diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch
new file mode 100644
index 0000000..5f24774
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7426.patch
@@ -0,0 +1,74 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7426	2016-11-21 16:14:42.804048665 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2016-11-21 17:32:45.619107824 +0100
+@@ -473,30 +473,7 @@ receive(
+ 	}
+ 
+ 	/*
+-	 * Update the MRU list and finger the cloggers. It can be a
+-	 * little expensive, so turn it off for production use.
+-	 */
+-	restrict_mask = ntp_monitor(rbufp, restrict_mask);
+-	if (restrict_mask & RES_LIMITED) {
+-		sys_limitrejected++;
+-		if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
+-		    hismode || MODE_SERVER == hismode)
+-			return;			/* rate exceeded */
+-
+-		if (hismode == MODE_CLIENT)
+-			fast_xmit(rbufp, MODE_SERVER, skeyid,
+-			    restrict_mask);
+-		else
+-			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
+-			    restrict_mask);
+-		return;				/* rate exceeded */
+-	}
+-	restrict_mask &= ~RES_KOD;
+-
+-	/*
+-	 * We have tossed out as many buggy packets as possible early in
+-	 * the game to reduce the exposure to a clogging attack. now we
+-	 * have to burn some cycles to find the association and
++	 * now we have to burn some cycles to find the association and
+ 	 * authenticate the packet if required. Note that we burn only
+ 	 * MD5 cycles, again to reduce exposure. There may be no
+ 	 * matching association and that's okay.
+@@ -519,6 +496,27 @@ receive(
+ 	NTOHL_FP(&pkt->xmt, &p_xmt);
+ 
+ 	/*
++	 * Update the MRU list and finger the cloggers. It can be a
++	 * little expensive, so turn it off for production use.
++	 */
++	restrict_mask = ntp_monitor(rbufp, restrict_mask);
++	if (restrict_mask & RES_LIMITED && retcode == AM_FXMIT) {
++		sys_limitrejected++;
++		if (!(restrict_mask & RES_KOD) || MODE_BROADCAST ==
++		    hismode || MODE_SERVER == hismode)
++			return;			/* rate exceeded */
++
++		if (hismode == MODE_CLIENT)
++			fast_xmit(rbufp, MODE_SERVER, skeyid,
++			    restrict_mask);
++		else
++			fast_xmit(rbufp, MODE_ACTIVE, skeyid,
++			    restrict_mask);
++		return;				/* rate exceeded */
++	}
++	restrict_mask &= ~RES_KOD;
++
++	/*
+ 	 * Authentication is conditioned by three switches:
+ 	 *
+ 	 * NOPEER  (RES_NOPEER) do not mobilize an association unless
+@@ -940,6 +938,10 @@ receive(
+ 	case AM_NEWPASS:
+ 		if (!AUTH(sys_authenticate | (restrict_mask &
+ 		    (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
++			if (restrict_mask & RES_LIMITED) {
++				sys_limitrejected++;
++				return;
++			}
+ 
+ 			/*
+ 			 * If authenticated but cannot mobilize an
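Review bot: The moved block in receive() keeps its old comment, which does not explain why the rate-limit test is now gated on `retcode == AM_FXMIT`, and that gate is the whole fix. A comment such as `/* Rate-limit only AM_FXMIT requests; limiting packets that match an association would let unrelated traffic from the same address suppress a source's replies. */` would record the reason, which I infer from the changelog line for CVE-2016-7426. The condition relies on `&` binding tighter than `&&`; writing it as `if ((restrict_mask & RES_LIMITED) && retcode == AM_FXMIT) {` makes that explicit. `retcode` is assigned outside the visible hunks, so confirm it is set on every path that reaches the new position. The `AM_NEWPASS` hunk covers only the unauthenticated branch, and the other `retcode` cases are not visible here.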
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch
new file mode 100644
index 0000000..0a8c228
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7429.patch
@@ -0,0 +1,39 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_peer.c.cve-2016-7429 ntp-4.2.6p5/ntpd/ntp_peer.c
+--- ntp-4.2.6p5/ntpd/ntp_peer.c.cve-2016-7429	2016-11-21 16:47:51.738767270 +0100
++++ ntp-4.2.6p5/ntpd/ntp_peer.c	2016-11-21 16:52:02.434034046 +0100
+@@ -241,7 +241,8 @@ findpeer(
+ 	hash = NTP_HASH_ADDR(srcadr);
+ 	for (p = peer_hash[hash]; p != NULL; p = p->next) {
+ 		if (SOCK_EQ(srcadr, &p->srcadr) &&
+-		    NSRCPORT(srcadr) == NSRCPORT(&p->srcadr)) {
++		    NSRCPORT(srcadr) == NSRCPORT(&p->srcadr) &&
++		    p->dstadr == rbufp->dstadr) {
+ 
+ 			/*
+ 			 * if the association matching rules determine
+@@ -288,13 +289,6 @@ findpeer(
+ 	 */
+ 	if (NULL == p) {
+ 		*action = MATCH_ASSOC(NO_PEER, pkt_mode);
+-	} else if (p->dstadr != rbufp->dstadr) {
+-		set_peerdstadr(p, rbufp->dstadr);
+-		if (p->dstadr == rbufp->dstadr) {
+-			DPRINTF(1, ("Changed %s local address to match response\n",
+-				    stoa(&p->srcadr)));
+-			return findpeer(rbufp, pkt_mode, action);
+-		}
+ 	}
+ 	return p;
+ }
+@@ -548,6 +542,11 @@ set_peerdstadr(
+ {
+ 	struct peer *	unlinked;
+ 
++	DEBUG_INSIST(p != NULL);
++
++	if (p == NULL)
++		return;
++
+ 	if (p->dstadr == dstadr)
+ 		return;
+ 
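Review bot: The new match term `p->dstadr == rbufp->dstadr` in findpeer() carries no comment, although it is what stops a packet received on another interface from rebinding the association. Something like `/* the receiving interface must match; a packet arriving elsewhere must not move the association */` would document it. The deleted `else if` branch was the only place in the visible code where findpeer() moved an association to a new local address. Confirm that another path, not shown here, refreshes `p->dstadr` after an interface change; otherwise replies to such an association would presumably fall through to `NO_PEER`. In set_peerdstadr(), `DEBUG_INSIST(p != NULL)` followed by `if (p == NULL) return;` behaves differently in debug and release builds, and a short comment should say that this is intended.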
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch b/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch
new file mode 100644
index 0000000..16dba95
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-7433.patch
@@ -0,0 +1,23 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7433 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2016-7433	2016-11-21 17:54:29.604704343 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2016-11-21 17:55:04.231569928 +0100
+@@ -2914,8 +2914,7 @@ root_distance(
+ 	 * where:
+ 	 *  delta   is the round-trip delay
+ 	 *  DELTA   is the root delay
+-	 *  epsilon is the remote server precision + local precision
+-	 *	    + (15 usec each second)
++	 *  epsilon is the peer dispersion (15 usec each second)
+ 	 *  EPSILON is the root dispersion
+ 	 *  phi     is the peer jitter statistic
+ 	 *
+@@ -2926,8 +2925,7 @@ root_distance(
+ 	 * other worse choices.
+ 	 */
+ 	dtemp = (peer->delay + peer->rootdelay) / 2
+-		+ LOGTOD(peer->precision)
+-		  + LOGTOD(sys_precision)
++		+ peer->disp
+ 		  + clock_phi * (current_time - peer->update)
+ 		+ peer->rootdisp
+ 		+ peer->jitter;
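Review bot: The rewritten comment line `epsilon is the peer dispersion (15 usec each second)` folds two separate addends of the expression below it into one phrase. In the code, `peer->disp` and `clock_phi * (current_time - peer->update)` are distinct terms. A wording such as `epsilon is the peer dispersion, increased by clock_phi (15 usec) for each second since the last update` would match the code. The formula these names refer to, and the rest of root_distance(), lie outside the hunk.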
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch b/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch
new file mode 100644
index 0000000..c5eb750
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-9310.patch
@@ -0,0 +1,16 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9310 ntp-4.2.6p5/ntpd/ntp_control.c
+--- ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9310	2016-11-21 16:30:56.826396891 +0100
++++ ntp-4.2.6p5/ntpd/ntp_control.c	2016-11-21 16:31:54.171830390 +0100
+@@ -88,9 +88,9 @@ static	struct ctl_proc control_codes[] =
+ 	{ CTL_OP_READVAR,	NOAUTH, read_variables },
+ 	{ CTL_OP_WRITEVAR,	AUTH,	write_variables },
+ 	{ CTL_OP_READCLOCK,	NOAUTH, read_clock_status },
+-	{ CTL_OP_WRITECLOCK,	NOAUTH, write_clock_status },
+-	{ CTL_OP_SETTRAP,	NOAUTH, set_trap },
+-	{ CTL_OP_UNSETTRAP,	NOAUTH, unset_trap },
++	{ CTL_OP_WRITECLOCK,	AUTH,   write_clock_status },
++	{ CTL_OP_SETTRAP,	AUTH,   set_trap },
++	{ CTL_OP_UNSETTRAP,	AUTH,   unset_trap },
+ 	{ CTL_OP_SAVECONFIG,	AUTH,	save_config },
+ 	{ CTL_OP_CONFIGURE,	AUTH,	configure },
+ 	{ NO_REQUEST,		0 }
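Review bot: Nothing in the `control_codes` table states the rule this change enforces, namely that an opcode which modifies daemon state has to be marked `AUTH`. A comment above the table such as `/* opcodes that change state must be AUTH; only read-only queries may be NOAUTH */` would keep a later entry from repeating the mistake. The start of the table is outside the hunk, so the rows above `CTL_OP_READVAR` should be checked against the same rule. The three changed rows pad `AUTH,` with spaces where the neighbouring rows use a tab.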
diff --git a/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch b/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch
new file mode 100644
index 0000000..8be2dfd
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2016-9311.patch
@@ -0,0 +1,36 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9311 ntp-4.2.6p5/ntpd/ntp_control.c
+--- ntp-4.2.6p5/ntpd/ntp_control.c.cve-2016-9311	2016-11-21 16:14:42.800048565 +0100
++++ ntp-4.2.6p5/ntpd/ntp_control.c	2016-11-21 16:18:24.484590147 +0100
+@@ -3080,6 +3080,22 @@ report_event(
+ 	if (num_ctl_traps <= 0)
+ 		return;
+ 
++	/* [Bug 3119]
++	 * Peer Events should be associated with a peer -- hence the
++	 * name. But there are instances where this function is called
++	 * *without* a valid peer. This happens e.g. with an unsolicited
++	 * CryptoNAK, or when a leap second alarm is going off while
++	 * currently without a system peer.
++	 *
++	 * The most sensible approach to this seems to bail out here if
++	 * this happens. Avoiding to call this function would also
++	 * bypass the log reporting in the first part of this function,
++	 * and this is probably not the best of all options.
++	 *   -*-perlinger@ntp.org-*-
++	 */
++	if ((err & PEER_EVENT) && !peer)
++		return;
++
+ 	/*
+ 	 * Set up the outgoing packet variables
+ 	 */
+@@ -3104,8 +3120,7 @@ report_event(
+ #endif /* OPENSSL */
+ 			ctl_putsys(i);
+ 		}
+-	} else {
+-		NTP_INSIST(peer != NULL);
++	} else if (NULL != peer) { /* paranoia -- skip output */
+ 		rpkt.associd = htons(peer->associd);
+ 		rpkt.status = htons(ctlpeerstatus(peer));
+ 
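Review bot: The comment on `} else if (NULL != peer) { /* paranoia -- skip output */` says output is skipped, but the branch only skips filling in `rpkt.associd` and `rpkt.status`. If the trap transmission follows this if/else, as it appears to (the rest of report_event() is outside the hunk), a NULL peer reaching this point would still send a packet with those fields unset. The early `if ((err & PEER_EVENT) && !peer) return;` should make that unreachable. To make the fallback match its comment, add `} else { return; }` after the peer branch, or reword the comment to `/* paranoia -- peer fields left unset */`.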
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 1a1ce9b..1a74942 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 25%{?dist}
+Release: 25%{?dist}.1
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -171,6 +171,16 @@ Patch61: ntp-4.2.6p5-cve-2016-1548.patch
 Patch62: ntp-4.2.6p5-cve-2016-2518.patch
 # ntpbz #2879
 Patch63: ntp-4.2.6p5-cve-2016-1550.patch
+# ntpbz #3071
+Patch64: ntp-4.2.6p5-cve-2016-7426.patch
+# ntpbz #3072
+Patch65: ntp-4.2.6p5-cve-2016-7429.patch
+# ntpbz #3067
+Patch66: ntp-4.2.6p5-cve-2016-7433.patch
+# ntpbz #3118
+Patch67: ntp-4.2.6p5-cve-2016-9310.patch
+# ntpbz #3119
+Patch68: ntp-4.2.6p5-cve-2016-9311.patch
 
 # handle unknown clock types
 Patch100: ntpstat-0.2-clksrc.patch
@@ -254,7 +264,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 
 %prep
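Review bot: The `%{?rhel: ...}` default for `vendorzone` changes from `centos.` to `rhel.`, which is unrelated to the five CVE fixes and is not mentioned in the new changelog entry. The changelog hunk also drops the earlier `rebrand vendorzone` entry. According to the comment above it, this value selects the pool.ntp.org vendor zone used in ntp.conf, so it changes which time servers a default install queries. If this is an import of upstream sources that gets rebranded in a later step, say so in the commit message. Otherwise keep `%{?rhel: %global vendorzone centos.}`.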
@@ -324,6 +334,11 @@ This package contains NTP documentation in HTML format.
 %patch61 -p1 -b .cve-2016-1548
 %patch62 -p1 -b .cve-2016-2518
 %patch63 -p1 -b .cve-2016-1550
+%patch64 -p1 -b .cve-2016-7426
+%patch65 -p1 -b .cve-2016-7429
+%patch66 -p1 -b .cve-2016-7433
+%patch67 -p1 -b .cve-2016-9310
+%patch68 -p1 -b .cve-2016-9311
 
 # ntpstat patches
 %patch100 -p1 -b .clksrc
@@ -542,8 +557,12 @@ popd
 %{ntpdocdir}/html
 
 %changelog
-* Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 4.2.6p5-25.el7.centos
-- rebrand vendorzone
+* Wed Jan 11 2017 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-25.el7_3.1
+- don't limit rate of packets from sources (CVE-2016-7426)
+- don't change interface from received packets (CVE-2016-7429)
+- fix calculation of root distance again (CVE-2016-7433)
+- require authentication for trap commands (CVE-2016-9310)
+- fix crash when reporting peer event to trappers (CVE-2016-9311)
 
 * Tue May 03 2016 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-25
 - don't allow spoofed packet to enable symmetric interleaved mode