Subject: CVS commit: [pkgsrc-2015Q2] pkgsrc/net/ntp4
From: Matthias Scheler
Date: 2015-07-12 10:58:43
Message id: 20150712085844.0C53098@cvs.netbsd.org

Log Message:
Pullup ticket #4764 - requested by taca
net/ntp4: security update

Revisions pulled up:
- net/ntp4/Makefile                                             1.87
- net/ntp4/PLIST                                                1.19
- net/ntp4/distinfo                                             1.22

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Tue Jun 30 16:08:21 UTC 2015

   Modified Files:
   	pkgsrc/net/ntp4: Makefile PLIST distinfo

   Log Message:
   Update ntp4 to 4.2.8p3.

   Please refer NEWS and ChangeLog for full changes.

   NTP 4.2.8p3 (Harlan Stenn <stenn@ntp.org>, 2015/06/29)

   Focus: 1 Security fix.  Bug fixes and enhancements.  Leap-second improvements.

   Severity: MEDIUM

   Security Fix:

   * [Sec 2853] Crafted remote config packet can crash some versions of
     ntpd.  Aleksis Kauppinen, Juergen Perlinger, Harlan Stenn.

   Under specific circumstances an attacker can send a crafted packet to
   cause a vulnerable ntpd instance to crash. This requires each of the
   following to be true:

   1) ntpd set up to allow remote configuration (not allowed by default), and
   2) knowledge of the configuration password, and
   3) access to a computer entrusted to perform remote configuration.

   This vulnerability is considered low-risk.

   New features in this release:

   Optional (disabled by default) support to have ntpd provide smeared
   leap second time.  A specially built and configured ntpd will only
   offer smeared time in response to client packets.  These response
   packets will also contain a "refid" of 254.a.b.c, where the 24 bits
   of a, b, and c encode the amount of smear in a 2:22 integer:fraction
   format.  See README.leapsmear and http://bugs.ntp.org/2855 for more
   information.

      *IF YOU CHOOSE TO CONFIGURE NTPD TO PROVIDE LEAP SMEAR TIME*
      *BE SURE YOU DO NOT OFFER THAT TIME ON PUBLIC TIMESERVERS.*

   We've imported the Unity test framework, and have begun converting
   the existing google-test items to this new framework.  If you want
   to write new tests or change old ones, you'll need to have ruby
   installed.  You don't need ruby to run the test suite.

Files:
RevisionActionfile
1.86.2.1modifypkgsrc/net/ntp4/Makefile
1.18.2.1modifypkgsrc/net/ntp4/PLIST
1.21.2.1modifypkgsrc/net/ntp4/distinfo