Log message:
Update ntp4 package to 4.2.8p2.

NTP 4.2.8p2 (Harlan Stenn <stenn@ntp.org>, 2015/04/xx)

Focus: Security and Bug fixes, enhancements.

Severity: MEDIUM

In addition to bug fixes and enhancements, this release fixes the
following medium-severity vulnerabilities involving private key
authentication:

* [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.

    References: Sec 2779 / CVE-2015-1798 / VU#374268
    Affects: All NTP4 releases starting with ntp-4.2.5p99 up to but not
	including ntp-4.2.8p2 where the installation uses symmetric keys
	to authenticate remote associations.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: When ntpd is configured to use a symmetric key to authenticate
	a remote NTP server/peer, it checks if the NTP message
	authentication code (MAC) in received packets is valid, but not if
	there actually is any MAC included. Packets without a MAC are
	accepted as if they had a valid MAC. This allows a MITM attacker to
	send false packets that are accepted by the client/peer without
	having to know the symmetric key. The attacker needs to know the
	transmit timestamp of the client to match it in the forged reply
	and the false reply needs to reach the client before the genuine
	reply from the server. The attacker doesn't necessarily need to be
	relaying the packets between the client and the server.

	Authentication using autokey doesn't have this problem as there is
	a check that requires the key ID to be larger than NTP_MAXKEY,
	which fails for packets without a MAC.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
	or the NTP Public Services Project Download Page
        Configure ntpd with enough time sources and monitor it properly.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* [Sec 2781] Authentication doesn't protect symmetric associations against
  DoS attacks.

    References: Sec 2781 / CVE-2015-1799 / VU#374268
    Affects: All NTP releases starting with at least xntp3.3wy up to but
	not including ntp-4.2.8p2 where the installation uses symmetric
	key authentication.
    CVSS: (AV:A/AC:M/Au:N/C:P/I:P/A:P) Base Score: 5.4
    Note: the CVSS base Score for this issue could be 4.3 or lower, and
	it could be higher than 5.4.
    Date Resolved: Stable (4.2.8p2) 07 Apr 2015
    Summary: An attacker knowing that NTP hosts A and B are peering with
	each other (symmetric association) can send a packet to host A
	with source address of B which will set the NTP state variables
	on A to the values sent by the attacker. Host A will then send
	on its next poll to B a packet with originate timestamp that
	doesn't match the transmit timestamp of B and the packet will
	be dropped. If the attacker does this periodically for both
	hosts, they won't be able to synchronize to each other. This is
	a known denial-of-service attack, described at
	https://www.eecis.udel.edu/~mills/onwire.html .

	According to the document the NTP authentication is supposed to
	protect symmetric associations against this attack, but that
	doesn't seem to be the case. The state variables are updated even
	when authentication fails and the peers are sending packets with
	originate timestamps that don't match the transmit timestamps on
	the receiving side.

	This seems to be a very old problem, dating back to at least
	xntp3.3wy. It's also in the NTPv3 (RFC 1305) and NTPv4 (RFC 5905)
	specifications, so other NTP implementations with support for
	symmetric associations and authentication may be vulnerable too.
	An update to the NTP RFC to correct this error is in-process.
    Mitigation:
        Upgrade to 4.2.8p2, or later, from the NTP Project Download Page
	or the NTP Public Services Project Download Page
        Note that for users of autokey, this specific style of MITM attack
	is simply a long-known potential problem.
        Configure ntpd with appropriate time sources and monitor ntpd.
	Alert your staff if problems are detected.
    Credit: This issue was discovered by Miroslav Lichvar, of Red Hat.

* New script: update-leap
The update-leap script will verify and if necessary, update the
leap-second definition file.
It requires the following commands in order to work:

	wget logger tr sed shasum

Some may choose to run this from cron.  It needs more portability testing.

Log message:
SECURITY: Update ntpd to 4.2.8p1.

* [Sec 2671] vallen in extension fields are not validated.
* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.

Log message:
Look deeper for config.guess/config.sub.

Log message:
Create minimum services files on chroot environment as recent
NetBSD current.

Bump PKGREVISION.

Log message:
Update ntpd4 pacakge to 4.2.8, here is summary for security related fixes.

NTP 4.2.8 (Harlan Stenn <stenn@ntp.org>, 2014/12/18)

Focus: Security and Bug fixes, enhancements.

Severity: HIGH

In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:

* Weak default key in config_auth().

  References: [Sec 2665] / CVE-2014-9293 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: all releases prior to 4.2.7p11
  Date Resolved: 28 Jan 2010

  Summary: If no 'auth' key is set in the configuration file, ntpd
	would generate a random key on the fly.  There were two
	problems with this: 1) the generated key was 31 bits in size,
	and 2) it used the (now weak) ntp_random() function, which was
	seeded with a 32-bit value and could only provide 32 bits of
	entropy.  This was sufficient back in the late 1990s when the
	code was written.  Not today.

  Mitigation: Upgrade to 4.2.7p11 or later.

  Credit: This vulnerability was noticed in ntp-4.2.6 by Neel Mehta
  	of the Google Security Team.

* Non-cryptographic random number generator with weak seed used by
  ntp-keygen to generate symmetric keys.

  References: [Sec 2666] / CVE-2014-9294 / VU#852879
  CVSS: (AV:N/AC:L/Au:M/C:P/I:P/A:C) Base Score: 7.3
  Vulnerable Versions: All NTP4 releases before 4.2.7p230
  Date Resolved: Dev (4.2.7p230) 01 Nov 2011

  Summary: Prior to ntp-4.2.7p230 ntp-keygen used a weak seed to
  	prepare a random number generator that was of good quality back
	in the late 1990s. The random numbers produced was then used to
	generate symmetric keys. In ntp-4.2.8 we use a current-technology
	cryptographic random number generator, either RAND_bytes from
	OpenSSL, or arc4random().

  Mitigation: Upgrade to 4.2.7p230 or later.

  Credit:  This vulnerability was discovered in ntp-4.2.6 by
  	Stephen Roettger of the Google Security Team.

* Buffer overflow in crypto_recv()

  References: Sec 2667 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: When Autokey Authentication is enabled (i.e. the ntp.conf
  	file contains a 'crypto pw ...' directive) a remote attacker
	can send a carefully crafted packet that can overflow a stack
	buffer and potentially allow malicious code to be executed
	with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later, or
	Disable Autokey Authentication by removing, or commenting out,
	all configuration directives beginning with the crypto keyword
	in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
  	Google Security Team.

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
  	can overflow a stack buffer and potentially allow malicious
	code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
  	Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
	can overflow a stack buffer and potentially allow malicious
	code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
	Google Security Team.

* receive(): missing return on error

  References: Sec 2670 / CVE-2014-9296 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Base Score: 5.0
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: Code in ntp_proto.c:receive() was missing a 'return;' in
  	the code path where an error was detected, which meant
	processing did not stop when a specific rare error occurred.
	We haven't found a way for this bug to affect system integrity.
	If there is no way to affect system integrity the base CVSS
	score for this bug is 0. If there is one avenue through which
	system integrity can be partially affected, the base score
	becomes a 5. If system integrity can be partially affected
	via all three integrity metrics, the CVSS base score become 7.5.

  Mitigation:
        Upgrade to 4.2.8, or later,
        or Remove or comment out all configuration directives
	beginning with the crypto keyword in your ntp.conf file.

  Credit: This vulnerability was discovered by Stephen Roettger of the
  	Google Security Team.

See http://support.ntp.org/security for more information.

Log message:
Remove pkgviews: don't set PKG_INSTALLATION_TYPES in Makefiles.

Log message:
Bump for perl-5.20.0.
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.

Log message:
More files observed on FreeBSD.

Log message:
Remove example rc.d scripts from PLISTs.

These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.

Log message:
Fixes PKGNAME, '-dev-' should not be there.