Network Time Foundation Publishes NTP 4.2.8-p10

Network Time Foundation publishes NTP 4.2.8p10, with security, bug and information fixes, and enhancements

The Mozilla Foundation conducted a security audit of the NTP codebase as part of its Secure Open Source (SOS) program.
This release addresses the issues found, along with a zero-origin security bug.

NTF’s Network Time Protocol (NTP) Project released ntp-428p10 on 21 March 2016. This latest version addresses the following:

  • 6 MEDIUM security vulnerabilities
  • 4 LOW security vulnerabilities
  • 5 INFORMATIONAL security vulnerabilities
  • 15 non-security fixes and improvements

All of the security issues in the release are included in VU#325539. All of the bugs discovered by Cure53 come from Pentest report 01.2017.

Security Informational fixes:

  • Sec 3386: ntpq_stripquotes() returns incorrect Value
    • Reported by Cure53.
  • Sec 3385: ereallocarray()/eallocarray() underused
    • Reported by Cure53.
  • Sec 3381: Copious amounts of Unused Code
    • Reported by Cure53.
  • Sec 3380: Off-by-one in Oncore GPS Receiver
    • Reported by Cure53.
  • Sec 3376: Makefile does not enforce Security Flags
    • Reported by Cure53.

Timeline:

  • 2017Mar21 – Public Release
  • 2017Mar13 – CERT Notified
  • 2017Mar06 – All of NTF’s NTP Consortium members were notified. Partner and Premier levels received access to the patches as well
  • 2017Feb010 – Mozilla/Cure53 completed audit received

To get a copy of ntp-4.2.8p10, please visit our downloads page.

Please review our NTF Security Policy and Procedure page for details on this latest announcement as well as our security patch policy, issue reporting instructions and past security advisories.

We wish to thank the Mozilla Foundation for funding this audit of the NTP codebase. We would have preferred to give much more notice to our members and CERT; however, NTF’s NTP project remains severely under-funded. We sincerely appreciate the support of our members and donors; much more support is needed to continue to improve NTP, complete the Network Time Security (NTS) project, continue our standards work, improve documentation, start on the General Timestamp API and so much more. If accurate, secure time is important to you or your organization, help us help you: Donate today or become a member. Thank you!

 
