
Re: ntp security update



On Sun, Oct 25, 2015 at 11:19:03AM +0100, Kurt Roeckx wrote:
> On Sun, Oct 25, 2015 at 01:30:18PM +0900, Ben Hutchings wrote:
> > I've looked through the upstream repository for the patches that fix the
> > recently announced issues.  Quite a few of them turned out not to apply
> > to squeeze, or the newer stable releases, and I've updated the security
> > tracker accordingly.
> > 
> > I backported the remaining fixes as best I can, and uploaded the source
> > package to:
> > https://people.debian.org/~benh/packages/squeeze-lts/
> > 
> > Would you be willing to review this package?
> > 
> > I noticed that you entirely reverted the upstream patch that was
> > supposed to fix CVE-2015-7704 and -7705, and then applied a different
> > fix for -7704.  I think this means -7705 isn't fixed in sid, though the
> > security tracker currently says it is.  Who's right?
> 
> I can't seem to be getting much information out of anything from
> upstream.  Lots of things don't seem to be affecting the 4.2.6
> version.
> 
> From what I currently understand the following don't apply to the
> 4.2.6 versions:
> CVE-2015-5196

So it seems they renamed CVE-2015-5196 to CVE-2015-7703.  Your
patch probably makes sense and I should get that fixed in jessie
and wheezy too.

I'm just wondering why you didn't move the T_Pidfile like upstream
did, that part seems to apply.

(I have to go now, will look at it later again.)



Kurt

