[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security update of ntp

Hi Kurt

Thanks a lot for a quick and good answer. Will mark it as unaffected in wheezy too then.

Best regards

// Ola

On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx <kurt@roeckx.be> wrote:
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
> As a member of the LTS team I have started to look into a ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
> Or alternatively that you know it is a non-issue already.
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp <not-affected> (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical.
They have the same upstream source and should have the same
patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
and so we're not affected by what the upstream patch broke.


 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /

Reply to: