  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Ask Debian to add this.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + Add enforcing AppArmor profile:
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
  * Includes fix for requests with source ports < 123, fixed upstream in
    4.2.8p1 (LP: #1479652).
  * Add PPS support (LP: #1512980):
    + debian/README.Debian: Add a PPS section to the README.Debian,
      removed all PPSkit one.
    + debian/ntp.conf: Add some configuration examples from the official
      documentation.
    + debian/control: Add Build-Depends on pps-tools
  * Drop Changes:
    + debian/rules: Update config.{guess,sub} for AArch64, because upstream uses
      dh_autoreconf now.
    + debian/{control,rules}: Add and enable hardened build for PIE.
      Upstream uses fPIC. Options -fPIC and -fPIE are incompatible, thus this is
      never applied (cf. dpkg-buildflags manual), checked with Marc
      Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
    + debian/rules: Remove update-rcd-params in dh_installinit command. When
      setting up ntp package, the following message is presented to the user
      due to deprecated use:
      "update-rc.d: warning: start and stop actions are no longer
      supported; falling back to defaults". The defaults are taken from the
      init.d script LSB comment header, which contains what we need anyway.
    + debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
      regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
      patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
    + debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
      now.
    + Remove natty timeframe old deltas (transitional code not needed since
      Trusty): Those patches were for an incorrect behaviour of
      system-tools-backend, around natty time
      (https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
      - debian/ntpdate-debian: Disregard empty ntp.conf files.
      - debian/ntp.preinst: Remove empty /etc/ntp.conf on fresh installation.
    + debian/ntp.dhcp: Rewrite sed rules. This was done incorrectly as pointed
      out in LP 575458. This decision is explained in detail there.
  * All previous Ubuntu security patches/fixes have been upstreamed:
    + CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,
      CVE-2015-7703, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691,
      CVE-2015-7692, CVE-2015-7702, CVE-2015-7701, CVE-2015-7704,
      CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,
      CVE-2015-7855, CVE-2015-7871, CVE-2015-1798, CVE-2015-1799,
      CVE-2014-9297, CVE-2014-9298, CVE-2014-9293, CVE-2014-9294,
      CVE-2014-9295, CVE-2014-9296
    + Fix to ignore ENOBUFS on routing netlink socket
    + Fix use-after-free in routing socket code
    + ntp-keygen infinite loop or lack of randomness on big endian platforms
This bug was fixed in the package ntp - 1:4.2.8p4+dfsg-3ubuntu1
---------------
ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium
-- Pierre-André MOREY <email address hidden> Fri, 5 Feb 2016 18:28:52 +0100