The NTP Project at Network Time Foundation publicly released ntp-4.2.8p15 on Tuesday, 23 June 2020.
This release fixes one security issue in ntpd and provides 13 bugfixes:
MEDIUM: Sec 3661: Memory leak with CMAC keys
Systems that use a CMAC algorithm in ntp.keys will not release a bit of memory on each packet that uses a CMAC key, eventually causing ntpd to run out of memory and fail. The CMAC cleanup from ntp-4.2.8p11 and ntp-4.3.97 introduced a bug whereby the CMAC data structure was no longer completely removed.
ENotifications of these issues were delivered to NTP Institutional Members on a rolling basis as they were reported and as progress was made. Timeline:
2020 Jun 23: Public release
2020 Apr 12: First Release to Advance Security Partners
2020 Apr 07: Notification to Institutional Members
2020 Apr 01: Notification from reporter