[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ntp security update

On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix he
> recently announced issues.  Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> https://people.debian.org/~benh/packages/squeeze-lts/
> Would you be willing to review this package?
> I noticed that you entirely reverted the upstream patch that was
> supposed to fix CVE-2015-7704 and -7705, and then applied a different
> fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> security tracker currently says it is.  Who's right?

I can't seem to ge getting much information out of anything from
upstream.  Lots of things don't seem to be affecting the 4.2.6

>From what I currently understand the following don't apply to the
4.2.6 versions:
CVE-2015-7871 (unless you patch it first)

You seem to be right that we're affected by CVE-2015-7705 now,
which redhat also doesn't seem to have fixed because they don't
enable rate limiting.  I actually enabled this in 4.2.8p3+dfsg-1
for some reason.


Reply to: