Commit Graph

60 Commits

Author SHA1 Message Date
delphij
a3a54e251a MFV r298691:
ntp 4.2.8p7.

Security:	CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security:	CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security:	CVE-2016-2519
Security:	FreeBSD-SA-16:16.ntp
With hat:	so
2016-04-27 07:46:38 +00:00
gjb
2ce876c7ed Remove the RCSID line from ntp_control.c, and set the fbsd:nokeywords
property.  This should have been done a while back (certainly before
mergeing projects/release-pkg to head), but I fixed the merge conflicts
and forgot to correct the real problem afterward.

Noticed by:	peter
Sponsored by:	The FreeBSD Foundation
2016-04-16 18:10:11 +00:00
gjb
ead3a2f824 MFH
Sponsored by:	The FreeBSD Foundation
2016-01-25 14:13:28 +00:00
delphij
51765b7c6f MFV r294491: ntp 4.2.8p6.
Security:	CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security:	CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security:	CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security:	CVE-2015-8140, CVE-2015-8158
With hat:	so
2016-01-22 07:32:39 +00:00
gjb
c036d05fd1 MFH
Sponsored by:	The FreeBSD Foundation
2016-01-12 01:23:45 +00:00
delphij
31ece5769d MFV r293415:
ntp 4.2.8p5

Reviewed by:	cy, roberto
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D4828
2016-01-08 15:53:48 +00:00
gjb
fe036cdd93 Fix another mis-merge.
Sponsored by:	The FreeBSD Foundation
2016-01-05 16:23:43 +00:00
gjb
ccde53b74b MFH r289384-r293170
Sponsored by:	The FreeBSD Foundation
2016-01-04 19:19:48 +00:00
glebius
9163b6ba3b MFV ntp-4.2.8p4 (r289715)
Security:       VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security:	CVE-2015-7871
Security:	CVE-2015-7855
Security:	CVE-2015-7854
Security:	CVE-2015-7853
Security:	CVE-2015-7852
Security:	CVE-2015-7851
Security:	CVE-2015-7850
Security:	CVE-2015-7849
Security:	CVE-2015-7848
Security:	CVE-2015-7701
Security:	CVE-2015-7703
Security:	CVE-2015-7704, CVE-2015-7705
Security:	CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security:	http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by:	Nginx, Inc.
2015-10-22 19:42:57 +00:00
bapt
b59c5e751e Merge from head 2015-09-12 11:41:31 +00:00
cy
4798ffa9e1 MFV ntp-4.2.8p3 (r284990).
Approved by:	roberto, delphij
Security:	VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security:	http://bugs.ntp.org/show_bug.cgi?id=2853
Security:	https://www.kb.cert.org/vuls/id/668167
Security:	http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi
2015-07-05 15:42:16 +00:00
bapt
fff6c6a5b7 Merge from HEAD 2015-05-07 23:18:23 +00:00
cy
1818eba70c MFV ntp 4.2.8p2 (r281348)
Reviewed by:    delphij (suggested MFC)
Approved by:	roberto
Security:       CVE-2015-1798, CVE-2015-1799
Security:       VuXML ebd84c96-dd7e-11e4-854e-3c970e169bc2
MFC after:	1 month
2015-05-04 04:45:59 +00:00
bapt
ef3b6ff94c Merge from HEAD 2015-04-03 23:23:09 +00:00
cy
9d7ef98623 Fix merge error.
Submitted by:	jkim
2015-04-03 10:20:59 +00:00
cy
523f37c374 Remove rednandt file.
Submitted by:	jkim
2015-04-03 10:17:36 +00:00
cy
4295db0989 Fix build. 2015-03-31 19:35:32 +00:00
cy
8560674afd MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)
Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by:	roberto
2015-03-30 13:30:15 +00:00
hiren
1ded1eb19e ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by:	ume
Reviewed by:	bz, gnn
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D1527
2015-01-14 23:34:00 +00:00
ume
33e4c06b11 Correct comparison of IPv6 wildcard address.
MFC after:	3 days
2015-01-08 07:47:39 +00:00
delphij
1149a2acc4 Fix multiple ntp vulnerabilities.
Reviewed by:	roberto (earlier revision), philip
Security:	CVE-2014-9293, CVE-2014-9294
Security:	CVE-2014-9295, CVE-2014-9296
Security:	FreeBSD-SA-14:31.ntp

Differential Revision: https://reviews.freebsd.org/D1343
2014-12-22 18:54:55 +00:00
delphij
de5f21bd59 Don't reply monlist request when it's not enabled.
No objection from:	roberto (but all bugs are mine)
MFC after:	2 weeks
2014-05-06 21:34:01 +00:00
delphij
fa7f47e2d5 Disable 'monitor' feature in ntpd by default.
Security:	FreeBSD-SA-14:02.ntpd
Approved by:	so
2014-01-14 18:59:00 +00:00
eadler
0af88b7eae Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in
share/mk/sys.mk instead.

This is part of a medium term project to permit deterministic builds of
FreeBSD.

Submitted by:	Erik Cederstrand <erik@cederstrand.dk>
Reviewed by:	imp, toolchain@
Approved by:	cperciva
MFC after:	2 weeks
2012-12-06 01:31:25 +00:00
emaste
ba92a7914a Remove extraneous log message
When ntp switched between PLL and FLL mode it produced a log message
"kernel time sync status change %04x".  This issue is reported in ntp
bug 452[1] which claims that this behaviour is normal and the log
message isn't necessary.  I'm not sure exactly when it was removed, but
it's gone in the latest ntp release (4.2.6p5).

[1] http://bugs.ntp.org/show_bug.cgi?id=452

Approved by:    roberto
2012-03-12 01:06:29 +00:00
bz
385c8843b3 In case ntp cannot resolve a hostname on startup it will queue the entry
for resolving by a child process that, upon success, will add the entry
to the config of the running running parent process.

Unfortunately there are a couple of bugs with this, fixed in various
later versions of upstream in potentially different ways due to other
code changes:

1) Upon server [-46] <FQDN> the [-46] are used as FQDN for later resolving
   which does not work.  Make sure we always pass the name (or IP there).

2) The intermediate file to carry the information to the child process
   does not know about -4/-6 restrictions, so that a dual-stacked host
   could resolve to an IPv6 address but that might be unreachable (see
   r223626) leading to no working synchronization ignoring a IPv4 record.
   Thus alter the intermediate format to also pass the address family
   (AF_UNSPEC (default), AF_INET or AF_INET6) to the child process
   depending on -4 or -6.

3) Make the child process to parse the new intermediate file format and
   save the address family for getaddrinfo() hints flags.

4) Change child to always reload resolv.conf calling res_init() before
   trying to resolve names.  This will pick up resolv.conf changes or
   new resolv.confs should they have not existed or been empty or
   unusable on ntp startup.  This fix is more conditional in upstream
   versions but given FreeBSD has res_init there is no need for the
   configure logic as well.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	9 days
2011-06-29 13:01:10 +00:00
bz
5eb4e348c8 Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by:	roberto
Sponsored by:	Sandvine Incorporated
MFC after:	1 week
2011-06-28 09:46:25 +00:00
bz
5cb7c50357 The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char.  For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
  on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by:	roberto
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
Filed as:	Bug 1936 on ntp.org
2011-05-29 07:40:48 +00:00
roberto
230e76b538 Merge 4.2.4p8 into contrib (r200452 & r200454).
Subversion is being difficult here so take a hammer and get it in.

MFC after:		2 weeks
Security:		CVE-2009-3563
2009-12-15 14:58:10 +00:00
ume
a3e767ede4 Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess.  It does away with an annoying
message.

Reviewed by:	bz, roberto
MFC after:	2 weeks
2009-12-01 16:07:50 +00:00
cperciva
632fa45574 Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09]

Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]

Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]

Approved by:	so (cperciva)
Approved by:	re (not really, but SVN wants this...)
Security:	FreeBSD-SA-09:09.pipe
Security:	FreeBSD-SA-09:10.ipv6
Security:	FreeBSD-SA-09:11.ntpd
2009-06-10 10:31:11 +00:00
simon
49eb227b50 Correct ntpd(8) cryptographic signature bypass [SA-09:04].
Correct BIND DNSSEC incorrect checks for malformed signatures
[SA-09:04].

Security:	FreeBSD-SA-09:03.ntpd
Security:	FreeBSD-SA-09:04.bind
Obtained from:	ISC [SA-09:04]
Approved by:	so (simon)
2009-01-13 21:19:27 +00:00
roberto
b85c7169a7 Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after:	2 weeks
2008-08-22 15:58:00 +00:00
roberto
4ded1c1fa0 Flatten the dist and various 4.n.n trees in preparation of future ntp imports. 2008-08-17 17:37:33 +00:00
roberto
bdb274fee2 Remove an extra '}'. 2004-07-20 15:51:00 +00:00
roberto
4155ac9f07 Merge conflicts (see also previous commit).
Reinsert our local changes to ntp_control.c:

1.4:    Do not log every potential exploit attempt since a denial-of-service
        may result
1.5:    int -> unsigned char fixes
2004-07-20 15:18:31 +00:00
roberto
cdfc2f45fe Revert this file to the vendor version, we don't need to have our own
version of it.  Will help further upgrades.
2004-07-20 15:15:00 +00:00
roberto
118e757284 Virgin import of ntpd 4.2.0 2004-07-20 15:01:56 +00:00
roberto
929f0d3746 This commit was generated by cvs2svn to compensate for changes in r132451,
which included commits to RCS files with non-trunk default branches.
2004-07-20 15:01:56 +00:00
roberto
ad0bca971a Merge conflicts.
MFC after:	1 month
2002-11-04 19:38:46 +00:00
roberto
a85d9ae25e Virgin import of ntpd 4.1.1b 2002-11-04 19:36:11 +00:00
roberto
8f8f22cd2a This commit was generated by cvs2svn to compensate for changes in r106424,
which included commits to RCS files with non-trunk default branches.
2002-11-04 19:36:11 +00:00
roberto
8d541346f2 Remove files not present in 4.1.1a import. 2002-10-29 20:11:45 +00:00
roberto
c3ce66cde9 Merge conflicts.
MFC after:	1 month
2002-10-29 20:04:27 +00:00
roberto
f77146900e Virgin import of ntpd 4.1.1a 2002-10-29 19:58:12 +00:00
roberto
a925fb398b This commit was generated by cvs2svn to compensate for changes in r106163,
which included commits to RCS files with non-trunk default branches.
2002-10-29 19:58:12 +00:00
roberto
8a8eed52b9 Merge after 4.1.0 import. 2001-08-29 15:15:59 +00:00
roberto
fc8a76dcfc Redo the int -> unsigned changes jedgar did. It should have been submitted
back but it was off the vendor branch anyway so...
2001-08-29 15:01:06 +00:00
roberto
40b8e415eb Virgin import of ntpd 4.1.0 2001-08-29 14:35:15 +00:00
roberto
edc758be46 This commit was generated by cvs2svn to compensate for changes in r82498,
which included commits to RCS files with non-trunk default branches.
2001-08-29 14:35:15 +00:00