[ntp:hackers] Release fixing all issues

Kurt Roeckx kurt at roeckx.be
Wed Nov 25 07:59:57 UTC 2015


On Wed, Oct 28, 2015 at 11:52:19PM +0000, Harlan Stenn wrote:
> Kurt Roeckx writes:
> > Hi,
> > 
> > When can we expect a release fixing all the issues?  I would
> > really like to see a release that fixes CVE-2015-5300,
> > CVE-2015-7704 and CVE-2015-7705.
> > 
> > The fix for CVE-2015-5300 is a trivial 1 line thing.
> 
> That one is interesting - we were told that it was not an issue in 4.2.8
> until the day before p4 was released.  The window of vulnerability for
> that one is very small, too.
> 
> The short answer is we're planning to fix this in 4.2.8p5, due out
> "soon".
> 
> > The fix for CVE-2015-7704 seems to be incomplete, and I got an
> > alternative patch for that.  But I've been told that I had to
> > revert the patch for CVE-2015-7704+CVE-2015-7705 to get that
> > working, so now I'm still affected by CVE-2015-7705.
> 
> Our patch for 7704/7705 went "too far".  Some of the patches I've seen
> from others are differently broken.
> 
> We've been working on better patches and should have found a proper fix
> soon, in 4.2.8p5.

We're a month later now.  When can we expect the new version?


Kurt


