NTF announced the release of ntp-4.2.8p6 on 19 January 2016. This release contains nine security-related fixes, two security issue mitigations, and some minor bug fixes and code improvements since NTP 4.2.8p5, which was released on 7 January 2016.

• Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq

• Bug 2947 / CVE-2015-8140: Ntpq vulnerable to replay attacks

• Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin

• Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass

• Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode

• Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list

• Bug 2939 / CVE-2015-7977: reslistNULL pointer dereference

• Bug 2938 / CVE-2015-7976: ntpq saveconfigcommand allows dangerous characters in filenames

• Bug 2937 / CVE-2015-7975: nextvar()missing length check

• Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers

• Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode

We want to thank the members of the Cisco ASIG team for finding and reporting these issues.

We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so.

Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.

We appreciate organizations reporting their discoveries to us. We continue to look for funding to hire full time developers. We’ve put together some projects for funding and if you are interested in helping please contact us.

You are welcomed and encouraged to join our Consortium or Donate