Network Time Foundation Publishes NTP 4.2.8p12

August 14, 2018 by Steve Sullivan

This release improves on one security issue in ntpd:

  • LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / CVE-2018-7170: Sybil vulnerability: ephemeral association attack

    • While fixed in ntp-4.2.8p7 and with significant additional protections for this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in the new noepeer support.

    • Originally reported by Matt Van Gundy of Cisco. Edge-case hole reported by Martin Burnicki of Meinberg.

one security issue in ntpq and ntpdc:

  • LOW: Sec 3505 / CVE-2018-12327: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit.

    • Reported by Fakhri Zulkifli.

and provides 27 bugfixes and 4 other improvements.

E-Notification of these issues was delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

  • 2018 Aug 14: Public release

  • 2018 Jul 25: Release to Advance Security Partners
