This release improves on one security issue in ntpd:

• LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / CVE-2018-7170: Sybil vulnerability: ephemeral association attack

  • While fixed in ntp-4.2.8p7 and with significant additional protections for this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in the new noepeer support.

  • Originally reported by Matt Van Gundy of Cisco. Edge-case hole reported by Martin Burnicki of Meinberg.

one security issue in ntpq and ntpdc:

• LOW: Sec 3505 / CVE-2018-12327: The openhost() function used during command-line hostname processing by ntpq and ntpdc can write beyond its buffer limit.

  • Reported by Fakhri Zulkifli.

and provides 27 bugfixes and 4 other improvements.

E- Notification of these issues were delivered to our Institutional members on a rolling basis as they were reported and as progress was made.

Timeline:

• 2018 Aug 14: Public release

• 2018 Jul 25: Release to Advance Security Partners