Re: Security update of ntp
Hi Kurt Thanks a lot for a quick and good answer. Will mark it as unaffected in wheezy too then. Best regards // Ola On Mon, Aug 8, 2016 at 6:30 PM, Kurt Roeckx <k...@roeckx.be> wrote: > On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote: > > Hi Kurt > > > > As a member of the LTS team I have started to look into a ntp security > > update of CVE-2016-4953 mentioned here: > > https://security-tracker.debian.org/tracker/source-package/ntp > > > > I see that you have prepared security updates for Debian wheezy in the > past > > so I would like to check with you if you want to do it this time too, or > if > > you'd like me to do that for you. > > > > Or alternatively that you know it is a non-issue already. > > > > I can see the following comment about jessie in the security tracker: > > [jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979 > > wasn't backported) > > > > But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy > version > > so I guess it is affected, or? > > > > I have not looked into the details yet as I want to check with you first > > whether you know about this already (I guess you do). > > First, the situation for wheezy and jessie should be identical. > They have the same upstream source and should have the same > patches for all security issues. > > The fix we use for CVE-2015-7979 is unrelated to the upstream fix, > and so we're not affected by what the upstream patch broke. > > > Kurt > > -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---
Re: Security update of ntp
On Mon, Aug 08, 2016 at 01:12:28PM +0200, Ola Lundqvist wrote: > Hi Kurt > > As a member of the LTS team I have started to look into a ntp security > update of CVE-2016-4953 mentioned here: > https://security-tracker.debian.org/tracker/source-package/ntp > > I see that you have prepared security updates for Debian wheezy in the past > so I would like to check with you if you want to do it this time too, or if > you'd like me to do that for you. > > Or alternatively that you know it is a non-issue already. > > I can see the following comment about jessie in the security tracker: > [jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979 > wasn't backported) > > But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version > so I guess it is affected, or? > > I have not looked into the details yet as I want to check with you first > whether you know about this already (I guess you do). First, the situation for wheezy and jessie should be identical. They have the same upstream source and should have the same patches for all security issues. The fix we use for CVE-2015-7979 is unrelated to the upstream fix, and so we're not affected by what the upstream patch broke. Kurt
Security update of ntp
Hi Kurt As a member of the LTS team I have started to look into a ntp security update of CVE-2016-4953 mentioned here: https://security-tracker.debian.org/tracker/source-package/ntp I see that you have prepared security updates for Debian wheezy in the past so I would like to check with you if you want to do it this time too, or if you'd like me to do that for you. Or alternatively that you know it is a non-issue already. I can see the following comment about jessie in the security tracker: [jessie] - ntp (Fix for CVE-2016-1547 or CVE-2015-7979 wasn't backported) But it looks like ntp-4.2.6p5-cve-2015-7979.patch is in the wheezy version so I guess it is affected, or? I have not looked into the details yet as I want to check with you first whether you know about this already (I guess you do). Best regards // Ola -- --- Inguza Technology AB --- MSc in Information Technology / o...@inguza.comFolkebogatan 26\ | o...@debian.org 654 68 KARLSTAD| | http://inguza.com/Mobile: +46 (0)70-332 1551 | \ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 / ---