r29 - 28 Jul 2008 - 01:14:34 - SteveKosteckeYou are here: NTP >  Main Web > SoftwareDownloads

Software Downloads

Current versions of NTP

Release Version Date Download ChangeLog
Stable 4.2.6 2009/12/12 ftp/md5 http/md5 ftp http
Release Candidate 4.2.6p1-RC5 2010/02/09 ftp/md5 http/md5 ftp http
Development 4.2.7p18 2010/02/07 ftp/md5 http/md5 ftp http

Feed for: Current versions of NTP

Information and other download links

Stable Release NEWS

NTP 4.2.6 (Harlan Stenn <stenn@ntp.org>, 2009/12/12)

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

  • [Sec 1331] DoS with mode 7 packets - CVE-2009-3563.
See http://support.ntp.org/security for more information.

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address which is not listed in a restrict ... noquery or restrict ... ignore statement, ntpd will reply with a mode 7 error response (and log a message). In this case:

  • If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

  • If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, A will respond to itself endlessly, consuming CPU and logging excessively.

Credit for finding this vulnerability goes to Robin Park and Dmitri Vinokurov of Alcatel-Lucent.

ALERT! This is a strongly recommended upgrade.

more Complete NEWS file
more Complete Change Log

About the NTP Source Releases and Patches

The NTP (R&D) Project only produces source code releases of NTP; users needing precompiled versions of NTP should see the links page. These releases may be installed using the standard Unix "make" command in conjunction with a compiler and all necessary libraries.

Please contact your operating system vendor for binary packages or assistance with your package-management system.

IDEA! The NTP version numbering page explains the version numbering scheme.

NTP Archives from the NTP (R&D) Project at www.ntp.org

Tarballs (for both the release and development versions) and patch files are available from the:

Obsolete versions of NTP are available from the:

ALERT! Access to the FTP archive is restricted; incoming connections from certain IP addresses are blocked by the organization hosting the NTP (R&D) Project archives. Please try the HTTP archive if you are unable to access the FTP archive.

Precompiled packages and ports to other operating systems

Third-party implementations, including pre-compiled versions for operating systems such as Microsoft Windows, and some ports of the NTP package are linked to on the links page.

Receiving Notifications about new releases

Please visit ReleaseNotifications for more information about the many options available for receiving notifications about new NTP releases.

Edit | Attach | Printable | Raw View | Backlinks: Web, All Webs | History: r29 < r28 < r27 < r26 < r25 | More topic actions
 
NTP Public Services Project
SSL security by CAcert
Get the CAcert Root Certificate
This site is powered by the TWiki collaboration platformCopyright © 1999-2010 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding the site? Send feedback