ubuntu/+source/ntp:ubuntu/yakkety-security

Last commit made on 2017-07-05
Get this branch:
git clone -b ubuntu/yakkety-security https://git.launchpad.net/ubuntu/+source/ntp

Branch information

Name:
ubuntu/yakkety-security
Repository:
lp:ubuntu/+source/ntp

Recent commits

adf9ac0... by Marc Deslauriers on 2017-06-28

Import patches-unapplied version 1:4.2.8p8+dfsg-1ubuntu2.1 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: e4ab1bfe21ab378f6bc03b3dde943e7f15204e24

New changelog entries:
  * SECURITY UPDATE: DoS via responses with a spoofed source address
    - debian/patches/CVE-2016-7426.patch: improve rate limiting in
      ntpd/ntp_proto.c.
    - CVE-2016-7426
  * SECURITY UPDATE: DoS via crafted broadcast mode packet
    - debian/patches/CVE-2016-7427-1.patch: improve replay prevention
      logic in ntpd/ntp_proto.c.
    - debian/patches/CVE-2016-7427-2.patch: add bcpollbstep option to
      html/miscopt.html, include/ntp.h, include/ntpd.h,
      ntpd/complete.conf.in, ntpd/invoke-ntp.conf.texi, ntpd/keyword-gen.c,
      ntpd/ntp.conf.5man, ntpd/ntp.conf.5mdoc, ntpd/ntp.conf.def,
      ntpd/ntp.conf.man.in, ntpd/ntp.conf.mdoc.in, ntpd/ntp_config.c,
      ntpd/ntp_keyword.h, ntpd/ntp_parser.y, ntpd/ntp_proto.c.
    - CVE-2016-7427
  * SECURITY UPDATE: DoS via poll interval in a broadcast packet
    - debian/patches/CVE-2016-7428.patch: ensure at least one poll interval
      has elapsed in ntpd/ntp_proto.c, include/ntp.h.
    - CVE-2016-7428
  * SECURITY UPDATE: DoS via response for a source to an interface the
    source does not use
    - debian/patches/CVE-2016-7429-1.patch: add extra checks to
      ntpd/ntp_peer.c.
    - debian/patches/CVE-2016-7429-2.patch: check for NULL first in
      ntpd/ntp_peer.c.
    - debian/patches/CVE-2016-7429-3.patch: fix multicastclient regression
      in ntpd/ntp_peer.c.
    - CVE-2016-7429
  * SECURITY UPDATE: origin timestamp protection mechanism bypass
    - debian/patches/CVE-2016-7431.patch: handle zero origin in
      ntpd/ntp_proto.c.
    - CVE-2016-7431
  * SECURITY UPDATE: incorrect initial sync calculations
    - debian/patches/CVE-2016-7433.patch: use peer dispersion in
      ntpd/ntp_proto.c.
    - CVE-2016-7433
  * SECURITY UPDATE: DoS via crafted mrulist query
    - debian/patches/CVE-2016-7434.patch: added missing parameter
      validation to ntpd/ntp_control.c.
    - CVE-2016-7434
  * SECURITY UPDATE: DoS in the origin timestamp check
    - debian/patches/CVE-2016-9042.patch: comment out broken code in
      ntpd/ntp_proto.c.
    - CVE-2016-9042
  * SECURITY UPDATE: traps can be set or unset via a crafted control mode
    packet
    - debian/patches/CVE-2016-9310.patch: require AUTH in
      ntpd/ntp_control.c.
    - CVE-2016-9310
  * SECURITY UPDATE: DoS when trap service is enabled
    - debian/patches/CVE-2016-9311.patch: make sure peer events are
      associated with a peer in ntpd/ntp_control.c.
    - CVE-2016-9311
  * SECURITY UPDATE: potential Overflows in ctl_put() functions
    - debian/patches/CVE-2017-6458.patch: check lengths in
      ntpd/ntp_control.c.
    - CVE-2017-6458
  * SECURITY UPDATE: overflow via long flagstr variable
    - debian/patches/CVE-2017-6460.patch: check length in ntpq/ntpq-subs.c.
    - CVE-2017-6460
  * SECURITY UPDATE: buffer overflow in DPTS refclock driver
    - debian/patches/CVE-2017-6462.patch: don't overrun buffer in
      ntpd/refclock_datum.c.
    - CVE-2017-6462
  * SECURITY UPDATE: DoS via invalid setting in a :config directive
    - debian/patches/CVE-2017-6463.patch: protect against overflow in
      ntpd/ntp_config.c.
    - CVE-2017-6463
  * SECURITY UPDATE: DoS via malformed mode configuration directive
    - debian/patches/CVE-2017-6464.patch: validate directives in
      ntpd/ntp_config.c, ntpd/ntp_proto.c.
    - CVE-2017-6464

e4ab1bf... by Christian Ehrhardt on 2016-08-26

Import patches-unapplied version 1:4.2.8p8+dfsg-1ubuntu2 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: a8d128c2eb43853e5eb9db950e9de3a6b8841f9b

New changelog entries:
  * Fix ntpdate-debian to be able to parse new config of ntp (LP: #1576698)

a8d128c... by Christian Ehrhardt on 2016-07-29

Import patches-unapplied version 1:4.2.8p8+dfsg-1ubuntu1 to ubuntu/yakkety-proposed

Imported using git-ubuntu import.

Changelog parent: 08a20495a551a5bbfa11f29edaaa33704bb8ce5e

New changelog entries:
  [ Christian Ehrhardt ]
  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Asked debian to add this in bug #643954.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + debian/control: Add Suggests on apparmor.
    + debian/source_ntp.py: Add filter on AppArmor profile names to prevent
      false positives from denials originating in other packages
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
    + Extend PPS support
      - debian/README.Debian: Add a PPS section to the README.Debian
      - debian/ntp.conf: Add some configuration examples from the official
        documentation.
    + SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
      - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
      - CVE-2016-0727
    + Merge also contains an upstream fix that solves (LP: #1567540)
  * Added changes
    + match Ubuntu packages now that Debian has ntp apparmor accepted in
      d/control for Apparmor conflicts/replaces
    + d/apparmor-profile add samba winbindd pipe (LP: #1582767)
  * Drop Changes:
    + Add enforcing AppArmor profile (accepted in Debian):
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + Add PPS support (accepted in Debian)
      - debian/control: Add Build-Depends on pps-tools
    + debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
    + d/p/fix_local_sync.patch: fix local clock sync (fixed upstream)
    + debian/patches/ntpdate-fix-lp1526264.patch (fixed upstream):
      - Add Alfonso Sanchez-Beato's patch for fixing the cannot correct dates in
        the future bug
    + debian/apparmor-profile: adjust to handle AF_UNSPEC with dgram and stream
    + dropping previous ubuntu security patches/fixes that have been upstreamed
      in 4.2.8p6: CVE-2015-7973, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977,
      CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158
    + dropping previous ubuntu security patches/fixes that have been upstreamed
      in 4.2.8p7: CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518,
      CVE-2015-7974, CVE-2016-1547
  [ Robie Basak ]
  * Restore AppArmor entries in debian/ntp.dirs.

08a2049... by Kurt Roeckx on 2016-06-07

Import patches-unapplied version 1:4.2.8p8+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 43d1f6a79e5ddf90a602865ca005b1f6afdd4c4e

New changelog entries:
  * New upstream version
    - Fixes security issues

43d1f6a... by Kurt Roeckx on 2016-05-19

Import patches-unapplied version 1:4.2.8p7+dfsg-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 434d190e90dfb0cfcca7b965073840ba43d5a2c6

New changelog entries:
  * Update apparmor-profiles-extra again now we know in which version they
    removed it.
  * Call dh_apparmor. Add build-depends on dh-apparmor. (Closes: #824767)

434d190... by Kurt Roeckx on 2016-04-30

Import patches-unapplied version 1:4.2.8p7+dfsg-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: a3d2993682eb04091db9a84b08c674835933843d

New changelog entries:
  [ Hideki Yamane ]
  * Properly enable Apparmor profile from Ubuntu (Closes: #823024)
    Patch from Hideki Yamane <email address hidden>
  * Update replace/breaks versions of apparmor-profiles-extra
    (Closes: #805183)

a3d2993... by Kurt Roeckx on 2016-04-29

Import patches-unapplied version 1:4.2.8p7+dfsg-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 98c2165a9db47739866cf3dc9654cd7324ab4f3a

New changelog entries:
  * Only build-depend on pps-tools on Linux

98c2165... by Kurt Roeckx on 2016-01-24

Import patches-unapplied version 1:4.2.8p7+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 20ad5f709ff0e01e1f156ec25abe85e443075efb

New changelog entries:
  * New upstream version
    This might fix a few CVEs.
  * Drop CVE-2015-5300.patch and CVE-2015-7704.patch now claimed to
    be fixed upstream.
  * Remove Bdale from uploaders (Closes: #804377)
  * Remove section about patching the kernel for PPS support, it's already
    included in the kernel (Closes: #811171)
  * Pass --build and --host to configure. (Closes: #315935)
    Patch from Helmut Grohne <email address hidden>
  * Missing Build-Depends libopts25-dev (which is not implicit in autogen,
    because autogen is M-A:foreign).
    Patch from Helmut Grohne <email address hidden>
  * Fix ntp.dhcp to also check for pool and better handle spaces and tabs.
    (Closes: #809344, #806676)
  * Change watch file to use https (Closes: #793926)
  * Hook into NetworkManager to update ntp servers from dhcp. (Closes:
    #778415). Patch from Helmut Grohne <email address hidden>
  * Build Depend on pps-tools (Closes: #691672)
  * Don't run ntpdate when method is none. Patch from
    Dmitry Borisyuk <q1werty@i.com.ua>
  * Also use flock in the ntp init script, and update the lock file
    location. (Closes: #806556)
  * Move apparmor profile from apparmor-profiles-extra. Add Breaks/Replaces.
    (Closes: #805183)

20ad5f7... by Kurt Roeckx on 2015-10-22

Import patches-unapplied version 1:4.2.8p4+dfsg-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7bc00668445065727499e00a9b664b7d6782d482

New changelog entries:
  * Remove rlimit memlock from default config file, the default is now
    to no longer lock. (Closes: #793745)
  * Really properly fix CVE-2015-7704, thanks to Miroslav Lichvar
    <email address hidden>

7bc0066... by Kurt Roeckx on 2015-10-22

Import patches-unapplied version 1:4.2.8p4+dfsg-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b72bcab04a11e28f82f2cb0a184ed66ef0050879

New changelog entries:
  * Change rlimit memlock default to -1. (Closes: #802638)
  * Fix CVE-2015-5300
  * Properly fix CVE-2015-7704