Since this is a security bug and you've provided targeted fixes, I'm
subscribing ubuntu-security-sponsors instead of ubuntu-sponsors. You
might want to update the series in your patches from bionic-security to
cosmic-security.

https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes%20for%20Contributors

Because the Ubuntu package did not have any changes compared to Debian
and because we are in Debian Import Freeze, the version from unstable
automatically synced so I removed that request from the bug description
so it's easier to read here.

** Summary changed:

- Sync ntpsec 1.1.3+dfsg1-1 (universe) from Debian sid (main)
+ ntpsec security fixes for bionic & cosmic

** Description changed:

- For the sync request:
- 
- I believe disco currently has 1.1.2+dfsg1-6. (packages.ubuntu.com is
- broken, so it's harder than normal for me to tell.) There are no Ubuntu
- changes for ntpsec in disco. 1.1.3+dfsg1-1 is the immediate next release
- in Debian.
- 
- ntpsec (1.1.3+dfsg1-1) unstable; urgency=high
- 
-   * New upstream version (Closes: 919513)
-     - Lots of typo fixes, documentation cleanups, test targets.
-     - CVE-2019-6442: "An authenticated attacker can write one byte out of
-       bounds in ntpd via a malformed config request, related to
-       config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
-       yyerror in ntp_parser.y."
-     - CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
-       buffer over-read in read_sysvars in ntp_control.c in ntpd.
-     - CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
-       buffer over-read because attacker-controlled data is dereferenced by
-       ntohl() in ntpd."
-     - CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
-       dereference and ntpd crash in ntp_control.c, related to ctl_getitem."
-   * Drop debian/patches/fix-ntploggps.patch (merged upstream)
-   * Refresh patches
-   * Revert "Use python3-gps"
-     At this time, python3-gps is only available in experimental.
-   * Disable the waf PYTHON_GPS check
-   * Update debian/copyright
-   * Fix ntpdate.8 documentation of -B
-   * Changes as of ntp_4.2.8p12+dfsg-3 have been merged as appropriate:
-     - Update ntpdate.8 from ntpdate.html
-       Thanks to Bernhard Schmidt <be...@debian.org>
-     - Update ntpdate.README.Debian
-       Thanks to Bernhard Schmidt <be...@debian.org>
-     - As a notable exception, while the ntp package has removed the ntpdate
-       hooks, I have not (yet?) done so in ntpsec.
-   * Set Rules-Requires-Root: no
-   * Sort debian/ntpsec.maintscript
- 
-  -- Richard Laager <rlaa...@wiktel.com>  Thu, 17 Jan 2019 04:17:46 -0600
- 
- ----
- 
  NTPsec < 1.1.3 has the following CVEs:
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445
  
  I am the maintainer of ntpsec in Debian. Debian has 1.1.3.
  
  Ubuntu needs the following:
- - disco needs a sync from Debian.
  - cosmic needs the patches backported.
  - bionic needs the patches backported.
  
  I'm happy to do the work.
  
  BTW, these issues may impact the ntp package too, but I'm not sure that
  anyone (the original report, ntp upstream, or ntp in Debian) has
  evaluated that.

** Information type changed from Public to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6442

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6443

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6444

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-6445

** Also affects: ntpsec (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: ntpsec (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: ntpsec (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: ntpsec (Ubuntu Cosmic)
       Status: New => Confirmed

** Changed in: ntpsec (Ubuntu Bionic)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1812458

Title:
  ntpsec security fixes for bionic & cosmic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs