[pkg-ntp-maintainers] squeeze update of ntp?

Antoine Beaupré anarcat at orangeseeds.org
Wed May 18 20:27:22 UTC 2016


On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> There are 22 open, some of which are marked as non-important.  Of
> the new ones some should probably also be marked as such.

I did so with CVE-2015-8158 as it affects only ntpq under very specific
conditions and the impact is minor (it hangs).

> I've spent several hours during the weekend going over commits in
> bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
> fixed in svn.  I also have 7 files with the patches in as they
> apply to 4.2.8 version, but I didn't try to apply them to 4.2.6
> version yet, so I have no idea what the state of those patches
> is.  Then there also seem to be at least 2 other bug fixes that
> appear to be security issues but that didn't get a CVE.

I tried to go through a few CVEs myself, and I must say I admire your
courage. It seems like a really confusing tangled mess up there in NTP
land, really scary stuff and really hard to triage.

I assume that, since both wheezy and jessie share the same version
number, the same package can be uploaded for both? Or are there
significant changes between those two?

I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
and get it over with. I certainly don't feel like I have the courage to
go through all of those.

I am sorry I can't help any further than this for now...

A.

-- 
Imagine a world in which every single person on the planet is given
free access to the sum of all human knowledge.
                         - Jimmy Wales, co-founder of Wikipedia


