
Re: Security update of ntp



Hi Kurt

Thanks a lot for a quick and good answer. Will mark it as unaffected in wheezy too then.

Best regards

// Ola

On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx <kurt@roeckx.be> wrote:
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote:
> Hi Kurt
>
> As a member of the LTS team I have started to look into an ntp security
> update of CVE-2016-4953 mentioned here:
> https://security-tracker.debian.org/tracker/source-package/ntp
>
> I see that you have prepared security updates for Debian wheezy in the past
> so I would like to check with you if you want to do it this time too, or if
> you'd like me to do that for you.
>
> Or alternatively that you know it is a non-issue already.
>
> I can see the following comment about jessie in the security tracker:
> [jessie] - ntp <not-affected> (Fix for CVE-2016-1547 or CVE-2015-7979
> wasn't backported)
>
> But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version
> so I guess it is affected, or?
>
> I have not looked into the details yet as I want to check with you first
> whether you know about this already (I guess you do).

First, the situation for wheezy and jessie should be identical.
They have the same upstream source and should have the same
patches for all security issues.

The fix we use for CVE-2015-7979 is unrelated to the upstream fix,
and so we're not affected by what the upstream patch broke.


Kurt




--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

