Re: ntp security update
On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> I've looked through the upstream repository for the patches that fix the
> recently announced issues. Quite a few of them turned out not to apply
> to squeeze, or the newer stable releases, and I've updated the security
> tracker accordingly.
>
> I backported the remaining fixes as best I can, and uploaded the source
> package to:
> https://people.debian.org/~benh/packages/squeeze-lts/
>
> Would you be willing to review this package?
>
> I noticed that you entirely reverted the upstream patch that was
> supposed to fix CVE-2015-7704 and -7705, and then applied a different
> fix for -7704. I think this means -7705 isn't fixed in sid, though the
> security tracker currently says it is. Who's right?
I can't seem to be getting much information out of anything from
upstream. Lots of things don't seem to be affecting the 4.2.6
version.
From what I currently understand the following don't apply to the
4.2.6 versions:
CVE-2015-5196
CVE-2015-7848
CVE-2015-7849
CVE-2015-7854
CVE-2015-7855
CVE-2015-7871 (unless you patch it first)
You seem to be right that we're affected by CVE-2015-7705 now,
which redhat also doesn't seem to have fixed because they don't
enable rate limiting. I actually enabled this in 4.2.8p3+dfsg-1
for some reason.
Kurt
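Since the thread turns on whether a given build "enables rate limiting", here is a small check, added as an example and not taken from the thread or from the Debian ntp package, that tells you whether an ntp.conf turns ntpd's rate limiting on. It assumes (as for ntpd 4.2.6 and 4.2.8) that rate limiting is switched on by the `limited` flag on a `restrict` line; the two sample configurations are constructed for the example and are not any real host's configuration.

```shell
#!/bin/sh
# Added example: report whether an ntp.conf enables ntpd rate limiting.
# Assumption: rate limiting is enabled by the "limited" flag on a "restrict"
# line (ntpd 4.2.6 / 4.2.8 semantics); "kod" alone only changes the reply type.

# Reads an ntp.conf on stdin. Returns 0 (true) when at least one
# non-comment "restrict" line carries the "limited" flag, 1 otherwise.
ntp_rate_limiting_enabled() {
    sed 's/#.*//' \
      | grep -E '^[[:space:]]*restrict[[:space:]]' \
      | grep -Ew 'limited' >/dev/null
}

# Constructed sample A: default restriction with rate limiting on.
CONF_LIMITED='driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1'

# Constructed sample B: same restrictions without "limited"; the only
# occurrence is commented out and must not count.
CONF_OPEN='driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery
# restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1'

# Human-readable wrapper: prints "on" or "off" for a config passed on stdin.
describe_rate_limiting() {
    if ntp_rate_limiting_enabled; then
        echo on
    else
        echo off
    fi
}

printf 'sample A rate limiting: %s\n' "$(printf '%s\n' "$CONF_LIMITED" | describe_rate_limiting)"
printf 'sample B rate limiting: %s\n' "$(printf '%s\n' "$CONF_OPEN" | describe_rate_limiting)"
```

To check a live system, run `ntp_rate_limiting_enabled < /etc/ntp.conf`; a zero exit status means the server will send rate-limit responses, which is the configuration the thread describes as exposed to CVE-2015-7705.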