From https://blog.ntpsec.org/2019/06/30/version-1.1.5.html:
"We have added ALPN to be consistent with the NTS draft. And we have discovered and fixed a buffer overrun in debug compile of ALPN implementation."
While this "only" affects debug compiles, we have a debug USE flag on the ebuild, so this should be treated as a security bug. We already have ntpsec 1.1.6 in the tree, but 1.1.4 is the current stable version.
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
All current ebuilds are using the new service file; all we need now is x86 stable and the old versions can be nuked.
(In reply to Steve Arnold from comment #2)
> All current ebuilds are using the new service file; all we need now is x86
> stable and the old versions can be nuked.
x86 isn't stable for any versions atm: do we need to CC x86 and request it, or can we just cleanup?
If we can get x86 stable that would be great, otherwise security has the ball.
No, no need to stabilize x86. x86 never set stable keyword. If you want x86 for some reason, file your own bug and request normal stabilization. But that's not part of this security bug. @maintainer(s): Please cleanup and drop <net-misc/ntpsec-1.1.7-r1!
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Maintainer(s), please drop the vulnerable version(s).
Maintainer(s), it has been 30+ days since request for cleanup. Please drop the vulnerable version(s).
@maintainer(s), ping, please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd1a7b82b201c4a2f1a72eeb8c52f226be22e2c0
commit fd1a7b82b201c4a2f1a72eeb8c52f226be22e2c0
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2020-06-20 00:41:33 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-20 00:41:33 +0000
    net-misc/ntpsec: drop vulnerable
    Bug: https://bugs.gentoo.org/694748
    Signed-off-by: Aaron Bauman <bman@gentoo.org>
 net-misc/ntpsec/Manifest | 2 -
 net-misc/ntpsec/ntpsec-1.1.4.ebuild | 160 ------------------------------------
 net-misc/ntpsec/ntpsec-1.1.6.ebuild | 159 -----------------------------------
 3 files changed, 321 deletions(-)