[ubuntu/xenial-proposed] ntp 1:4.2.8p4+dfsg-3ubuntu1 (Accepted)

Pierre-André MOREY pierre-andre.morey at canonical.com
Thu Feb 11 15:00:19 UTC 2016 

ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium

  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Ask debian to add this.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + Add enforcing AppArmor profile:
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
  * Includes fix for requests with source ports < 123, fixed upstream in
    4.2.8p1 (LP: #1479652).
  * Add PPS support (LP: #1512980):
    + debian/README.Debian: Add a PPS section to the README.Debian,
      removed all PPSkit one.
    + debian/ntp.conf: Add some configuration examples from the offical
      documentation.
    + debian/control: Add Build-Depends on pps-tools
  * Drop Changes:
    + debian/rules: Update config.{guess,sub} for AArch64, because upstream use
      dh_autoreconf now.
    + debian/{control,rules}: Add and enable hardened build for PIE.
      Upstream use fPIC. Options -fPIC and -fPIE are uncompatible, thus this is
      never applied, (cf. dpkg-buildflags manual), checked with Marc
      Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
    + debian/rules: Remove update-rcd-params in dh_installinit command. When
      setting up ntp package, the following message is presented to the user
      due to deprecated use:
      "update-rc.d: warning: start and stop actions are no longer
      supported; falling back to defaults". The defaults are taken from the
      init.d script LSB comment header, which contain what we need anyway.
    + debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
      regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
      patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
    + debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
      now.
    + Remove natty timeframe old deltas (transitional code not needed since
      Trusty): Those patches were for an incorrect behaviour of
      system-tools-backend, around natty time
      (https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
      - debian/ntpdate-debian: Disregard empty ntp.conf files.
      - debian/ntp.preinst: Remove empty /etc/ntp.conf on fresh intallation.
    + debian/ntp.dhcp: Rewrite sed rules. This was done incorrectly as pointed
      out in LP 575458. This decision is explained in detail there.
  * All previous ubuntu security patches/fixes have been upstreamed:
    + CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,
      CVE-2015-7703, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691,
      CVE-2015-7692, CVE-2015-7702, CVE-2015-7701, CVE-2015-7704,
      CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,
      CVE-2015-7855, CVE-2015-7871, CVE-2015-1798, CVE-2015-1799,
      CVE-2014-9297, CVE-2014-9298, CVE-2014-9293, CVE-2014-9294,
      CVE-2014-9295, CVE-2014-9296
    + Fix to ignore ENOBUFS on routing netlink socket
    + Fix use-after-free in routing socket code
    + ntp-keygen infinite loop or lack of randonmess on big endian platforms

Date: Fri, 5 Feb 2016 18:28:52 +0100
Changed-By: Pierre-André MOREY <pierre-andre.morey at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Robie Basak <robie.basak at canonical.com>
https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu1
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 5 Feb 2016 18:28:52 +0100
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source
Version: 1:4.2.8p4+dfsg-3ubuntu1
Distribution: xenial
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Pierre-André MOREY <pierre-andre.morey at canonical.com>
Description:
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Launchpad-Bugs-Fixed: 1479652 1512980
Changes:
 ntp (1:4.2.8p4+dfsg-3ubuntu1) xenial; urgency=medium
 .
   * Merge from Debian testing. Remaining changes:
     + debian/rules: enable debugging. Ask debian to add this.
     + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
     + Add enforcing AppArmor profile:
       - debian/control: Add Conflicts/Replaces on apparmor-profiles.
       - debian/control: Add Suggests on apparmor.
       - debian/control: Build-Depends on dh-apparmor.
       - add debian/apparmor-profile*.
       - debian/ntp.dirs: Add apparmor directories.
       - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
       - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
         false positives from denials originating in other packages.
       - debian/README.Debian: Add note on AppArmor.
     + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
       running ntpdate when an interface comes up, then start again afterwards.
     + debian/ntp.init, debian/rules: Only stop when entering single user mode,
       don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
       get stale. Patch by Simon Déziel.
     + debian/ntp.conf, debian/ntpdate.default: Change default server to
       ntp.ubuntu.com.
     + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
   * Includes fix for requests with source ports < 123, fixed upstream in
     4.2.8p1 (LP: #1479652).
   * Add PPS support (LP: #1512980):
     + debian/README.Debian: Add a PPS section to the README.Debian,
       removed all PPSkit one.
     + debian/ntp.conf: Add some configuration examples from the offical
       documentation.
     + debian/control: Add Build-Depends on pps-tools
   * Drop Changes:
     + debian/rules: Update config.{guess,sub} for AArch64, because upstream use
       dh_autoreconf now.
     + debian/{control,rules}: Add and enable hardened build for PIE.
       Upstream use fPIC. Options -fPIC and -fPIE are uncompatible, thus this is
       never applied, (cf. dpkg-buildflags manual), checked with Marc
       Deslauriers on freenode #ubuntu-hardened, 2016-01-20~13:11 UTC.
     + debian/rules: Remove update-rcd-params in dh_installinit command. When
       setting up ntp package, the following message is presented to the user
       due to deprecated use:
       "update-rc.d: warning: start and stop actions are no longer
       supported; falling back to defaults". The defaults are taken from the
       init.d script LSB comment header, which contain what we need anyway.
     + debian/rules: Remove ntp/ntp_parser.{c,h} or they don't get properly
       regenerated for some reason. Seems to have been due to ntpd/ntp_parser.y
       patches from CVE-2015-5194 and CVE-2015-5196, already upstreamed.
     + debian/ntpdate.if-up: Drop lockfile mechanism as upstream is using flock
       now.
     + Remove natty timeframe old deltas (transitional code not needed since
       Trusty): Those patches were for an incorrect behaviour of
       system-tools-backend, around natty time
       (https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/83604/comments/23)
       - debian/ntpdate-debian: Disregard empty ntp.conf files.
       - debian/ntp.preinst: Remove empty /etc/ntp.conf on fresh intallation.
     + debian/ntp.dhcp: Rewrite sed rules. This was done incorrectly as pointed
       out in LP 575458. This decision is explained in detail there.
   * All previous ubuntu security patches/fixes have been upstreamed:
     + CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,
       CVE-2015-7703, CVE-2015-5219, CVE-2015-5300, CVE-2015-7691,
       CVE-2015-7692, CVE-2015-7702, CVE-2015-7701, CVE-2015-7704,
       CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,
       CVE-2015-7855, CVE-2015-7871, CVE-2015-1798, CVE-2015-1799,
       CVE-2014-9297, CVE-2014-9298, CVE-2014-9293, CVE-2014-9294,
       CVE-2014-9295, CVE-2014-9296
     + Fix to ignore ENOBUFS on routing netlink socket
     + Fix use-after-free in routing socket code
     + ntp-keygen infinite loop or lack of randonmess on big endian platforms
Checksums-Sha1:
 5ee9272c8404767aac92abb993df0f0668181381 2350 ntp_4.2.8p4+dfsg-3ubuntu1.dsc
 5ab8f932917d3587b63f00fe45099dc45cb57d4f 7065768 ntp_4.2.8p4+dfsg.orig.tar.gz
 37ae25601b4c10e2ba599a5ae30b0de5eb8023ff 61716 ntp_4.2.8p4+dfsg-3ubuntu1.debian.tar.xz
Checksums-Sha256:
 537fa22c3b5abf5aa47158f154338f5e90fc6efe7d5d5c8e4b24f0ea6f4e6580 2350 ntp_4.2.8p4+dfsg-3ubuntu1.dsc
 6da2529b5d9ee4ac01fb64d127426b254c6defa3098a456a6f71736920f4e4ed 7065768 ntp_4.2.8p4+dfsg.orig.tar.gz
 363f90956d871ef592f8e575f3828d2a0d69aa52bcbff06e7aa81047e76d8d94 61716 ntp_4.2.8p4+dfsg-3ubuntu1.debian.tar.xz
Files:
 d108b6e04945a2e3855421404b96594b 2350 net optional ntp_4.2.8p4+dfsg-3ubuntu1.dsc
 babfb260562a71f6384ad35c65a4db54 7065768 net optional ntp_4.2.8p4+dfsg.orig.tar.gz
 f7cf05011eef4e11871ca4775e95d5d2 61716 net optional ntp_4.2.8p4+dfsg-3ubuntu1.debian.tar.xz
Original-Maintainer: Debian NTP Team <pkg-ntp-maintainers at lists.alioth.debian.org>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWvKHPAAoJEOVkucJ1vdUuZioP/RHYFxxGRdOD8t7R/+jaeBc5
/BnNXhkXq8eeY/zT8Z6P3nOXcVe7NfqXoSQT57Chak6LnmtgvQj2jd0YV+9BzFor
IP+NfARAEmgzP+7UukeOOKJV4IXxNi/2HIIDGrqHaPxjrFvHUY0qYeN4SVMT7iSe
S4pVaJk/tZefgsgsY/WocVNxkIsgP1K53dTAW1dqlK1SUh3MPpjuWEatGS30G7wp
bvtX5GYFnYvXUunXIwVOCFNVNdQxaJxCxsuB7KjM46LfpB/LcatlMMhokPJVowYJ
omgDTbasLlnEAkvQcsG/V62N49cUaRrp+ERxbUAuOn6GDuEAT5obS1+rETJmIPPV
y/dX5iMLhPL3mSZVsphsoj7y2q9Ud/FSJDuoyjHC8oLUi5zjSb2WwnQeNyxoAt0i
tEydfJRRjrX5qwemilfoIbPSrvRDTb0LD02eEmCtaxToU3aftKN+0LrAy/UEOP7M
L9xlfmNalRLpQugAKKxToUntevoeKpVRoNYiCOE8ZeXKihvkZwJGiCfH7OPx17ci
HTupfe8vYBneJyfTWwxTMUCK02V09gb/xVeD5OpmyjIPThP1obTMKlipzcnWhrD+
BGF/dgqJZGggEFTFYsWojw2br1O8k/fBLTP5Iiut5xxzi0EBMHqZWzlENjQoxukJ
UUp85mAFLiYQzVKu6Qjy
=sBWJ
-----END PGP SIGNATURE-----

More information about the Xenial-changes mailing list