Fixes the following CVEs:
Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
Reported by Matt Street and others of Cisco ASIG
Bug 3012 / CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
Reported by Matthew Van Gundy of Cisco ASIG
Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked
Reported by Yihan Lian of the Cloud Security Team, Qihoo 360
Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG
Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY
Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG
Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
Reported by Michael Tatarinov, NTP Project Developer Volunteer
Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks
Reported by Jonathan Gardner of Cisco ASIG
Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing
Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
Signed-off-by: Peter Wagner <tripolar@gmx.at>
Seems ntpdate also requires this lib:
```
Package ntpdate is missing dependencies for the following libraries:
libcap.so.2
make[2]: *** [/store/buildbot/slave/ar71xx/build/bin/ar71xx/packages/packages/ntpdate_4.2.8p4-1_ar71xx.ipk] Error 1
make[2]: Leaving directory `/store/buildbot/slave/ar71xx/build/feeds/packages/net/ntpd'
```
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
The ntpd package ships autoconf macros which attempt to test for the C99
compliance of `snprintf()` and `vsnprintf()`.
Those macros unconditionally consider the functions not compliant in a cross
compile setting and therfore break all subsequent configure tests because
the `snprintf` and `vsnprintf` symbols are shadowed with `#define` directives
redirecting them to their respectiv gnulib replacements.
The fortify source headers in turn will `#undef` those defines when wrapping
the associated functions and therfore cause all `conftest` programs to emit
a failure.
Pass the required magic autoconf cache variables via `CONFIGURE_VARS` to let
`./configure` assume C99 compliance of the affected functions, thus fixing
the build.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
recent changes in trunk allow us to specify the userid inside the openwrt makefile.
the info is stored int he meta data of the IPK contorl file and users are generated
by the new generic postinst trigger.
Signed-off-by: John Crispin <blogic@openwrt.org>
Peter Wagner
Alexandru Ardelean
Jo-Philipp Wich
Christian Pointner
Nicolas Thill
Ian Leonard
Michael Heimpold
John Crispin
Steven Barth
Etienne CHAMPETIER