diff --git a/.chrony.metadata b/.chrony.metadata
index fb965c2..40fb2fc 100644
--- a/.chrony.metadata
+++ b/.chrony.metadata
@@ -1,3 +1,3 @@
-15dc1976653f17d290b65007a4779e3f4ac1833e SOURCES/chrony-4.1.tar.gz
-6f953389765ec334465ebdef4199e25c0290646e SOURCES/clknetsim-f89702.tar.gz
+0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
+2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
 1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
diff --git a/.gitignore b/.gitignore
index 20bd26c..65f6088 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
-SOURCES/chrony-4.1.tar.gz
-SOURCES/clknetsim-f89702.tar.gz
+SOURCES/chrony-4.2.tar.gz
+SOURCES/clknetsim-824c48.tar.gz
 SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/chrony-4.1-tar-gz-asc.txt b/SOURCES/chrony-4.1-tar-gz-asc.txt
deleted file mode 100644
index b49c069..0000000
--- a/SOURCES/chrony-4.1-tar-gz-asc.txt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmCdA+8ACgkQU34rdvdo
-DayU8Q/9FCKZSecv//ZdhH89eVYyQZsb7AREqhiJqaWHekd08Hj8UZx9SA+0JtSl
-QwnGJNOrF76gbvyvjCzVmUSnIuHWADK6tAWxm8RBXqjoIS9Qv15sIpVVvTGDWxJQ
-shN2Tag5gplI6ZRp2rJAggxxtqVR2ZC3sZ+ay5LHQUhN2buxqy/v3XZXaTtfqRtI
-QLq8IVXH7f08D+F0mlH+okJ0qyemP1KYMrD9XqZjmwUupAVhrVj0UCtn+wDszbbr
-hWcs12brtSq13YUu2hbU5tXS++BEVJ1QM9+7OvG2V2idV6NRIsDhLjNPJwdYC4Dw
-kJjN2dA1/tH9YaSUUV1vcSSSmkwYki2WJijIWMluoOlbO6aIR1+ohwkror4GztQL
-0hOnVgXgTTPCS1hb5qi2nG+n6p1iKDOHudGQoyqV+qbAZYAGPGaC5jd3vDKLlI1F
-TCmXL68VtTxamjI7hAUCvt1uMWtVhkogw1Y9pHU1D8PeB5iqPK6slLU0hAn1lhB9
-AUlJ/AFSTXXqpWOuUnMx8mC9xLbekeE+KnM/IfO3BUm7CgUO8pOBCteCisHl/IFU
-7Y7AmsB+15DjJasqLhhKiVeMTbMJBlA5a9y3kvbUJv0uhS1fl0XrYK6Ht09/6t3C
-CGy+YB7OfBp1w1kKix6kmsNVjGSL9s+pODRsj/vHAxTbzzbX80Y=
-=rNMW
------END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-4.2-tar-gz-asc.txt b/SOURCES/chrony-4.2-tar-gz-asc.txt
new file mode 100644
index 0000000..23c7755
--- /dev/null
+++ b/SOURCES/chrony-4.2-tar-gz-asc.txt
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmG7LoQACgkQU34rdvdo
+Daw47w//fpF3YlqSJWQObHv/hMC6EGQSX6hRVzckXgzq7PFN2HaTX1iZV2UsP1KN
+NtXfH3V7PxTdT4jT41bHUw++vN0HXkaAw3ccbm31MVTc353JFv5VUKT/OtK+I8dZ
+CKGDy7X4REET7rCYTEfhgvAwjisIlc81xFq9fMYiGasj2LXZD9GUFHqu0JzvvyMz
+R0PNGDSYaJX5Ex1GtbgULjDJNF0FRDE+T6SBjs8Xlej020DbNRb4MNZitzygMNum
+ChN2MltzEccw/UegrsaN1UYQG2C4/Xgdjeqfa4ioiewBL0/79oPkNyJT0GCtOIUM
+TCAdDRrwLuh7d3+Hl6szy8FxKRFN4s/TTjSTinwDCaexqqNgKeSRkJPFWPWhq4l1
+2W+hh5cYtToP4wYNpFdadz+LJYrRzYEtAKdFMegYt2Q/MMVtsNji4qeJ/VOnyrUI
+cJD6sWqDtrUQnegVky1QDwKIYLzO+h6kDaTEm7ZhaT3pR4gGC47umPR9HAcgch0/
+QdmHd1dP1rutDdpiGmXRicvSV48M1Ol6AAs7rUERuQGJ4Tl/zoMGWmN93UQEpisS
+9L1PBNdAjdutJaZKA3Bgq49BOPzcRGvhamH63fO5Q+h6uXCzxd9s8MDeY8wh3Idn
+2aHcGnx32z3DNbpG/nXtKE3GeiSDbw6FmN4KUmKKBR552lCcgpA=
+=F4BS
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-nm-dispatcher-dhcp.patch b/SOURCES/chrony-nm-dispatcher-dhcp.patch
index 23087d6..d424737 100644
--- a/SOURCES/chrony-nm-dispatcher-dhcp.patch
+++ b/SOURCES/chrony-nm-dispatcher-dhcp.patch
@@ -1,3 +1,146 @@ +commit 5bd13c8d593a74ad168057efe94dd2b3aeeffe14 +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:25 2022 +0100 + + examples: support DHCPv6 NTP servers in NM dispatcher script + + Latest NetworkManager code provides NTP servers from the DHCPv6 NTP + option (RFC 5908) in the DHCP6_DHCP6_NTP_SERVERS variable to dispatcher + scripts. + + Check for invalid characters (which can come from the FQDN suboption) + and include the servers in the interface-specific sources file. + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 6ea4c370..4454f037 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -1,8 +1,7 @@ + #!/bin/sh + # This is a NetworkManager dispatcher script for chronyd to update +-# its NTP sources passed from DHCP options. Note that this script is +-# specific to NetworkManager-dispatcher due to use of the +-# DHCP4_NTP_SERVERS environment variable. ++# its NTP sources with servers from DHCP options passed by NetworkManager ++# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. + + export LC_ALL=C + +@@ -10,17 +9,19 @@ interface=$1 + action=$2 + + chronyc=/usr/bin/chronyc +-default_server_options=iburst ++server_options=iburst + server_dir=/var/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources +-# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
+-nm_dhcp_servers=$DHCP4_NTP_SERVERS ++dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" + + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" +- for server in $nm_dhcp_servers; do +- echo "server $server $default_server_options" >> "$dhcp_server_file" ++ for server in $dhcp_ntp_servers; do ++ # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) ++ printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue ++ ++ printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" + done + $chronyc reload sources > /dev/null 2>&1 || : + } +@@ -34,10 +35,11 @@ clear_servers_from_dhcp() { + + mkdir -p $server_dir + +-if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then +- add_servers_from_dhcp +-elif [ "$action" = "down" ]; then +- clear_servers_from_dhcp +-fi ++case "$action" in ++ up|dhcp4-change|dhcp6-change) ++ add_servers_from_dhcp;; ++ down) ++ clear_servers_from_dhcp;; ++esac + + exit 0 + +commit e55f174bd3a7ae82fb24afd43443d0b55d5536cf +Author: Miroslav Lichvar +Date: Mon Feb 7 13:27:48 2022 +0100 + + examples: handle more actions in NM dispatcher script + + Run the chronyc onoffline command also when the connectivity-change + and dhcp6-change actions are reported by the NetworkManager dispatcher. + + The latter should not be necessary, but there currently doesn't seem to + be any action for IPv6 becoming routable after duplicate address + detection, so at least in networks using DHCPv6, IPv6 NTP servers should + not be stuck in the offline state from a previously reported action. 
+ +diff --git a/examples/chrony.nm-dispatcher.onoffline b/examples/chrony.nm-dispatcher.onoffline +index 34cfa0db..01e6fdb1 100644 +--- a/examples/chrony.nm-dispatcher.onoffline ++++ b/examples/chrony.nm-dispatcher.onoffline +@@ -7,8 +7,18 @@ export LC_ALL=C + + chronyc=/usr/bin/chronyc + +-# For NetworkManager consider only up/down events +-[ $# -ge 2 ] && [ "$2" != "up" ] && [ "$2" != "down" ] && exit 0 ++# For NetworkManager consider only selected events ++if [ $# -ge 2 ]; then ++ case "$2" in ++ up|down|connectivity-change) ++ ;; ++ dhcp6-change) ++ # No other action is reported for routable IPv6 ++ ;; ++ *) ++ exit 0;; ++ esac ++fi + + # Note: for networkd-dispatcher routable.d ~= on and off.d ~= off + +commit fca8966adaaf8376536af86ba2afe02501463588 +Author: Miroslav Lichvar +Date: Wed Mar 23 15:17:03 2022 +0100 + + examples: replace grep command in NM dispatcher script + + Some grep implementations detect binary data and return success without + matching whole line. This might be an issue for the DHCPv6 NTP FQDN + check. The GNU grep in the C locale seems to check only for the NUL + character, which cannot be passed in an environment variable, but other + implementations might behave differently and there doesn't seem to be a + portable way to force matching the whole line. + + Instead of the grep command, check for invalid characters by comparing + the length of the input passed through "tr -d -c". 
+ +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 4454f037..547ce83f 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -19,7 +19,11 @@ add_servers_from_dhcp() { + rm -f "$dhcp_server_file" + for server in $dhcp_ntp_servers; do + # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) +- printf '%s\n' "$server" | grep -E -q '^[-A-Za-z0-9:.]{1,255}$' || continue ++ len1=$(printf '%s' "$server" | wc -c) ++ len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c) ++ if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then ++ continue ++ fi + + printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" + done From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig @@ -11,33 +154,29 @@ diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher. index 6ea4c37..a6ad35a 100644 --- a/examples/chrony.nm-dispatcher.dhcp 
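Review bot: `for server in $dhcp_ntp_servers` in the new add_servers_from_dhcp body subjects the DHCP-supplied value to pathname expansion as well as word splitting, so a token containing a glob character is replaced by matching names from the dispatcher's working directory before the length/character check runs, and such names can pass the `A-Za-z0-9:.-` check and end up as `server` lines. A `set -f` near the top of the script, next to `export LC_ALL=C`, keeps the check operating on the value NetworkManager actually passed; nothing in the visible hunks relies on globbing. The same loop is rewritten again in the third embedded commit (`@@ -19,7 +19,11 @@`), which would inherit the fix. The enclosing script continues outside this hunk.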
+++ b/examples/chrony.nm-dispatcher.dhcp -@@ -6,16 +6,24 @@ +@@ -8,15 +8,23 @@ export LC_ALL=C + interface=$1 + action=$2 ++[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network ++[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ ++ . /etc/sysconfig/network-scripts/ifcfg-"${interface}" ++ chronyc=/usr/bin/chronyc - default_server_options=iburst +-server_options=iburst -server_dir=/var/run/chrony-dhcp ++server_options=${NTPSERVERARGS:-iburst} +server_dir=/run/chrony-dhcp dhcp_server_file=$server_dir/$interface.sources - # DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. - nm_dhcp_servers=$DHCP4_NTP_SERVERS + dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" -+[ -f /etc/sysconfig/network ] && . /etc/sysconfig/network -+[ -f /etc/sysconfig/network-scripts/ifcfg-"${interface}" ] && \ -+ . /etc/sysconfig/network-scripts/ifcfg-"${interface}" -+ add_servers_from_dhcp() { rm -f "$dhcp_server_file" + + # Don't add NTP servers if PEERNTP=no specified; return early. + [ "$PEERNTP" = "no" ] && return + - for server in $nm_dhcp_servers; do -- echo "server $server $default_server_options" >> "$dhcp_server_file" -+ echo "server $server ${NTPSERVERARGS:-$default_server_options}" >> "$dhcp_server_file" - done - $chronyc reload sources > /dev/null 2>&1 || : - } --- -2.29.2 - + for server in $dhcp_ntp_servers; do + # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) + len1=$(printf '%s' "$server" | wc -c) diff --git a/SOURCES/chrony-seccomp.patch b/SOURCES/chrony-seccomp.patch index 1cc432d..523759c 100644 --- a/SOURCES/chrony-seccomp.patch +++ b/SOURCES/chrony-seccomp.patch 
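Review bot: The `[ "$PEERNTP" = "no" ] && return` line, kept as context in this hunk, removes the sources file but returns before the `$chronyc reload sources` at the end of add_servers_from_dhcp (the function body continues past the hunk), so servers chronyd loaded from that file on an earlier event stay active until some later reload. `[ "$PEERNTP" = "no" ] && { $chronyc reload sources > /dev/null 2>&1 || :; return; }` makes the opt-out take effect at the event that sets it. This is pre-existing behaviour in the distribution part of the patch rather than something introduced by the rebase, so it could equally be fixed in a follow-up.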
@@ -1,30 +1,31 @@ -commit bbbd80bf03223f181d4abf5c8e5fe6136ab6129a -Author: Miroslav Lichvar -Date: Mon Aug 9 11:48:21 2021 +0200 +commit 8bb8f15a7d049ed26c69d95087065b381f76ec4d +Author: Michael Hudson-Doyle +Date: Wed Feb 9 09:06:13 2022 +0100 - sys_linux: allow clone3 and pread64 in seccomp filter + sys_linux: allow rseq in seccomp filter - These seem to be needed with the latest glibc. + Libc 2.35 will use rseq syscalls [1][2] by default and thereby + break chrony in seccomp isolation. + + [1]: https://www.efficios.com/blog/2019/02/08/linux-restartable-sequences/ + [2]: https://sourceware.org/pipermail/libc-alpha/2022-February/136040.html + + Tested-by: Christian Ehrhardt + Reviewed-by: Christian Ehrhardt + Signed-off-by: Michael Hudson-Doyle + Signed-off-by: Christian Ehrhardt diff --git a/sys_linux.c b/sys_linux.c -index 50c08431..2b53f722 100644 +index 9cab2efa..cc3c9311 100644 --- a/sys_linux.c +++ b/sys_linux.c -@@ -503,6 +503,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - - /* Process */ - SCMP_SYS(clone), -+#ifdef __NR_clone3 -+ SCMP_SYS(clone3), +@@ -497,6 +497,9 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) + SCMP_SYS(getrlimit), + SCMP_SYS(getuid), + SCMP_SYS(getuid32), ++#ifdef __NR_rseq ++ SCMP_SYS(rseq), +#endif - SCMP_SYS(exit), - SCMP_SYS(exit_group), - SCMP_SYS(getpid), -@@ -595,6 +598,7 @@ SYS_Linux_EnableSystemCallFilter(int level, SYS_ProcessContext context) - #ifdef __NR_ppoll_time64 - SCMP_SYS(ppoll_time64), - #endif -+ SCMP_SYS(pread64), - SCMP_SYS(pselect6), - #ifdef __NR_pselect6_time64 - SCMP_SYS(pselect6_time64), + SCMP_SYS(rt_sigaction), + SCMP_SYS(rt_sigreturn), + SCMP_SYS(rt_sigprocmask), diff --git a/SOURCES/chrony-services.patch b/SOURCES/chrony-services.patch new file mode 100644 index 0000000..262bf67 --- /dev/null +++ b/SOURCES/chrony-services.patch 
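Review bot: The replaced patch body no longer allow-lists `clone3` and `pread64`, only `rseq`; presumably chrony 4.2 already carries those two upstream, but neither this patch's preamble nor the spec comment (`# update seccomp filter for new glibc`) says so, and a missing entry in the seccomp filter typically shows up at runtime with the filter enabled rather than at build time. A line in the preamble such as `clone3/pread64 are in 4.2 upstream; only rseq (glibc 2.35) is still missing` would make the intent checkable at the next rebase. The `#ifdef __NR_rseq` guard is the right shape for headers that predate the syscall. SYS_Linux_EnableSystemCallFilter continues outside the hunk.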
@@ -0,0 +1,38 @@ +diff -up chrony-4.2/examples/chronyd.service.services chrony-4.2/examples/chronyd.service +--- chrony-4.2/examples/chronyd.service.services 2021-12-16 13:17:42.000000000 +0100 ++++ chrony-4.2/examples/chronyd.service 2022-01-19 13:55:59.066677473 +0100 +@@ -32,8 +32,7 @@ ProtectKernelLogs=yes + ProtectKernelModules=yes + ProtectKernelTunables=yes + ProtectProc=invisible +-ProtectSystem=strict +-ReadWritePaths=/run /var/lib/chrony -/var/log ++ProtectSystem=full + RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + RestrictNamespaces=yes + RestrictSUIDSGID=yes +@@ -42,7 +41,6 @@ SystemCallFilter=~@cpu-emulation @debug + + # Adjust restrictions for /usr/sbin/sendmail (mailonchange directive) + NoNewPrivileges=no +-ReadWritePaths=-/var/spool + RestrictAddressFamilies=AF_NETLINK + + [Install] + +Avoid a SELinux issue + +diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service +index 72b028f2..57646950 100644 +--- a/examples/chrony-wait.service ++++ b/examples/chrony-wait.service +@@ -18,7 +18,7 @@ StandardOutput=null + + CapabilityBoundingSet= + DevicePolicy=closed +-DynamicUser=yes ++#DynamicUser=yes + IPAddressAllow=localhost + IPAddressDeny=any + LockPersonality=yes + diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec index 4c9f83b..3525920 100644 --- a/SPECS/chrony.spec +++ b/SPECS/chrony.spec @@ -1,5 +1,5 @@ %global _hardened_build 1 -%global clknetsim_ver f89702 +%global clknetsim_ver 824c48 %bcond_without debug %bcond_without nts @@ -8,8 +8,8 @@ %endif Name: chrony -Version: 4.1 -Release: 3%{?dist} +Version: 4.2 +Release: 1%{?dist} Summary: An NTP client/server License: GPLv2 
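Review bot: The first embedded hunk replaces `ProtectSystem=strict` and its `ReadWritePaths=/run /var/lib/chrony -/var/log` allow-list with `ProtectSystem=full` without recording why, whereas the chrony-wait.service part at least carries `Avoid a SELinux issue`; `full` leaves all of /var and /run writable to chronyd instead of the three listed paths, so this is a measurable widening of the sandbox and deserves a one-line rationale above the `diff -up` line naming the denial or bug it works around. Commenting out `DynamicUser=yes` in chrony-wait.service also drops the settings DynamicUser implies (a transient unprivileged user plus ProtectSystem=strict, PrivateTmp, NoNewPrivileges and RemoveIPC), so unless a `User=` line exists outside the hunk, chrony-wait now runs as root; if only the dynamic user conflicts with SELinux, `User=chrony` (the account the spec creates) together with explicit hardening lines may be a narrower workaround. The spec's `# revert some hardening options in service files` comment could then point at that rationale.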
@@ -22,14 +22,16 @@ Source3: chrony.dhclient Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} -# add distribution-specific bits to DHCP dispatcher +# add IPv6 support and distribution-specific bits to DHCP dispatcher Patch1: chrony-nm-dispatcher-dhcp.patch # update seccomp filter for new glibc Patch2: chrony-seccomp.patch +# revert some hardening options in service files +Patch3: chrony-services.patch -BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel +BuildRequires: gnutls-devel libcap-devel libedit-devel pps-tools-devel BuildRequires: gcc gcc-c++ make bison systemd gnupg2 -%{?with_nts:BuildRequires: gnutls-devel gnutls-utils} +%{?with_nts:BuildRequires: gnutls-utils} %{?with_seccomp:BuildRequires: libseccomp-devel} Requires(pre): shadow-utils 
@@ -58,18 +60,19 @@ service to other computers in the network. %{?gitpatch:%patch0 -p1} %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .seccomp +%patch3 -p1 -b .services %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} # review changes in packaged configuration files and scripts md5sum -c <<-EOF | (! grep -v 'OK$') - bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service + 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate - a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp - 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline - 32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service + c3992e2f985550739cd1cd95f98c9548 examples/chrony.nm-dispatcher.dhcp + 2b81c60c020626165ac655b2633608eb examples/chrony.nm-dispatcher.onoffline + 619dd00009ea312c7201beefde10341a examples/chronyd.service EOF # don't allow packaging without vendor zone @@ -105,7 +108,10 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim --with-user=chrony \ --with-hwclockfile=%{_sysconfdir}/adjtime \ --with-pidfile=/run/chrony/chronyd.pid \ - --with-sendmail=%{_sbindir}/sendmail + --with-sendmail=%{_sbindir}/sendmail \ + --without-nettle \ + --without-nss \ + --without-tomcrypt %make_build %install @@ -161,8 +167,6 @@ getent passwd chrony > /dev/null || /usr/sbin/useradd -r -g chrony \ : %post -# workaround for late reload of unit file (#1614751) -%{_bindir}/systemctl daemon-reload # migrate from chrony-helper to sourcedir directive if test -a %{_libexecdir}/chrony-helper; then grep -qi 'sourcedir /run/chrony-dhcp$' %{_sysconfdir}/chrony.conf 2> /dev/null || \ 
@@ -202,6 +206,12 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Mar 23 2022 Miroslav Lichvar 4.2-1 +- update to 4.2 (#2051441) +- fully switch from nettle to gnutls (#1953463 #1954483) +- use NTP servers from DHCPv6 NTP server option (#2047415) +- drop obsolete workaround in scriptlet + * Tue Aug 10 2021 Miroslav Lichvar 4.1-3 - update seccomp filter for new glibc (#1990589) - remove unnecessary build requirement