The NTPsec Project is pleased to announce the tagging of version 0.9.5.

This release includes a substantial refactoring of the core protocol implementation. Due to unresolvable security issues, support for broadcast/multicast clients has been dropped; broadcast servers are still supported. Likewise, symmetric mode is now only partially supported. The peer directive has become a synonym for server. Servers which receive symmetric-active mode packets will immediately give a symmetric-passive-mode response, but will not mobilize a new association.

All remaining Perl code in the distribution has been moved to Python.

The trap feature, broken in NTP Classic at the time of the NTPSec fork, has been removed. So has its only known client, the ntptrap script in the distribution.

A new visualization tool, ntpviz, generates graphical summaries of logfile data that can be helpful for identifying problems such as misconfigured servers. It replaces a messy and poorly documented pile of ancient Perl, awk, and S scripts; those have been removed.

It is now possible (and sometimes useful) to say “minpoll 0” for a 1-second interval.

The ntpq tool for querying and configuring a running ntpd has been moved from C to Python. About the only visible effect this has is that ntpq now resizes its peers display to accommodate wide terminal-emulator windows.

This release includes fixes for four low and medium-severity vulnerabilities: CVE-2016-7434: Null pointer dereference on malformed mrulist request CVE-2016-7429: Interface selection DoS CVE-2016-9311: Trap crash CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector

Note that the “fixes” for CVE-2016-9310/9311 consist of complete removal of the broken trap feature. This removal occurred post-0.9.4 but prior to the discovery of these issues.

Further, an additional low-severity issue impacting 0.9.0 through 0.9.3 has come to our attention:

CVE-2016-7433: Reboot sync calculation problem

This issue was already addressed in 0.9.4 but not treated as a vulnerability.

The following NTP Classic CVEs do not impact NTPsec: CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7431. We reject CVE-2016-7426, as it describes known and intended behavior which is a necessary logical consequence of rate-limiting.