Release notes for Firmware 11 - Powered by Kayako Help Desk Software

Knowledgebase

1Whitepapers 52Network Time Servers (NTS) 8Time Servers (TS) 7Atomic Clocks (AC) 6Digital Clocks

Knowledgebase: Network Time Servers (NTS) > NTS-6002

Release notes for Firmware 11

Posted by Uzair A., Last modified by Uzair A. on 18 July 2017 10:34

Firmware 11#10

Release Date: 14/12/2016

Fixed a potential issue when calculating delay with radio clocks (MSF, DCF, WWVB)
Updated the leap-seconds.list to account for the upcoming leap second
Updated Nginx to 1.10.2
Updated PHP to 7.0.14
Updated OpenSSH to 7.3p1
Updated OpenSSL to 1.0.2j
Updated the Linux kernel

NTP has been updated to 4.2.8p9 which has the following fixes:

Sec 3119 / CVE-2016-9311: Trap crash
Sec 3118 / CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector
Sec 3114 / CVE-2016-7427: Broadcast Mode Replay Prevention DoS
Sec 3113 / CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
Sec 3110 / CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
Sec 3102 / CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
Sec 3082 / CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
Sec 3072 / CVE-2016-7429: Interface selection attack
Sec 3071 / CVE-2016-7426: Client rate limiting and server responses
Sec 3067 / CVE-2016-7433: Reboot sync calculation problem

Firmware 11#9

Release Date: 14/06/2016

Updated the SSL ciphers used by the web server to be more up-to-date
Fixed an issue with IPv6 connectivity to the web interface
Hostname added to eth0 + eth1 + bond
Fixed the Dashboard showing a network speed of -1 Mbps when an interface is not configured
Added verification of SSL certificate to ensure the certificate is valid for the server
Updated NTP to 4.2.8p
Updated nginx to 1.10.1
Updated PHP to 7.0.7
Updated OpenSSL to 1.0.2h
Updated the Linux kernel

Firmware 11#8

Release Date: 20/04/2016

Fixed a security issue where the ping and traceroute fields could execute code on the server
Fixed a rare issue where some users were not able to login to SSH
Updated PHP to 5.6.20
Updated OpenSSL to 1.0.2g
Updated OpenSSH to 7.2p2

Firmware 11#7

Release Date: 10/02/2016

OpenSSL has been updated to 1.0.2f
An issue was found in DCF and WWVB where, in some rare cases, the unit would not synchronise.

NTP has been updated to 4.2.8p6 which has the following fixes:

Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq
Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass
Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference
Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
Bug 2937 / CVE-2015-7975: nextvar() missing length check
Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers
Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode

Additionally, mitigations are published for the following two issues:

Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks
Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin

Firmware 11#6

Release Date: 18/01/2016

Fixed a bug where users were not able to set the gateway for the second network card if both were in use.
Fixed a bug where users were not able to use the backslash (\) character in NTP keys.
Fixed an issue where the display could stop displaying messages.
Fixed a rare issue where the web interface would show ‘Unsynchronised’ when it actually was synchronised.
Fixed an issue with Radio-Only (MSF, DCF, WWVB), units falling out of sync and not resynchronising.
Under Software Versions, the full firmware version is displayed.
Updated OpenSSH to 7.1p2
Updated OpenSSL to 1.0.2e
Updated PHP to 5.6.16

Updated NTP to 4.2.8p5 which has the following fixes:

NTF's NTP Project has been notified of the following 1 medium-severity vulnerability that is fixed in ntp-4.2.8p5, released on Thursday, 7 January 2016:

NtpBug2956: Small-step/Big-step CVE-2015-5300
Bug #2829 Clean up pipe_fds in ntpd.c
Bug #2887 Stratum -1 config results as showing value 99.
Bug #2944 Errno is not preserved properly in ntpdate after sendto call.
Bug #2952 Peer associations were broken by the fix for NtpBug2901 CVE-2015-7704
Bug #2954 Version 4.2.8p4 crashes on startup on some OSes.
Bug #2957 'Unsigned int' vs 'size_t' format clash.
Bug #2958 NTPQ: fatal error messages need a final newline.
Bug #2965 Local clock didn't work since 4.2.8p4.
Bug #2967 'Ntpdate' command suffers an assertion failure
Bug #2969 Seg fault from ntpq/mrulist when looking at server with lots of clients.
Bug #2971 NTPQ bails on ^C: select fails: Interrupted system call
Bug #2962 truncation of size_t/ptrdiff_t on 64bit targets.

(7 vote(s))

Helpful

Not helpful

Comments (0)

Post a new comment Reply to comment
Post a new comment Reply to comment

Full Name:
Email:
Comments:

CAPTCHA Verification
CAPTCHA Verification

Please complete the below captcha challenge (we use this to prevent automated submissions).

Help Desk Software by Kayako