News from 2009-01-08
Software: New NTP Version for Windows (4.2.4p6) - Security Update
A simple automatic update mechanism optionally allows to simply replace the binaries of an installed NTP version. This is detected when the installer starts and can be safely selected for 4.2.4p5 installations. Older NTP versions should be removed before the new NTP 4.2.4p6 version is installed. Uninstalling the existing version can be performed by the installer as well and will be offered if the user does not want to use the simple binaries replacement approach.
The original announcement of the new NTP version has been published as follows:
Redwood City, CA - 2009/01/08 - The NTP Public Services Project (http://support.ntp.org/) is pleased to announce that NTP 4.2.4p6, a Point Release of the NTP Reference Implementation from the NTP Project, is now available at http://www.ntp.org/downloads.html and http://support.ntp.org/download.
This release fixes oCERT.org's CVE-2009-0021, a vulnerability affecting the OpenSSL library relating to the incorrect checking of the return value of EVP_VerifyFinal function.
Credit for finding this issue goes to the Google Security Team for finding the original issue with OpenSSL, and to ocert.org for finding the problem in NTP and telling us about it.
This is a recommended upgrade. The file-size of this Point Release is 3443787 bytes. An MD5 sum of this release is available at http://www.ntp.org/downloads.html and http://support.ntp.org/download.
Please report any bugs, issues, or desired enhancements at http://bugs.ntp.org/.
The NTP (Network Time Protocol) Public Services Project, which is hosted by Internet Systems Consortium, Inc. (http://www.isc.org/), provides support and additional development resources for the Reference Implementation of NTP produced by the NTP Project (http://www.ntp.org/).
Please note that the mentioned MD5 checksum as well as the download links in the announcement refer to the source distribution of NTP and do not apply for the ready-to-run prebuilt binary version included in the Meinberg NTP installer. Questions concerning the update or the use of the reference implementation of NTP for time synchronization of Windows machines can be sent to ntp-support@meinberg.de.
The download link for the NTP installer can be found on the Meinberg NTP Download page.