
Re: [pkg-ntp-maintainers] squeeze update of ntp?



On 2016-02-13 05:49:24, Kurt Roeckx wrote:
> On Sat, Feb 13, 2016 at 10:06:23AM +0000, Damyan Ivanov wrote:
>> Hello dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of ntp:
>> https://security-tracker.debian.org/tracker/source-package/ntp
>
> I was under the impression that squeeze LTS support ended?
>
>> Would you like to take care of this yourself?
>> 
>> Note that all of the squeeze-relevant issues are still open in the 
>> "newer" Debian releases (wheezy through sid).
>
> I'm waiting for upstream to actually fix things.  I estimate it's
> going to take 2 months.

Hi!

That two-month delay seems to have expired now. Do you need help
backporting patches to wheezy?

I count around 9 issues still pending in the security tracker for ntp,
some of them being new since this was last discussed. Those are the
issues currently pending:

CVE-2016-2519	vulnerable	vulnerable	fixed	fixed	ctl_getitem() return value not always checked
CVE-2016-2518	vulnerable	vulnerable	fixed	fixed	Crafted addpeer with hmode > 7 causes out-of-bounds reference
CVE-2016-2517	vulnerable	vulnerable	fixed	fixed	Remote configuration trustedkey/requestkey/controlkey values are not properly validated
CVE-2016-2516	vulnerable	vulnerable	fixed	fixed	Duplicate IPs on unconfig directives will cause an assertion failure
CVE-2016-1551	vulnerable	vulnerable	fixed	fixed	Refclock packets can come from the network
CVE-2016-1550	vulnerable	vulnerable	fixed	fixed	Timing attack for authenticated packets
CVE-2016-1549	vulnerable	vulnerable	fixed	fixed	Sybil attack with trustedkey
CVE-2016-1548	vulnerable	vulnerable	fixed	fixed	Change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.
CVE-2016-1547	vulnerable

Thanks in advance!

a.

-- 
Be who you are and say what you feel
Because those who mind don't matter
And those who matter don't mind.
                         - Dr. Seuss

