[ntp:questions] One last release candidate (in name only) and a new -stable

Dave Hart davehart at gmail.com
Wed Dec 9 13:27:54 UTC 2009

There was a hiccup or two along the way, but in essence we have a new
-stable release, 4.2.6, and will soon see the first 4.2.7 -dev
release.  If you look at the distribution points right now, there is a
ntp-4.2.6-RC.tar.gz.  I expect within a day there will also be a
ntp-4.2.6.tar.gz, differing only in the version's -RC suffix (which is
replicated into quite a few files), as the final 4.2.6 version text
without -RC is now at the head of ntp-stable.

While I'm jumping the gun as the official 4.2.6 announcement and
tarball haven't come, thanks to everyone who reported bugs, provided or
verified fixes, or otherwise helped nudge NTP towards its first major
release in three years.

I have uploaded x86 Windows binaries for 4.2.6 to my website.

Regarding CVE-2009-3563 patched yesterday [1], versions of 4.2.4
through p7 are vulnerable, as are all versions of 4.2.5.  The fix
first appears in 4.2.4p8 and 4.2.6.  The crux of the bug was
responding to mode 7 responses with an error response.  When triggered
between two ntpd servers, or in some cases with a single server
talking to itself, the ntpd processes would run away transmitting
packets and logging a message for each as fast as conditions
permitted, until something dropped a packet.  When I first reproduced
it, syslog helpfully collapsed a quarter-million identical log lines
into one for me.

Dave Hart

[1] http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
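
The runaway exchange described in the CVE-2009-3563 paragraph above, as an added example that is not part of the original post and is not ntpd's code: a small C model in which two servers bounce mode 7 packets, once answering responses with an error response and once dropping them. The names handle, exchange and the policy enum are hypothetical, the payload is not modelled, and the packet cap stands in for "until something dropped a packet".

```c
#include <stdint.h>
#include <stdio.h>

/* Model only: first octet of a mode 7 (private) packet, as assumed here. */
#define RESP_BIT     0x80u   /* set on responses, clear on requests */
#define MODE_MASK    0x07u   /* low three bits carry the NTP mode */
#define MODE_PRIVATE 7u

enum policy { REPLY_TO_RESPONSES, DROP_RESPONSES };   /* hypothetical names */

/*
 * Process one incoming first octet for a simulated server.
 * Returns 1 and writes the reply octet when the server transmits,
 * 0 when it stays silent. The payload is not modelled, so every mode 7
 * packet is treated as one the handler answers with an error response.
 */
static int handle(enum policy p, uint8_t in, uint8_t *out)
{
    if ((in & MODE_MASK) != MODE_PRIVATE)
        return 0;                        /* not mode 7: outside this model */
    if ((in & RESP_BIT) && p == DROP_RESPONSES)
        return 0;                        /* hardened: never answer a response */
    *out = (uint8_t)(RESP_BIT | MODE_PRIVATE);   /* error response */
    return 1;
}

/*
 * Deliver `first` to one server, then hand each reply to its peer.
 * Both peers run the same policy. Returns packets sent, capped at `limit`.
 */
static unsigned long exchange(enum policy p, uint8_t first, unsigned long limit)
{
    uint8_t pkt = first, reply;
    unsigned long sent = 0;

    while (sent < limit && handle(p, pkt, &reply)) {
        pkt = reply;                     /* the reply is the peer's next input */
        sent++;
    }
    return sent;
}

int main(void)
{
    uint8_t resp = (uint8_t)(RESP_BIT | MODE_PRIVATE);   /* constructed input */
    printf("reply-to-responses: %lu packets\n", exchange(REPLY_TO_RESPONSES, resp, 250000));
    printf("drop-responses:     %lu packets\n", exchange(DROP_RESPONSES, resp, 250000));
    return 0;
}
```

In this model a request still receives exactly one error response under the drop policy; only the reply to a response is suppressed, which is what ends the exchange.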
