Re: ntp security update
On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote:
> On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > I've looked through the upstream repository for the patches that fix he
> > recently announced issues. Quite a few of them turned out not to apply
> > to squeeze, or the newer stable releases, and I've updated the security
> > tracker accordingly.
> > I backported the remaining fixes as best I can, and uploaded the source
> > package to:
> > https://people.debian.org/~benh/packages/squeeze-lts/
> > Would you be willing to review this package?
> > I noticed that you entirely reverted the upstream patch that was
> > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > fix for -7704. I think this means -7705 isn't fixed in sid, though the
> > security tracker currently says it is. Who's right?
> I can't seem to ge getting much information out of anything from
> upstream. Lots of things don't seem to be affecting the 4.2.6
> From what I currently understand the following don't apply to the
> 4.2.6 versions:
So it seems they renamed CVE-2015-5196 to CVE-2015-7703. Your
patch probably makes sense and I should get that fixed in jessie
and wheezy too.
I'm just wondering why you didn't move the T_Pidfile like upstream
did, that part seems to apply.
(I have to go now, will look at it later again.)