Debian Bug report logs -
#833442
busybox: CVE-2016-6301: NTP server denial of service flaw
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 4 Aug 2016 12:24:23 UTC
Severity: normal
Tags: patch, security, upstream
Found in version busybox/1:1.22.0-9
Fixed in version busybox/1:1.27.2-1
Done: Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>:
Bug#833442; Package src:busybox.
(Thu, 04 Aug 2016 12:24:27 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Install System Team <debian-boot@lists.debian.org>.
(Thu, 04 Aug 2016 12:24:27 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: busybox
Version: 1:1.22.0-9
Severity: normal
Tags: security upstream patch
Hi,
the following vulnerability was published for busybox. The config
CONFIG_NTPD is not enabled by default, so this only would affect
rebuild packages. It is thus marked unimportant in the
security-tracker. Opened the bug to track the issue in BTS.
CVE-2016-6301[0]:
NTP server denial of service flaw
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-6301
Regards,
Salvatore
Marked as fixed in versions busybox/1:1.27.2-1.
Request was from Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
to control@bugs.debian.org.
(Tue, 26 Sep 2017 18:09:11 GMT) (full text, mbox, link).
Reply sent
to Christoph Biedl <debian.axhn@manchmal.in-ulm.de>:
You have taken responsibility.
(Tue, 26 Sep 2017 18:15:03 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Tue, 26 Sep 2017 18:15:03 GMT) (full text, mbox, link).
Message #12 received at 833442-done@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
fixed 833442 1:1.27.2-1
thanks
> the following vulnerability was published for busybox. The config
> CONFIG_NTPD is not enabled by default, so this only would affect
> rebuild packages. It is thus marked unimportant in the
> security-tracker. Opened the bug to track the issue in BTS.
>
> CVE-2016-6301[0]:
> NTP server denial of service flaw
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
This was fixed in the recent upload to unstable/sid which already
migrated to testing/buster. Since the ntpd module is not enabled in
Debian's busybox build, it's basically a change in unsued sources that
wasn't worth being mentioned in the changelog. For the same reason this
will not be handled in (old){0,2}stable.
Now closing.
Christoph
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 25 Oct 2017 07:35:25 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 14:39:37 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon