There was a hiccup or two along the way, but in essence we have a new - stable release, 4.2.6, and will soon see the first 4.2.7 -dev release. If you look at the distribution points right now, there is a ntp-4.2.6-RC.tar.gz. I expect within a day there will also be a ntp-4.2.6.tar.gz, differing only in the version's -RC suffix (which is replicated into quite a few files), as the final 4.2.6 version text without -RC is now at the head of ntp-stable.
While I'm jumping the gun as the official 4.2.6 announcement and tarball hasn't come, thanks to everyone who reported bugs, provided or verified fixes, or otherwise help nudge NTP towards its first major release in three years. I have uploaded x86 Windows binaries for 4.2.6 to my website. Regarding CVE-2009-3563 patched yesterday [1], versions of 4.2.4 through p7 are vulnerable, as are all versions of 4.2.5. The fix first appears in 4.2.4p8 and 4.2.6. The crux of the bug was responding to mode 7 responses with an error response. When triggered between two ntpd servers, or in some cases with a single server talking to itself, the ntpd processes would run away transmitting packets and logging a message for each as fast as conditions permitted, until something dropped a packet. When I first reproduced it, syslog helpfully collapsed a quarter-million identical log lines into one for me. Cheers, Dave Hart [1] http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode _______________________________________________ questions mailing list questions@lists.ntp.org https://lists.ntp.org/mailman/listinfo/questions
