The NTPsec Project is pleased to announce the tagging of version 0.9.7.
The code size has been further reduced, to 60KLOC.
A shell script, buildprep, has been added to the top level source directory. It prepares your system for an NTPsec source build by installing all required dependencies on the build host.
Extra digits of precision are now output in numerous places. The driftfile now output 6 digits past the decimal point instead of 3. The stats files now output 9 digits past the decimal point instead of 6 for some fields. ntpq and ntpmon also report extra digits of precision in multiple places. These changes may break simple parsing scripts.
Four contrib programs: cpu-temp-log; smartctl-temp-log, temper-temp-log, and zone-temp-log; have been combined into the new program ntplogtemp. The new program allows for easy logging of system temperatures and is installed by default.
The SHM refclock no longer limits the value of SHM time by default. This allows SHM to work on systems with no RTC by default.
The following CVEs revealed by a Mozilla penetration test and reported in CERT VU#325339 have been resolved:
CVE-2017-6464: Denial of Service via Malformed Config
CVE-2017-6463: Authenticated DoS via Malicious Config Option
CVE-2017-6458: Potential Overflows in ctl_put() functions
CVE-2017-6451: Improper use of snprintf() in mx4200_send()
The following CVEs, announced simultaneously, affected NTP Classic but not NTPsec, because we had already removed the attack surface:
CVE-2017-6462: Buffer Overflow in DPTS Clock
CVE-2017-6455: Privileged execution of User Library code
CVE-2017-6452: Stack Buffer Overflow from Command Line
CVE-2017-6459: Data Structure terminated insufficiently
CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist
We gratefully acknowledge the work of Dr.-Ing. Mario Heiderich and his team at Cure53 in detecting these problems and their cooperation in resolving them.
The GPG signatures for the tarball, sum file, and signed git tag can be checked with GPG key 0x05D9B371477C7528