Re: wheezy update of ntp? (was: squeeze update of ntp?)

2016-06-01 Thread Kurt Roeckx
On Wed, Jun 01, 2016 at 07:23:22AM +0200, Santiago Ruano Rincón wrote:
> 
> I have picked your patches (I hope all of them) from the svn to build a
> test package, and have also taken a look at the remaining issues.  I have
> only been able to "backport" the fix for CVE-2016-1551, the refclock
> impersonation.

Svn still doesn't contain all the ones I have. Still didn't have
time.


Kurt



Re: wheezy update of ntp? (was: squeeze update of ntp?)

2016-05-31 Thread Santiago Ruano Rincón
Hi Kurt,

On 18/05/16 at 23:20, Kurt Roeckx wrote:
> On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> > On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > > There are 22 open, some of which are marked as non-important.  Of
> > > the new ones some should probably also be marked as such.
> > 
> > I did so with CVE-2015-8158 as it affects only ntpq under very specific
> > conditions and the impact is minor (it hangs).
> 
> There are also some things that you need to be authenticated for,
> which is at least a non-default config.  I consider all of those to
> be non-important.
> 
> > > I've spent several hours during the weekend going over commits in
> > > bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
> > > fixed in svn.  I also have 7 files with the patches in as they
> > > apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> > > version yet, so I have no idea what the state of those patches
> > > is.  Then there also seem to be at least 2 other bug fixes that
> > > appear to be security issues but that didn't get a CVE.
> > 

...

> I suggest that you at least let me finish the patches I started
> on.
> 

I have picked your patches (I hope all of them) from the svn to build a
test package, and have also taken a look at the remaining issues.  I have
only been able to "backport" the fix for CVE-2016-1551, the refclock
impersonation.

For https://security-tracker.debian.org/tracker/CVE-2016-1547, I am not
sure that it affects 4.2.6.

I haven't found the fix for the Sybil attack
https://security-tracker.debian.org/tracker/CVE-2016-1549

The fix for https://security-tracker.debian.org/tracker/CVE-2016-2517
requires a 4.2.8 ntp_keyacc.h, and I think it could be marked as
non-important too.

And the fix for https://security-tracker.debian.org/tracker/CVE-2016-2519
requires more study.

A debdiff is attached. These are the changes from the changelog entry:

   [Kurt Roeckx]
   * Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
   * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
 dereference, stack overflow and overfull reply buffers by flaws in
 restrict list processing.
   * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
 authenticated broadcast mode.
   * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
   * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
 interleaved mode with spoofed packets.
   * Fix CVE-2016-1550: Timing attack for authenticated packets.
   * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
 unconfig directives.
   * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted
 addpeer.
 .
   [Santiago Ruano Rincón]
   * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
 debian/rules: configure with --enable-bug3020-fix.

And the package is available at:
https://people.debian.org/~santiago/debian/santiago-wheezy/ntp_4.2.6.p5+dfsg-2+deb7u7~3.dsc

and at the repo:

deb https://people.debian.org/~santiago/debian santiago-wheezy/
deb-src https://people.debian.org/~santiago/debian santiago-wheezy/

Please, tell me if I could do anything else to help you handling this
package. AFAIK, you want to upload it :)

I hope this is useful,

Santiago
diff -Nru ntp-4.2.6.p5+dfsg/debian/changelog ntp-4.2.6.p5+dfsg/debian/changelog
--- ntp-4.2.6.p5+dfsg/debian/changelog  2015-10-28 21:05:59.0 +0100
+++ ntp-4.2.6.p5+dfsg/debian/changelog  2016-06-01 00:43:58.0 +0200
@@ -1,3 +1,29 @@
+ntp (1:4.2.6.p5+dfsg-2+deb7u7~3) santiago-wheezy; urgency=medium
+
+  * Team upload
+
+  [Kurt Roeckx]
+  * Fix CVE-2015-7974: ntp_proto: Verify peer key ID.
+  * Fix CVE-2015-7977 and CVE-2015-7978: ntp_request: null pointer
+dereference, stack overflow and overfull reply buffers by flawns in
+restrict list processing.
+  * Fix CVE-2015-7979: Off-path Denial of Service (DoS) attack on
+authenticated broadcast mode.
+  * Fix CVE-2015-8138: ntp: missing check for zero originate timestamp.
+  * Fix CVE-2016-1548: ntp_proto: DoS attack enabling the symmetric
+interleaved mode with spoofed packets.
+  * Fix CVE-2016-1550: Timing attack for authenticated packets.
+  * Fix CVE-2016-2516: ntp_request: Assertion failure by duplicate IPs on
+unconfig directives.
+  * Fix CVE-2016-2518: ntp_request: Out-of-bounds reference caused by crafted
+addpeer.
+
+  [Santiago Ruano Rincón]
+  * Fix CVE-2016-1551: ntp_io.c: [Sec 3020] Refclock impersonation.
+debian/rules: configure with --enable-bug3020-fix.
+
+ -- Santiago Ruano Rincón   Tue, 31 May 2016 19:38:12 
+0200
+
 ntp (1:4.2.6.p5+dfsg-2+deb7u6) wheezy-security; urgency=medium
 
   * Fix errors in previous changelog entry
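Review bot: the CVE-2015-7977/CVE-2015-7978 item in the new changelog entry reads "flawns in restrict list processing"; that should be "flaws". The entry is also versioned 1:4.2.6.p5+dfsg-2+deb7u7~3 for distribution santiago-wheezy, while the previous entry (deb7u6) targets wheezy-security, so the version suffix and distribution need to be changed before this goes to the archive rather than the test repository.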
diff -Nru ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch 
ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch
--- ntp-4.2.6.p5+dfsg/debian/patches/CVE-2015-7701.patch2015-10-23 
20:11:01.0 +0200

Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-05-18 Thread Antoine Beaupré
On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> There are 22 open, some of which are marked as non-important.  Of
> the new ones some should probably also be marked as such.

I did so with CVE-2015-8158 as it affects only ntpq under very specific
conditions and the impact is minor (it hangs).

> I've spent several hours during the weekend going over commits in
> bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
> fixed in svn.  I also have 7 files with the patches in as they
> apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> version yet, so I have no idea what the state of those patches
> is.  Then there also seem to be at least 2 other bug fixes that
> appear to be security issues but that didn't get a CVE.

I tried to go through a few CVEs myself, and I must say I admire your
courage. It seems like a really confusing tangled mess up there in NTP
land, really scary stuff and really hard to triage.

I assume that, since both wheezy and jessie share the same version
number, the same package can be uploaded for both? Or are there
significant changes between those two?

I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
and get it over with. I certainly don't feel like I have the courage to
go through all of those.

I am sorry I can't help any further than this for now...

A.

-- 
Imagine a world in which every single person on the planet is given
free access to the sum of all human knowledge.
 - Jimmy Wales, co-founder of Wikipedia



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-05-18 Thread Kurt Roeckx
On Wed, May 18, 2016 at 01:24:37PM -0400, Antoine Beaupré wrote:
> On 2016-02-13 05:49:24, Kurt Roeckx wrote:
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> >> Hello dear maintainer(s),
> >> 
> >> The Debian LTS team would like to fix the security issues which are
> >> currently open in the Squeeze version of ntp:
> >> https://security-tracker.debian.org/tracker/source-package/ntp
> >
> > I was under the impression that squeeze LTS support ended?
> >
> >> Would you like to take care of this yourself?
> >> 
> >> Note that all of the squeeze-relevant issues are still open in the 
> >> "newer" Debian releases (wheezy through sid).
> >
> > I'm waiting for upstream to actually fix things.  I estimate it's
> > going to take 2 months.
> 
> Hi!
> 
> That two-month delay seems to have expired now. Do you need help
> backporting patches to wheezy?

I need help getting them into jessie in the first place.  It
should normally be trivial to also get them in wheezy in that
case.

> I count around 9 issues still pending in the security tracker for ntp,
> some of them being new since this was last discussed. Those are the
> issues currently pending:

There are 22 open, some of which are marked as non-important.  Of
the new ones some should probably also be marked as such.

I've spent several hours during the weekend going over commits in
bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
fixed in svn.  I also have 7 files with the patches in as they
apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
version yet, so I have no idea what the state of those patches
is.  Then there also seem to be at least 2 other bug fixes that
appear to be security issues but that didn't get a CVE.


Kurt



squeeze update of ntp?

2016-02-13 Thread Damyan Ivanov
Hello dear maintainer(s),

The Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/source-package/ntp

Would you like to take care of this yourself?

Note that all of the squeeze-relevant issues are still open in the 
"newer" Debian releases (wheezy through sid).

It would be nice to know if you have planned some work on these to 
avoid duplication.

The LTS workflow is defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Damyan Ivanov,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup




Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-02-13 Thread Kurt Roeckx
On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> Hello dear maintainer(s),
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/source-package/ntp

I was under the impression that squeeze LTS support ended?

> Would you like to take care of this yourself?
> 
> Note that all of the squeeze-relevant issues are still open in the 
> "newer" Debian releases (wheezy through sid).

I'm waiting for upstream to actually fix things.  I estimate it's
going to take 2 months.

They're all not that important.


Kurt



Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-02-13 Thread Damyan Ivanov
-=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> > Hello dear maintainer(s),
> > 
> > The Debian LTS team would like to fix the security issues which are
> > currently open in the Squeeze version of ntp:
> > https://security-tracker.debian.org/tracker/source-package/ntp
> 
> I was under the impression that squeeze LTS support ended?

Ends on 29 February. See 
https://lists.debian.org/debian-announce/2016/msg2.html

> > Note that all of the squeeze-relevant issues are still open in the 
> > "newer" Debian releases (wheezy through sid).
> 
> I'm waiting for upstream to actually fix things.  I estimate it's
> going to take 2 months.

When this happens, do you plan to do a wheezy-lts upload too? (wheezy 
will gain LTS support in March).

BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron 
job is part of debian/. In case you missed it, there is a patch for it 
at 
http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

> They're all not that important.

Cheers,
dam




Re: [pkg-ntp-maintainers] squeeze update of ntp?

2016-02-13 Thread Kurt Roeckx
On Sat, Feb 13, 2016 at 03:55:31PM +, Damyan Ivanov wrote:
> -=| Kurt Roeckx, 13.02.2016 11:49:24 +0100 |=-
> > On Sat, Feb 13, 2016 at 10:06:23AM +, Damyan Ivanov wrote:
> > > Hello dear maintainer(s),
> > > 
> > > The Debian LTS team would like to fix the security issues which are
> > > currently open in the Squeeze version of ntp:
> > > https://security-tracker.debian.org/tracker/source-package/ntp
> > 
> > I was under the impression that squeeze LTS support ended?
> 
> Ends on 29 February. See 
> https://lists.debian.org/debian-announce/2016/msg2.html
> 
> > > Note that all of the squeeze-relevant issues are still open in the 
> > > "newer" Debian releases (wheezy through sid).
> > 
> > I'm waiting for upstream to actually fix things.  I estimate it's
> > going to take 2 months.
> 
> When this happens, do you plan to do a wheezy-lts upload too? (wheezy 
> will gain LTS support in March).

Yes.

> BTW CVE-2016-0727 seems to me to be Debian-specific, since the cron 
> job is part of debian/. In case you missed it, there is a patch for it 
> at 
> http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

Nobody seems to have informed me about this ...  At first look
this also doesn't seem that important.


Kurt



squeeze update of ntp?

2015-04-10 Thread Raphael Hertzog
Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of ntp:
https://security-tracker.debian.org/tracker/CVE-2015-1798
https://security-tracker.debian.org/tracker/CVE-2015-1799
https://security-tracker.debian.org/tracker/TEMP-000-C29A8D

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with a URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150410210547.ga18...@home.ouaza.com



Re: squeeze update of ntp?

2015-04-10 Thread Kurt Roeckx
On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> Hello dear maintainer(s),
> 
> the Debian LTS team would like to fix the security issues which are
> currently open in the Squeeze version of ntp:
> https://security-tracker.debian.org/tracker/CVE-2015-1798
> https://security-tracker.debian.org/tracker/CVE-2015-1799
> https://security-tracker.debian.org/tracker/TEMP-000-C29A8D
> 
> Would you like to take care of this yourself? We are still understaffed so
> any help is always highly appreciated.

You really don't have patience do you?


Kurt





Re: squeeze update of ntp?

2015-04-10 Thread Raphael Hertzog
Hi,

On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> > Would you like to take care of this yourself? We are still understaffed so
> > any help is always highly appreciated.
> 
> You really don't have patience do you?

I do, but contacting maintainers is just part of the workflow of CVE
triage we defined for Debian LTS. Sorry if this mail bothered you. Is
there a way to do it that would have been better received on your side?

And thanks again for caring about Squeeze!

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/





Re: squeeze update of ntp?

2015-04-10 Thread Kurt Roeckx
On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
> Hi,
> 
> On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> > On Fri, Apr 10, 2015 at 11:05:47PM +0200, Raphael Hertzog wrote:
> > > Would you like to take care of this yourself? We are still understaffed so
> > > any help is always highly appreciated.
> > 
> > You really don't have patience do you?
> 
> I do, but contacting maintainers is just part of the workflow of CVE
> triage we defined for Debian LTS. Sorry if this mail bothered you. Is
> there a way to do it that would have been better received on your side?

The upload to unstable (and wheezy) only happened a few hours ago
because I didn't have time before.


Kurt





Re: squeeze update of ntp?

2015-04-10 Thread Raphael Hertzog
On Fri, 10 Apr 2015, Kurt Roeckx wrote:
> On Fri, Apr 10, 2015 at 11:33:22PM +0200, Raphael Hertzog wrote:
> > I do, but contacting maintainers is just part of the workflow of CVE
> > triage we defined for Debian LTS. Sorry if this mail bothered you. Is
> > there a way to do it that would have been better received on your side?
> 
> The upload to unstable (and wheezy) only happened a few hours ago
> because I didn't have time before.

OK, but my mail was not triggered by either upload. It just happened that
I was going through the list of open CVE in squeeze and adding packages
that were in need of an update to dla-needed.txt.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

