Q: Snow Leopard users: Turn off automatic date and time in System Preferences immediately

Things have moved to 4.2.8p1-RC1

---

(4.2.8p1-RC1) 2015/01/24 Released by Harlan Stenn <stenn@ntp.org>

* Start the RC for 4.2.8p1.

* [Bug 2187] Update version number generation scripts.

* [Bug 2617] Fix sntp Usage documentation section.

* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

* [Bug 2736] Show error message if we cannot open the config file.

* Copyright update.

* Fix the package name.

---

(4.2.8p1-beta5) 2015/01/07 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 2728] Work around C99-style structure initialization code

  for older compilers, specifically Visual Studio prior to VS2013.

* [Bug 2695] Windows build: __func__ not supported under Windows.

---

(4.2.8p1-beta4) 2015/01/04 Released by Harlan Stenn <stenn@ntp.org>

* Fix a regression introduced to timepps-Solaris.h as part of:

  [Bug 1206] Required compiler changes for Windows

  (4.2.5p181) 2009/06/06

* [Bug 1084] PPSAPI for ntpd on Windows with DLL backends

* [Bug 2695] Build problem on Windows (sys/socket.h).

* [Bug 2715] mdnstries option for ntp.conf from NetBSD.

---

(4.2.8p1-beta3) 2015/01/02 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 2627] shm refclock allows only two units with owner-only access

  Use mode bit 0 to select public access for units >= 2 (units 0 & 1 are

  always private.

* [Bug 2681] Fix display of certificate EOValidity dates on 32-bit systems.

* [Bug 2695] 4.2.8 does not build on Windows.

* [bug 2700] mrulist stopped working in 4.2.8.

* [Bug 2706] libparse/info_trimble.c build dependencies are broken.

* [Bug 2713] variable type/cast, parameter name, general cleanup from NetBSD.

* [Bug 2714] libevent may need to be built independently of any build of sntp.

* [Bug 2715] mdnstries option for ntp.conf from NetBSD.

---

(4.2.8p1-beta2) 2014/12/27 Released by Harlan Stenn <stenn@ntp.org>

* [Bug 2674] Install sntp in sbin on NetBSD.

* [Bug 2693] ntp-keygen doesn't build without OpenSSL and sntp.

* [Bug 2707] Avoid a C90 extension in libjsmn/jsmn.c.

* [Bug 2709] see if we have a C99 compiler (not yet required).

---

(4.2.8p1-beta1) 2014/12/23 Released by Harlan Stenn <stenn@ntp.org>

* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.

* [Bug 2693] ntp-keygen doesn't build without OpenSSL.

* [Bug 2697] IN6_IS_ADDR_LOOPBACK build problems on some OSes.

* [Bug 2699] HAVE_SYS_SELECT_H is misspelled in refclock_gpsdjson.c.

---

(4.2.8) 2014/12/19 Released by Harlan Stenn <stenn@ntp.org>

* [Sec 730] Increase RSA_generate_key modulus.

* [Sec 2666] Use cryptographic random numbers for md5 key generation.

* [Sec 2667] buffer overflow in crypto_recv().

* [Sec 2668] buffer overflow in ctl_putdata().

* [Sec 2669] buffer overflow in configure().

* [Sec 2670] Missing return; from error clause.

* [Sec 2671] vallen in extension fields are not validated.

* [Sec 2672] On some OSes ::1 can be spoofed, bypassing source IP ACLs.

* [Bug 2691] Wrong variable name in refclock_ripencc.c.

Anwar Shiekh wrote:

 

Things have moved to 4.2.8p1-RC1

 

---

(4.2.8p1-RC1) 2015/01/24 Released by Harlan Stenn <stenn@ntp.org>

 

* Start the RC for 4.2.8p1.

* [Bug 2187] Update version number generation scripts.

* [Bug 2617] Fix sntp Usage documentation section.

* [Sec 2672] Code cleanup: On some OSes ::1 can be spoofed...

* [Bug 2736] Show error message if we cannot open the config file.

* Copyright update.

* Fix the package name.

Hmm, they changed a little more that that.  Specifically all the ntp html documentation went from being in /usr/share/doc/ntp4 to the more "standard" (well where Apple always had it) in /usr/share/doc/ntp.  This impacts my script a little.   It installs everything a ntp build creates including the documentation.  I need to go back in to handle this change since it maintains a list of what goes where in order to properly handle installations (by the script and package installers).  It does however produce a conflict which I need to think about.

Thinking out loud...

When I change the script to handle 4.2.8p1-RC1 and presumably what comes beyond will be the same since they are up to a "release candidate" that would mean anything prior to that would have a problem since the previous stuff uses doc/ntp4 and not doc/ntp for its docs.  Or maybe I can have both variants coexist (use doc/ntp4 for all versions up to ntp-4.2.8p1-beta5).  Obviously that's a little bit more work and frankly I am not sure its worth it (other than the initial ever popular 4.2.8 stable release and the script's default couldn't be handled).

By the way, I did notice when I was coding this script, and had a bunch of comments about the fact that it was strange the ntp builds were placing their docs in docs/ntp4 and not docs/ntp (also the man pages in man8 and not man1).  I did even consider just renaming docs/ntp4 to docs/ntp (and also the man pages).  This is in a place were I do final cleanup of a build.  So now that I am thinking of this that looks like a convenient place to handle this change and also let the older builds coexist.  Specifically if see a docs/ntp4 directory just rename it to docs/ntp.  That's just a few lines of change.  But I think I will still leave the man pages alone for the time being.

Stay tuned.

Personally I'd not worry overtly about documentation, but rather plugging this vulnerability in the simplest way possible. A separate installer for 10.5 might be best, without a script to compile the code (I can send you the files you need).

A quote that may amuse

"I will always choose a lazy person to do a difficult job,  because he will find an easy way to do it" - Bill Gates.

[I've bee off doing other things so the script "adjustments" got delayed a little.]

Anwar Shiekh wrote:

 

Personally I'd not worry overtly about documentation, but rather plugging this vulnerability in the simplest way possible. A separate installer for 10.5 might be best, without a script to compile the code (I can send you the files you need).

Sorry but I don't agree.  When I download sources from places like sourceforge, ntp.org, and the like I prefer to build ALL that is built and if I agree with what the install phase creates (I always use configure --prefix to a private directory initially to check and verify what a build and subsequent install would actually install).  I usually don't editorialize too much on what's created.  In my option if it's worth doing, it is worth doing all of it.

In the case of ntp I think you do want the documentation particularly since sampling the ntpd.8 man page.  It was dated "August 2, 2001".  I think that's a bit old considering the current documentation for ntpd.8 is "January 24 2015".  Not only that Apple apparently goofed on 10.6 installs because they installed a duplicate set of man pages in man1 which are even older ("2007-09-10").  I verified they are on my 10.6.4 installer dvd.  That's not even the proper place to have man pages for this stuff.  Man8 is.

At any rate I am not doing anything about the man1 mistake but I believe I solved all my problems with the documentation and other man pages.  So I think I now have a version of my script ready for testing.  It seems to work on my test boot (which I am using as I write this  -- version ntp-4.2.8p1-RC1).  It will be interesting to see how it behaves on 10.5, particularly the handling of ntpd-wrapper.

I posted the script on Zippyshare (a media sharing/file locker site, reasonably fast, no captcha's).  Here's the link:

http://www63.zippyshare.com/v/FyFb7h1i/file.html

It's a zip file which you need to expand.  I made sure that it downloads ok and it appears to keep its permissions across the upload/download.  But in case it doesn't for you change the file to be executable.

Read the man page at the front of the file (hey, maybe you can proof it for me), give it a try, and let me know how it goes.

Thanks in advance.

I should have some time later today; it would actually be a lot easier if you had an email and I didn't need to clutter this forum.

Near the end of the man page (REPORTING BUGS).

Best to take that route till there are results to report.

Is turning automatic updates OFF the quick and easy fix just to have an immediate block to this exploit? That said, even if you had your time to update from Apple, it's still an issue (assming the exploit didn't happen if you had it set elsewhere).

I took the TenFourFox PPC binaries for 10.5 and put them into an installer; seems to work.

http://www.cubeowner.com/forums/index.php?s=&showtopic=14866&view=findpost&p=104 508