[Secure-testing-commits] r48220 - in data: . CVE
Raphaël Hertzog
hertzog at moszumanska.debian.org
Fri Jan 20 09:58:39 UTC 2017
Author: hertzog
Date: 2017-01-20 09:58:39 +0000 (Fri, 20 Jan 2017)
New Revision: 48220
Modified:
data/CVE/list
data/dla-needed.txt
Log:
Demote NTP CVE on wheezy to no-dsa, drop entry from dla-needed
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-01-20 08:48:13 UTC (rev 48219)
+++ data/CVE/list 2017-01-20 09:58:39 UTC (rev 48220)
@@ -13895,17 +13895,17 @@
CVE-2016-9311 (ntpd in NTP before 4.2.8p9, when the trap service is enabled, allows ...)
- ntp 1:4.2.8p9+dfsg-1
[jessie] - ntp <no-dsa> (Minor issue)
+ [wheezy] - ntp <no-dsa> (Minor issue, not vulnerable by default)
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3119
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0204/
- NOTE: Can be considered for a non-dsa for LTS as it is about a service
- NOTE: not normally enabled. Should be judged in more details.
+ NOTE: Only affects configurations that do not have "restrict noquery", Debian's default config does have that restriction.
CVE-2016-9310 (The control mode (mode 6) functionality in ntpd in NTP before 4.2.8p9 ...)
- ntp 1:4.2.8p9+dfsg-1
[jessie] - ntp <no-dsa> (Minor issue)
+ [wheezy] - ntp <no-dsa> (Minor issue, not vulnerable by default)
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3118
NOTE: http://www.talosintelligence.com/reports/TALOS-2016-0203/
- NOTE: Can be considered for a non-dsa for LTS as it is about a problem
- NOTE: where things are not configured according to recommentation. Should be judged in more details.
+ NOTE: Only affects configurations that do not have "restrict noquery", Debian's default config does have that restriction.
CVE-2016-9309
RESERVED
CVE-2016-9308
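Review bot: The replacement NOTE on CVE-2016-9311 loses the trap-service precondition. The CVE description says the issue applies "when the trap service is enabled", and the removed note recorded that the service is "not normally enabled", but the new text mentions only "restrict noquery". Consider keeping both conditions on that entry so the no-dsa reasoning stays complete. The NOTE is also worded for Debian's default config in general, yet only the [wheezy] line gains "not vulnerable by default" while [jessie] stays at "(Minor issue)"; aligning the two would avoid implying the releases differ.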
@@ -19792,6 +19792,7 @@
CVE-2016-7434 (The read_mru_list function in NTP before 4.2.8p9 allows remote ...)
- ntp 1:4.2.8p9+dfsg-1
[jessie] - ntp <not-affected> (mrulist introduced in ntp-4.2.7p22, vulnerable code not present)
+ [wheezy] - ntp <not-affected> (mrulist introduced in ntp-4.2.7p22, vulnerable code not present)
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3082
NOTE: Only possible to trigger from hosts in allow mrulist query.
CVE-2016-7433 (NTP before 4.2.8p9 does not properly perform the initial sync ...)
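Review bot: The added [wheezy] line for CVE-2016-7434 reuses the jessie justification (mrulist introduced in ntp-4.2.7p22) without recording which ntp version wheezy ships. A NOTE stating the wheezy version that was checked against 4.2.7p22 would make the not-affected status verifiable from the entry alone.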
@@ -19837,6 +19838,7 @@
CVE-2016-7426 (NTP before 4.2.8p9 rate limits responses received from the configured ...)
- ntp 1:4.2.8p9+dfsg-1
[jessie] - ntp <no-dsa> (Minor issue)
+ [wheezy] - ntp <no-dsa> (Minor issue)
NOTE: http://support.ntp.org/bin/view/Main/NtpBug3071
CVE-2016-7425 (The arcmsr_iop_message_xfer function in ...)
{DSA-3696-1 DLA-670-1}
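Review bot: The added [wheezy] line for CVE-2016-7426 gives only "(Minor issue)" with no NOTE explaining why, unlike the CVE-2016-9311 and CVE-2016-9310 entries changed in the same commit. A one-line rationale would help later triage. The log message also speaks of a single "NTP CVE" although four entries in data/CVE/list change; naming them in the log would match the diff.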
Modified: data/dla-needed.txt
===================================================================
--- data/dla-needed.txt 2017-01-20 08:48:13 UTC (rev 48219)
+++ data/dla-needed.txt 2017-01-20 09:58:39 UTC (rev 48220)
@@ -66,9 +66,6 @@
mysql-connector-python
NOTE: see http://bugs.debian.org/841677 for current discussion
--
-ntp
- NOTE: Kurt Roeckx is working on an update
---
openjdk-7 (Emilio Pozuelo)
--
openssl
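Review bot: Removing the ntp entry also drops the record "Kurt Roeckx is working on an update", and the log does not say whether that work was coordinated or withdrawn; a short mention would avoid duplicated or abandoned effort. It is also worth confirming that every open ntp CVE has a wheezy status before the package leaves dla-needed: CVE-2016-7433 appears in this diff only as context, so its wheezy state cannot be checked from these lines.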