head 1.4; access; symbols pkgsrc-2026Q1:1.4.0.48 pkgsrc-2026Q1-base:1.4 pkgsrc-2025Q4:1.4.0.46 pkgsrc-2025Q4-base:1.4 pkgsrc-2025Q3:1.4.0.44 pkgsrc-2025Q3-base:1.4 pkgsrc-2025Q2:1.4.0.42 pkgsrc-2025Q2-base:1.4 pkgsrc-2025Q1:1.4.0.40 pkgsrc-2025Q1-base:1.4 pkgsrc-2024Q4:1.4.0.38 pkgsrc-2024Q4-base:1.4 pkgsrc-2024Q3:1.4.0.36 pkgsrc-2024Q3-base:1.4 pkgsrc-2024Q2:1.4.0.34 pkgsrc-2024Q2-base:1.4 pkgsrc-2024Q1:1.4.0.32 pkgsrc-2024Q1-base:1.4 pkgsrc-2023Q4:1.4.0.30 pkgsrc-2023Q4-base:1.4 pkgsrc-2023Q3:1.4.0.28 pkgsrc-2023Q3-base:1.4 pkgsrc-2023Q2:1.4.0.26 pkgsrc-2023Q2-base:1.4 pkgsrc-2023Q1:1.4.0.24 pkgsrc-2023Q1-base:1.4 pkgsrc-2022Q4:1.4.0.22 pkgsrc-2022Q4-base:1.4 pkgsrc-2022Q3:1.4.0.20 pkgsrc-2022Q3-base:1.4 pkgsrc-2022Q2:1.4.0.18 pkgsrc-2022Q2-base:1.4 pkgsrc-2022Q1:1.4.0.16 pkgsrc-2022Q1-base:1.4 pkgsrc-2021Q4:1.4.0.14 pkgsrc-2021Q4-base:1.4 pkgsrc-2021Q3:1.4.0.12 pkgsrc-2021Q3-base:1.4 pkgsrc-2021Q2:1.4.0.10 pkgsrc-2021Q2-base:1.4 pkgsrc-2021Q1:1.4.0.8 pkgsrc-2021Q1-base:1.4 pkgsrc-2020Q4:1.4.0.6 pkgsrc-2020Q4-base:1.4 pkgsrc-2020Q3:1.4.0.4 pkgsrc-2020Q3-base:1.4 pkgsrc-2020Q2:1.4.0.2 pkgsrc-2020Q2-base:1.4 pkgsrc-2015Q3:1.2.0.8 pkgsrc-2015Q3-base:1.2 pkgsrc-2015Q2:1.2.0.6 pkgsrc-2015Q2-base:1.2 pkgsrc-2015Q1:1.2.0.4 pkgsrc-2015Q1-base:1.2 pkgsrc-2014Q4:1.2.0.2 pkgsrc-2014Q4-base:1.2 pkgsrc-2014Q3:1.1.0.6 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.4 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.2 pkgsrc-2014Q1-base:1.1; locks; strict; comment @# @; 1.4 date 2020.06.21.15.10.47; author taca; state Exp; branches; next 1.3; commitid qGo5iTmE719iv6dC; 1.3 date 2015.10.23.03.43.31; author taca; state dead; branches; next 1.2; commitid bE8tuUj0volSqbGy; 1.2 date 2014.12.20.09.45.46; author taca; state Exp; branches 1.2.8.1; next 1.1; commitid GqADPr2oZqikjL2y; 1.1 date 2014.02.18.22.18.48; author joerg; state Exp; branches; next ; commitid sjV6ZNCsTDSChDpx; 1.2.8.1 date 2015.10.27.19.07.02; author bsiegert; state dead; branches; next ; commitid 2ETjHD2rbFqkqMGy; desc @@ 
1.4 log @net/ntp4: update to 4.2.8p14 Update ntp4 to 4.2.8p14. pkgsrc changes: * Incorporate several changes from NetBSD base. * few pkglint fixes. Quote from release announcement: NTP 4.2.8p14 (Harlan Stenn , 2020 Mar 03) Focus: Security, Bug fixes, enhancements. Severity: MEDIUM This release fixes three vulnerabilities: a bug that causes an ntpd instance that is explicitly configured to override the default and allow ntpdc (mode 7) connections to be made to a server to read some uninitialized memory; fixes the case where an unmonitored ntpd using an unauthenticated association to its servers may be susceptible to a forged packet DoS attack; and fixes an attack against a client instance that uses a single unauthenticated time source. It also fixes 46 other bugs and addresses 4 other issues. @ text @$NetBSD$ * Changes from NetBSD base; add support for setproctitle(3). --- configure.orig 2020-03-04 01:40:14.000000000 +0000 +++ configure @@@@ -27148,7 +27148,7 @@@@ fi done -for ac_func in fnmatch getbootfile getuid getrusage nanosleep strsignal +for ac_func in fnmatch getbootfile getuid getrusage nanosleep strsignal setproctitle do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @ 1.3 log @Update ntp4 to 4.2.8p4. pkgsrc change: * Remove duplicated HTML documents. * Install some additional documents. Changes are too many to write here, please refer to the NEWS files and this release fixes security problems. 
October 2015 NTP Security Vulnerability Announcement (Medium) NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015: * Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) * Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) * Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS) * Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) * Bug 2917 CVE-2015-7850 remote config logfile-keyfile. (Cisco TALOS) * Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) * Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) * Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) * Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) * Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) * Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable) The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4. 
Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all below 1.8 CVSS score, so we're reporting them here: * Bug 2382 : Peer precision < -31 gives division by zero * Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL * Bug 1593 : ntpd abort in free() with logconfig syntax error @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2014/12/20 09:45:46 taca Exp $ d3 3 a5 1 --- configure.orig 2014-12-19 12:42:27.000000000 +0000 d7 9 a15 11 @@@@ -26556,8 +26556,8 @@@@ done # thread cancellation fails to load libgcc_s with dlopen(). # We have to pass this all as linker options to avoid argument # reordering by libtool. - case "$GCC$with_gnu_ld" in - yesyes) + case "$GCC,$with_gnu_ld,$host_os" in + yes,yes,linux) { $as_echo "$as_me:${as_lineno-$LINENO}: checking for exit in -lgcc_s" >&5 $as_echo_n "checking for exit in -lgcc_s... " >&6; } if ${ac_cv_lib_gcc_s_exit+:} false; then : @ 1.2 log @Update ntpd4 package to 4.2.8, here is a summary of security related fixes. NTP 4.2.8 (Harlan Stenn , 2014/12/18) Focus: Security and Bug fixes, enhancements. Severity: HIGH In addition to bug fixes and enhancements, this release fixes the following high-severity vulnerabilities: * Weak default key in config_auth(). References: [Sec 2665] / CVE-2014-9293 / VU#852879 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 Vulnerable Versions: all releases prior to 4.2.7p11 Date Resolved: 28 Jan 2010 Summary: If no 'auth' key is set in the configuration file, ntpd would generate a random key on the fly. There were two problems with this: 1) the generated key was 31 bits in size, and 2) it used the (now weak) ntp_random() function, which was seeded with a 32-bit value and could only provide 32 bits of entropy. This was sufficient back in the late 1990s when the code was written. Not today. Mitigation: Upgrade to 4.2.7p11 or later. 
Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta of the Google Security Team. * Non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys. References: [Sec 2666] / CVE-2014-9294 / VU#852879 CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3 Vulnerable Versions: All NTP4 releases before 4.2.7p230 Date Resolved: Dev (4.2.7p230) 01 Nov 2011 Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to prepare a random number generator that was of good quality back in the late 1990s. The random numbers produced were then used to generate symmetric keys. In ntp-4.2.8 we use a current-technology cryptographic random number generator, either RAND_bytes from OpenSSL, or arc4random(). Mitigation: Upgrade to 4.2.7p230 or later. Credit: This vulnerability was discovered in ntp-4.2.6 by Stephen Roettger of the Google Security Team. * Buffer overflow in crypto_recv() References: Sec 2667 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: When Autokey Authentication is enabled (i.e. the ntp.conf file contains a 'crypto pw ...' directive) a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later, or Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. 
* Buffer overflow in ctl_putdata() References: Sec 2668 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. * Buffer overflow in configure() References: Sec 2669 / CVE-2014-9295 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. Mitigation: Upgrade to 4.2.8, or later. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. * receive(): missing return on error References: Sec 2670 / CVE-2014-9296 / VU#852879 CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0 Versions: All NTP4 releases before 4.2.8 Date Resolved: Stable (4.2.8) 18 Dec 2014 Summary: Code in ntp_proto.c:receive() was missing a 'return;' in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score becomes 7.5. 
Mitigation: Upgrade to 4.2.8, or later, or Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file. Credit: This vulnerability was discovered by Stephen Roettger of the Google Security Team. See http://support.ntp.org/security for more information. @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.1 2014/02/18 22:18:48 joerg Exp $ @ 1.2.8.1 log @Pullup ticket #4846 - requested by taca net/ntp4: security fix Revisions pulled up: - net/ntp4/Makefile 1.88 - net/ntp4/PLIST 1.20 - net/ntp4/distinfo 1.23 - net/ntp4/patches/patch-configure deleted - net/ntp4/patches/patch-sntp_configure deleted --- Module Name: pkgsrc Committed By: taca Date: Fri Oct 23 03:43:31 UTC 2015 Modified Files: pkgsrc/net/ntp4: Makefile PLIST distinfo Removed Files: pkgsrc/net/ntp4/patches: patch-configure patch-sntp_configure Log Message: Update ntp4 to 4.2.8p4. pkgsrc change: * Remove duplicated HTML documents. * Install some additional documents. Changes are too many to write here, please refer to the NEWS files and this release fixes security problems. October 2015 NTP Security Vulnerability Announcement (Medium) NTF's NTP Project has been notified of the following 13 low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p4, released on Wednesday, 21 October 2015: * Bug 2941 CVE-2015-7871 NAK to the Future: Symmetric association authentication bypass via crypto-NAK (Cisco ASIG) * Bug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (IDA) * Bug 2921 CVE-2015-7854 Password Length Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2920 CVE-2015-7853 Invalid length data provided by a custom refclock driver could cause a buffer overflow. (Cisco TALOS) * Bug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability. (Cisco TALOS) * Bug 2918 CVE-2015-7851 saveconfig Directory Traversal Vulnerability. (OpenVMS) (Cisco TALOS) * Bug 2917 CVE-2015-7850 remote config logfile-keyfile. 
(Cisco TALOS) * Bug 2916 CVE-2015-7849 trusted key use-after-free. (Cisco TALOS) * Bug 2913 CVE-2015-7848 mode 7 loop counter underrun. (Cisco TALOS) * Bug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC. (Tenable) * Bug 2902 : CVE-2015-7703 configuration directives "pidfile" and "driftfile" should only be allowed locally. (RedHat) * Bug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field. (Boston University) * Bug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks. (Tenable) The only generally-exploitable bug in the above list is the crypto-NAK bug, which has a CVSS2 score of 6.4. Additionally, three bugs that have already been fixed in ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd have a security component, but are all below 1.8 CVSS score, so we're reporting them here: * Bug 2382 : Peer precision < -31 gives division by zero * Bug 1774 : Segfaults if cryptostats enabled when built without OpenSSL * Bug 1593 : ntpd abort in free() with logconfig syntax error @ text @d1 1 a1 1 $NetBSD: patch-configure,v 1.2 2014/12/20 09:45:46 taca Exp $ @ 1.1 log @Restrict the explicit -lgcc_s to Linux as the comment indicates where it is aimed at. @ text @d1 1 a1 1 $NetBSD$ d3 1 a3 1 --- configure.orig 2014-02-18 19:22:37.000000000 +0000 d5 2 a6 2 @@@@ -26457,8 +26457,8 @@@@ done # because thread cancellation fails to load libgcc_s with dlopen(). d13 3 a15 3 PTHREAD_LIBS="$LTHREAD_LIBS -Wl,--no-as-needed,-lgcc_s,--as-needed" ;; esac @
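Review bot: in the 1.4 hunk at configure line 27148, setproctitle is added to the `for ac_func in ...` list of the generated configure script only, and nothing in this patch touches the autoconf input that produces that loop. If configure is ever regenerated (autoreconf during the build, or an upstream release that reshuffles the list), the check is lost without any patch failure being obvious beyond a rejected hunk. Suggest carrying the same addition against the autoconf source as well, or stating in the patch comment that configure must not be regenerated. It is also worth confirming that config.h.in has a HAVE_SETPROCTITLE template, since this hunk alone does not add one.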
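Review bot: in the hunk that changes `case "$GCC$with_gnu_ld" in` to `case "$GCC,$with_gnu_ld,$host_os" in`, the new pattern `yes,yes,linux)` has no wildcard, so it matches only when host_os is exactly `linux`. Autoconf host triplets usually yield values such as `linux-gnu`, in which case the -lgcc_s branch is never taken on Linux either, which is more than the "restrict to Linux" intent stated in the 1.1 log. Suggest `yes,yes,linux*)` so the branch still applies on the platform the comment says it is aimed at.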