As part of the Mozilla Foundation’s Secure Open Source (SOS) program, a security audit of the NTP codebase was conducted. This release addresses the issues found, along with a zero-origin security bug.
NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p10 on 21 March 2016. This latest version addresses the following:
6 MEDIUM security vulnerabilities
4 LOW security vulnerabilities
5 INFORMATIONAL security vulnerabilities
15 non-security fixes and improvements
Fixed Security Vulnerabilities:
Security Informational fixes:
Sec 3386: ntpq_stripquotes() returns incorrect Value
Sec 3385: ereallocarray()/eallocarray() underused
Sec 3381: Copious amounts of Unused Code
Sec 3380: Off-by-one in Oncore GPS Receiver
Sec 3376: Makefile does not enforce Security Flags
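The "ereallocarray()/eallocarray() underused" item refers to array allocations written as plain realloc(ptr, nmemb * size), where the multiplication can wrap around and yield an undersized buffer. The following is an added illustration of the checked-multiplication pattern behind reallocarray(3)-style wrappers; it is not ntp's own code, and the names checked_reallocarray, naive_product_wraps and grow_table are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Checked array reallocation (illustrative, not ntp's implementation).
 * Rejects the request with ENOMEM when nmemb * size would overflow
 * size_t, instead of passing a wrapped, too-small byte count to realloc. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (size != 0 && nmemb > SIZE_MAX / size) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* Returns 1 if the unchecked product nmemb * size wraps around, 0 otherwise.
 * This is the condition the checked wrapper above guards against. */
int naive_product_wraps(size_t nmemb, size_t size)
{
    size_t product = nmemb * size;  /* unsigned arithmetic wraps, no UB */
    return size != 0 && product / size != nmemb;
}

/* Hypothetical caller: allocate a table of new_count 64-byte records.
 * Returns 0 on success, -1 if the allocation was rejected or failed. */
int grow_table(size_t new_count)
{
    unsigned char *table = checked_reallocarray(NULL, new_count, 64);
    if (table == NULL)
        return -1;
    memset(table, 0, new_count * 64);  /* safe: product already validated */
    free(table);
    return 0;
}
```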
Timeline:
2017 Mar 21 - Public Release
2017 Mar 13 - CERT Notified
2017 Mar 06 - All of NTF’s NTP Consortium members were notified. Partner and Premier levels received access to the patches as well.
2017 Feb 10 - Completed Mozilla/Cure53 audit received
We wish to thank the Mozilla Foundation for funding this audit of the NTP codebase. We would have preferred to give much more notice to our members and CERT; however, NTF’s NTP project remains severely under-funded. We sincerely appreciate the support of our members and donors; much more support is needed to continue to improve NTP, complete the Network Time Security (NTS) project, continue our standards work, improve documentation, start on the General Timestamp API, and so much more. If accurate, secure time is important to you or your organization, help us help you: donate today or become a member. Thank you!