[pkg-ntp-maintainers] CVE-2016-2517 and CVE-2016-2519

Kurt Roeckx kurt at roeckx.be
Sat Sep 17 16:28:00 UTC 2016


On Sat, Sep 17, 2016 at 10:43:11AM -0500, Bryan Green wrote:
> Greetings:
>     I noticed these two are still not fixed in Wheezy or Jessie.
> There are upstream patches and was wondering if there is a plan to
> address these on Wheezy and Jessie?

Both issues require that you first set up ntp so that you can
remotely make changes to its configuration. So it's clearly a
non-default configuration and I don't actually know anybody that
uses it. It's probably something you shouldn't enable.

You claim that there are patches for it, but to actually find the
real complete patch for them you have to really go over all their
commits and hope you find all the relevant ones. And then you need
to review that their patch actually makes sense. I don't know if
anybody took the time to do that for those issues.

I already spend way too much time trying to understand all their
issues that I'm not motivated to try and fix such minor issues.
But if you have a pointer to the actual complete patch somewhere,
preferably by some other Linux distribution, I will take a look at
it.

Kurt



