[Bug 1756818] Re: Sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)
Hans Joachim Desserud
1756818 at bugs.launchpad.net
Mon Mar 19 17:11:20 UTC 2018
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-7182
** Tags added: upgrade-software-version
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1756818
Title:
Sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)
Status in ntpsec package in Ubuntu:
New
Bug description:
Please sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)

I am the maintainer of ntpsec in Debian.

I understand that there is a feature freeze on Bionic. I am requesting
a feature freeze exception for the following reasons:

1) There is a security vulnerability (CVE-2018-7182), so *something*
has to be done. The simplest way to fix this would be to sync either
1.0.0+dfsg1-5 or 1.1.0+dfsg1-1. I'm not sure if it's still possible to
sync 1.0.0+dfsg1-5. (I realize a security bug doesn't, by itself,
necessarily justify an exception.)

2) ntpsec is a new package. It has never appeared in an Ubuntu release
(LTS or non-LTS), nor a Debian release for that matter. This means
that the potential negative impact of the exception is much lower
(basically zero).

3) The 1.1.0 release fixes an interoperability bug with the Amazon
time service where 33% of packets are dropped when ntpsec is the
client.

4) The 1.1.0 release dramatically reduces the number of patches in the
Debian package, as a large number of patches were upstreamed. This
should make future security maintenance for the lifecycle of Bionic
slightly easier.

5) Other important bugs were fixed in 1.0.0+dfsg1-4, 1.0.0+dfsg1-5,
and 1.1.0+dfsg1-1, including those relating to conversions from the
venerable ntp package to ntpsec, which is likely to be a common path.

I am an Ubuntu user primarily. Every change to ntpsec is tested on
Ubuntu first. I have been running 1.1.0+dfsg1-1 (from a PPA) on
multiple machines running Xenial even before it was uploaded to
Debian. I tested in a Bionic VM by installing 1.0.0+dfsg1-3 and
upgrading to a PPA-packaged version of 1.1.0+dfsg1-1.
Changelog entries since current bionic version 1.0.0+dfsg1-3:

ntpsec (1.1.0+dfsg1-1) unstable; urgency=medium

* Make ntpsec Conflict with ntpdate
- Use ntpsec-ntpdate instead of ntpdate.
* Stop deleting /var/lib/ntpdate/ (Closes: 892966)
Thanks to Bernhard Schmidt <berni at debian.org> for the suggestion.
* New upstream version
- Digests longer than 20 bytes will be truncated.
- We have dropped support for Broadcast servers.
- A bug that caused the rejection of 33% of packets from Amazon time
service has been fixed.
* Drop patches merged upstream
- fix-ntpdig.patch
- systemd-remove-extra-dependencies.patch
- fix-name-of-psutil.patch
- fix-spectracom-log-prefixes.patch
- fix-ntpviz-file-encodings.patch
- systemd-remove-remainafterexit.patch
- systemd-use-high-priority.patch
- systemd-ionice-ntpviz.patch
- systemd-cleanup-ntp-wait-service.patch
- fix-ntploggps.patch
- systemd-use-usr-sbin.patch
- systemd-do-not-restart.patch
- systemd-allow-running-in-containers.patch
- Merge-Classic-fix-for-CVE-2018-7182.patch
* Update copyright

-- Richard Laager <rlaager at wiktel.com> Fri, 16 Mar 2018 00:42:24 -0500

ntpsec (1.0.0+dfsg1-5) unstable; urgency=high

* Fix CVE-2018-7182

-- Richard Laager <rlaager at wiktel.com> Wed, 07 Mar 2018 19:47:34 -0600

ntpsec (1.0.0+dfsg1-4) unstable; urgency=medium

* Remove empty /var/log/ntpstats on ntpviz removal
* Fix installing ntpsec-ntpviz without ntpsec (Closes: 891278)
* systemd: Allow running in containers (Closes: 890771)

-- Richard Laager <rlaager at wiktel.com> Sun, 04 Mar 2018 15:06:58 -0600