Re: wheezy update of ntp? (was: squeeze update of ntp?)
On Wed, Jun 01, 2016 at 07:23:22AM +0200, Santiago Ruano Rincón wrote:
>
> I have picked your patches (I hope all of them) from the svn to build a
> test package, and have also taken a look at remaining issues. I could
> only "backport" the fix for CVE-2016-1551, the refclock
> impersonation.

Svn still doesn't contain all the ones I have. Still didn't have time.

Kurt
Re: wheezy update of ntp? (was: squeeze update of ntp?)
Hi Kurt,

On 18/05/16 at 23:20, Kurt Roeckx wrote:
> On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> > On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > > There are 22 open, some of which are marked as non-important. Of
> > > the new ones some should probably also be marked as such.
> >
> > I did so with CVE-2015-8158 as it affects only ntpq under very specific
> > conditions and the impact is minor (it hangs).
>
> There are also some things that you need to be authenticated for,
> which is at least a non-default config. I consider all of those to
> be non-important.
>
> > > I've spent several hours during the weekend going over commits in
> > > bitkeeper. But as usual, it's all a big mess. I have 10 issues
> > > fixed in svn. I also have 7 files with the patches in as they
> > > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> > > version yet, so I have no idea what the state of those patches
> > > is. Then there also seem to be at least 2 other bug fixes that
> > > appear to be security issues but that didn't get a CVE.
> > ...
> I suggest that you at least let me finish the patches I started
> on.
>

I have picked your patches (I hope all of them) from the svn to build a
test package, and have also taken a look at remaining issues. I could
only "backport" the fix for CVE-2016-1551, the refclock impersonation.

For https://security-tracker.debian.org/tracker/CVE-2016-1547, I am not
sure that it affects 4.2.6.

I haven't found the fix for the Sybil attack
https://security-tracker.debian.org/tracker/CVE-2016-1549

The fix for https://security-tracker.debian.org/tracker/CVE-2016-2517
requires a 4.2.8 ntp_keyacc.h, and I think it could be marked as
non-important too.

And the fix for https://security-tracker.debian.org/tracker/CVE-2016-2519
requires more study.

A debdiff is attached. These are the changes from the changelog entry:

[Kurt Roeckx]
* Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
* Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
  dereference, stack overflow and overfull reply buffers by flawns in
  restrict list processing.
* Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
  authenticated broadcast mode.
* Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
* Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
  interleaved mode with spoofed packets.
* Fix CVE-2016-1550: Timing attack for authenticated packets.
* Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
  unconfig directives.
* Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted
  addpeer.
.
[Santiago Ruano Rincón]
* Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
  debian/rules: configure with --enable-bug3020-fix.

And the package is available at:
https://people.debian.org/~santiago/debian/santiago-wheezy/ntp_4.2.6.p5+dfsg-2+deb7u7~3.dsc

and at the repo:
deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Please, tell me if I could do anything else to help you handling this
package. AFAIK, you want to upload it :)

I hope this is useful,

Santiago

diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog --- ntp-4.2.6.p5+dfsg/debian/changelog 2015-10-28 21:05:59.0 +0100 +++ ntp-4.2.6.p5+dfsg/debian/changelog 2016-06-01 00:43:58.0 +0200
@@ -1,3 +1,29 @@ +ntp (1:4.2.6.p5+dfsg-2+deb7u7~3) santiago-wheezy; urgency=medium + + * Team upload + + [Kurt Roeckx] + * Fix CVE-2015-7974: ntp_proto: Verify peer key ID. + * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer +dereference, stack overflow and overfull reply buffers by flawns in +restrict list processing. + * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on +authenticated broadcast mode. + * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp. + * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric +interleaved mode with spoofed packets. + * Fix CVE-2016-1550: Timing attack for authenticated packets. + * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on +unconfig directives. + * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted +addpeer. + + [Santiago Ruano Rincón] + * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation. +debian/rules: configure with --enable-bug3020-fix. + + -- Santiago Ruano RincónTue, 31 May 2016 19:38:12 +0200 + ntp (1:4.2.6.p5+dfsg-2+deb7u6) wheezy-security; urgency=medium * Fix errors in previous changelog entry diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch --- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch2015-10-23 20:11:01.0 +0200
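Review bot: The header of the new debian/changelog entry targets the distribution santiago-wheezy with version 1:4.2.6.p5+dfsg-2+deb7u7~3, while the entry directly below it targets wheezy-security; as written this is only suitable for the personal test repository, and the entry that is actually uploaded needs the distribution set to wheezy-security and the ~3 test suffix dropped from the version. In the CVE-2015-7977/CVE-2015-7978 item, "flawns" should read "flaws". The CVE-2016-1551 item says debian/rules now configures with --enable-bug3020-fix, but no debian/rules hunk is visible in this part of the debdiff, so that change should be confirmed to be present, since the item implies the fix is only active when the option is passed to configure.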
Re: [pkg-ntp-maintainers] squeeze update of ntp?
On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> There are 22 open, some of which are marked as non-important. Of
> the new ones some should probably also be marked as such.

I did so with CVE-2015-8158 as it affects only ntpq under very specific
conditions and the impact is minor (it hangs).

> I've spent several hours during the weekend going over commits in
> bitkeeper. But as usual, it's all a big mess. I have 10 issues
> fixed in svn. I also have 7 files with the patches in as they
> apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> version yet, so I have no idea what the state of those patches
> is. Then there also seem to be at least 2 other bug fixes that
> appear to be security issues but that didn't get a CVE.

I tried to go through a few CVEs myself, and I must say I admire your
courage. It seems like a really confusing tangled mess up there in NTP
land, really scary stuff and really hard to triage.

I assume that, since both wheezy and jessie share the same version
number, the same package can be uploaded for both? Or are there
significant changes between those two?

I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
and get it over with. I certainly don't feel like I have the courage to
go through all of those.

I am sorry I can't help any further than this for now...

A.

--
Imagine a world in which every single person on the planet is given
free access to the sum of all human knowledge.
- Jimmy Wales, co-founder of Wikipedia
Re: [pkg-ntp-maintainers] squeeze update of ntp?
On Wed, May 18, 2016 at 01:24:37PM -0400, Antoine Beaupré wrote:
> On 2016-02-13 05:49:24, Kurt Roeckx wrote:
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> >> Hello dear maintainer(s),
> >>
> >> The Debian LTS team would like to fix the security issues which are
> >> currently open in the Squeeze version of ntp:
> >> https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I was under the impression that squeeze LTS support ended?
> >
> >> Would you like to take care of this yourself?
> >>
> >> Note that all of the squeeze-relevant issues are still open in the
> >> "newer" Debian releases (wheezy through sid).
> >
> > I'm waiting for upstream to actually fix things. I estimate it's
> > going to take 2 months.
>
> Hi!
>
> That two months delay seems to have expired now. Do you need help
> backporting patches to wheezy?

I need help getting them into jessie in the first place. It should
normally be trivial to also get them in wheezy in that case.

> I count around 9 issues still pending in the security tracker for ntp,
> some of them being new since this was last discussed. Those are the
> issues currently pending:

There are 22 open, some of which are marked as non-important. Of
the new ones some should probably also be marked as such.

I've spent several hours during the weekend going over commits in
bitkeeper. But as usual, it's all a big mess. I have 10 issues
fixed in svn. I also have 7 files with the patches in as they
apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
version yet, so I have no idea what the state of those patches
is. Then there also seem to be at least 2 other bug fixes that
appear to be security issues but that didn't get a CVE.

Kurt
squeeze update of ntp?
Hello dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/source-package/ntp

Would you like to take care of this yourself?

Note that all of the squeeze-relevant issues are still open in the
"newer" Debian releases (wheezy through sid). It would be nice to know
if you have planned some work on these to avoid duplication.

The LTS workflow is defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Damyan Ivanov,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
Re: [pkg-ntp-maintainers] squeeze update of ntp?
On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> Hello dear maintainer(s),
>
> The Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/source-package/ntp

I was under the impression that squeeze LTS support ended?

> Would you like to take care of this yourself?
>
> Note that all of the squeeze-relevant issues are still open in the
> "newer" Debian releases (wheezy through sid).

I'm waiting for upstream to actually fix things. I estimate it's
going to take 2 months.

They're all not that important.

Kurt
Re: [pkg-ntp-maintainers] squeeze update of ntp?
-=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> > Hello dear maintainer(s),
> >
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of ntp:
> > https://security-tracker.debian.org/tracker/source-package/ntp
>
> I was under the impression that squeeze LTS support ended?

Ends on 29 February. See
https://lists.debian.org/debian-announce/2016/msg2.html

> > Note that all of the squeeze-relevant issues are still open in the
> > "newer" Debian releases (wheezy through sid).
>
> I'm waiting for upstream to actually fix things. I estimate it's
> going to take 2 months.

When this happens, do you plan to do a wheezy-lts upload too? (wheezy
will gain LTS support in March).

BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron
job is part of debian/. In case you missed it, there is a patch for it
at
http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

> They're all not that important.

Cheers,
dam
Re: [pkg-ntp-maintainers] squeeze update of ntp?
On Sat, Feb 13, 2016 at 03:55:31PM +, Damyan Ivanov wrote:
> -=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> > > Hello dear maintainer(s),
> > >
> > > The Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of ntp:
> > > https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I was under the impression that squeeze LTS support ended?
>
> Ends on 29 February. See
> https://lists.debian.org/debian-announce/2016/msg2.html
>
> > > Note that all of the squeeze-relevant issues are still open in the
> > > "newer" Debian releases (wheezy through sid).
> >
> > I'm waiting for upstream to actually fix things. I estimate it's
> > going to take 2 months.
>
> When this happens, do you plan to do a wheezy-lts upload too? (wheezy
> will gain LTS support in March).

Yes.

> BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron
> job is part of debian/. In case you missed it, there is a patch for it
> at
> http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

Nobody seems to have informed me about this ... At first look this
also doesn't seem that important.

Kurt
squeeze update of ntp?
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/CVE-2015-1798
https://security-tracker.debian.org/tracker/CVE-2015-1799
https://security-tracker.debian.org/tracker/TEMP-000-C29A8D

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

--
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150410210547.ga18...@home.ouaza.com
Re: squeeze update of ntp?
On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> Hello dear maintainer(s),
>
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/CVE-2015-1798
> https://security-tracker.debian.org/tracker/CVE-2015-1799
> https://security-tracker.debian.org/tracker/TEMP-000-C29A8D
>
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

You really don't have patience do you?

Kurt
Re: squeeze update of ntp?
Hi,

On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> > Would you like to take care of this yourself? We are still understaffed so
> > any help is always highly appreciated.
>
> You really don't have patience do you?

I do, but contacting maintainers is just part of the workflow of CVE
triage we defined for Debian LTS. Sorry if this mail bothered you.

Is there a way to do it that would have been better received on your side?

And thanks again for caring about Squeeze!

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
Re: squeeze update of ntp?
On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
> Hi,
>
> On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> > On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> > > Would you like to take care of this yourself? We are still understaffed so
> > > any help is always highly appreciated.
> >
> > You really don't have patience do you?
>
> I do, but contacting maintainers is just part of the workflow of CVE
> triage we defined for Debian LTS. Sorry if this mail bothered you.
>
> Is there a way to do it that would have been better received on your side?

The upload to unstable (and wheezy) only happened a few hours ago
because I didn't have time before.

Kurt
Re: squeeze update of ntp?
On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
> > I do, but contacting maintainers is just part of the workflow of CVE
> > triage we defined for Debian LTS. Sorry if this mail bothered you.
> >
> > Is there a way to do it that would have been better received on your side?
>
> The upload to unstable (and wheezy) only happened a few hours ago
> because I didn't have time before.

OK, but my mail was not triggered by either upload. It just happened that
I was going through the list of open CVE in squeeze and adding packages
that were in need of an update to dla-needed.txt.

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/