[pkg-ntp-maintainers] squeeze update of ntp?

Kurt Roeckx kurt at roeckx.be
Wed May 18 21:20:42 UTC 2016


On Wed, May 18, 2016 at 04:27:22PM -0400, Antoine Beaupré wrote:
> On 2016-05-18 13:56:37, Kurt Roeckx wrote:
> > There are 22 open, some of which are marked as non-important.  Of
> > the new ones some should probably also be marked as such.
> 
> I did so with CVE-2015-8158 as it affects only ntpq under very specific
> conditions and the impact is minor (it hangs).

There are also some things that you need to be authenticated for,
which is at least a non-default config.  I consider all of those to
be non-important.

> > I've spent several hours during the weekend going over commits in
> > bitkeeper.  But as usual, it's all a big mess.  I have 10 issues
> > fixed in svn.  I also have 7 files with the patches in as they
> > apply to the 4.2.8 version, but I didn't try to apply them to the 4.2.6
> > version yet, so I have no idea what the state of those patches
> > is.  Then there also seem to be at least 2 other bug fixes that
> > appear to be security issues but that didn't get a CVE.
> 
> I tried to go through a few CVEs myself, and I must say I admire your
> courage. It seems like a really confusing tangled mess up there in NTP
> land, really scary stuff and really hard to triage.

Which is one of the reasons I want to switch to ntpsec instead.
I've complained about this mess many times, but it seems to be too
complicated to make things simple.

I suggest that you at least let me finish the patches I started
on.

> I assume that, since both wheezy and jessie share the same version
> number, the same package can be uploaded for both? Or are there
> significant changes between those two?

Jessie and wheezy are the same upstream version, and not much changed
between the Debian versions, so it's really trivial to get one done
if the other is done.  Squeeze had a slightly older version, but
even that wasn't that much different.

But they have been ignoring 4.2.6 for years, even before the 4.2.8
release; 4.2.8 was supposed to be released "real soon now" for years.

> I wonder if it wouldn't be worth it to just ship 2.8 in wheezy/jessie
> and get it over with. I certainly don't feel like I have the courage to
> go through all of those.

The changes between 4.2.6 and 4.2.8 are years of work, caused lots
of breakage (that we told them about years before the release), and I don't
really trust 4.2.8 yet.


Kurt
