File-size: 4322055 bytes
MD5 sum: 4d64a99592b818aa9419fc9dcb149746
Focus: Security Fixes
Severity: HIGH

This release includes numerous enhancements, updates, and bugfixes
applied during the last development cycle and fixes the following
high-severity vulnerability:

* [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
  http://bugs.ntp.org/1331

See http://support.ntp.org/security for more information.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control
utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine
NTP time transfers use modes 1 through 5. Upon receipt of an incorrect
mode 7 request or a mode 7 error response from an address which is not
listed in a "restrict ... noquery" or "restrict ... ignore" statement,
ntpd will reply with a mode 7 error response (and log a message). In
this case:

* If an attacker spoofs the source address of ntpd host A in a mode 7
  response packet sent to ntpd host B, both A and B will continuously send
  each other error responses, for as long as those packets get through.

* If an attacker spoofs an address of ntpd host A in a mode 7 response
  packet sent to ntpd host A, A will respond to itself endlessly,
  consuming CPU and logging excessively.
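
An added example, not part of the original announcement or the NTP Project's code: detection logic for the two loop scenarios above, run over captured UDP port 123 payloads. The addresses, sample payloads, helper names and the `threshold` value are constructed for illustration; the response bit (0x80 of the first byte) follows the mode 7 header layout in ntpd's ntp_request.h.

```python
from collections import Counter

MODE_PRIVATE = 7  # mode used by ntpdc, per the advisory
RESP_BIT = 0x80   # byte 0, top bit: set on mode 7 responses

def ntp_mode(payload):
    """NTP mode = low three bits of the first byte; None for an empty payload."""
    return payload[0] & 0x07 if payload else None

def is_mode7_response(payload):
    return ntp_mode(payload) == MODE_PRIVATE and bool(payload[0] & RESP_BIT)

def find_mode7_loops(packets, threshold=3):
    """packets: (src, dst, udp_payload) tuples taken from UDP port 123 traffic.
    Returns sorted (host_a, host_b, count) for hosts exchanging mode 7
    responses in both directions, or a host sending them to itself."""
    counts = Counter()
    for src, dst, payload in packets:
        if is_mode7_response(payload):
            counts[(src, dst)] += 1
    findings = []
    for (src, dst), n in counts.items():
        if src == dst:
            if n >= threshold:
                findings.append((src, dst, n))
        elif src < dst:  # visit each unordered pair once
            back = counts.get((dst, src), 0)
            if n >= threshold and back >= threshold:
                findings.append((src, dst, n + back))
    return sorted(findings)

def _pkt(first_byte):
    return bytes([first_byte]) + bytes(7)  # constructed: header byte plus padding

# Constructed sample traffic (documentation address ranges).
SAMPLE = (
    [("203.0.113.7", "192.0.2.10", _pkt(0x23)),   # mode 3 client request
     ("192.0.2.10", "203.0.113.7", _pkt(0x24)),   # mode 4 server reply
     ("203.0.113.9", "192.0.2.10", _pkt(0x17)),   # ntpdc request (mode 7, R=0)
     ("192.0.2.10", "203.0.113.9", _pkt(0x97))]   # its one-way response
    + [("192.0.2.10", "192.0.2.20", _pkt(0x97)),
       ("192.0.2.20", "192.0.2.10", _pkt(0x97))] * 3      # A <-> B ping-pong
    + [("198.51.100.5", "198.51.100.5", _pkt(0x97))] * 3  # host answering itself
)

if __name__ == "__main__":
    for a, b, n in find_mode7_loops(SAMPLE):
        print(f"mode 7 response loop: {a} <-> {b} ({n} packets)")
```

A normal ntpdc exchange produces responses in one direction only, so it is not reported; only bidirectional or self-addressed response traffic is.
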
Credit for finding this vulnerability goes to Robin Park and Dmitri
Vinokurov of Alcatel-Lucent.

THIS IS A STRONGLY RECOMMENDED UPGRADE.

The complete ChangeLog is available at
http://archive.ntp.org/ntp4/ChangeLog-stable

Please report any bugs, issues, or desired enhancements at
http://bugs.ntp.org/.

NTP is a protocol designed to synchronize the clocks of computers over a
network.

The NTP (Network Time Protocol) Public Services Project, which is
hosted by Internet Systems Consortium, Inc. (http://www.isc.org/),
provides support and additional development resources for the
Reference Implementation of NTP produced by the NTP Project
(http://www.ntp.org/).

##########################################################################
# Send submissions for comp.os.linux.announce to: co...@stump.algebra.com #
# PLEASE remember a short description of the software and the LOCATION. #
# This group is archived at http://stump.algebra.com/~cola/ #
##########################################################################