Bug 904337 (CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555) - <net-misc/ntp-4.2.8_p16: Multiple vulnerabilities
Summary: <net-misc/ntp-4.2.8_p16: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: CVE-2023-26551, CVE-2023-26552, CVE-2023-26553, CVE-2023-26554, CVE-2023-26555
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://github.com/spwpun/ntp-4.2.8p1...
Whiteboard: A3 [stable]
Keywords:
Depends on: 909110
Blocks:
Reported: 2023-04-14 19:13 UTC by Sebastian Pipping
Modified: 2023-06-25 05:14 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sebastian Pipping gentoo-dev 2023-04-14 19:13:53 UTC
Patches not yet available to my best knowledge, see URL above for latest developments.  Mostly opening this ticket so you know what's coming.
Comment 1 Sebastian Pipping gentoo-dev 2023-04-14 20:41:30 UTC
PS: Given the state of net-misc/ntp upstream and downstream, I wonder if we should hard mask it for future removal and recommend use of net-misc/ntpsec instead.  Based on what https://packages.debian.org/bookworm/ntp says about "dummy transitional package to transition to NTPsec", the upcoming Debian stable seems to have gone that very route.
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 23:29:15 UTC
Ping, maintainers? Shall we last rite?
Comment 3 Mike Gilbert gentoo-dev 2023-05-01 00:28:40 UTC
No, I don't think we will last rite over a bug in the rarely used ntpq utility.
Comment 4 Sebastian Pipping gentoo-dev 2023-05-01 00:51:03 UTC
Hi Mike, how do you suggest we best deal with the absence of patches for the vulnerabilities and no upstream release for nearly three years?
Wouldn't it be great if users migrated to something less zombie like ntpsec or chrony, instead?
Comment 5 Mike Gilbert gentoo-dev 2023-05-01 01:08:28 UTC
(In reply to Sebastian Pipping from comment #4)
> Hi Mike, what do you suggest how to deal best with absence of patches to
> vulnerabilities and no upstream release for near three years?

It's been ~3 weeks since the referenced CVEs were published. What's the rush?

> Wouldn't it be great if users migrated to something less zombie like ntpsec
> or chrony, instead?

There is nothing stopping users from migrating.
Comment 6 Mike Gilbert gentoo-dev 2023-05-01 01:19:33 UTC
Eh, I guess ntpsec is basically a drop-in replacement, so there's no strong reason to keep ntp around. Objection withdrawn.
Comment 7 Sebastian Pipping gentoo-dev 2023-05-01 01:28:28 UTC
Thank you!
Comment 8 Patrick McLean gentoo-dev 2023-05-15 20:28:30 UTC
I have a minor concern. ntpsec took quite a bit longer than other packages to add openssl-3.0 compatibility. If they are going to be this slow to library updates in the future, then it may be worth keeping ntp around so users have an option.
Comment 9 Mike Gilbert gentoo-dev 2023-05-15 20:36:21 UTC
(In reply to Patrick McLean from comment #8)

Slow updates from ntpsec are better than no updates from ntp.

The handbook recommends net-misc/chrony anyway.
Comment 10 Larry the Git Cow gentoo-dev 2023-06-02 00:25:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=709240c79986e92294e0329e66b99f20dd05b1de

commit 709240c79986e92294e0329e66b99f20dd05b1de
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-06-01 23:47:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-02 00:24:32 +0000

    net-misc/ntp: add 4.2.8_p16
    
    We don't need to generate our own man pages, see:
    ```
     * CMP: =net-misc/ntp-4.2.8_p15-r6 with net-misc/ntp-4.2.8_p16/image
     *  FILES:-usr/share/man/man8/keygen.8.xz
     *  FILES:-usr/share/man/man8/ntpd.8.xz
     *  FILES:-usr/share/man/man8/ntpdate.8.xz
     *  FILES:-usr/share/man/man8/ntpdc.8.xz
     *  FILES:-usr/share/man/man8/ntpdsim.8.xz
     *  FILES:-usr/share/man/man8/ntpq.8.xz
     *  FILES:-usr/share/man/man8/ntptime.8.xz
     *  FILES:-usr/share/man/man8/ntptrace.8.xz
     *  FILES:-usr/share/man/man8/tickadj.8.xz
     *   SIZE: 18.14MiB -> 18.17MiB, 305 -> 296 files
     * ------> FILES(-9) SIZE(+0.16%)
    ```
    
    ... but man pages remain in man1.
    
    Bug: https://bugs.gentoo.org/904337
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/ntp/Manifest             |   1 +
 net-misc/ntp/ntp-4.2.8_p16.ebuild | 158 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
Comment 11 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-02 00:37:51 UTC
From https://fossies.org/linux/misc/ntp-4.2.8p16.tar.gz/ntp-4.2.8p16/NEWS?m=t

"""
---
NTP 4.2.8p16 (Harlan Stenn <stenn@ntp.org>, 2023 May 30)

Focus: Security, Bug fixes

Severity: LOW

This release:

- fixes 4 vulnerabilities (3 LOW and 1 None severity), 
- fixes 46 bugs
- includes 15 general improvements
- adds support for OpenSSL-3.0
[...]
"""