XPost: linux.debian.devel.release   
   From: debian@fabian.gruenbichler.email   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: trixie   
   X-Debbugs-Cc: rust-ntp-proto@packages.debian.org, debian@fabian.   
   ruenbichler.email   
   Control: affects -1 + src:rust-ntp-proto   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   [ Reason ]   
      
   Fix CVE-2026-26076 - increased load while processing malformed NTS packets   
      
   See #1127929 for details and input by the security team.   
      
   [ Impact ]   
      
   ntpd-rs (the NTP client/daemon using the ntp-proto crate) would still be   
   affected by the CVE.   
      
   [ Tests ]   
      
   The fix is cherry-picked from upstream, the autopkgtest suite pass as much as   
   it did before.   
      
   [ Risks ]   
      
   The change is fairly trivial.   
      
   [ Checklist ]   
     [x] *all* changes are documented in the d/changelog   
     [x] I reviewed all changes and I approve them   
     [x] attach debdiff against the package in (old)stable   
     [x] the issue is verified as fixed in unstable   
      
   [ Changes ]   
      
   A single cherry-picked patch with a minor modification for different import   
   context, introducing an upper bound for the amount of NTS packets processed for   
   a given request.   
      
   [ Other info ]   
   Since rust-ntp-proto just builds librust-ntp-proto-dev which just contains Rust   
   source code, the actual fix will only materialize via a binNMU of rust-ntpd to   
   pick up the change.   
      
   Thanks for your consideration,   
   Fabian   
      
   [SoupGate killed MIME-encoded file debdiff (2889 bytes)]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)