version 0.9.7

The NTPsec Project is pleased to announce the tagging of version 0.9.7.

The code size has been further reduced, to 60KLOC.

A shell script, buildprep, has been added to the top level source directory. It prepares your system for an NTPsec source build by installing all required dependencies on the build host.

Extra digits of precision are now output in numerous places. The driftfile now output 6 digits past the decimal point instead of 3. The stats files now output 9 digits past the decimal point instead of 6 for some fields. ntpq and ntpmon also report extra digits of precision in multiple places. These changes may break simple parsing scripts.

Four contrib programs: cpu-temp-log; smartctl-temp-log, temper-temp-log, and zone-temp-log; have been combined into the new program ntplogtemp. The new program allows for easy logging of system temperatures and is installed by default.

The SHM refclock no longer limits the value of SHM time by default. This allows SHM to work on systems with no RTC by default.

The following CVEs revealed by a Mozilla penetration test and reported in CERT VU#325339 have been resolved:

  • CVE-2017-6464: Denial of Service via Malformed Config

  • CVE-2017-6463: Authenticated DoS via Malicious Config Option

  • CVE-2017-6458: Potential Overflows in ctl_put() functions

  • CVE-2017-6451: Improper use of snprintf() in mx4200_send()

The following CVEs, announced simultaneously, affected NTP Classic but not NTPsec, because we had already removed the attack surface:

  • CVE-2017-6462: Buffer Overflow in DPTS Clock

  • CVE-2017-6455: Privileged execution of User Library code

  • CVE-2017-6452: Stack Buffer Overflow from Command Line

  • CVE-2017-6459: Data Structure terminated insufficiently

  • CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist

We gratefully acknowledge the work of Dr.-Ing. Mario Heiderich and his team at Cure53 in detecting these problems and their cooperation in resolving them.

As always, you can download the release tarballs with sums and signatures from and can clone the git repo from

The GPG signatures for the tarball, sum file, and signed git tag can be checked with GPG key 0x05D9B371477C7528