| 2019-01-18 23:28:54 |
Richard Laager |
bug |
|
|
added bug |
| 2019-01-18 23:29:08 |
Richard Laager |
information type |
Private Security |
Public |
|
| 2019-01-18 23:29:23 |
Richard Laager |
ntpsec (Ubuntu): assignee |
|
Richard Laager (rlaager) |
|
| 2019-01-18 23:29:29 |
Richard Laager |
ntpsec (Ubuntu): status |
New |
Confirmed |
|
| 2019-01-18 23:32:52 |
Richard Laager |
summary |
ntpsec CVE-2019-6442 CVE-2019-6443 CVE-2019-6444 CVE-2019-6445 |
Sync ntpsec 1.1.3+dfsg1-1 (universe) from Debian sid (main) |
|
| 2019-01-18 23:35:44 |
Richard Laager |
description |
NTPsec < 1.1.3 has the following CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445
I am the maintainer of ntpsec in Debian. Debian has 1.1.3.
Ubuntu needs the following:
- disco needs a sync from Debian.
- cosmic needs the patches backported.
- bionic needs the patches backported.
I'm happy to do the work.
BTW, these issues may impact the ntp package too, but I'm not sure that anyone (the original report, ntp upstream, or ntp in Debian) has evaluated that. |
For the sync request:
I believe disco currently has 1.1.2+dfsg1-6. (packages.ubuntu.com is broken, so it's harder than normal for me to tell.) There are no Ubuntu changes for ntpsec in disco. 1.1.3+dfsg1-1 is the immediate next release in Debian.
ntpsec (1.1.3+dfsg1-1) unstable; urgency=high
* New upstream version (Closes: 919513)
- Lots of typo fixes, documentation cleanups, test targets.
- CVE-2019-6442: "An authenticated attacker can write one byte out of
bounds in ntpd via a malformed config request, related to
config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
yyerror in ntp_parser.y."
- CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
buffer over-read in read_sysvars in ntp_control.c in ntpd.
- CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
buffer over-read because attacker-controlled data is dereferenced by
ntohl() in ntpd."
- CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
dereference and ntpd crash in ntp_control.c, related to ctl_getitem."
* Drop debian/patches/fix-ntploggps.patch (merged upstream)
* Refresh patches
* Revert "Use python3-gps"
At this time, python3-gps is only available in experimental.
* Disable the waf PYTHON_GPS check
* Update debian/copyright
* Fix ntpdate.8 documentation of -B
* Changes as of ntp_4.2.8p12+dfsg-3 have been merged as appropriate:
- Update ntpdate.8 from ntpdate.html
Thanks to Bernhard Schmidt <berni@debian.org>
- Update ntpdate.README.Debian
Thanks to Bernhard Schmidt <berni@debian.org>
- As a notable exception, while the ntp package has removed the ntpdate
hooks, I have not (yet?) done so in ntpsec.
* Set Rules-Requires-Root: no
* Sort debian/ntpsec.maintscript
-- Richard Laager <rlaager@wiktel.com> Thu, 17 Jan 2019 04:17:46 -0600
----
NTPsec < 1.1.3 has the following CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445
I am the maintainer of ntpsec in Debian. Debian has 1.1.3.
Ubuntu needs the following:
- disco needs a sync from Debian.
- cosmic needs the patches backported.
- bionic needs the patches backported.
I'm happy to do the work.
BTW, these issues may impact the ntp package too, but I'm not sure that anyone (the original report, ntp upstream, or ntp in Debian) has evaluated that. |
|
| 2019-01-18 23:35:58 |
Richard Laager |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2019-01-19 02:18:14 |
Richard Laager |
attachment added |
|
The debdiff for Bionic https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+attachment/5230451/+files/bionic.debdiff |
|
| 2019-01-19 02:18:30 |
Richard Laager |
attachment added |
|
The debdiff for Cosmic https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+attachment/5230452/+files/cosmic.debdiff |
|
| 2019-01-19 02:18:45 |
Richard Laager |
ntpsec (Ubuntu): assignee |
Richard Laager (rlaager) |
|
|
| 2019-01-22 23:01:32 |
Jeremy Bícha |
summary |
Sync ntpsec 1.1.3+dfsg1-1 (universe) from Debian sid (main) |
ntpsec security fixes for bionic & cosmic |
|
| 2019-01-22 23:01:38 |
Jeremy Bícha |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2019-01-22 23:02:15 |
Jeremy Bícha |
description |
For the sync request:
I believe disco currently has 1.1.2+dfsg1-6. (packages.ubuntu.com is broken, so it's harder than normal for me to tell.) There are no Ubuntu changes for ntpsec in disco. 1.1.3+dfsg1-1 is the immediate next release in Debian.
ntpsec (1.1.3+dfsg1-1) unstable; urgency=high
* New upstream version (Closes: 919513)
- Lots of typo fixes, documentation cleanups, test targets.
- CVE-2019-6442: "An authenticated attacker can write one byte out of
bounds in ntpd via a malformed config request, related to
config_remotely in ntp_config.c, yyparse in ntp_parser.tab.c, and
yyerror in ntp_parser.y."
- CVE-2019-6443: "Because of a bug in ctl_getitem, there is a stack-based
buffer over-read in read_sysvars in ntp_control.c in ntpd.
- CVE-2019-6444: "process_control() in ntp_control.c has a stack-based
buffer over-read because attacker-controlled data is dereferenced by
ntohl() in ntpd."
- CVE-2019-6445: "An authenticated attacker can cause a NULL pointer
dereference and ntpd crash in ntp_control.c, related to ctl_getitem."
* Drop debian/patches/fix-ntploggps.patch (merged upstream)
* Refresh patches
* Revert "Use python3-gps"
At this time, python3-gps is only available in experimental.
* Disable the waf PYTHON_GPS check
* Update debian/copyright
* Fix ntpdate.8 documentation of -B
* Changes as of ntp_4.2.8p12+dfsg-3 have been merged as appropriate:
- Update ntpdate.8 from ntpdate.html
Thanks to Bernhard Schmidt <berni@debian.org>
- Update ntpdate.README.Debian
Thanks to Bernhard Schmidt <berni@debian.org>
- As a notable exception, while the ntp package has removed the ntpdate
hooks, I have not (yet?) done so in ntpsec.
* Set Rules-Requires-Root: no
* Sort debian/ntpsec.maintscript
-- Richard Laager <rlaager@wiktel.com> Thu, 17 Jan 2019 04:17:46 -0600
----
NTPsec < 1.1.3 has the following CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445
I am the maintainer of ntpsec in Debian. Debian has 1.1.3.
Ubuntu needs the following:
- disco needs a sync from Debian.
- cosmic needs the patches backported.
- bionic needs the patches backported.
I'm happy to do the work.
BTW, these issues may impact the ntp package too, but I'm not sure that anyone (the original report, ntp upstream, or ntp in Debian) has evaluated that. |
NTPsec < 1.1.3 has the following CVEs:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6445
I am the maintainer of ntpsec in Debian. Debian has 1.1.3.
Ubuntu needs the following:
- cosmic needs the patches backported.
- bionic needs the patches backported.
I'm happy to do the work.
BTW, these issues may impact the ntp package too, but I'm not sure that anyone (the original report, ntp upstream, or ntp in Debian) has evaluated that. |
|
| 2019-01-22 23:02:21 |
Jeremy Bícha |
information type |
Public |
Public Security |
|
| 2019-01-22 23:02:40 |
Jeremy Bícha |
cve linked |
|
2019-6442 |
|
| 2019-01-22 23:02:50 |
Jeremy Bícha |
cve linked |
|
2019-6443 |
|
| 2019-01-22 23:03:01 |
Jeremy Bícha |
cve linked |
|
2019-6444 |
|
| 2019-01-22 23:03:10 |
Jeremy Bícha |
cve linked |
|
2019-6445 |
|
| 2019-01-22 23:06:24 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Cosmic |
|
| 2019-01-22 23:06:24 |
Jeremy Bícha |
bug task added |
|
ntpsec (Ubuntu Cosmic) |
|
| 2019-01-22 23:06:24 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Bionic |
|
| 2019-01-22 23:06:24 |
Jeremy Bícha |
bug task added |
|
ntpsec (Ubuntu Bionic) |
|
| 2019-01-22 23:06:32 |
Jeremy Bícha |
ntpsec (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2019-01-22 23:06:38 |
Jeremy Bícha |
ntpsec (Ubuntu Cosmic): status |
New |
Confirmed |
|
| 2019-01-22 23:06:43 |
Jeremy Bícha |
ntpsec (Ubuntu Bionic): status |
New |
Confirmed |
|
| 2019-01-22 23:07:19 |
Jeremy Bícha |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
| 2019-01-23 04:12:36 |
Richard Laager |
attachment added |
|
Corrected debdiff for bionic targetting bionic-security https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+attachment/5231595/+files/bionic-security.debdiff |
|
| 2019-01-23 04:12:52 |
Richard Laager |
attachment added |
|
Corrected debdiff for cosmic targetting cosmic-security https://bugs.launchpad.net/ubuntu/+source/ntpsec/+bug/1812458/+attachment/5231596/+files/cosmic-security.debdiff |
|
| 2019-01-23 20:03:56 |
Marc Deslauriers |
ntpsec (Ubuntu Bionic): status |
Confirmed |
Fix Committed |
|
| 2019-01-23 20:03:59 |
Marc Deslauriers |
ntpsec (Ubuntu Cosmic): status |
Confirmed |
Fix Committed |
|
| 2019-01-24 13:03:09 |
Launchpad Janitor |
ntpsec (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
| 2019-01-24 13:13:13 |
Launchpad Janitor |
ntpsec (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
