diff --git a/SOURCES/ntp-4.2.6p5-clockstate.patch b/SOURCES/ntp-4.2.6p5-clockstate.patch
new file mode 100644
index 0000000..487cf62
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-clockstate.patch
@@ -0,0 +1,118 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_loopfilter.c.clockstate ntp-4.2.6p5/ntpd/ntp_loopfilter.c
+--- ntp-4.2.6p5/ntpd/ntp_loopfilter.c.clockstate 2015-12-04 13:42:45.807689201 +0100
++++ ntp-4.2.6p5/ntpd/ntp_loopfilter.c 2015-12-04 15:21:34.252296997 +0100
+@@ -189,6 +189,51 @@ init_loopfilter(void)
+ clock_jitter = LOGTOD(sys_precision);
+ }
+
++#ifdef KERNEL_PLL
++/*
++ * ntp_adjtime_wrapper - call ntp_adjtime() and print errors and clock state
++ * changes related to leap seconds
++ */
++static int
++ntp_adjtime_wrapper(struct timex *timex)
++{
++ static int last_ret = TIME_OK;
++ int ret;
++
++ ret = ntp_adjtime(timex);
++
++ if (ret < 0) {
++ msyslog(LOG_ERR, "ntp_adjtime() failed: %s", strerror(errno));
++ return ret;
++ }
++
++ if (ret == last_ret || ret == TIME_ERROR)
++ return ret;
++
++ switch (ret) {
++ case TIME_OK:
++ if (last_ret != TIME_INS && last_ret != TIME_DEL)
++ break;
++ msyslog(LOG_INFO, "kernel leap second %s cancelled",
++ last_ret == TIME_INS ? "insertion" : "deletion");
++ break;
++ case TIME_INS:
++ msyslog(LOG_INFO, "kernel reports leap second insertion scheduled");
++ break;
++ case TIME_DEL:
++ msyslog(LOG_INFO, "kernel reports leap second deletion scheduled");
++ break;
++ case TIME_WAIT:
++ msyslog(LOG_INFO, "kernel reports leap second has occurred");
++ break;
++ }
++
++ last_ret = ret;
++
++ return ret;
++}
++#endif
++
+ /*
+ * local_clock - the NTP logical clock loop filter.
+ *
+@@ -566,7 +611,7 @@ local_clock(
+ * the pps. In any case, fetch the kernel offset,
+ * frequency and jitter.
+ */
+- if (ntp_adjtime(&ntv) == TIME_ERROR) {
++ if (ntp_adjtime_wrapper(&ntv) == TIME_ERROR) {
+ if (!(ntv.status & STA_PPSSIGNAL))
+ report_event(EVNT_KERN, NULL,
+ "PPS no signal");
+@@ -598,7 +643,7 @@ local_clock(
+ loop_tai = sys_tai;
+ ntv.modes = MOD_TAI;
+ ntv.constant = sys_tai;
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ }
+ #endif /* STA_NANO */
+ }
+@@ -775,7 +820,7 @@ direct_freq(
+ */
+ if (pll_control && kern_enable) {
+ memset(&ntv, 0, sizeof(ntv));
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ #ifdef STA_NANO
+ clock_offset = ntv.offset / 1e9;
+ #else /* STA_NANO */
+@@ -811,7 +856,7 @@ set_freq(
+ memset(&ntv, 0, sizeof(ntv));
+ ntv.modes = MOD_FREQUENCY;
+ ntv.freq = DTOFREQ(drift_comp);
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ snprintf(tbuf, sizeof(tbuf), "kernel %.3f PPM",
+ drift_comp * 1e6);
+ report_event(EVNT_FSET, NULL, tbuf);
+@@ -905,7 +950,7 @@ loop_config(
+ pll_control = 0;
+ }
+ if (sigsetjmp(env, 1) == 0)
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ if ((sigaction(SIGSYS, &sigsys,
+ (struct sigaction *)NULL))) {
+ msyslog(LOG_ERR,
+@@ -913,7 +958,7 @@ loop_config(
+ pll_control = 0;
+ }
+ #else /* SIGSYS */
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ #endif /* SIGSYS */
+
+ /*
+@@ -964,7 +1009,7 @@ loop_config(
+ memset((char *)&ntv, 0, sizeof(ntv));
+ ntv.modes = MOD_STATUS;
+ ntv.status = STA_UNSYNC;
+- ntp_adjtime(&ntv);
++ ntp_adjtime_wrapper(&ntv);
+ report_event(EVNT_KERN, NULL,
+ "kernel time sync disabledx");
+ }
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch
new file mode 100644
index 0000000..a774749
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-5194.patch
@@ -0,0 +1,42 @@
+commit 553f2fa65865c31c5e3c48812cfd46176cffdd27
+Author: <davehart@shiny.ad.hartbrothers.com>
+Date: Wed Jul 28 05:33:53 2010 +0000
+
+ [Bug 1593] ntpd abort in free() with logconfig syntax error.
+
+diff --git a/ntpd/ntp_parser.y b/ntpd/ntp_parser.y
+index b3f7ac3..cf8942f 100644
+--- a/ntpd/ntp_parser.y
++++ b/ntpd/ntp_parser.y
+@@ -995,14 +995,24 @@ log_config_list
+ log_config_command
+ : T_String
+ {
+- char prefix = $1[0];
+- char *type = $1 + 1;
++ char prefix;
++ char * type;
+
+- if (prefix != '+' && prefix != '-' && prefix != '=') {
+- yyerror("Logconfig prefix is not '+', '-' or '='\n");
+- }
+- else
+- $$ = create_attr_sval(prefix, estrdup(type));
++ switch ($1[0]) {
++
++ case '+':
++ case '-':
++ case '=':
++ prefix = $1[0];
++ type = $1 + 1;
++ break;
++
++ default:
++ prefix = '=';
++ type = $1;
++ }
++
++ $$ = create_attr_sval(prefix, estrdup(type));
+ YYFREE($1);
+ }
+ ;
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch
new file mode 100644
index 0000000..3b2d9c3
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-5195.patch
@@ -0,0 +1,31 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2015-5195 ntp-4.2.6p5/ntpd/ntp_config.c
+--- ntp-4.2.6p5/ntpd/ntp_config.c.cve-2015-5195 2015-08-20 12:14:23.911585026 +0200
++++ ntp-4.2.6p5/ntpd/ntp_config.c 2015-08-20 12:15:14.850462173 +0200
+@@ -2019,6 +2019,13 @@ config_monitor(
+ while (pfilegen_token != NULL) {
+ filegen_string = keyword(*pfilegen_token);
+ filegen = filegen_get(filegen_string);
++ if (NULL == filegen) {
++ msyslog(LOG_ERR,
++ "stats %s unrecognized",
++ filegen_string);
++ pfilegen_token = next_node(pfilegen_token);
++ continue;
++ }
+
+ DPRINTF(4, ("enabling filegen for %s statistics '%s%s'\n",
+ filegen_string, filegen->prefix,
+@@ -2032,6 +2039,13 @@ config_monitor(
+ while (my_node != NULL) {
+ filegen_file = keyword(my_node->filegen_token);
+ filegen = filegen_get(filegen_file);
++ if (NULL == filegen) {
++ msyslog(LOG_ERR,
++ "filegen category '%s' unrecognized",
++ filegen_file);
++ my_node = next_node(my_node);
++ continue;
++ }
+
+ /* Initialize the filegen variables to their pre-configurtion states */
+ filegen_flag = filegen->flag;
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch b/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch
new file mode 100644
index 0000000..fba2051
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-5219.patch
@@ -0,0 +1,23 @@
+commit 5f295cd05c3c136d39f5b3e500a2d781bdbb59c8
+Author: <stenn@deacon.udel.edu>
+Date: Wed Apr 24 19:13:53 2013 -0400
+
+ [Bug 2382] Implement LOGTOD using ldexp() instead of shifting
+
+diff --git a/include/ntp.h b/include/ntp.h
+index aa45e16..95b2542 100644
+--- a/include/ntp.h
++++ b/include/ntp.h
+@@ -156,10 +156,9 @@ typedef char s_char;
+ #define SQUARE(x) ((x) * (x))
+ #define SQRT(x) (sqrt(x))
+ #define DIFF(x, y) (SQUARE((x) - (y)))
+-#define LOGTOD(a) ((a) < 0 ? 1. / (1L << -(a)) : \
+- 1L << (int)(a)) /* log2 to double */
++#define LOGTOD(a) ldexp(1., (int)(a)) /* log2 to double */
+ #define UNIVAR(x) (SQUARE(.28867513 * LOGTOD(x))) /* std uniform distr */
+-#define ULOGTOD(a) (1L << (int)(a)) /* ulog2 to double */
++#define ULOGTOD(a) ldexp(1., (int)(a)) /* ulog2 to double */
+
+ #define EVENT_TIMEOUT 0 /* one second, that is */
+
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch
new file mode 100644
index 0000000..d920200
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7691_7692_7702.patch
@@ -0,0 +1,217 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2015-7691_7692_7702 ntp-4.2.6p5/ntpd/ntp_crypto.c
+--- ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2015-7691_7692_7702 2015-10-22 13:05:34.696482937 +0200
++++ ntp-4.2.6p5/ntpd/ntp_crypto.c 2015-10-22 13:14:12.473848919 +0200
+@@ -170,6 +170,7 @@ static void cert_free (struct cert_info
+ static struct pkey_info *crypto_key (char *, char *, sockaddr_u *);
+ static void bighash (BIGNUM *, BIGNUM *);
+ static struct cert_info *crypto_cert (char *);
++static u_int exten_payload_size(const struct exten *);
+
+ #ifdef SYS_WINNT
+ int
+@@ -389,7 +390,7 @@ crypto_recv(
+ struct autokey *ap, *bp; /* autokey pointer */
+ struct exten *ep, *fp; /* extension pointers */
+ struct cert_info *xinfo; /* certificate info pointer */
+- int has_mac; /* length of MAC field */
++ int macbytes; /* length of MAC field, signed by intention */
+ int authlen; /* offset of MAC field */
+ associd_t associd; /* association ID */
+ tstamp_t tstamp = 0; /* timestamp */
+@@ -417,7 +418,11 @@ crypto_recv(
+ */
+ authlen = LEN_PKT_NOMAC;
+ hismode = (int)PKT_MODE((&rbufp->recv_pkt)->li_vn_mode);
+- while ((has_mac = rbufp->recv_length - authlen) > MAX_MAC_LEN) {
++ while ((macbytes = rbufp->recv_length - authlen) > (int)MAX_MAC_LEN) {
++ /* We can be reasonably sure that we can read at least
++ * the opcode and the size field here. More stringent
++ * checks follow up shortly.
++ */
+ pkt = (u_int32 *)&rbufp->recv_pkt + authlen / 4;
+ ep = (struct exten *)pkt;
+ code = ntohl(ep->opcode) & 0xffff0000;
+@@ -441,6 +446,18 @@ crypto_recv(
+ code |= CRYPTO_ERROR;
+ }
+
++ /* Check if the declared size fits into the remaining
++ * buffer.
++ */
++ if (len > macbytes) {
++ DPRINTF(1, ("crypto_recv: possible attack detected, associd %d\n",
++ associd));
++ return XEVNT_LEN;
++ }
++
++ /* Check if the paylod of the extension fits into the
++ * declared frame.
++ */
+ if (len >= VALUE_LEN) {
+ tstamp = ntohl(ep->tstamp);
+ fstamp = ntohl(ep->fstamp);
+@@ -1170,9 +1187,8 @@ crypto_xmit(
+ * choice.
+ */
+ case CRYPTO_CERT | CRYPTO_RESP:
+- vallen = ntohl(ep->vallen); /* Must be <64k */
+- if (vallen == 0 || vallen > MAXHOSTNAME ||
+- len - VALUE_LEN < vallen) {
++ vallen = exten_payload_size(ep); /* Must be <64k */
++ if (vallen == 0 || vallen >= sizeof(certname) ) {
+ rval = XEVNT_LEN;
+ break;
+ } else {
+@@ -2134,8 +2150,7 @@ crypto_bob(
+ tstamp_t tstamp; /* NTP timestamp */
+ BIGNUM *bn, *bk, *r;
+ u_char *ptr;
+- u_int len; /* extension field length */
+- u_int vallen = 0; /* value length */
++ u_int len; /* extension field value length */
+
+ /*
+ * If the IFF parameters are not valid, something awful
+@@ -2150,11 +2165,10 @@ crypto_bob(
+ /*
+ * Extract r from the challenge.
+ */
+- vallen = ntohl(ep->vallen);
+- len = ntohl(ep->opcode) & 0x0000ffff;
+- if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
+- return XEVNT_LEN;
+- if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
++ len = exten_payload_size(ep);
++ if (len == 0 || len > MAX_VALLEN)
++ return (XEVNT_LEN);
++ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
+ msyslog(LOG_ERR, "crypto_bob: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return (XEVNT_ERR);
+@@ -2166,7 +2180,7 @@ crypto_bob(
+ */
+ bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
+ sdsa = DSA_SIG_new();
+- BN_rand(bk, vallen * 8, -1, 1); /* k */
++ BN_rand(bk, len * 8, -1, 1); /* k */
+ BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
+ BN_add(bn, bn, bk);
+ BN_mod(bn, bn, dsa->q, bctx); /* k + b r mod q */
+@@ -2185,16 +2199,16 @@ crypto_bob(
+ * Encode the values in ASN.1 and sign. The filestamp is from
+ * the local file.
+ */
+- vallen = i2d_DSA_SIG(sdsa, NULL);
+- if (vallen == 0) {
++ len = i2d_DSA_SIG(sdsa, NULL);
++ if (len == 0) {
+ msyslog(LOG_ERR, "crypto_bob: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ DSA_SIG_free(sdsa);
+ return (XEVNT_ERR);
+ }
+- if (vallen > MAX_VALLEN) {
+- msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
+- vallen);
++ if (len > MAX_VALLEN) {
++ msyslog(LOG_ERR, "crypto_bob: signature is too big: %u",
++ len);
+ DSA_SIG_free(sdsa);
+ return (XEVNT_LEN);
+ }
+@@ -2202,8 +2216,8 @@ crypto_bob(
+ tstamp = crypto_time();
+ vp->tstamp = htonl(tstamp);
+ vp->fstamp = htonl(iffkey_info->fstamp);
+- vp->vallen = htonl(vallen);
+- ptr = emalloc(vallen);
++ vp->vallen = htonl(len);
++ ptr = emalloc(len);
+ vp->ptr = ptr;
+ i2d_DSA_SIG(sdsa, &ptr);
+ DSA_SIG_free(sdsa);
+@@ -2214,9 +2228,9 @@ crypto_bob(
+ vp->sig = emalloc(sign_siglen);
+ EVP_SignInit(&ctx, sign_digest);
+ EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
+- EVP_SignUpdate(&ctx, vp->ptr, vallen);
+- if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+- vp->siglen = htonl(sign_siglen);
++ EVP_SignUpdate(&ctx, vp->ptr, len);
++ if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
++ vp->siglen = htonl(len);
+ return (XEVNT_OK);
+ }
+
+@@ -2462,7 +2476,9 @@ crypto_bob2(
+ /*
+ * Extract r from the challenge.
+ */
+- len = ntohl(ep->vallen);
++ len = exten_payload_size(ep);
++ if (len == 0 || len > MAX_VALLEN)
++ return (XEVNT_LEN);
+ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
+ msyslog(LOG_ERR, "crypto_bob2: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+@@ -2787,7 +2803,9 @@ crypto_bob3(
+ /*
+ * Extract r from the challenge.
+ */
+- len = ntohl(ep->vallen);
++ len = exten_payload_size(ep);
++ if (len == 0 || len > MAX_VALLEN)
++ return (XEVNT_LEN);
+ if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
+ msyslog(LOG_ERR, "crypto_bob3: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+@@ -3002,8 +3020,11 @@ cert_sign(
+ if (tstamp == 0)
+ return (XEVNT_TSP);
+
++ len = exten_payload_size(ep);
++ if (len == 0 || len > MAX_VALLEN)
++ return (XEVNT_LEN);
+ ptr = (u_char *)ep->pkt;
+- if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) {
++ if ((req = d2i_X509(NULL, &ptr, len)) == NULL) {
+ msyslog(LOG_ERR, "cert_sign: %s",
+ ERR_error_string(ERR_get_error(), NULL));
+ return (XEVNT_CRT);
+@@ -3968,6 +3989,36 @@ crypto_config(
+ break;
+ }
+ }
++
++/*
++ * Get payload size (internal value length) of an extension packet. If
++ * the inner value length does not match the outer packet length (that
++ * is, the value would end behind the frame given by the opcode/size
++ * field) the function will efectively return UINT_MAX. If the frame is
++ * too short to holda variable-sized value, the return value is zero.
++ */
++static u_int
++exten_payload_size(
++ const struct exten * ep)
++{
++ typedef const u_char *BPTR;
++
++ size_t extn_size;
++ size_t data_size;
++ size_t head_size;
++
++ data_size = 0;
++ if (NULL != ep) {
++ head_size = (BPTR)(&ep->vallen + 1) - (BPTR)ep;
++ extn_size = (uint16_t)(ntohl(ep->opcode) & 0x0000ffff);
++ if (extn_size >= head_size) {
++ data_size = (uint32_t)ntohl(ep->vallen);
++ if (data_size > extn_size - head_size)
++ data_size = ~(size_t)0u;
++ }
++ }
++ return (u_int)data_size;
++}
+ # else
+ int ntp_crypto_bs_pubkey;
+ # endif /* OPENSSL */
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch
new file mode 100644
index 0000000..2015c9a
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7701.patch
@@ -0,0 +1,19 @@
+commit d7cd5e186034340402f1393e0813c7d2b14ea6ca
+Author: <jnperlin@hydra.localnet>
+Date: Mon Sep 28 18:22:06 2015 +0200
+
+ [Bug 2909] - Slow memory leak in CRYPTO_ASSOC
+ - added missing call to 'free()' in ntp_crypto.c.
+
+diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c
+index e9cd6c2..a7b693f 100644
+--- a/ntpd/ntp_crypto.c
++++ b/ntpd/ntp_crypto.c
+@@ -508,6 +508,7 @@ crypto_recv(
+ rval = XEVNT_ERR;
+ break;
+ }
++ free(peer->cmmd); /* will be set again! */
+ }
+ fp = emalloc(len);
+ memcpy(fp, ep, len);
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch
new file mode 100644
index 0000000..2b0cb00
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7703.patch
@@ -0,0 +1,52 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.cve-2015-7703 ntp-4.2.6p5/ntpd/ntp_parser.y
+--- ntp-4.2.6p5/ntpd/ntp_parser.y.cve-2015-7703 2015-08-20 12:21:43.206525550 +0200
++++ ntp-4.2.6p5/ntpd/ntp_parser.y 2015-08-20 12:31:04.223172507 +0200
+@@ -1005,23 +1005,43 @@ misc_cmd_int_keyword
+
+ misc_cmd_str_keyword
+ : T_Leapfile
+- | T_Pidfile
+ | T_Qos
+ ;
+
+ misc_cmd_str_lcl_keyword
+ : T_Logfile
++ | T_Pidfile
+ | T_Saveconfigdir
+ ;
+
+ drift_parm
+ : T_String
+- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); }
++ {
++ if (input_from_file) {
++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1));
++ } else {
++ YYFREE($1);
++ yyerror("driftfile remote configuration ignored");
++ }
++ }
+ | T_String T_Double
+- { enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2));
+- enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1)); }
++ {
++ if (input_from_file) {
++ enqueue(cfgt.vars, create_attr_dval(T_WanderThreshold, $2));
++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, $1));
++ } else {
++ YYFREE($1);
++ yyerror("driftfile remote configuration ignored");
++ }
++ }
+ | /* Null driftfile, indicated by null string "\0" */
+- { enqueue(cfgt.vars, create_attr_sval(T_Driftfile, "\0")); }
++ {
++ if (input_from_file) {
++ enqueue(cfgt.vars, create_attr_sval(T_Driftfile, estrdup("")));
++ } else {
++ yyerror("driftfile remote configuration ignored");
++ }
++ }
+ ;
+
+ variable_assign
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch
new file mode 100644
index 0000000..1bac599
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7852.patch
@@ -0,0 +1,22 @@
+diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-7852 ntp-4.2.6p5/ntpq/ntpq.c
+--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-7852 2015-10-21 19:38:34.008129649 +0200
++++ ntp-4.2.6p5/ntpq/ntpq.c 2015-10-21 19:39:40.207742621 +0200
+@@ -3449,12 +3449,17 @@ cookedprint(
+ char bv[401];
+ int len;
+
++ /* TALOS-CAN-0063: avoid buffer overrun */
+ atoascii(name, MAXVARLEN, bn, sizeof(bn));
+- atoascii(value, MAXVARLEN, bv, sizeof(bv));
+ if (output_raw != '*') {
++ atoascii(value, MAXVALLEN,
++ bv, sizeof(bv) - 1);
+ len = strlen(bv);
+ bv[len] = output_raw;
+ bv[len+1] = '\0';
++ } else {
++ atoascii(value, MAXVALLEN,
++ bv, sizeof(bv));
+ }
+ output(fp, bn, bv);
+ }
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch
new file mode 100644
index 0000000..2f05130
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7974.patch
@@ -0,0 +1,20 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-7974 2016-01-21 14:06:18.958346184 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2016-01-21 14:16:34.894828262 +0100
+@@ -674,10 +674,13 @@ receive(
+ * succeed in bloating the key cache. If an autokey,
+ * purge it immediately, since we won't be needing it
+ * again. If the packet is authentic, it can mobilize an
+- * association. Note that there is no key zero.
++ * association. If it's a persistent association using a
++ * symmetric key, the key ID has to match the configured
++ * value. Note that there is no key zero.
+ */
+- if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
+- has_mac))
++ if ((peer && !(peer->flags & FLAG_PREEMPT) &&
++ peer->keyid <= NTP_MAXKEY && skeyid != peer->keyid) ||
++ !authdecrypt(skeyid, (u_int32 *)pkt, authlen, has_mac))
+ is_authentic = AUTH_ERROR;
+ else
+ is_authentic = AUTH_OK;
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch b/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch
new file mode 100644
index 0000000..ddcd91a
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-7977_7978.patch
@@ -0,0 +1,183 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 ntp-4.2.6p5/ntpd/ntp_request.c
+--- ntp-4.2.6p5/ntpd/ntp_request.c.cve-2015-7977_7978 2011-12-01 03:55:17.000000000 +0100
++++ ntp-4.2.6p5/ntpd/ntp_request.c 2016-01-20 11:14:20.855586406 +0100
+@@ -1730,56 +1730,143 @@ setclr_flags(
+ loop_config(LOOP_DRIFTCOMP, drift_comp);
+ }
+
++/* There have been some issues with the restrict list processing,
++ * ranging from problems with deep recursion (resulting in stack
++ * overflows) and overfull reply buffers.
++ *
++ * To avoid this trouble the list reversal is done iteratively using a
++ * scratch pad.
++ */
++typedef struct RestrictStack RestrictStackT;
++struct RestrictStack {
++ RestrictStackT *link;
++ size_t fcnt;
++ const restrict_u *pres[63];
++};
++
++static size_t
++getStackSheetSize(
++ RestrictStackT *sp
++ )
++{
++ if (sp)
++ return sizeof(sp->pres)/sizeof(sp->pres[0]);
++ return 0u;
++}
++
++static int/*BOOL*/
++pushRestriction(
++ RestrictStackT **spp,
++ const restrict_u *ptr
++ )
++{
++ RestrictStackT *sp;
++
++ if (NULL == (sp = *spp) || 0 == sp->fcnt) {
++ /* need another sheet in the scratch pad */
++ sp = emalloc(sizeof(*sp));
++ sp->link = *spp;
++ sp->fcnt = getStackSheetSize(sp);
++ *spp = sp;
++ }
++ sp->pres[--sp->fcnt] = ptr;
++ return TRUE;
++}
++
++static int/*BOOL*/
++popRestriction(
++ RestrictStackT **spp,
++ const restrict_u **opp
++ )
++{
++ RestrictStackT *sp;
++
++ if (NULL == (sp = *spp) || sp->fcnt >= getStackSheetSize(sp))
++ return FALSE;
++
++ *opp = sp->pres[sp->fcnt++];
++ if (sp->fcnt >= getStackSheetSize(sp)) {
++ /* discard sheet from scratch pad */
++ *spp = sp->link;
++ free(sp);
++ }
++ return TRUE;
++}
++
++static void
++flushRestrictionStack(
++ RestrictStackT **spp
++ )
++{
++ RestrictStackT *sp;
++
++ while (NULL != (sp = *spp)) {
++ *spp = sp->link;
++ free(sp);
++ }
++}
++
+ /*
+- * list_restrict4 - recursive helper for list_restrict dumps IPv4
++ * list_restrict4 - iterative helper for list_restrict dumps IPv4
+ * restriction list in reverse order.
+ */
+ static void
+ list_restrict4(
+- restrict_u * res,
++ const restrict_u * res,
+ struct info_restrict ** ppir
+ )
+ {
++ RestrictStackT * rpad;
+ struct info_restrict * pir;
+
+- if (res->link != NULL)
+- list_restrict4(res->link, ppir);
+-
+ pir = *ppir;
+- pir->addr = htonl(res->u.v4.addr);
+- if (client_v6_capable)
+- pir->v6_flag = 0;
+- pir->mask = htonl(res->u.v4.mask);
+- pir->count = htonl(res->count);
+- pir->flags = htons(res->flags);
+- pir->mflags = htons(res->mflags);
+- *ppir = (struct info_restrict *)more_pkt();
++ for (rpad = NULL; res; res = res->link)
++ if (!pushRestriction(&rpad, res))
++ break;
++
++ while (pir && popRestriction(&rpad, &res)) {
++ pir->addr = htonl(res->u.v4.addr);
++ if (client_v6_capable)
++ pir->v6_flag = 0;
++ pir->mask = htonl(res->u.v4.mask);
++ pir->count = htonl(res->count);
++ pir->flags = htons(res->flags);
++ pir->mflags = htons(res->mflags);
++ pir = (struct info_restrict *)more_pkt();
++ }
++ flushRestrictionStack(&rpad);
++ *ppir = pir;
+ }
+
+-
+ /*
+- * list_restrict6 - recursive helper for list_restrict dumps IPv6
++ * list_restrict6 - iterative helper for list_restrict dumps IPv6
+ * restriction list in reverse order.
+ */
+ static void
+ list_restrict6(
+- restrict_u * res,
++ const restrict_u * res,
+ struct info_restrict ** ppir
+ )
+ {
++ RestrictStackT * rpad;
+ struct info_restrict * pir;
+
+- if (res->link != NULL)
+- list_restrict6(res->link, ppir);
+-
+ pir = *ppir;
+- pir->addr6 = res->u.v6.addr;
+- pir->mask6 = res->u.v6.mask;
+- pir->v6_flag = 1;
+- pir->count = htonl(res->count);
+- pir->flags = htons(res->flags);
+- pir->mflags = htons(res->mflags);
+- *ppir = (struct info_restrict *)more_pkt();
++ for (rpad = NULL; res; res = res->link)
++ if (!pushRestriction(&rpad, res))
++ break;
++
++ while (pir && popRestriction(&rpad, &res)) {
++ pir->addr6 = res->u.v6.addr;
++ pir->mask6 = res->u.v6.mask;
++ pir->v6_flag = 1;
++ pir->count = htonl(res->count);
++ pir->flags = htons(res->flags);
++ pir->mflags = htons(res->mflags);
++ pir = (struct info_restrict *)more_pkt();
++ }
++ flushRestrictionStack(&rpad);
++ *ppir = pir;
+ }
+
+
+@@ -1803,8 +1890,7 @@ list_restrict(
+ /*
+ * The restriction lists are kept sorted in the reverse order
+ * than they were originally. To preserve the output semantics,
+- * dump each list in reverse order. A recursive helper function
+- * achieves that.
++ * dump each list in reverse order. The workers take care of that.
+ */
+ list_restrict4(restrictlist4, &ir);
+ if (client_v6_capable)
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch b/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch
new file mode 100644
index 0000000..0767b30
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-8158.patch
@@ -0,0 +1,126 @@
+diff -U0 ntp-4.2.6p5/ChangeLog.cve-2015-8158 ntp-4.2.6p5/ChangeLog
+diff -up ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 ntp-4.2.6p5/ntpdc/ntpdc.c
+--- ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2015-8158 2016-01-20 14:06:21.035659659 +0100
++++ ntp-4.2.6p5/ntpdc/ntpdc.c 2016-01-20 14:25:39.734622168 +0100
+@@ -657,6 +657,10 @@ getresponse(
+ fd_set fds;
+ int n;
+ int pad;
++ /* absolute timeout checks. Not 'time_t' by intention! */
++ uint32_t tobase; /* base value for timeout */
++ uint32_t tospan; /* timeout span (max delay) */
++ uint32_t todiff; /* current delay */
+
+ /*
+ * This is pretty tricky. We may get between 1 and many packets
+@@ -673,12 +677,14 @@ getresponse(
+ lastseq = 999; /* too big to be a sequence number */
+ memset(haveseq, 0, sizeof(haveseq));
+ FD_ZERO(&fds);
++ tobase = (uint32_t)time(NULL);
+
+ again:
+ if (firstpkt)
+ tvo = tvout;
+ else
+ tvo = tvsout;
++ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
+
+ FD_SET(sockfd, &fds);
+ n = select(sockfd+1, &fds, (fd_set *)0, (fd_set *)0, &tvo);
+@@ -687,6 +693,17 @@ getresponse(
+ warning("select fails", "", "");
+ return -1;
+ }
++
++ /*
++ * Check if this is already too late. Trash the data and fake a
++ * timeout if this is so.
++ */
++ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
++ if ((n > 0) && (todiff > tospan)) {
++ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
++ n = 0; /* faked timeout return from 'select()'*/
++ }
++
+ if (n == 0) {
+ /*
+ * Timed out. Return what we have
+@@ -831,8 +848,10 @@ getresponse(
+ }
+
+ /*
+- * So far, so good. Copy this data into the output array.
++ * So far, so good. Copy this data into the output array. Bump
++ * the timeout base, in case we expect more data.
+ */
++ tobase = (uint32_t)time(NULL);
+ if ((datap + datasize + (pad * items)) > (pktdata + pktdatasize)) {
+ int offset = datap - pktdata;
+ growpktdata();
+diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 ntp-4.2.6p5/ntpq/ntpq.c
+--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2015-8158 2016-01-20 14:06:21.493660755 +0100
++++ ntp-4.2.6p5/ntpq/ntpq.c 2016-01-20 14:13:56.132819820 +0100
+@@ -836,6 +836,10 @@ getresponse(
+ int len;
+ int first;
+ char *data;
++ /* absolute timeout checks. Not 'time_t' by intention! */
++ uint32_t tobase; /* base value for timeout */
++ uint32_t tospan; /* timeout span (max delay) */
++ uint32_t todiff; /* current delay */
+
+ /*
+ * This is pretty tricky. We may get between 1 and MAXFRAG packets
+@@ -852,6 +856,8 @@ getresponse(
+ numfrags = 0;
+ seenlastfrag = 0;
+
++ tobase = (uint32_t)time(NULL);
++
+ FD_ZERO(&fds);
+
+ /*
+@@ -864,7 +870,8 @@ getresponse(
+ tvo = tvout;
+ else
+ tvo = tvsout;
+-
++ tospan = (uint32_t)tvo.tv_sec + (tvo.tv_usec != 0);
++
+ FD_SET(sockfd, &fds);
+ n = select(sockfd + 1, &fds, NULL, NULL, &tvo);
+
+@@ -872,6 +879,17 @@ getresponse(
+ warning("select fails", "", "");
+ return -1;
+ }
++
++ /*
++ * Check if this is already too late. Trash the data and
++ * fake a timeout if this is so.
++ */
++ todiff = (((uint32_t)time(NULL)) - tobase) & 0x7FFFFFFFu;
++ if ((n > 0) && (todiff > tospan)) {
++ n = recv(sockfd, (char *)&rpkt, sizeof(rpkt), 0);
++ n = 0; /* faked timeout return from 'select()'*/
++ }
++
+ if (n == 0) {
+ /*
+ * Timed out. Return what we have
+@@ -1166,10 +1184,13 @@ getresponse(
+ }
+
+ /*
+- * Copy the data into the data buffer.
++ * Copy the data into the data buffer, and bump the
++ * timout base in case we need more.
+ */
+ memcpy((char *)pktdata + offset, rpkt.data, count);
+
++ tobase = (uint32_t)time(NULL);
++
+ /*
+ * If we've seen the last fragment, look for holes in the sequence.
+ * If there aren't any, we're done.
diff --git a/SOURCES/ntp-4.2.6p5-leapreset.patch b/SOURCES/ntp-4.2.6p5-leapreset.patch
new file mode 100644
index 0000000..81722fb
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-leapreset.patch
@@ -0,0 +1,18 @@
+commit 5f0420ad1ee3528bf83a28ea54c51af2b09ecfa5
+Author: <harlan@hms-mbp11.local>
+Date: Mon Nov 19 20:17:35 2012 -0800
+
+ [Bug 2246] Clear sys_leap when voting says to disarm the leap
+
+diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
+index 1259d52..397a80f 100644
+--- a/ntpd/ntp_proto.c
++++ b/ntpd/ntp_proto.c
+@@ -1948,6 +1948,7 @@ clock_update(
+ } else if (leapsec > 0) {
+ report_event(EVNT_DISARMED, NULL, NULL);
+ leapsec = 0;
++ sys_leap = LEAP_NOWARNING;
+ }
+ break;
+
diff --git a/SOURCES/ntp-4.2.6p5-rawstats.patch b/SOURCES/ntp-4.2.6p5-rawstats.patch
new file mode 100644
index 0000000..3e6fe67
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-rawstats.patch
@@ -0,0 +1,142 @@
+commit 63b405a67040ad6545abb102bf0714ccb5a50558
+Author: <murray@pogo.udel.edu>
+Date: Thu Dec 27 20:09:00 2012 -0500
+
+ ntp_util.c, ntpd.h, ChangeLog, ntp_proto.c:
+ Fix for bug 2081
+
+diff -up ntp-4.2.6p5/include/ntpd.h.rawstats ntp-4.2.6p5/include/ntpd.h
+--- ntp-4.2.6p5/include/ntpd.h.rawstats 2015-07-22 14:19:37.220167860 +0200
++++ ntp-4.2.6p5/include/ntpd.h 2015-07-22 14:20:52.819392212 +0200
+@@ -244,7 +244,7 @@ extern void record_peer_stats (sockaddr_
+ extern void record_proto_stats (char *);
+ extern void record_loop_stats (double, double, double, double, int);
+ extern void record_clock_stats (sockaddr_u *, const char *);
+-extern void record_raw_stats (sockaddr_u *, sockaddr_u *, l_fp *, l_fp *, l_fp *, l_fp *);
++extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int poll, int precision, double root_delay, double root_dispersion, u_int32 refid);
+ extern u_long leap_month(u_long);
+ extern void record_crypto_stats (sockaddr_u *, const char *);
+ #ifdef DEBUG
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.rawstats ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.rawstats 2015-07-22 14:19:37.218167854 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2015-07-22 14:19:37.221167862 +0200
+@@ -1341,7 +1341,7 @@ process_packet(
+ double t34, t21;
+ double p_offset, p_del, p_disp;
+ l_fp p_rec, p_xmt, p_org, p_reftime, ci;
+- u_char pmode, pleap, pstratum;
++ u_char pmode, pleap, pversion, pstratum;
+ char statstr[NTP_MAXSTRLEN];
+ #ifdef ASSYM
+ int itemp;
+@@ -1359,14 +1359,17 @@ process_packet(
+ NTOHL_FP(&pkt->xmt, &p_xmt);
+ pmode = PKT_MODE(pkt->li_vn_mode);
+ pleap = PKT_LEAP(pkt->li_vn_mode);
++ pversion = PKT_VERSION(pkt->li_vn_mode);
+ pstratum = PKT_TO_STRATUM(pkt->stratum);
+
+ /*
+ * Capture the header values in the client/peer association..
+ */
+ record_raw_stats(&peer->srcadr, peer->dstadr ?
+- &peer->dstadr->sin : NULL, &p_org, &p_rec, &p_xmt,
+- &peer->dst);
++ &peer->dstadr->sin : NULL,
++ &p_org, &p_rec, &p_xmt, &peer->dst,
++ pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision,
++ p_del, p_disp, pkt->refid);
+ peer->leap = pleap;
+ peer->stratum = min(pstratum, STRATUM_UNSPEC);
+ peer->pmode = pmode;
+diff -up ntp-4.2.6p5/ntpd/ntp_util.c.rawstats ntp-4.2.6p5/ntpd/ntp_util.c
+--- ntp-4.2.6p5/ntpd/ntp_util.c.rawstats 2010-10-22 09:37:31.000000000 +0200
++++ ntp-4.2.6p5/ntpd/ntp_util.c 2015-07-22 14:19:37.221167862 +0200
+@@ -707,7 +707,16 @@ record_raw_stats(
+ l_fp *t1, /* originate timestamp */
+ l_fp *t2, /* receive timestamp */
+ l_fp *t3, /* transmit timestamp */
+- l_fp *t4 /* destination timestamp */
++ l_fp *t4, /* destination timestamp */
++ int leap,
++ int version,
++ int mode,
++ int stratum,
++ int poll,
++ int precision,
++ double root_delay, /* seconds */
++ double root_dispersion,/* seconds */
++ u_int32 refid
+ )
+ {
+ l_fp now;
+@@ -721,10 +730,13 @@ record_raw_stats(
+ day = now.l_ui / 86400 + MJD_1900;
+ now.l_ui %= 86400;
+ if (rawstats.fp != NULL) {
+- fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s\n", day,
+- ulfptoa(&now, 3), stoa(srcadr), dstadr ?
+- stoa(dstadr) : "-", ulfptoa(t1, 9), ulfptoa(t2, 9),
+- ulfptoa(t3, 9), ulfptoa(t4, 9));
++ fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s\n",
++ day, ulfptoa(&now, 3),
++ stoa(srcadr), dstadr ? stoa(dstadr) : "-",
++ ulfptoa(t1, 9), ulfptoa(t2, 9),
++ ulfptoa(t3, 9), ulfptoa(t4, 9),
++ leap, version, mode, stratum, poll, precision,
++ root_delay, root_dispersion, refid_str(refid, stratum));
+ fflush(rawstats.fp);
+ }
+ }
+
+commit f626c563dbf6c00c40f9d12e8200b427759ed0bf
+Author: <davehart@shiny.ad.hartbrothers.com>
+Date: Sat Dec 25 06:12:51 2010 +0000
+
+ Add ntpq sysinfo command, similar to ntpdc's sysinfo.
+
+diff --git a/libntp/numtoa.c b/libntp/numtoa.c
+index 36a7c58..0fbbab7 100644
+--- a/libntp/numtoa.c
++++ b/libntp/numtoa.c
+@@ -31,3 +31,29 @@ numtoa(
+ (u_long)netnum & 0xff);
+ return buf;
+ }
++
++
++/* Convert a refid & stratum to a string */
++const char *
++refid_str(
++ u_int32 refid,
++ int stratum
++ )
++{
++ char * text;
++ size_t tlen;
++
++ if (stratum > 1)
++ return numtoa(refid);
++
++ LIB_GETBUF(text);
++ text[0] = '.';
++ strncpy(&text[1], (void *)&refid, sizeof(refid));
++ text[1 + sizeof(refid)] = '\0';
++ tlen = strlen(text);
++ text[tlen] = '.';
++ text[tlen + 1] = '\0';
++
++ return text;
++}
++
+diff -up ntp-4.2.6p5/include/ntp_stdlib.h.rawstats ntp-4.2.6p5/include/ntp_stdlib.h
+--- ntp-4.2.6p5/include/ntp_stdlib.h.rawstats 2015-07-22 15:13:16.870503486 +0200
++++ ntp-4.2.6p5/include/ntp_stdlib.h 2015-07-22 15:14:21.893714802 +0200
+@@ -134,6 +134,7 @@ extern char * socktohost (const sockaddr
+ extern int octtoint (const char *, u_long *);
+ extern u_long ranp2 (int);
+ extern char * refnumtoa (sockaddr_u *);
++extern const char *refid_str (u_int32, int);
+ extern int tsftomsu (u_long, int);
+ extern char * uinttoa (u_long);
+
diff --git a/SOURCES/ntp-4.2.6p5-restrict46.patch b/SOURCES/ntp-4.2.6p5-restrict46.patch
new file mode 100644
index 0000000..7add549
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-restrict46.patch
@@ -0,0 +1,12 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.restrict46 ntp-4.2.6p5/ntpd/ntp_parser.y
+--- ntp-4.2.6p5/ntpd/ntp_parser.y.restrict46 2015-12-03 18:14:32.378326330 +0100
++++ ntp-4.2.6p5/ntpd/ntp_parser.y 2015-12-03 18:21:08.369300132 +0100
+@@ -734,7 +734,7 @@ access_control_command
+ $4,
+ ip_file->line_no));
+ }
+- | T_Restrict ip_address T_Mask ip_address ac_flag_list
++ | T_Restrict address T_Mask ip_address ac_flag_list
+ {
+ enqueue(cfgt.restrict_opts,
+ create_restrict_node($2, $4, $5, ip_file->line_no));
diff --git a/SOURCES/ntpstat-0.2-manual.patch b/SOURCES/ntpstat-0.2-manual.patch
new file mode 100644
index 0000000..99dbb6a
--- /dev/null
+++ b/SOURCES/ntpstat-0.2-manual.patch
@@ -0,0 +1,41 @@
+diff -up ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual ntp-4.2.6p5/ntpstat-0.2/ntpstat.1
+--- ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual 2002-06-10 08:02:12.000000000 +0200
++++ ntp-4.2.6p5/ntpstat-0.2/ntpstat.1 2015-12-04 17:28:23.379793604 +0100
+@@ -1,4 +1,4 @@
+-.TH ntpstat 1 "$Date: 2001/06/22 03:27:10 $"
++.TH ntpstat 1
+ .UC 4
+ .SH NAME
+ ntpstat \- show network time synchronisation status
+@@ -6,12 +6,18 @@ ntpstat \- show network time synchronisa
+ .B ntpstat
+ .SH DESCRIPTION
+ .I ntpstat
+-will report the synchronisation state of the NTP daemon
++will report the synchronisation state of the NTP daemon (ntpd)
+ running on the local machine. If the local system is found to be
+ synchronised to a reference time source,
+ .I ntpstat
+ will report the approximate time accuracy.
+
++When the synchronised state is reported, it means the system clock was updated
++at some point. There is no timeout for this state. It will stay there even
++when the source becomes unreachable and there are no other sources available.
++However, the reported accuracy will be slowly increasing, in the default ntpd
++configuration by 15 microseconds per second.
++
+ .SH RETURNS
+ .I ntpstat
+ returns 0 if clock is synchronised.
+@@ -22,7 +28,10 @@ returns 2 if clock state is indeterminan
+ if ntpd is not contactable.
+
+ .SH SEE ALSO
+-ntpdc, ntpdq
++.BR ntp_misc (5),
++.BR ntpd (8),
++.BR ntpq (8),
++.BR ntpdc (8)
+
+ .SH AUTHOR
+ G. Richard Keech (rkeech@redhat.com)
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 02b1f82..4bc1756 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
Summary: The NTP daemon and utilities
Name: ntp
Version: 4.2.6p5
-Release: 22%{?dist}.2
+Release: 25%{?dist}
# primary license (COPYRIGHT) : MIT
# ElectricFence/ (not used) : GPLv2
# kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -133,27 +133,57 @@ Patch42: ntp-4.2.6p5-dscp.patch
Patch43: ntp-4.2.6p5-cve-2015-7704.patch
# allow only one step larger than panic threshold with -g
Patch44: ntp-4.2.6p5-cve-2015-5300.patch
+# ntpbz #2246
+Patch45: ntp-4.2.6p5-leapreset.patch
+# ntpbz #2081
+Patch46: ntp-4.2.6p5-rawstats.patch
+# ntpbz #2639, #2880
+Patch47: ntp-4.2.6p5-clockstate.patch
+# ntpbz #2851
+Patch48: ntp-4.2.6p5-restrict46.patch
+# ntpbz #1593
+Patch49: ntp-4.2.6p5-cve-2015-5194.patch
+# fix crash when referencing disabled statistic type
+Patch50: ntp-4.2.6p5-cve-2015-5195.patch
+# don't hang in sntp with crafted reply
+Patch51: ntp-4.2.6p5-cve-2015-5219.patch
+# ntpbz #2909
+Patch52: ntp-4.2.6p5-cve-2015-7701.patch
+# ntpbz #2899
+Patch53: ntp-4.2.6p5-cve-2015-7691_7692_7702.patch
+# ntpbz #2919
+Patch54: ntp-4.2.6p5-cve-2015-7852.patch
+# ntpbz #2902
+Patch55: ntp-4.2.6p5-cve-2015-7703.patch
# ntpbz #2945
-Patch45: ntp-4.2.6p5-cve-2015-8138.patch
+Patch56: ntp-4.2.6p5-cve-2015-8138.patch
+# ntpbz #2939, #2940
+Patch57: ntp-4.2.6p5-cve-2015-7977_7978.patch
+# ntpbz #2948
+Patch58: ntp-4.2.6p5-cve-2015-8158.patch
+# ntpbz #2936
+Patch59: ntp-4.2.6p5-cve-2015-7974.patch
# ntpbz #2942, ntpbz #3007
-Patch46: ntp-4.2.6p5-cve-2015-7979.patch
+Patch60: ntp-4.2.6p5-cve-2015-7979.patch
# ntpbz #2978
-Patch47: ntp-4.2.6p5-cve-2016-1548.patch
+Patch61: ntp-4.2.6p5-cve-2016-1548.patch
# ntpbz #3009
-Patch48: ntp-4.2.6p5-cve-2016-2518.patch
+Patch62: ntp-4.2.6p5-cve-2016-2518.patch
# ntpbz #2879
-Patch49: ntp-4.2.6p5-cve-2016-1550.patch
+Patch63: ntp-4.2.6p5-cve-2016-1550.patch
# handle unknown clock types
-Patch50: ntpstat-0.2-clksrc.patch
+Patch100: ntpstat-0.2-clksrc.patch
# process first packet in multipacket response
-Patch51: ntpstat-0.2-multipacket.patch
+Patch101: ntpstat-0.2-multipacket.patch
# use current system variable names
-Patch52: ntpstat-0.2-sysvars.patch
+Patch102: ntpstat-0.2-sysvars.patch
# print synchronization distance instead of dispersion
-Patch53: ntpstat-0.2-maxerror.patch
+Patch103: ntpstat-0.2-maxerror.patch
# fix error bit checking
-Patch54: ntpstat-0.2-errorbit.patch
+Patch104: ntpstat-0.2-errorbit.patch
+# improve man page
+Patch105: ntpstat-0.2-manual.patch
URL: http://www.ntp.org
Requires(post): systemd-units
@@ -224,7 +254,7 @@ This package contains NTP documentation in HTML format.
# pool.ntp.org vendor zone which will be used in ntp.conf
%if 0%{!?vendorzone:1}
%{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
%endif
%prep
@@ -275,18 +305,33 @@ This package contains NTP documentation in HTML format.
%patch42 -p1 -b .dscp
%patch43 -p1 -b .cve-2015-7704
%patch44 -p1 -b .cve-2015-5300
-%patch45 -p1 -b .cve-2015-8138
-%patch46 -p1 -b .cve-2015-7979
-%patch47 -p1 -b .cve-2016-1548
-%patch48 -p1 -b .cve-2016-2518
-%patch49 -p1 -b .cve-2016-1550
+%patch45 -p1 -b .leapreset
+%patch46 -p1 -b .rawstats
+%patch47 -p1 -b .clockstate
+%patch48 -p1 -b .restrict46
+%patch49 -p1 -b .cve-2015-5194
+%patch50 -p1 -b .cve-2015-5195
+%patch51 -p1 -b .cve-2015-5219
+%patch52 -p1 -b .cve-2015-7701
+%patch53 -p1 -b .cve-2015-7691_7692_7702
+%patch54 -p1 -b .cve-2015-7852
+%patch55 -p1 -b .cve-2015-7703
+%patch56 -p1 -b .cve-2015-8138
+%patch57 -p1 -b .cve-2015-7977_7978
+%patch58 -p1 -b .cve-2015-8158
+%patch59 -p1 -b .cve-2015-7974
+%patch60 -p1 -b .cve-2015-7979
+%patch61 -p1 -b .cve-2016-1548
+%patch62 -p1 -b .cve-2016-2518
+%patch63 -p1 -b .cve-2016-1550
# ntpstat patches
-%patch50 -p1 -b .clksrc
-%patch51 -p1 -b .multipacket
-%patch52 -p1 -b .sysvars
-%patch53 -p1 -b .maxerror
-%patch54 -p1 -b .errorbit
+%patch100 -p1 -b .clksrc
+%patch101 -p1 -b .multipacket
+%patch102 -p1 -b .sysvars
+%patch103 -p1 -b .maxerror
+%patch104 -p1 -b .errorbit
+%patch105 -p1 -b .manual
# set default path to sntp KoD database
sed -i 's|/var/db/ntp-kod|%{_localstatedir}/lib/sntp/kod|' sntp/{sntp.1,main.c}
@@ -497,19 +542,32 @@ popd
%{ntpdocdir}/html
%changelog
-* Tue May 31 2016 CentOS Sources <bugs@centos.org> - 4.2.6p5-22.el7.centos.2
-- rebrand vendorzone
-
-* Tue May 03 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22.el7_2.2
-- don't allow spoofed packets to demobilize associations (CVE-2015-7979,
- CVE-2016-1547)
+* Tue May 03 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-25
- don't allow spoofed packet to enable symmetric interleaved mode
(CVE-2016-1548)
- check mode of new source in config command (CVE-2016-2518)
- make MAC check resilient against timing attack (CVE-2016-1550)
-* Wed Jan 20 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22.el7_2.1
+* Tue Mar 15 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-24
+- fix crash with invalid logconfig command (CVE-2015-5194)
+- fix crash when referencing disabled statistic type (CVE-2015-5195)
+- don't hang in sntp with crafted reply (CVE-2015-5219)
+- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,
+ CVE-2015-7702)
+- fix memory leak with autokey (CVE-2015-7701)
+- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)
+- don't crash in ntpq with crafted packet (CVE-2015-7852)
+- check key ID in packets authenticated with symmetric key (CVE-2015-7974)
+- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)
+- don't allow spoofed packets to demobilize associations (CVE-2015-7979,
+ CVE-2016-1547)
- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)
+- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)
+- fix resetting of leap status (#1242553)
+- extend rawstats log (#1242877)
+- report clock state changes related to leap seconds (#1242935)
+- allow -4/-6 on restrict lines with mask (#1304492)
+- explain synchronised state in ntpstat man page (#1309594)
* Fri Oct 16 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22
- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)