Bug 22864

Summary: ntp new security issues CVE-2016-1549, CVE-2018-7170, CVE-2018-718[2-5], CVE-2018-12327
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: guichard.adrien, guillomovitch, lists.jjorge, marja11
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: ntp-4.2.6p5-24.8.mga5.src.rpm
CVE:
Status comment:
Bug Depends on: 22850
Bug Blocks:

Description David Walser 2018-04-02 12:53:30 CEST
+++ This bug was initially created as a clone of Bug #22850 +++

Fedora has issued an advisory on March 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PAWSWGYT4BYAU6JMQXZOD22NFWPCVJQP/

The issues are fixed upstream in 4.2.8p11.

We should also add the noepeer restriction to the default config if we haven't:
https://src.fedoraproject.org/cgit/rpms/ntp.git/commit/?h=f27&id=ddca0198432d804162e603e987237163b628c587

Comment 1 Marja Van Waes 2018-04-03 12:21:18 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
CC'ing three committers.

CC: (none) => guichard.adrien, guillomovitch, lists.jjorge, marja11
Assignee: bugsquad => pkg-bugs

David Walser 2018-06-08 20:57:57 CEST

Summary: ntp new security issue CVE-2016-1549, CVE-2018-717[0,2-5] => ntp new security issue CVE-2016-1549, CVE-2018-7170, CVE-2018-718[2-5]

Comment 2 David Walser 2018-07-16 20:28:12 CEST
Ubuntu has issued an advisory for the latter of these issues on July 9:
https://usn.ubuntu.com/3707-1/

We can borrow patches from Ubuntu 14.04.

Comment 3 Guillaume Rousse 2018-07-19 19:38:26 CEST
Unless I'm mistaken, Mageia 5 is officially EOLed:
https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/

So, why waste time providing an update for it?

Comment 4 David Walser 2018-07-20 13:07:41 CEST
We're still providing limited support for it for a number of reasons, but you're under no obligation to help with that, so don't worry about it.  I'll take care of this when I have time.

Comment 5 David Walser 2018-08-31 19:10:13 CEST
Fedora has issued an advisory on August 30:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/437XM4CMBCMPK7D2RSEUZIRLFZD5ZNRD/

It fixes one additional issue.

Summary: ntp new security issue CVE-2016-1549, CVE-2018-7170, CVE-2018-718[2-5] => ntp new security issues CVE-2016-1549, CVE-2018-7170, CVE-2018-718[2-5], CVE-2018-12327

Comment 6 Marja Van Waes 2018-10-06 12:54:12 CEST
The limited support Mga5 continued to have after its official EOL has ended, so closing this bug as OLD.

Resolution: (none) => OLD
Status: NEW => RESOLVED