[Bug 1756818] [NEW] Sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)

Launchpad Bug Tracker 1756818 at bugs.launchpad.net
Mon Mar 19 08:47:48 UTC 2018 

You have been subscribed to a public bug by Richard Laager (rlaager):

Please sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)

I am the maintainer of ntpsec in Debian.

I understand that there is a feature freeze on Bionic. I am requesting a
feature freeze exception for the following reasons:

1) There is a security vulnerability (CVE-2018-7182), so *something* has
to be done. The simplest way to fix this would be to sync either
1.0.0+dfsg1-5 or 1.1.0+dfsg1-1. I'm not sure if it's still possible to
sync 1.0.0+dfsg1-5. (I realize a security bug doesn't, by itself,
necessarily justify an exception.)

2) ntpsec is a new package. It has never appeared in an Ubuntu release
(LTS or non-LTS), nor a Debian release for that matter. This means that
the potential negative impact of the exception is much lower (basically
zero).

3) The 1.1.0 release fixes an interoperability bug with the Amazon time
service where 33% of packets are dropped when ntpsec is the client.

4) The 1.1.0 release dramatically reduces the number of patches in the
Debian package, as a large number of patches were upstreamed. This
should make future security maintenance for the lifecycle of Bionic
slightly easier.

5) Other important bugs were fixed in 1.0.0+dfsg1-4, 1.0.0+dfsg1-5, and
1.1.0+dfsg1-1, including those relating to conversions from the
venerable ntp package to ntpsec, which is likely to be a common path.

I am an Ubuntu user primarily. Every change to ntpsec is tested on
Ubuntu first. I have been running 1.1.0+dfsg1-1 (from a PPA) on multiple
machines running Xenial even before it was uploaded to Debian. I tested
in a Bionic VM by installing 1.0.0+dfsg1-3 and upgrading to a PPA-
packaged version of 1.1.0+dfsg1-1.

Changelog entries since current bionic version 1.0.0+dfsg1-3:

ntpsec (1.1.0+dfsg1-1) unstable; urgency=medium

  * Make ntpsec Conflict with ntpdate
    - Use ntpsec-ntpdate instead of ntpdate.
  * Stop deleting /var/lib/ntpdate/ (Closes: 892966)
    Thanks to Bernhard Schmidt <berni at debian.org> for the suggestion.
  * New upstream version
    - Digests longer then 20 bytes will be truncated.
    - We have dropped support for Broadcast servers.
    - A bug that caused the rejection of 33% of packets from Amazon time
      service has been fixed.
  * Drop patches merged upstream
    - fix-ntpdig.patch
    - systemd-remove-extra-dependencies.patch
    - fix-name-of-psutil.patch
    - fix-spectracom-log-prefixes.patch
    - fix-ntpviz-file-encodings.patch
    - systemd-remove-remainafterexit.patch
    - systemd-use-high-priority.patch
    - systemd-ionice-ntpviz.patch
    - systemd-cleanup-ntp-wait-service.patch
    - fix-ntploggps.patch
    - systemd-use-usr-sbin.patch
    - systemd-do-not-restart.patch
    - systemd-allow-running-in-containers.patch
    - Merge-Classic-fix-for-CVE-2018-7182.patch
  * Update copyright

 -- Richard Laager <rlaager at wiktel.com>  Fri, 16 Mar 2018 00:42:24 -0500

ntpsec (1.0.0+dfsg1-5) unstable; urgency=high

  * Fix CVE-2018-7182

 -- Richard Laager <rlaager at wiktel.com>  Wed, 07 Mar 2018 19:47:34 -0600

ntpsec (1.0.0+dfsg1-4) unstable; urgency=medium

  * Remove empty /var/log/ntpstats on ntpviz removal
  * Fix installing ntpsec-ntpviz without ntpsec (Closes: 891278)
  * systemd: Allow running in containers (Closes: 890771)

 -- Richard Laager <rlaager at wiktel.com>  Sun, 04 Mar 2018 15:06:58 -0600

** Affects: ntpsec (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)
https://bugs.launchpad.net/bugs/1756818
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list