[pkg-ntp-maintainers] CVE-2016-2517 and CVE-2016-2519

Bryan Green dbryan.green at gmail.com
Sat Sep 17 16:44:23 UTC 2016


No, fair enough.  I am currently putting together a reply to a PSIRT
to say that our restrictions of nopeer notrap nomodify noquery
mitigate those concerns.  I appreciate the reply.

I was looking at the upstream links for each CVE as listed in the
Ubuntu page for each CVE.  I decided that I didn't have enough
confidence to patch based on those.

Again, thanks for all of your effort.

On Sat, Sep 17, 2016 at 11:28 AM, Kurt Roeckx <kurt at roeckx.be> wrote:
> On Sat, Sep 17, 2016 at 10:43:11AM -0500, Bryan Green wrote:
>> Greetings:
>>     I noticed these two are still not fixed in Wheezy or Jessie.
>> There are upstream patches and was wondering if there is a plan to
>> address these on Wheezy and Jessie?
>
> Both issues require that you first set up ntp so that you can
> remotely make changes to its configuration. So it's clearly a
> non-default configuration and I don't actually know anybody that
> uses it. It's probably something you shouldn't enable.
>
> You claim that there are patches for it, but to actually find the
> real complete patch for them you have to really go over all their
> commits and hope you find all the relevant ones. And then you need
> to review that their patch actually makes sense. I don't know if
> anybody took the time to do that for those issues.
>
> I already spend way too much time trying to understand all their
> issues that I'm not motivated to try and fix such minor issues.
> But if you have a pointer to the actual complete patch somewhere,
> preferably by some other linux distribution, I will take a look at
> it.
>
> Kurt
>
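
An added example, not part of the thread: a small check that an ntp.conf carries the four restrictions named above on every `restrict default` entry, and that reports `controlkey`/`requestkey`, the directives that name keys for authenticated ntpq/ntpdc requests. The sample configurations are constructed and the finding codes are hypothetical names.

```python
# Flags the thread names as the mitigating restrictions.
REQUIRED = ("nopeer", "notrap", "nomodify", "noquery")
# ntp.conf directives that name the keys for authenticated ntpq/ntpdc requests.
KEY_DIRECTIVES = ("controlkey", "requestkey")

def audit_ntp_conf(text):
    """Return (line_number, code, detail) findings for ntp.conf text.
    The finding codes are hypothetical names chosen for this example."""
    findings, saw_default = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if not tokens:
            continue
        directive = tokens[0].lower()
        # -4 / -6 only select the address family of the default entry.
        args = [a.lower() for a in tokens[1:] if a not in ("-4", "-6")]
        if directive in KEY_DIRECTIVES:
            findings.append((lineno, "remote-config-key", directive))
        elif directive == "restrict" and args[:1] == ["default"]:
            saw_default = True
            flags = set(args[1:])
            if "ignore" in flags:                  # ignore denies all packets
                continue
            missing = [f for f in REQUIRED if f not in flags]
            if missing:
                findings.append((lineno, "missing-flags", " ".join(missing)))
    if not saw_default:
        # With no default entry, hosts not matched elsewhere are unrestricted.
        findings.append((0, "no-default-restrict", ""))
    return findings

# Constructed sample configurations, not taken from any real host.
SAMPLE_WEAK = """\
# constructed sample
driftfile /var/lib/ntp/ntp.drift
restrict default kod notrap nopeer
restrict -6 default ignore
restrict 127.0.0.1
keys /etc/ntp/keys
trustedkey 1
controlkey 1
"""
SAMPLE_HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_ntp_conf(conf))
```
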


