Re: ntp security update
On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix he
> recently announced issues. Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> Would you be willing to review this package?
> I noticed that you entirely reverted the upstream patch that was
> supposed to fix CVE-2015-7704 and -7705, and then applied a different
> fix for -7704. I think this means -7705 isn't fixed in sid, though the
> security tracker currently says it is. Who's right?
I can't seem to be getting much information out of anything from
upstream. Lots of things don't seem to be affecting the 4.2.6
From what I currently understand the following don't apply to the
CVE-2015-7871 (unless you patch it first)
You seem to be right that we're affected by CVE-2015-7705 now,
which Red Hat also doesn't seem to have fixed because they don't
enable rate limiting. I actually enabled this in 4.2.8p3+dfsg-1
for some reason.