Dimitry Andric wrote:> On 08 Dec 2016, at 06:08, Michelle Sullivan <michelle at sorbs.net> wrote: >> Are we going to get a patch for CVE-2016-7434 on FreeBSD 9.3? > On Nov 22, in r309009, Xin Li merged ntp 4.2.8p9, which fixes this > issue, to stable/9: > > https://svnweb.freebsd.org/changeset/base/309009 > > Unfortunately the commit message did not mention the CVE identifier. I > can't find any corresponding security advisory either. > > -Dimitry >.... No updates needed to update system to 9.3-RELEASE-p52. No updates are available to install. Run '/usr/sbin/freebsd-update fetch' first. [root at gauntlet /]# ntpd --version ntpd 4.2.8p8-a (1) So no then... 9.3 is still so-say supported so I'm not talking about -STABLE. Michelle
On 13 Dec 2016, at 03:18, Michelle Sullivan <michelle at sorbs.net> wrote:> > Dimitry Andric wrote: >> On 08 Dec 2016, at 06:08, Michelle Sullivan <michelle at sorbs.net> wrote: >>> Are we going to get a patch for CVE-2016-7434 on FreeBSD 9.3? >> On Nov 22, in r309009, Xin Li merged ntp 4.2.8p9, which fixes this >> issue, to stable/9: >> >> https://svnweb.freebsd.org/changeset/base/309009 >> >> Unfortunately the commit message did not mention the CVE identifier. I >> can't find any corresponding security advisory either....> No updates needed to update system to 9.3-RELEASE-p52. > No updates are available to install. > Run '/usr/sbin/freebsd-update fetch' first. > [root at gauntlet /]# ntpd --version > ntpd 4.2.8p8-a (1) > > So no then... > > 9.3 is still so-say supported so I'm not talking about -STABLE.Well, as I mentioned, there was no Security Advisory (which is a little strange), so I didn't expect there to be any binary updates. As far as I know, binary updates are only built for Security Advisories and Errata Notices. -Dimitry -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 194 bytes Desc: Message signed with OpenPGP using GPGMail URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20161213/f38cccab/attachment.sig>
We plan to issue an EN to update the base system ntp to 4.2.8p9. The high impact issue is Windows only by the way. Cheers, On Mon, Dec 12, 2016 at 6:18 PM, Michelle Sullivan <michelle at sorbs.net> wrote:> Dimitry Andric wrote: >> >> On 08 Dec 2016, at 06:08, Michelle Sullivan <michelle at sorbs.net> wrote: >>> >>> Are we going to get a patch for CVE-2016-7434 on FreeBSD 9.3? >> >> On Nov 22, in r309009, Xin Li merged ntp 4.2.8p9, which fixes this >> issue, to stable/9: >> >> https://svnweb.freebsd.org/changeset/base/309009 >> >> Unfortunately the commit message did not mention the CVE identifier. I >> can't find any corresponding security advisory either. >> >> -Dimitry >> > .... > > No updates needed to update system to 9.3-RELEASE-p52. > No updates are available to install. > Run '/usr/sbin/freebsd-update fetch' first. > [root at gauntlet /]# ntpd --version > ntpd 4.2.8p8-a (1) > > So no then... > > 9.3 is still so-say supported so I'm not talking about -STABLE. > > Michelle