Re: Security update of ntp

To: Ola Lundqvist <ola@inguza.com>
Cc: Debian LTS <debian-lts@lists.debian.org>
Subject: Re: Security update of ntp
From: Kurt Roeckx <kurt@roeckx.be>
Date: Mon, 8 Aug 2016 18:30:44 +0200
Message-id: <[🔎] 20160808163044.GA4657@roeckx.be>
In-reply-to: <[🔎] CABY6=0k8JshV0PLPMsumX8SWtqgAOb+G0jD1rSwiWRjPo9jAtA@mail.gmail.com>
References: <[🔎] CABY6=0k8JshV0PLPMsumX8SWtqgAOb+G0jD1rSwiWRjPo9jAtA@mail.gmail.com>

On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
> 
> As a member of the LTS team I have started to look into a ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
> 
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
> 
> Or alternatively that you know it is a non-issue already.
> 
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp <not-affected> (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
> 
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
> 
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical.
They have the same upstream source and should have the same
patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
and so we're not affected by what the upstream patch broke.


Kurt

Reply to:

Follow-Ups:
- Re: Security update of ntp
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Security update of ntp
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Security update of ntp
Next by Date: Re: Security update of ntp
Previous by thread: Security update of ntp
Next by thread: Re: Security update of ntp
Index(es):
- Date
- Thread