[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** Changed in: ntp (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Fix Released Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Fix Released Status in ntp source package in Groovy: Fix Released Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.10.1 --- ntp (1:4.2.8p12+dfsg-3ubuntu4.20.10.1) groovy-security; urgency=medium * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953) - debian/patches/CVE-2019-8936.patch: Guard against operations on NULL pointer in ntpd/ntp_control.c. - CVE-2019-8936 * Fix FTBFS with GCC-10 - debian/rules: add -fcommon flag to CFLAGS -- Brian Morton Fri, 27 Nov 2020 16:10:51 -0500 ** Changed in: ntp (Ubuntu Groovy) Status: Confirmed => Fix Released ** Changed in: ntp (Ubuntu Focal) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Fix Released Status in ntp source package in Groovy: Fix Released Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
This bug was fixed in the package ntp - 1:4.2.8p12+dfsg-3ubuntu4.20.04.1 --- ntp (1:4.2.8p12+dfsg-3ubuntu4.20.04.1) focal-security; urgency=medium * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953) - debian/patches/CVE-2019-8936.patch: Guard against operations on NULL pointer in ntpd/ntp_control.c. - CVE-2019-8936 -- Brian Morton Fri, 27 Nov 2020 16:10:51 -0500 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Fix Released Status in ntp source package in Groovy: Fix Released Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Apologies for the delay on this, it fell off our radar but we're working on the Focal+ updates now. And no need for the separate Groovy debdiff, thanks Brian! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
@alexmurray - The debdiff for Groovy is identical to the one from Focal (same source package version). Let me know if you need a distinct debdiff with the release pocket (groovy-security) identified. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Patch for Focal ** Patch added: "Patch for Focal" https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+attachment/5438836/+files/1-ntp_4.2.8p12+dfsg-3ubuntu5.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Excellent - thank you :) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
@alexmurray - Yes, I'll work on it this week. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
@rokclimb15 - are you still looking at producing debdiff's for focal + groovy as well? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** Also affects: ntp (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: ntp (Ubuntu Groovy) Importance: Medium Assignee: Brian Morton (rokclimb15) Status: Fix Released ** Also affects: ntp (Ubuntu Focal) Importance: Undecided Status: New ** Changed in: ntp (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: ntp (Ubuntu Focal) Importance: Undecided => Medium ** Changed in: ntp (Ubuntu Focal) Assignee: (unassigned) => Brian Morton (rokclimb15) ** Changed in: ntp (Ubuntu Bionic) Assignee: (unassigned) => Brian Morton (rokclimb15) ** Changed in: ntp (Ubuntu Bionic) Status: New => Confirmed ** Changed in: ntp (Ubuntu Focal) Status: New => Confirmed ** Changed in: ntp (Ubuntu Bionic) Status: Confirmed => Fix Released ** Changed in: ntp (Ubuntu Groovy) Status: Fix Released => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Confirmed Status in ntp source package in Bionic: Fix Released Status in ntp source package in Focal: Confirmed Status in ntp source package in Groovy: Confirmed Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
This bug was fixed in the package ntp - 1:4.2.8p10+dfsg-5ubuntu7.3 --- ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953) - debian/patches/CVE-2019-8936.patch: Guard against operations on NULL pointer in ntpd/ntp_control.c. - CVE-2019-8936 -- Brian Morton Mon, 17 Aug 2020 21:58:51 -0400 ** Changed in: ntp (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: Fix Released Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** Changed in: ntp (Debian) Status: Unknown => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Status in ntp package in Debian: Fix Released Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** Changed in: ntp (Ubuntu) Importance: Undecided => Medium ** Bug watch added: Debian Bug tracker #924228 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924228 ** Also affects: ntp (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924228 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Status in ntp package in Debian: Unknown Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Hi Alex, thanks very much for fixing that loose end in the changelog and for sponsoring this fix. I can produce them for the other releases as well. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Thanks for the debdiff - I am happy to sponsor this for you - one quick thing, there is no need to reference the debian bug report in the changelog so I have cleaned it up to look like the following: ntp (1:4.2.8p10+dfsg-5ubuntu7.3) bionic-security; urgency=medium * SECURITY UPDATE: Null dereference attack in mode 6 packet (LP: #1891953) - debian/patches/CVE-2019-8936.patch: Guard against operations on NULL pointer in ntpd/ntp_control.c. - CVE-2019-8936 -- Brian Morton Mon, 17 Aug 2020 21:58:51 -0400 I also notice this CVE is also unresolved in focal and groovy - would you be interested in preparing debdiff's against ntp in those releases as well? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** Patch added: "Debdiff for Bionic" https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+attachment/5402291/+files/1-4.2.8p10+dfsg-5ubuntu7.3.debdiff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-8936 ** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1891953] Re: CVE-2019-8936
Requires security backport for Bionic only. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1891953 Title: CVE-2019-8936 Status in ntp package in Ubuntu: In Progress Bug description: It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer dereference into NTP. An attacker could use this vulnerability to cause a denial of service (crash). https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-8936.html To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1891953/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
