4.2.6 Release Announcement

Last update: June 28, 2022 21:06 UTC (1f97faf40)

The NTP Public Services Project is pleased to announce that NTP 4.2.6, a Stable Release of the NTP Reference Implementation from the NTP Project, is now available.

Focus: Security Fixes

Severity: HIGH

This release fixes the following high-severity vulnerability:

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address which is not listed in a restrict ... noquery or restrict ... ignore statement, ntpd will reply with a mode 7 error response (and log a message). In this case:

Credit for finding this vulnerability goes to Robin Park and Dmitri Vinokurov of Alcatel-Lucent.