OpenPOWER buildroot sources https://git.raptorcs.com/git/buildroot/atom?h=2017.02 2017-02-07T14:26:22+00:00 2017-02-07T14:26:22+00:00 Adam Duskett Aduskett@gmail.com 2017-02-06T14:12:25+00:00 urn:sha1:ebf6f64b76059e31a85f982cb04f80ad5982dac3 This version of ntp fixes several vulnerabilities. CVE-2016-9311 CVE-2016-9310 CVE-2016-7427 CVE-2016-7428 CVE-2016-9312 CVE-2016-7431 CVE-2016-7434 CVE-2016-7429 CVE-2016-7426 CVE-2016-7433 http://www.kb.cert.org/vuls/id/633847 In addition, libssl_compat.h is now included in many files, which references openssl/evp.h, openssl/dsa.h, and openssl/rsa.h. Even if a you pass --disable-ssl as a configuration option, these files are now required. As such, I have also added openssl as a dependency, and it is now automatically selected when you select ntp. Signed-off-by: Adam Duskett <aduskett@codeblue.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-11-28T21:45:35+00:00 Jérôme Pouiller jezz@sysmic.org 2016-11-14T13:22:36+00:00 urn:sha1:008ab8d590e59b34bb5d0eebd48bd97e1a553dd0 ntpq and ntpdc may depends on libedit and libcap. $ arm-linux-readelf -d ./usr/bin/ntpdc | grep NEEDED 0x00000001 (NEEDED) Shared library: [libcap.so.2] 0x00000001 (NEEDED) Shared library: [libm.so.6] 0x00000001 (NEEDED) Shared library: [libedit.so.0] 0x00000001 (NEEDED) Shared library: [libncursesw.so.6] 0x00000001 (NEEDED) Shared library: [libssl.so.1.0.0] 0x00000001 (NEEDED) Shared library: [libcrypto.so.1.0.0] 0x00000001 (NEEDED) Shared library: [libpthread.so.0] 0x00000001 (NEEDED) Shared library: [libc.so.6] However, build order with these libraries is not defined. In order to keep things simple, we enforce build order even if ntpq/ntpdc are not selected. Signed-off-by: Jérôme Pouiller <jezz@sysmic.org> [Thomas: use --without-lineeditlibs.] Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-08-07T20:57:40+00:00 Vicente Bergas vicencb@gmail.com 2016-08-07T15:18:28+00:00 urn:sha1:a2ce4167e230415e0dbc1349112790b07e104e88 When running ntp it randomly aborts at ntp-4.2.8p8/libntp/recvbuff.c:326 which seems to be a debugging feature. This patch just disables debugging, it does not fix the root cause of the problem. Signed-off-by: Vicente Bergas <vicencb@gmail.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-07-15T11:11:06+00:00 Yugendra Sai Babu Nadupuru yugendra.sai.babu.nadupuru@rockwellcollins.com 2016-07-14T21:08:02+00:00 urn:sha1:c091ecda8743683102f9cccffa15f10b55b52ef3 In order for gpsd to work with the new version of ntpd, an enable option must be added to the configure step of ntp that allows for support of SHM clocks to be attached through shared memory. Signed-off-by: Yugendra Sai Babu Nadupuru <yugendra.sai.babu.nadupuru@rockwellcollins.com> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-06-03T07:45:40+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-06-03T01:26:22+00:00 urn:sha1:e748e303dadf8e04a8a07777e15adbae3d99a140 Fixes: CVE-2016-4957 - Crypto-NAK crash CVE-2016-4953 - Bad authentication demobilizes ephemeral associations CVE-2016-4954 - Processing spoofed server packets CVE-2016-4955 - Autokey association reset CVE-2016-4956 - Broadcast interleave Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com> 2016-05-02T15:24:10+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-05-02T12:21:22+00:00 urn:sha1:ee18216d47e3d1eb5e9f666a5f30d61d5e4bbd97 Fixes: CVE-2016-1551 - Refclock impersonation vulnerability, AKA: refclock-peering CVE-2016-1549 - Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY CVE-2016-2516 - Duplicate IPs on unconfig directives will cause an assertion botch CVE-2016-2517 - Remote configuration trustedkey/requestkey values are not properly validated CVE-2016-2518 - Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC CVE-2016-2519 - ctl_getitem() return value not always checked CVE-2016-1547 - Validate crypto-NAKs, AKA: nak-dos CVE-2016-1548 - Interleave-pivot - MITIGATION ONLY CVE-2015-7704 - KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken CVE-2015-8138 - Zero Origin Timestamp Bypass, AKA: Additional KoD Checks CVE-2016-1550 - Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-01-20T14:44:17+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-01-20T13:18:48+00:00 urn:sha1:18542431c1057f493f473f0521edf598a9b520ce CVE-2015-7973 - Deja Vu: Replay attack on authenticated broadcast mode CVE-2015-7974 - Skeleton Key: Missing key check allows impersonation between authenticated peers CVE-2015-7975 - nextvar() missing length check CVE-2015-7976 - ntpq saveconfig command allows dangerous characters in filenames CVE-2015-7977 - reslist NULL pointer dereference CVE-2015-7978 - Stack exhaustion in recursive traversal of restriction list CVE-2015-7979 - Off-path Denial of Service (DoS) attack on authenticated broadcast mode CVE-2015-8137 - origin: Zero Origin Timestamp Bypass CVE-2015-8158 - Potential Infinite Loop in ntpq Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2016-01-08T17:31:04+00:00 Gustavo Zacarias gustavo@zacarias.com.ar 2016-01-08T11:09:15+00:00 urn:sha1:513c314dc35ab0f976aaad12aeb5b34be2e55494 Fixes: CVE-2015-5300 - MITM attacker can force ntpd to make a step larger than the panic threshold. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-10-22T21:44:18+00:00 James Knight james.knight@rockwellcollins.com 2015-10-22T00:08:11+00:00 urn:sha1:73b193f840a9790f2438c02853f9be8738b7fb50 Signed-off-by: James Knight <james.knight@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com> 2015-10-19T22:19:36+00:00 James Knight james.knight@rockwellcollins.com 2015-10-14T23:45:33+00:00 urn:sha1:1c6629444dab52649b17a73dbd978c959f7d6b3c Allow the `ntptime` utility to be included on a target. [Peter: add comment why AUTORECONF is needed] Signed-off-by: James Knight <james.knight@rockwellcollins.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>