[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2020-13817/ntp: add patches

Sylvain Beucler beuc at debian.org
Sat Jun 6 11:37:58 BST 2020



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0e278286 by Sylvain Beucler at 2020-06-06T12:27:55+02:00
CVE-2020-13817/ntp: add patches

- - - - -
2f1fee25 by Sylvain Beucler at 2020-06-06T12:37:17+02:00
CVE-2020-13817,CVE-2018-8956/ntp: jessie triage

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -111,8 +111,11 @@ CVE-2020-13818 (In Zoho ManageEngine OpManager before 125144, when <cachestar
 	NOT-FOR-US: Zoho ManageEngine OpManager
 CVE-2020-13817 (ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote att ...)
 	- ntp 1:4.2.8p14+dfsg-1
+	[jessie] - ntp <ignored> (Too intrusive to backport, requires new configuration)
 	NOTE: http://support.ntp.org/bin/view/Main/NtpBug3596
 	NOTE: https://bugs.ntp.org/show_bug.cgi?id=3596
+	NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e312021VVVkyioYBR_aeIP1LqMCVg (4.2.8p14)
+	NOTE: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5e4a536dzxRWAzMw-KsKjm04l6joNA (4.2.8p14)
 	TODO: check ntpsec
 CVE-2020-13816
 	REJECTED
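Review bot: the `[jessie] - ntp <ignored>` reason on CVE-2020-13817 says "requires new configuration" without naming the configuration involved, so a later reader cannot verify the decision from the entry alone. A short NOTE saying which setting is needed would help. The two added bk.ntp.org REV notes are both labelled only "(4.2.8p14)", which leaves nothing to distinguish them; a few words on what each patch covers would help. The existing "TODO: check ntpsec" is still open after this change.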
@@ -120506,6 +120509,7 @@ CVE-2018-8956 (ntpd in ntp 4.2.8p10, 4.2.8p11, 4.2.8p12 and 4.2.8p13 allow remot
 	- ntp <unfixed> (low)
 	[buster] - ntp <no-dsa> (Minor issue)
 	[stretch] - ntp <no-dsa> (Minor issue)
+	[jessie] - ntp <postponed> (Minor issue, requires being part of same broadcast network, no patch)
 	NOTE: https://arxiv.org/abs/2005.01783
 	NOTE: https://nikhiltripathi.in/NTP_attack.pdf
 	NOTE: https://tools.ietf.org/html/rfc5905
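Review bot: the new `[jessie] - ntp <postponed>` line on CVE-2018-8956 gives a fuller reason (same broadcast network, no patch) than the `[buster]` and `[stretch]` lines just above it, which say only "Minor issue" under `<no-dsa>`. If the broadcast-network precondition is what makes this minor, consider carrying the same wording to those two lines so the three releases read consistently. "no patch" matches the `<unfixed>` package line, but it will go stale once upstream ships a fix, so the postponed state should be revisited then.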


=====================================
data/dla-needed.txt
=====================================
@@ -91,8 +91,6 @@ nginx
 --
 nss (Adrian Bunk)
 --
-ntp
---
 opendmarc (Thorsten Alteholz)
   NOTE: 20200511: new CVEs arrived (thorsten)
   NOTE: 20200524: testing package
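Review bot: dropping `ntp` from data/dla-needed.txt is justified here only by the two jessie triage lines visible in data/CVE/list (CVE-2020-13817 `<ignored>`, CVE-2018-8956 `<postponed>`). It is worth confirming that no other ntp issue is still open for jessie before the entry goes, since the removed entry carried no claimant or NOTE lines recording what was pending.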



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fda32db24f5b69ac4c0767616ca8410156e4a74f...2f1fee254a886c8d76980c4f5902debd9180d54b
