Public bug reported: Please sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)
I am the maintainer of ntpsec in Debian. I understand that there is a feature freeze on Bionic. I am requesting a feature freeze exception for the following reasons:

1) There is a security vulnerability (CVE-2018-7182), so *something* has to be done. The simplest way to fix this would be to sync either 1.0.0+dfsg1-5 or 1.1.0+dfsg1-1. I'm not sure if it's still possible to sync 1.0.0+dfsg1-5. (I realize a security bug doesn't, by itself, necessarily justify an exception.)

2) ntpsec is a new package. It has never appeared in an Ubuntu release (LTS or non-LTS), nor a Debian release for that matter. This means that the potential negative impact of the exception is much lower (basically zero).

3) The 1.1.0 release fixes an interoperability bug with the Amazon time service where 33% of packets are dropped when ntpsec is the client.

4) The 1.1.0 release dramatically reduces the number of patches in the Debian package, as a large number of patches were upstreamed. This should make future security maintenance for the lifecycle of Bionic slightly easier.

5) Other important bugs were fixed in 1.0.0+dfsg1-4, 1.0.0+dfsg1-5, and 1.1.0+dfsg1-1, including those relating to conversions from the venerable ntp package to ntpsec, which is likely to be a common path.

I am an Ubuntu user primarily. Every change to ntpsec is tested on Ubuntu first. I have been running 1.1.0+dfsg1-1 (from a PPA) on multiple machines running Xenial even before it was uploaded to Debian. I tested in a Bionic VM by installing 1.0.0+dfsg1-3 and upgrading to a PPA-packaged version of 1.1.0+dfsg1-1.

Changelog entries since current bionic version 1.0.0+dfsg1-3:

ntpsec (1.1.0+dfsg1-1) unstable; urgency=medium

  * Make ntpsec Conflict with ntpdate
    - Use ntpsec-ntpdate instead of ntpdate.
  * Stop deleting /var/lib/ntpdate/ (Closes: 892966)
    Thanks to Bernhard Schmidt <be...@debian.org> for the suggestion.
  * New upstream version
    - Digests longer then 20 bytes will be truncated.
    - We have dropped support for Broadcast servers.
    - A bug that caused the rejection of 33% of packets from Amazon
      time service has been fixed.
  * Drop patches merged upstream
    - fix-ntpdig.patch
    - systemd-remove-extra-dependencies.patch
    - fix-name-of-psutil.patch
    - fix-spectracom-log-prefixes.patch
    - fix-ntpviz-file-encodings.patch
    - systemd-remove-remainafterexit.patch
    - systemd-use-high-priority.patch
    - systemd-ionice-ntpviz.patch
    - systemd-cleanup-ntp-wait-service.patch
    - fix-ntploggps.patch
    - systemd-use-usr-sbin.patch
    - systemd-do-not-restart.patch
    - systemd-allow-running-in-containers.patch
    - Merge-Classic-fix-for-CVE-2018-7182.patch
  * Update copyright

 -- Richard Laager <rlaa...@wiktel.com>  Fri, 16 Mar 2018 00:42:24 -0500

ntpsec (1.0.0+dfsg1-5) unstable; urgency=high

  * Fix CVE-2018-7182

 -- Richard Laager <rlaa...@wiktel.com>  Wed, 07 Mar 2018 19:47:34 -0600

ntpsec (1.0.0+dfsg1-4) unstable; urgency=medium

  * Remove empty /var/log/ntpstats on ntpviz removal
  * Fix installing ntpsec-ntpviz without ntpsec (Closes: 891278)
  * systemd: Allow running in containers (Closes: 890771)

 -- Richard Laager <rlaa...@wiktel.com>  Sun, 04 Mar 2018 15:06:58 -0600

** Affects: ntpsec (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1756818