On 2016-02-13 05:49:24, Kurt Roeckx wrote:
> On Sat, Feb 13, 2016 at 10:06:23AM +0000, Damyan Ivanov wrote:
>> Hello dear maintainer(s),
>> 
>> The Debian LTS team would like to fix the security issues which are
>> currently open in the Squeeze version of ntp:
>> https://security-tracker.debian.org/tracker/source-package/ntp
>
> I was under the impression that squeeze LTS support ended?
>
>> Would you like to take care of this yourself?
>> 
>> Note that all of the squeeze-relevant issues are still open in the 
>> "newer" Debian releases (wheezy through sid).
>
> I'm waiting for upstream to actually fix things.  I estimate it's
> going to take 2 months.

Hi!

That two-month delay seems to have expired now. Do you need help
backporting patches to wheezy?

I count around 9 issues still pending in the security tracker for ntp,
some of them being new since this was last discussed. Those are the
issues currently pending:

CVE-2016-2519   vulnerable      vulnerable      fixed   fixed   ctl_getitem() return value not always checked
CVE-2016-2518   vulnerable      vulnerable      fixed   fixed   Crafted addpeer with hmode > 7 causes out-of-bounds reference
CVE-2016-2517   vulnerable      vulnerable      fixed   fixed   Remote configuration trustedkey/requestkey/controlkey values are not properly validated
CVE-2016-2516   vulnerable      vulnerable      fixed   fixed   Duplicate IPs on unconfig directives will cause an assertion failure
CVE-2016-1551   vulnerable      vulnerable      fixed   fixed   Refclock packets can come from the network
CVE-2016-1550   vulnerable      vulnerable      fixed   fixed   Timing attack for authenticated packets
CVE-2016-1549   vulnerable      vulnerable      fixed   fixed   Sybil attack with trustedkey
CVE-2016-1548   vulnerable      vulnerable      fixed   fixed   Change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.
CVE-2016-1547   vulnerable

Thanks in advance!

a.

-- 
Be who you are and say what you feel
Because those who mind don't matter
And those who matter don't mind.
                         - Dr. Seuss
