correctly set for interface addresses * [Bug 829] reduce syslog noise, while there fix Enabled/Disable logging to reflect the actual configuration. * [Bug 795] Moved declaration of variable to top of function. * [Bug 789] Fix multicast client crypto authentication and make sure arriving multicast packets do not disturb the autokey dance. 
* [Bug 785] improve handling of multicast interfaces (multicast routers still need to run a multicast routing software/daemon) * [Bug 527] Don't write from source address length to wrong location * Upgraded autogen and libopts. * [Bug 811] ntpd should not read a .ntprc file. --- (4.2.4p1) (skipped) --- (4.2.4p0) Released by Harlan Stenn * [Bug 793] Update Hans Lambermont's email address in ntpsweep. * [Bug 776] Remove unimplemented "rate" flag from ntpdate. * [Bug 586] Avoid lookups if AI_NUMERICHOST is set. * [Bug 770] Fix numeric parameters to ntp-keygen (Alain Guibert). * [Bug 768] Fix io_setbclient() error message. * [Bug 765] Use net_bind_service capability on linux. * [Bug 760] The background resolver must be aware of the 'dynamic' keyword. * [Bug 753] make union timestamp anonymous (Philip Prindeville). * confopt.html: move description for "dynamic" keyword into the right section. * pick the right type for the recv*() length argument. --- (4.2.4) Released by Harlan Stenn * monopt.html fixes from Dave Mills. * [Bug 452] Do not report kernel PLL/FLL flips. * [Bug 746] Expert mouseCLOCK USB v2.0 support added. * driver8.html updates. * [Bug 747] Drop tags from ntpdc.html. * sntp now uses the returned precision to control decimal places. * sntp -u will use an unprivileged port for its queries. * [Bug 741] "burst" doesn't work with !unfit peers. * [Bug 735] Fix a make/gmake VPATH issue on Solaris. * [Bug 739] ntpd -x should not take an argument. * [Bug 737] Some systems need help providing struct iovec. * [Bug 717] Fix libopts compile problem. * [Bug 728] parse documentation fixes. * [Bug 734] setsockopt(..., IP_MULTICAST_IF, ...) fails on 64-bit platforms. * [Bug 732] C-DEX JST2000 patch from Hideo Kuramatsu. * [Bug 721] check for __ss_family and __ss_len separately. * [Bug 666] ntpq opeers displays jitter rather than dispersion. * [Bug 718] Use the recommended type for the saddrlen arg to getsockname(). * [Bug 715] Fix a multicast issue under Linux. 
* [Bug 690] Fix a Windows DNS lookup buffer overflow. * [Bug 670] Resolved a Windows issue with the dynamic interface rescan code. * K&R C support is being deprecated. * [Bug 714] ntpq -p should conflict with -i, not -c. * WWV refclock improvements from Dave Mills. * [Bug 708] Use thread affinity only for the clock interpolation thread. * [Bug 706] ntpd can be running several times in parallel. * [Bug 704] Documentation typos. * [Bug 701] coverity: NULL dereference in ntp_peer.c * [Bug 695] libopts does not protect against macro collisions. * [Bug 693] __adjtimex is independent of ntp_{adj,get}time. * [Bug 692] sys_limitrejected was not being incremented. * [Bug 691] restrictions() assumption not always valid. * [Bug 689] Deprecate HEATH GC-1001 II; the driver never worked. * [Bug 688] Fix documentation typos. * [Bug 686] Handle leap seconds better under Windows. * [Bug 685] Use the Windows multimedia timer. * [Bug 684] Only allow debug options if debugging is enabled. * [Bug 683] Use the right version string. * [Bug 680] Fix the generated version string on Windows. * [Bug 678] Use the correct size for control messages. * [Bug 677] Do not check uint_t in configure.ac. * [Bug 676] Use the right value for msg_namelen. * [Bug 675] Make sure ntpd builds without debugging. * [Bug 672] Fix cross-platform structure padding/size differences. * [Bug 660] New TIMESTAMP code fails to build on Solaris Express. * [Bug 659] libopts does not build under Windows. * [Bug 658] HP-UX with cc needs -Wp,-H8166 in CFLAGS. * [Bug 656] ntpdate doesn't work with multicast address. * [Bug 638] STREAMS_TLI is deprecated - remove it. * [Bug 635] Fix tOptions definition. * [Bug 628] Fallback to ntp discipline not working for large offsets. * [Bug 622] Dynamic interface tracking for ntpd. * [Bug 603] Don't link with libelf if it's not needed. * [Bug 523] ntpd service under Windows doesn't shut down properly. * [Bug 500] sntp should always be built. * [Bug 479] Fix the -P option. 
* [Bug 421] Support the bc637PCI-U card. * [Bug 342] Deprecate broken TRAK refclock driver. * [Bug 340] Deprecate broken MSF EES refclock driver. * [Bug 153] Don't do DNS lookups on address masks. * [Bug 143] Fix interrupted system call on HP-UX. * [Bug 42] Distribution tarballs should be signed. * Support separate PPS devices for PARSE refclocks. * [Bug 637, 51?] Dynamic interface scanning can now be done. * Options processing now uses GNU AutoGen. --- (4.2.2p4) Released by Harlan Stenn * [Bug 710] compat getnameinfo() has off-by-one error * [Bug 690] Buffer overflow in Windows when doing DNS Lookups --- (4.2.2p3) Released by Harlan Stenn * Make the ChangeLog file cleaner and easier to read * [Bug 601] ntpq's decodeint uses an extra level of indirection * [Bug 657] Different OSes need different sized args for IP_MULTICAST_LOOP * release engineering/build changes * Documentation fixes * Get sntp working under AIX-5 --- (4.2.2p2) (broken) * Get sntp working under AIX-5 --- (4.2.2p1) * [Bug 661] Use environment variable to specify the base path to openssl. * Resolve an ambiguity in the copyright notice * Added some new documentation files * URL cleanup in the documentation * [Bug 657]: IP_MULTICAST_LOOP uses a u_char value/size * quiet gcc4 complaints * more Coverity fixes * [Bug 614] manage file descriptors better * [Bug 632] update kernel PPS offsets when PPS offset is re-configured * [Bug 637] Ignore UP in*addr_any interfaces * [Bug 633] Avoid writing files in srcdir * release engineering/build changes --- (4.2.2) * SNTP * Many bugfixes * Implements the current "goal state" of NTPv4 * Autokey improvements * Much better IPv6 support * [Bug 360] ntpd loses handles with LAN connection disabled. * [Bug 239] Fix intermittent autokey failure with multicast clients. 
* Rewrite of the multicast code * New version numbering scheme @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.10 2005/09/10 10:43:42 adrianp Exp $ d3 3 a5 3 SHA1 (ntp-4.2.4p4.tar.gz) = 886a7c6819c148cc1f832d43a3446526488b1b5e RMD160 (ntp-4.2.4p4.tar.gz) = b5667d72e970ddb66b3a4e09bddcb713c7e743f0 Size (ntp-4.2.4p4.tar.gz) = 3436148 bytes @ 1.11.10.1 log @Pullup ticket #2657 - requested by ntp4: security update Revisions pulled up: - net/ntp4/Makefile 1.59 - net/ntp4/distinfo 1.12 --- Module Name: pkgsrc Committed By: kefren Date: Mon Jan 26 20:06:15 UTC 2009 Modified Files: pkgsrc/net/ntp4: Makefile distinfo Log Message: Update to 4.2.4p6. Highlights from 4.2.4p4: * fix CVE-2009-0021 * fix build against latest OpenSSL versions * obsolete "dynamic" keyword * fix memory leak when fetching system messages * several fixes in ntpdate @ text @d1 1 a1 1 $NetBSD$ d3 3 a5 3 SHA1 (ntp-4.2.4p6.tar.gz) = ad4b068cc03ce346a6276ed6b31c026b6ffc3d92 RMD160 (ntp-4.2.4p6.tar.gz) = d3853bdd593b49c435ec19b95066097ef5e71acc Size (ntp-4.2.4p6.tar.gz) = 3443787 bytes @ 1.10 log @Update nb6->nb7 for security fix: http://secunia.com/advisories/16602/ @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.9 2005/02/24 12:13:57 agc Exp $ d3 3 a5 4 SHA1 (ntp-4.2.0.tar.gz) = 38343a4ebfc0b8d9aff3bec4c6a93f4c59071ce3 RMD160 (ntp-4.2.0.tar.gz) = 73de5671ea583f6699c8052ea9f8270a8455c295 Size (ntp-4.2.0.tar.gz) = 2514502 bytes SHA1 (patch-aa) = 6a6825604de9345001731c7d8b728f56602f15cc @ 1.9 log @Add RMD160 digests. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.8 2003/10/24 04:52:26 fredb Exp $ d6 1 @ 1.8 log @Update to ntp 4.2.0. All platforms: Autokey, using OpenSSL. IPv6 support. Bugfixes in loopfilter and refclocks. NetBSD: Support for editline command line editing in "ntpq" and "ntpdc". NetBSD-current: Use nanosecond resolution POSIX timers. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.7 2002/07/16 14:57:08 fredb Exp $ d4 1 @ 1.7 log @Update to 4.1.1a. 
Add drivers for TrueTime 560 IRIG-B decoder and Zyfer GPStarplus, minor documentation updates. @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.6 2002/02/28 13:51:24 fredb Exp $ d3 2 a4 2 SHA1 (ntp-4.1.1a.tar.gz) = a55ae3ae3aed8d8a37651bfa7b63dc622a33a52a Size (ntp-4.1.1a.tar.gz) = 2023986 bytes @ 1.6 log @Update to ntp-4.1.1. From the "NEWS" file: * Lose the source port check on incoming packets * (x)ntpdc compatibility patch * Virtual IP improvements * ntp_loopfilter fixes and improvements * ntpdc improvements * GOES refclock fix * JJY driver * bsdi port fixes * HP MPE/iX port * Win/NT port upgrade * Dynix PTX port fixes * Document conversion from CVS to BK * readline support for ntpq @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.5 2001/08/14 17:55:18 fredb Exp $ d3 2 a4 2 SHA1 (ntp-4.1.1.tar.gz) = 1759f1023df960a78d9c3f56039fda8ce86cb4b4 Size (ntp-4.1.1.tar.gz) = 2019495 bytes @ 1.5 log @Add missing "-u" flag to ntpdate usage message. Culled from NetBSD-current. [Committed by Hubert Feyrer.] @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.4 2001/08/14 06:10:41 fredb Exp $ d3 2 a4 3 SHA1 (ntp-4.1.0.tar.gz) = 9f68b2ed84f6424b3fa09a81657d60223b10f31a Size (ntp-4.1.0.tar.gz) = 1991312 bytes SHA1 (patch-aa) = 0f7b51ff56c1af049ba9bb6f747ba7995361dc65 @ 1.4 log @Finally! NTP 4.1.0 is released. Very few changes from 4.0.99m-rc3 (excerpts from the "ChangeLog" file below). Also, this NetBSD package now installs the HTML docs into "/usr/pkg/share/doc/html". * ntpd/refclock_oncore.c (oncore_start): Set pps_enable=1, just like the atom driver does. From: reg@@dwf.com * ntpd/refclock_nmea.c (nmea_ppsapi): Set pps_enable=1, just like the atom driver does. From: Scott Allendorf * ntpd/ntp_config.c (getconfig): CONF_CLOCK_PANIC was using the wrong config flag. From: @ text @d1 1 a1 1 $NetBSD: distinfo,v 1.3 2001/07/12 16:24:58 fredb Exp $ d5 1 @ 1.3 log @Update to latest release candidate, ntp-4.0.99m-rc3. 
Continued refinements since 4.0.99k, a new feature -- an experimental "huff-n-puff" filter (optionally enabled in /etc/ntp.conf) -- which discards samples with the highest delays, and new drivers for: Forum Graphic GPS, WWV/H, Heath GC-100 II, HOPF serial and PCI, ONCORE, ulink331. Drop the package's requirement for GNU readline. It turns out that command line editing in "ntpq" is not all that useful, as you can always let your shell recall "ntpq -c ". @ text @d1 1 a1 1 $NetBSD$ d3 2 a4 2 SHA1 (ntp-4.0.99m-rc3.tar.gz) = 967ff44db1e262e83f7a918601a732e2c9d00edf Size (ntp-4.0.99m-rc3.tar.gz) = 1991434 bytes @ 1.2 log @Move to sha1 checksum, and/or add distfile sizes. @ text @d3 2 a4 3 SHA1 (ntp-4.0.99k.tar.gz) = c79b1cefa321ff2827c5863f38ef16ba55b3d946 Size (ntp-4.0.99k.tar.gz) = 1961418 bytes SHA1 (patch-aa) = 2ba2b21de71a6855e4290aa8a0ab96216e156937 @ 1.1 log @+ move the distfile digest/checksum value from files/md5 to distinfo + move the patch digest/checksum values from files/patch-sum to distinfo @ text @d1 1 a1 1 $NetBSD: md5,v 1.9 2000/08/18 19:39:54 fredb Exp $ d3 2 a4 1 MD5 (ntp-4.0.99k.tar.gz) = 6335d5b9b04a2d4670c4eed7300cdb82 @
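Review bot: the distinfo deltas that deliver the security updates (for example the ntp-4.2.8p2.tar.gz, ntp-4.2.8p1.tar.gz and ntp-4.2.8.tar.gz entries) pin each distfile with SHA1 and RMD160 only, and the patch-* entries with SHA1 alone. Since these revisions exist to ship security fixes, record a stronger digest such as SHA512 next to the existing lines so that distfile verification does not rest on SHA1. The pullup deltas 1.20.2.1 and 1.11.10.1 also carry an unexpanded `$NetBSD$` keyword on their first line, which is worth confirming as intended for branch commits.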