Network Time Foundation Publishes NTP 4.2.8p9

Network Time Foundation publishes NTP 4.2.8p9, with security fixes, bug fixes, and enhancements

NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p9 on 21 November 2016, its first update since ntp-4.2.8p8 was released in June 2016. The latest version addresses the following:

  • 1 HIGH severity vulnerability that only affects Windows
  • 2 MEDIUM severity vulnerabilities
  • 2 MEDIUM/LOW severity vulnerabilities
  • 5 LOW severity vulnerabilities
  • 28 non-security fixes and improvements

All of the security issues in this release are covered by CERT/CC Vulnerability Note VU#633847.

  • Sec 3119 / CVE-2016-9311: Trap crash
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3118 / CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3114 / CVE-2016-7427: Broadcast Mode Replay Prevention DoS
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3113 / CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3110 / CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
    • Reported by Robert Pajak of ABB.
  • Sec 3102 / CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
    • Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
  • Sec 3082 / CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
    • Reported by Magnus Stubman.
  • Sec 3072 / CVE-2016-7429: Interface selection attack
    • Reported by Miroslav Lichvar of Red Hat.
  • Sec 3071 / CVE-2016-7426: Client rate limiting and server responses
    • Reported by Miroslav Lichvar of Red Hat.
  • Sec 3067 / CVE-2016-7433: Reboot sync calculation problem
    • Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.
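A check a practitioner will want after reading the list above is whether a given host actually runs the fixed release. The following is an added example, not NTF code and not part of the original announcement. It assumes the version string format that ntpd prints ("ntpd 4.2.8p9@..." from "ntpd --version", also returned by "ntpq -c rv" in its version="..." variable), treats a missing "pN" suffix as patch level 0 and a "-RCn" tag as older than the corresponding final release, and only gives a verdict for the 4.2 stable line; the sample strings at the bottom are constructed, not captured from a real host.

```python
"""Decide whether an ntpd version string is at or past ntp-4.2.8p9.

Added example; not Network Time Foundation code. Assumes the version
string format ntpd itself prints, e.g. "ntpd 4.2.8p9@1.0000-o ...".
"""
import re
from typing import Optional, Tuple

# The release announced above: major, minor, micro, patch level.
FIXED_RELEASE = (4, 2, 8, 9)

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)"   # major.minor.micro, e.g. 4.2.8
    r"(?:p(\d+))?"           # optional patch level, e.g. p9
    r"(-RC\d+)?"             # optional release-candidate tag, e.g. -RC1
)


def parse_ntp_version(text: str) -> Optional[Tuple[int, int, int, int, bool]]:
    """Return (major, minor, micro, patch, is_final), or None if no version is present.

    "4.2.8" is read as patch level 0; a "-RCn" tag marks a pre-release (is_final=False).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro = (int(x) for x in m.group(1, 2, 3))
    patch = int(m.group(4)) if m.group(4) else 0
    is_final = m.group(5) is None
    return (major, minor, micro, patch, is_final)


def is_fixed(text: str) -> Optional[bool]:
    """True if the version is 4.2.8p9 or later, False if older.

    Returns None when the string carries no version or is not on the 4.2
    stable line (e.g. a 4.3.x development snapshot), since a plain tuple
    comparison says nothing useful about those builds.
    """
    parsed = parse_ntp_version(text)
    if parsed is None:
        return None
    major, minor, micro, patch, is_final = parsed
    if (major, minor) != FIXED_RELEASE[:2]:
        return None
    # An RC of release X sorts just below the final X, so 4.2.8p9-RC1 is
    # still "not fixed" while 4.2.8p10-RC1 already is.
    return (micro, patch, is_final) >= (FIXED_RELEASE[2], FIXED_RELEASE[3], True)


if __name__ == "__main__":
    # Constructed sample strings in ntpd's output format (build ids are placeholders).
    samples = [
        "ntpd 4.2.8p9@1.0000-o Mon Nov 21 00:00:00 UTC 2016 (1)",
        "ntpd 4.2.8p8@1.0000-o",
        "ntpd 4.2.6p5@1.0000-o",
        'version="ntpd 4.2.8p9-RC1@1.0000-o"',
        "ntpd 4.3.94@1.0000-o",
    ]
    for sample in samples:
        print(f"{sample!r} -> fixed={is_fixed(sample)}")
```

Feed it the string from "ntpq -c rv" on each host you are responsible for; a False means the host still runs a release covered by VU#633847, and a None means you need to look at the build by hand. Note that the check speaks only to the version, not to how ntpd is configured.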

Timeline:

  • 20161121 Public release
  • 20161118 Updated NEWS file
  • 20161115 CERT notified
  • 20161114 NTP Consortium Partner and Premier level members received access to patches

To get a copy of ntp-4.2.8p9, please visit our download page.

Please review our NTF Security Policy and Procedure page for details on this latest announcement as well as our security patch policy, issue reporting instructions, and past security advisories.

We would have preferred to give much more notice to our members and CERT; however, NTF’s NTP project remains severely under-funded. Google was unable to sponsor us this year and, currently, the Linux Foundation’s Core Infrastructure Initiative only supports Harlan for about 25% of his hours per week and is restricted to NTP development only. We sincerely appreciate the support of our members and donors; much more support is needed to continue to improve NTP, complete the Network Time Security (NTS) project, continue our standards work, improve documentation, start on the General Timestamp API, and so much more. If accurate, secure time is important to you or your organization, help us help you: donate today or become a member. Thank you!
