January 2016 NTP 4.2.8p5 Security Vulnerability Announcement

NTP 4.2.8p5, released on 7 January 2016, contains two security-related issues and several minor bug fixes and code improvements since NTP 4.2.8p4, which was released on 21 October 2015.

• Bug 2956: CVE-2015-5300 Small-step/Big-step: This issue was published in October by Boston University. When it was first discovered, we were told that while 4.2.6 (which was past its EOL) was vulnerable, 4.2.8 was not. Later in November we discovered that 4.2.8 was vulnerable to a lesser degree. This weakness was discovered by Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg at Boston University.

• Bug 2952: CVE-2015-7704 Peer associations broken by fix for Bug 2901: This was an improvement to our patch in ntp-4.2.8p4. This weakness was discovered by Aanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg at Boston University.

To further improve our testing, the Coverity submission process was updated from Coverity 5 to Coverity 7. The NTP codebase has been undergoing regular Coverity scans on an ongoing basis since 2006. As part of our recent upgrade from Coverity 5 to Coverity 7, Coverity identified 16 nits in some of the newly-written Unity test programs. As a result, these very minor bugs were fixed.

We especially want to thank all of our volunteers who have contributed bug fixes and improvements over the years and continue to do so.

Network Time Foundation is continually looking for ways to improve the NTP code. We have announced the Network Time Security project (NTS), and will soon be announcing the first production release of the NTP “leaf node” client from the Ntimed Project.

We appreciate organizations reporting their discoveries to us. We continue to look for funding to hire full time developers. We’ve put together some projects for funding and if you are interested in helping please contact us.

You are welcomed and encouraged to join our Consortium or Donate.