diff --git a/SOURCES/ntp-4.2.6p4-htmldoc.patch b/SOURCES/ntp-4.2.6p4-htmldoc.patch
index 561dae7..6a082c9 100644
--- a/SOURCES/ntp-4.2.6p4-htmldoc.patch
+++ b/SOURCES/ntp-4.2.6p4-htmldoc.patch
@@ -1,3 +1,19 @@
+diff -up ntp-4.2.6p5/html/accopt.html.htmldoc ntp-4.2.6p5/html/accopt.html
+--- ntp-4.2.6p5/html/accopt.html.htmldoc	2009-12-09 08:36:36.000000000 +0100
++++ ntp-4.2.6p5/html/accopt.html	2015-02-10 14:55:24.467289637 +0100
+@@ -94,8 +94,10 @@ time) in log<sub>2</sub> s with default
+ 			
+ <dt id="restrict"><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt>
+ <dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the
+-	address of a host or network. Alternatively, the <tt><i>address</i></tt> argument
+-	can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in
++	address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a
++	valid host DNS name, but it must be resolvable at the time when <tt>ntpd</tt> is started and
++	if it's resolved to multiple addresses, only the first address will be added to the list.
++	The <tt><i>mask</i></tt> argument expressed in
+ 	dotted-quad form defaults to 255.255.255.255, meaning that the <tt><i>address</i></tt> is
+ 	treated as the address of an individual host. A default entry (address 0.0.0.0,
+ 	mask 0.0.0.0) is always included and is always the first entry in the list.
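Review bot: The new restrict text in accopt.html says a DNS name must be resolvable when ntpd is started, but not what happens to the entry when it is not. Because restrict lines are access control, the text should state the failure behaviour explicitly. It should also point out that when a name resolves to multiple addresses, the remaining addresses are not covered by this entry, so literal addresses are the safer choice for such hosts.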
 diff -up ntp-4.2.6p5/html/authopt.html.htmldoc ntp-4.2.6p5/html/authopt.html
 --- ntp-4.2.6p5/html/authopt.html.htmldoc	2011-07-11 04:18:25.000000000 +0200
 +++ ntp-4.2.6p5/html/authopt.html	2013-03-28 18:04:38.581260191 +0100
@@ -32,7 +48,30 @@ diff -up ntp-4.2.6p5/html/keygen.html.htmldoc ntp-4.2.6p5/html/keygen.html
  
 diff -up ntp-4.2.6p5/html/ntpd.html.htmldoc ntp-4.2.6p5/html/ntpd.html
 --- ntp-4.2.6p5/html/ntpd.html.htmldoc	2011-07-11 04:18:26.000000000 +0200
-+++ ntp-4.2.6p5/html/ntpd.html	2013-03-28 18:05:21.174228349 +0100
++++ ntp-4.2.6p5/html/ntpd.html	2015-02-23 12:11:24.719093119 +0100
+@@ -35,11 +35,11 @@
+ 		<tt>ntpd [ -46aAbdDgLnNqx ] [ -c <i>conffile</i> ] [ -f <i>driftfile</i> ] [ -i <i>jaildir</i> ] [ -I <i>iface</i> ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ] [ -p <i>pidfile</i> ] [ -P <i>priority</i> ] [ -r <i>broadcastdelay</i> ] [ -s <i>statsdir</i> ] [ -t <i>key</i> ] [ -u <i>user</i>[:<i>group</i>] ] [ -U <i>interface_update_interval</i> ] [ -v <i>variable</i> ] [ -V <i>variable</i> ]</tt>
+ 		<h4 id="descr">Description</h4>
+ 		<p>The <tt>ntpd</tt> program is an operating system daemon that synchronises the system clock with remote NTP&nbsp;time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the <a href="assoc.html">Association Management</a> page, and with both symmetric key and public key cryptography, as described on the <a href="manyopt.html">Authentication Options</a> page.</p>
+-		<p>The <tt>ntpd</tt> program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
++		<p>The <tt>ntpd</tt> program ordinarily requires a configuration file as described on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
+ 		<p>Once the NTP software distribution has been compiled and installed and the configuration file constructed, the next step is to verify correct operation and fix any bugs that may result. Usually, the command line that starts the daemon is included in the system startup file, so it is executed only at system boot time; however, the daemon can be stopped and restarted from root at any time. Once started, the daemon will begin sending and receiving messages, as specified in the configuration file.</p>
+ 		<h4 id="time">Setting the Time and Frequency</h4>
+ 		<p>The <tt>ntpd</tt> program operates by exchanging messages with one or more servers at designated intervals ranging from about one minute to about 17 minutes. When started, the program requires several exchanges while the algorithms accumulate and groom the data before setting the clock. The initial delay to set the clock can be reduced using options on the <a href="confopt.html">Server Options</a> page.</p>
+-		<p>Most compters today incorporate a time-of-year (TOY) chip to maintain the time during periods when the power is off. When the machine is booted, the chip is used to initialize the operating system time. In case there is no TOY chip or the TOY&nbsp;time is more than 1000 s from the server&nbsp;time, <tt>ntpd</tt> assumes something must be terribly wrong and exits with a panic message to the system operator. With the <tt>-g</tt> option the clock will be initially set to the server time regardless of the chip time. However, once the clock has been set, an error greater than 1000 s will cause <tt>ntpd</tt> to exit anyway.</p>
++		<p>Most computers today incorporate a time-of-year (TOY) chip to maintain the time during periods when the power is off. When the machine is booted, the chip is used to initialize the operating system time. In case there is no TOY chip or the TOY&nbsp;time is more than 1000 s from the server&nbsp;time, <tt>ntpd</tt> assumes something must be terribly wrong and exits with a panic message to the system operator. With the <tt>-g</tt> option the clock will be initially set to the server time regardless of the chip time. However, once the clock has been set, an error greater than 1000 s will cause <tt>ntpd</tt> to exit anyway.</p>
+ 		<p>Under ordinary conditions, <tt>ntpd</tt> slews the clock so that the time is effectively continuous and never runs backwards. If due to extreme network congestion an error spike exceeds the <i>step threshold</i>, by default 128 ms, the spike is discarded. However, if the error persists for more than the <i>stepout threshold</i>, by default 900 s, the system clock is stepped to the correct value. In practice the need for a step has is extremely rare and almost always the result of a hardware failure. With the <tt>-x</tt> option the step threshold is increased to 600 s. Other options are available using the <tt>tinker</tt> command on the <a href="miscopt.html">Miscellaneous Options</a> page.</p>
+ 		<p>The issues should be carefully considered before using these options. The maximum slew rate possible is limited to 500 parts-per-million (PPM) by the Unix kernel. As a result, the clock can take 2000 s for each second the clock is outside the acceptable range. During this interval the clock will not be consistent with any other network clock and the system cannot be used for distributed applications that require correctly synchronized network time.</p>
+ 		<p>The frequency file, usually called <tt>ntp.drift</tt>, contains the latest estimate  of clock frequency. If this file does not exist when <tt>ntpd</tt> is started, it enters a special mode designed to measure the particular frequency directly. The measurement takes 15 minutes, after which the frequency is set and <tt>ntpd</tt> resumes normal mode where the time and frequency are continuously adjusted. The frequency file is updated at intervals of an hour or more depending on the measured clock stability.</p>
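Review bot: The context paragraph right after the "compters" fix still reads "the need for a step has is extremely rare". This hunk is a typo pass over the same section, so fix that sentence here too by dropping "has".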
+@@ -70,7 +70,7 @@
+ 			tally the leap warning bits of surviving servers and reference clocks.
+ 			When a majority of the survivors show warning, a leap is programmed
+ 			at the end of the current month. During the month and day of insertion,
+-			they operate as above. In this way the leap is is propagated at all
++			they operate as above. In this way the leap is propagated at all
+ 			dependent servers and clients.</p>
+ 	<h4 id="notes">Additional Features</h4>
+ 		<p>A new experimental feature called interleaved modes can be used  in NTP
 @@ -143,26 +143,8 @@
  			<dd>Specify a user, and optionally a group, to switch to. This option is only available if the OS supports running the server without full root privileges. Currently, this option is supported under NetBSD (configure with <tt>--enable-clockctl</tt>) and Linux (configure with --<tt>enable-linuxcaps</tt>).</dd>
  			<dt><tt>-U <i>interface update interval</i></tt></dt>
diff --git a/SOURCES/ntp-4.2.6p5-backfwdstep.patch b/SOURCES/ntp-4.2.6p5-backfwdstep.patch
new file mode 100644
index 0000000..4ceb210
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-backfwdstep.patch
@@ -0,0 +1,180 @@
+diff -up ntp-4.2.6p5/html/miscopt.html.backfwdstep ntp-4.2.6p5/html/miscopt.html
+--- ntp-4.2.6p5/html/miscopt.html.backfwdstep	2015-05-13 17:07:13.553206904 +0200
++++ ntp-4.2.6p5/html/miscopt.html	2015-05-13 17:55:59.226133427 +0200
+@@ -70,7 +70,7 @@
+ 			<dd>Specify the directory in which to write configuration snapshots requested with <tt>ntpq</tt>'s <a href="ntpq.html#saveconfig">saveconfig</a> command.  If <tt>saveconfigdir</tt> does not appear in the configuration file, saveconfig requests are rejected by ntpd.</dd>
+ 			<dt id="setvar"><tt>setvar <i>variable</i> [default]</tt></dt>
+ 			<dd>This command adds an additional system variable. These variables can be used to distribute additional information such as the access policy. If the variable of the form <tt><i>name</i> = <i>value</i></tt> is followed by the <tt>default</tt> keyword, the variable will be listed as part of the default system variables (<tt>ntpq rv</tt> command). These additional variables serve informational purposes only. They are not related to the protocol other that they can be listed. The known protocol variables will always override any variables defined via the <tt>setvar</tt> mechanism. There are three special variables that contain the names of all variable of the same group. The <tt>sys_var_list</tt> holds the names of all system variables. The <tt>peer_var_list</tt> holds the names of all peer variables and the <tt>clock_var_list</tt> holds the names of the reference clock variables.</dd>
+-			<dt id="tinker"><tt>tinker [ allan <i>allan</i> | dispersion <i>dispersion</i> | freq <i>freq</i> | huffpuff <i>huffpuff</i> | panic <i>panic</i> | step <i>step</i> | stepout <i>stepout</i> ]</tt></dt>
++			<dt id="tinker"><tt>tinker [ allan <i>allan</i> | dispersion <i>dispersion</i> | freq <i>freq</i> | huffpuff <i>huffpuff</i> | panic <i>panic</i> | step <i>step</i> | stepback <i>step</i> | stepfwd <i>step</i> | stepout <i>stepout</i> ]</tt></dt>
+ 			<dd>This command alters certain system variables used by the clock discipline algorithm. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs. The options are as follows:</dd>
+ 				<dd><dl>
+ 					<dt><tt>allan <i>allan</i></tt></dt>
+@@ -89,6 +89,10 @@
+ 						occur. Note: The kernel time discipline is disabled if
+ 						the step threshold is set to zero or greater than 0.5
+ 						s and the threshold is applied also to leap second corrections.</dd>
++					<dt><tt>stepback <i>step</i></tt></dt>
++					<dd>Specifies the step threshold, but only in the backward direction.</dd>
++					<dt><tt>stepfwd <i>step</i></tt></dt>
++					<dd>Specifies the step threshold, but only in the forward direction. To avoid problems with frequency stabilization after large slews it's not recommended to set one direction to a value greater than 0.5 s without setting also the other direction to at least 0.5 s.</dd>
+ 					<dt><tt>stepout <i>stepout</i></tt></dt>
+ 					<dd>Specifies the stepout threshold in seconds. The default without this
+ 						command is 900 s.  If set to zero, popcorn spikes will
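Review bot: The stepback and stepfwd entries do not say what a value of zero means or how they relate to step. In local_clock() a direction is stepped only when its threshold is > 0, and the LOOP_MAX case in loop_config() assigns both directions, so the text should say that 0 disables stepping in that direction and that step sets both values. The note just above, that the threshold also applies to leap second corrections, should name stepback, since timer() in ntp_timer.c now tests clock_max_back only.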
+diff -up ntp-4.2.6p5/include/ntp.h.backfwdstep ntp-4.2.6p5/include/ntp.h
+--- ntp-4.2.6p5/include/ntp.h.backfwdstep	2011-12-01 03:55:17.000000000 +0100
++++ ntp-4.2.6p5/include/ntp.h	2015-05-13 17:23:19.953372541 +0200
+@@ -725,6 +725,8 @@ struct pkt {
+ #define LOOP_KERN_CLEAR		11	/* reset kernel pll parameters */
+ #define LOOP_CODEC		12	/* set audio codec frequency */
+ #define	LOOP_LEAP		13	/* insert leap after second 23:59 */
++#define LOOP_MAX_BACK		14	/* set bacward-step offset */
++#define LOOP_MAX_FWD		15	/* set forward-step offset */
+ 
+ /*
+  * Configuration items for the stats printer
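Review bot: Typo in the LOOP_MAX_BACK comment: "bacward-step" should be "backward-step". The two comments also say "offset" where the ntpd.h declarations and the documentation call this a step threshold; use one term.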
+diff -up ntp-4.2.6p5/include/ntpd.h.backfwdstep ntp-4.2.6p5/include/ntpd.h
+--- ntp-4.2.6p5/include/ntpd.h.backfwdstep	2015-05-13 17:07:13.498212244 +0200
++++ ntp-4.2.6p5/include/ntpd.h	2015-05-13 17:28:42.516052737 +0200
+@@ -345,7 +345,8 @@ extern int	maxactivefd;
+ /* ntp_loopfilter.c */
+ extern double	drift_comp;		/* clock frequency (s/s) */
+ extern double	clock_stability;	/* clock stability (s/s) */
+-extern double	clock_max;		/* max offset before step (s) */
++extern double	clock_max_back;		/* max backward offset before step (s) */
++extern double	clock_max_fwd;		/* max forward offset before step (s) */
+ extern double	clock_panic;		/* max offset before panic (s) */
+ extern double	clock_phi;		/* dispersion rate (s/s) */
+ extern double	clock_minstep;		/* step timeout (s) */
+diff -up ntp-4.2.6p5/ntpd/cmd_args.c.backfwdstep ntp-4.2.6p5/ntpd/cmd_args.c
+--- ntp-4.2.6p5/ntpd/cmd_args.c.backfwdstep	2009-12-25 10:03:41.000000000 +0100
++++ ntp-4.2.6p5/ntpd/cmd_args.c	2015-05-13 17:25:05.726102347 +0200
+@@ -161,8 +161,7 @@ getCmdOpts(
+ 	}
+ 
+ 	if (HAVE_OPT( SLEW )) {
+-		clock_max = 600;
+-		kern_enable = 0;
++		loop_config(LOOP_MAX, 600);
+ 	}
+ 	if (HAVE_OPT( UPDATEINTERVAL )) {
+ 		long val = OPT_VALUE_UPDATEINTERVAL;
+diff -up ntp-4.2.6p5/ntpd/keyword-gen.c.backfwdstep ntp-4.2.6p5/ntpd/keyword-gen.c
+--- ntp-4.2.6p5/ntpd/keyword-gen.c.backfwdstep	2010-04-18 10:05:39.000000000 +0200
++++ ntp-4.2.6p5/ntpd/keyword-gen.c	2015-05-13 17:39:08.889233906 +0200
+@@ -173,6 +173,8 @@ struct key_tok ntp_keywords[] = {
+ { "stats",		T_Stats,		FOLLBY_TOKEN },
+ /* tinker_option */
+ { "step",		T_Step,			FOLLBY_TOKEN },
++{ "stepback",		T_Stepback,		FOLLBY_TOKEN },
++{ "stepfwd",		T_Stepfwd,		FOLLBY_TOKEN },
+ { "panic",		T_Panic,		FOLLBY_TOKEN },
+ { "dispersion",		T_Dispersion,		FOLLBY_TOKEN },
+ { "stepout",		T_Stepout,		FOLLBY_TOKEN },
+diff -up ntp-4.2.6p5/ntpd/ntp_config.c.backfwdstep ntp-4.2.6p5/ntpd/ntp_config.c
+--- ntp-4.2.6p5/ntpd/ntp_config.c.backfwdstep	2015-05-13 17:07:13.534208748 +0200
++++ ntp-4.2.6p5/ntpd/ntp_config.c	2015-05-13 17:36:12.929319050 +0200
+@@ -2407,6 +2407,14 @@ config_tinker(
+ 			item = LOOP_MAX;
+ 			break;
+ 
++		case T_Stepback:
++			item = LOOP_MAX_BACK;
++			break;
++
++		case T_Stepfwd:
++			item = LOOP_MAX_FWD;
++			break;
++
+ 		case T_Stepout:
+ 			item = LOOP_MINSTEP;
+ 			break;
+diff -up ntp-4.2.6p5/ntpd/ntp_loopfilter.c.backfwdstep ntp-4.2.6p5/ntpd/ntp_loopfilter.c
+--- ntp-4.2.6p5/ntpd/ntp_loopfilter.c.backfwdstep	2015-05-13 17:07:13.499212146 +0200
++++ ntp-4.2.6p5/ntpd/ntp_loopfilter.c	2015-05-13 17:20:42.362674093 +0200
+@@ -107,7 +107,8 @@
+ /*
+  * Program variables that can be tinkered.
+  */
+-double	clock_max = CLOCK_MAX;	/* step threshold */
++double	clock_max_back = CLOCK_MAX;	/* step threshold */
++double	clock_max_fwd =  CLOCK_MAX;	/* step threshold */
+ double	clock_minstep = CLOCK_MINSTEP; /* stepout threshold */
+ double	clock_panic = CLOCK_PANIC; /* panic threshold */
+ double	clock_phi = CLOCK_PHI;	/* dispersion rate (s/s) */
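Review bot: Both new definitions carry the same comment, "step threshold". Make them "backward step threshold" and "forward step threshold" to match the declarations in ntpd.h, and drop the doubled space after the = in the clock_max_fwd line.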
+@@ -257,7 +258,8 @@ local_clock(
+ 	 * directly to the terminal.
+ 	 */
+ 	if (mode_ntpdate) {
+-		if (fabs(fp_offset) > clock_max && clock_max > 0) {
++		if (  ( fp_offset > clock_max_fwd  && clock_max_fwd  > 0)
++		   || (-fp_offset > clock_max_back && clock_max_back > 0)) {
+ 			step_systime(fp_offset);
+ 			msyslog(LOG_NOTICE, "ntpd: time set %+.6f s",
+ 	   		    fp_offset);
+@@ -319,7 +321,8 @@ local_clock(
+ 	mu = current_time - clock_epoch;
+ 	clock_frequency = drift_comp;
+ 	rval = 1;
+-	if (fabs(fp_offset) > clock_max && clock_max > 0) {
++	if (  ( fp_offset > clock_max_fwd  && clock_max_fwd  > 0)
++	   || (-fp_offset > clock_max_back && clock_max_back > 0)) {
+ 		switch (state) {
+ 
+ 		/*
+@@ -1007,8 +1010,20 @@ loop_config(
+ 		break;
+ 
+ 	case LOOP_MAX:		/* step threshold (step) */
+-		clock_max = freq;
+-		if (clock_max == 0 || clock_max > 0.5)
++		clock_max_fwd = clock_max_back = freq;
++		if (freq == 0 || freq > 0.5)
++			kern_enable = 0;
++		break;
++
++	case LOOP_MAX_BACK:	/* step threshold (step) */
++		clock_max_back = freq;
++		if (freq == 0 || freq > 0.5)
++			kern_enable = 0;
++		break;
++
++	case LOOP_MAX_FWD:	/* step threshold (step) */
++		clock_max_fwd = freq;
++		if (freq == 0 || freq > 0.5)
+ 			kern_enable = 0;
+ 		break;
+ 
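Review bot: A negative value is not handled in any of the three cases in loop_config(). With freq < 0 the test freq == 0 || freq > 0.5 is false, so kern_enable stays set, yet local_clock() never steps in that direction because it requires the threshold to be > 0. That is the same effect as zero but without the kernel discipline being disabled. Suggest testing freq <= 0 || freq > 0.5, or rejecting negative values in config_tinker(), and moving the repeated kern_enable check into one place. The LOOP_MAX_BACK and LOOP_MAX_FWD case comments also both read "step threshold (step)" and should name the direction.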
+diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.backfwdstep ntp-4.2.6p5/ntpd/ntp_parser.y
+--- ntp-4.2.6p5/ntpd/ntp_parser.y.backfwdstep	2010-10-24 08:29:35.000000000 +0200
++++ ntp-4.2.6p5/ntpd/ntp_parser.y	2015-05-13 17:40:45.207881673 +0200
+@@ -190,6 +190,8 @@
+ %token	<Integer>	T_Stats
+ %token	<Integer>	T_Statsdir
+ %token	<Integer>	T_Step
++%token	<Integer>	T_Stepback
++%token	<Integer>	T_Stepfwd
+ %token	<Integer>	T_Stepout
+ %token	<Integer>	T_Stratum
+ %token	<String>	T_String
+@@ -899,6 +901,8 @@ tinker_option_keyword
+ 	|	T_Huffpuff
+ 	|	T_Panic
+ 	|	T_Step
++	|	T_Stepback
++	|	T_Stepfwd
+ 	|	T_Stepout
+ 	;
+ 
+diff -up ntp-4.2.6p5/ntpd/ntp_timer.c.backfwdstep ntp-4.2.6p5/ntpd/ntp_timer.c
+--- ntp-4.2.6p5/ntpd/ntp_timer.c.backfwdstep	2015-05-13 17:07:13.554206806 +0200
++++ ntp-4.2.6p5/ntpd/ntp_timer.c	2015-05-13 17:27:45.659573319 +0200
+@@ -450,7 +450,7 @@ timer(void)
+ 			sys_tai = leap_tai;
+ #ifdef KERNEL_PLL
+ 			if (!pll_control || !kern_enable) {
+-				if (clock_max < 1.0 && clock_max > 0.0) {
++				if (clock_max_back < 1.0 && clock_max_back > 0.0) {
+ 					step_systime(-1.0);
+ 					msyslog(LOG_NOTICE, "Inserting positive leap second");
+ 				} else {
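Review bot: The leap-second branch in timer() now tests only clock_max_back, with no comment saying why. It is consistent with step_systime(-1.0) being a backward step, but a reader has to work that out. Add a one-line comment, and mention that with asymmetric stepback and stepfwd settings this branch is governed by stepback alone.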
diff --git a/SOURCES/ntp-4.2.6p5-cve-2014-9297.patch b/SOURCES/ntp-4.2.6p5-cve-2014-9297.patch
new file mode 100644
index 0000000..1364e8c
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2014-9297.patch
@@ -0,0 +1,375 @@
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54abb266In81wLNAqIaovtP8f2UmUw
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54a7c595jlwS3KmAxBML75HFGLR_pQ
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d353ncauuWt_PONxaDhC5Qv_SA
+
+diff -up ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_crypto.c
+--- ntp-4.2.6p5/ntpd/ntp_crypto.c.cve-2014-9297	2015-02-04 11:37:44.488673076 +0100
++++ ntp-4.2.6p5/ntpd/ntp_crypto.c	2015-02-04 11:37:44.491673082 +0100
+@@ -109,6 +109,7 @@
+ #define TAI_1972	10	/* initial TAI offset (s) */
+ #define MAX_LEAP	100	/* max UTC leapseconds (s) */
+ #define VALUE_LEN	(6 * 4) /* min response field length */
++#define MAX_VALLEN	(65535 - VALUE_LEN)
+ #define YEAR		(60 * 60 * 24 * 365) /* seconds in year */
+ 
+ /*
+@@ -147,8 +148,8 @@ static char *rand_file = NULL;	/* random
+  */
+ static	int	crypto_verify	(struct exten *, struct value *,
+ 				    struct peer *);
+-static	int	crypto_encrypt	(struct exten *, struct value *,
+-				    keyid_t *);
++static	int	crypto_encrypt	(const u_char *, u_int, keyid_t *,
++				    struct value *);
+ static	int	crypto_alice	(struct peer *, struct value *);
+ static	int	crypto_alice2	(struct peer *, struct value *);
+ static	int	crypto_alice3	(struct peer *, struct value *);
+@@ -444,6 +445,12 @@ crypto_recv(
+ 			tstamp = ntohl(ep->tstamp);
+ 			fstamp = ntohl(ep->fstamp);
+ 			vallen = ntohl(ep->vallen);
++			/*
++			 * Bug 2761: I hope this isn't too early...
++			 */
++			if (   vallen == 0
++			    || len - VALUE_LEN < vallen)
++				return XEVNT_LEN;
+ 		}
+ 		switch (code) {
+ 
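Review bot: The new check in crypto_recv() computes len - VALUE_LEN with no guarantee visible in this hunk that len >= VALUE_LEN. If len is unsigned and smaller than VALUE_LEN, the subtraction wraps and the test passes for any vallen. crypto_bob() later in this patch spells the guard out as len < VALUE_LEN || len - VALUE_LEN < vallen; do the same here unless the enclosing condition already ensures it. Replace "I hope this isn't too early..." with a comment that states which reads this bound protects.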
+@@ -494,8 +501,9 @@ crypto_recv(
+ 					rval = XEVNT_ERR;
+ 				break;
+ 			}
++			INSIST(len >= VALUE_LEN);
+ 			if (vallen == 0 || vallen > MAXHOSTNAME ||
+-			    len < VALUE_LEN + vallen) {
++			    len - VALUE_LEN < vallen) {
+ 				rval = XEVNT_LEN;
+ 				break;
+ 			}
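Review bot: INSIST(len >= VALUE_LEN), placed ahead of the MAXHOSTNAME check, turns a length violation into a daemon abort. If len can still be short at this point for a packet received from the network, that is a remotely triggered crash; if it cannot, add a comment naming the earlier check that guarantees it. Setting rval = XEVNT_LEN and breaking, as the condition just below does, is the safer failure mode for network input.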
+@@ -1162,11 +1170,11 @@ crypto_xmit(
+ 	 * choice. 
+ 	 */
+ 	case CRYPTO_CERT | CRYPTO_RESP:
+-		vallen = ntohl(ep->vallen);
+-		if (vallen == 0 || vallen > MAXHOSTNAME) {
++		vallen = ntohl(ep->vallen);	/* Must be <64k */
++		if (vallen == 0 || vallen > MAXHOSTNAME ||
++		    len - VALUE_LEN < vallen) {
+ 			rval = XEVNT_LEN;
+ 			break;
+-
+ 		} else {
+ 			memcpy(certname, ep->pkt, vallen);
+ 			certname[vallen] = '\0';
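Review bot: The CRYPTO_CERT | CRYPTO_RESP case bounds vallen with len - VALUE_LEN, while the CRYPTO_COOK | CRYPTO_RESP case in the next hunk uses (opcode & 0x0000ffff) for the same purpose. Confirm that len in crypto_xmit() holds the length of the received extension field at this point and is at least VALUE_LEN; otherwise use the opcode-derived length here as well. The memcpy() into certname followed by certname[vallen] = '\0' also needs certname to hold MAXHOSTNAME + 1 bytes, which cannot be verified from this hunk.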
+@@ -1315,7 +1323,10 @@ crypto_xmit(
+ 	 * anything goes wrong.
+ 	 */
+ 	case CRYPTO_COOK | CRYPTO_RESP:
+-		if ((opcode & 0xffff) < VALUE_LEN) {
++		vallen = ntohl(ep->vallen);	/* Must be <64k */
++		if (   vallen == 0
++		    || (vallen >= MAX_VALLEN)
++		    || (opcode & 0x0000ffff)  < VALUE_LEN + vallen) {
+ 			rval = XEVNT_LEN;
+ 			break;
+ 		}
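Review bot: The upper bound on vallen is written as vallen >= MAX_VALLEN here, as vallen > MAX_VALLEN in crypto_verify(), and as INSIST(vallen <= MAX_VALLEN) in crypto_send(). Pick one boundary and use it everywhere, so that a value of exactly MAX_VALLEN is not accepted by one function and rejected by another. The "Must be <64k" comment should refer to MAX_VALLEN rather than a rounded figure.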
+@@ -1323,8 +1334,8 @@ crypto_xmit(
+ 			tcookie = cookie;
+ 		else
+ 			tcookie = peer->hcookie;
+-		if ((rval = crypto_encrypt(ep, &vtemp, &tcookie)) ==
+-		    XEVNT_OK) {
++		if ((rval = crypto_encrypt((const u_char *)ep->pkt, vallen, &tcookie, &vtemp))
++		    == XEVNT_OK) {
+ 			len = crypto_send(fp, &vtemp, start);
+ 			value_free(&vtemp);
+ 		}
+@@ -1464,13 +1475,16 @@ crypto_verify(
+ 	 * up to the next word (4 octets).
+ 	 */
+ 	vallen = ntohl(ep->vallen);
+-	if (vallen == 0)
++	if (   vallen == 0
++	    || vallen > MAX_VALLEN)
+ 		return (XEVNT_LEN);
+ 
+ 	i = (vallen + 3) / 4;
+ 	siglen = ntohl(ep->pkt[i++]);
+-	if (len < VALUE_LEN + ((vallen + 3) / 4) * 4 + ((siglen + 3) /
+-	    4) * 4)
++	if (   siglen > MAX_VALLEN
++	    || len - VALUE_LEN < ((vallen + 3) / 4) * 4
++	    || len - VALUE_LEN - ((vallen + 3) / 4) * 4
++	      < ((siglen + 3) / 4) * 4)
+ 		return (XEVNT_LEN);
+ 
+ 	/*
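Review bot: siglen is read from ep->pkt[i] before the length test in crypto_verify() has confirmed that index i lies inside the received field. At that point vallen is bounded only by MAX_VALLEN, so i = (vallen + 3) / 4 can index well past len. Split the test: first reject when len - VALUE_LEN cannot hold the rounded vallen plus the siglen word, then load siglen and check it against what remains. The len - VALUE_LEN subtraction also assumes len >= VALUE_LEN, which should be checked explicitly.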
+@@ -1528,6 +1542,7 @@ crypto_verify(
+ 	 * proventic bit. What a relief.
+ 	 */
+ 	EVP_VerifyInit(&ctx, peer->digest);
++	/* XXX: the "+ 12" needs to be at least documented... */
+ 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
+ 	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
+ 	    pkey) <= 0)
+@@ -1540,34 +1555,32 @@ crypto_verify(
+ 
+ 
+ /*
+- * crypto_encrypt - construct encrypted cookie and signature from
+- * extension field and cookie
++ * crypto_encrypt - construct vp (encrypted cookie and signature) from
++ * the public key and cookie.
+  *
+- * Returns
++ * Returns:
+  * XEVNT_OK	success
+  * XEVNT_CKY	bad or missing cookie
+  * XEVNT_PUB	bad or missing public key
+  */
+ static int
+ crypto_encrypt(
+-	struct exten *ep,	/* extension pointer */
+-	struct value *vp,	/* value pointer */
+-	keyid_t	*cookie		/* server cookie */
++	const u_char *ptr,	/* Public Key */
++	u_int	vallen,		/* Length of Public Key */
++	keyid_t	*cookie,	/* server cookie */
++	struct value *vp	/* value pointer */
+ 	)
+ {
+ 	EVP_PKEY *pkey;		/* public key */
+ 	EVP_MD_CTX ctx;		/* signature context */
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	u_int32	temp32;
+-	u_int	len;
+-	u_char	*ptr;
++	u_char *puch;
+ 
+ 	/*
+ 	 * Extract the public key from the request.
+ 	 */
+-	len = ntohl(ep->vallen);
+-	ptr = (u_char *)ep->pkt;
+-	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
++	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, vallen);
+ 	if (pkey == NULL) {
+ 		msyslog(LOG_ERR, "crypto_encrypt: %s",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+@@ -1581,12 +1594,12 @@ crypto_encrypt(
+ 	tstamp = crypto_time();
+ 	vp->tstamp = htonl(tstamp);
+ 	vp->fstamp = hostval.tstamp;
+-	len = EVP_PKEY_size(pkey);
+-	vp->vallen = htonl(len);
+-	vp->ptr = emalloc(len);
+-	ptr = vp->ptr;
++	vallen = EVP_PKEY_size(pkey);
++	vp->vallen = htonl(vallen);
++	vp->ptr = emalloc(vallen);
++	puch = vp->ptr;
+ 	temp32 = htonl(*cookie);
+-	if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
++	if (RSA_public_encrypt(4, (u_char *)&temp32, puch,
+ 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
+ 		msyslog(LOG_ERR, "crypto_encrypt: %s",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+@@ -1601,8 +1614,8 @@ crypto_encrypt(
+ 	vp->sig = emalloc(sign_siglen);
+ 	EVP_SignInit(&ctx, sign_digest);
+ 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
+-	EVP_SignUpdate(&ctx, vp->ptr, len);
+-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
++	EVP_SignUpdate(&ctx, vp->ptr, vallen);
++	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+ 		vp->siglen = htonl(sign_siglen);
+ 	return (XEVNT_OK);
+ }
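Review bot: EVP_SignFinal() now writes the signature length into vallen, the parameter that held the public key length on entry and the encrypted value length a few lines earlier. Use a separate local for the signature length so the three meanings are not carried by one variable. When EVP_SignFinal() fails the function still returns XEVNT_OK without setting vp->siglen; that predates this patch but is worth fixing while these lines are being touched.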
+@@ -1673,6 +1686,9 @@ crypto_ident(
+  * call in the protocol module.
+  *
+  * Returns extension field pointer (no errors)
++ *
++ * XXX: opcode and len should really be 32-bit quantities and
++ * we should make sure that str is not too big.
+  */
+ struct exten *
+ crypto_args(
+@@ -1685,24 +1701,31 @@ crypto_args(
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	struct exten *ep;	/* extension field pointer */
+ 	u_int	len;		/* extension field length */
++	size_t	slen;
+ 
+ 	tstamp = crypto_time();
+ 	len = sizeof(struct exten);
+-	if (str != NULL)
+-		len += strlen(str);
++	if (str != NULL) {
++		slen = strlen(str);
++		INSIST(slen < MAX_VALLEN);
++		len += slen;
++	}
+ 	ep = emalloc(len);
+ 	memset(ep, 0, len);
+ 	if (opcode == 0)
+ 		return (ep);
+ 
++	REQUIRE(0 == (len    & ~0x0000ffff));
++	REQUIRE(0 == (opcode & ~0xffff0000));
++
+ 	ep->opcode = htonl(opcode + len);
+ 	ep->associd = htonl(associd);
+ 	ep->tstamp = htonl(tstamp);
+ 	ep->fstamp = hostval.tstamp;
+ 	ep->vallen = 0;
+ 	if (str != NULL) {
+-		ep->vallen = htonl(strlen(str));
+-		memcpy((char *)ep->pkt, str, strlen(str));
++		ep->vallen = htonl(slen);
++		memcpy((char *)ep->pkt, str, slen);
+ 	}
+ 	return (ep);
+ }
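Review bot: The REQUIRE checks on len and opcode in crypto_args() run after emalloc() and memset() have already used len, and they are skipped entirely on the opcode == 0 early return. Move them ahead of the allocation, next to the INSIST on slen. slen is also assigned only when str != NULL; initialise it to 0 at declaration so a later edit cannot read it uninitialised.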
+@@ -1715,6 +1738,8 @@ crypto_args(
+  * Note: it is not polite to send a nonempty signature with zero
+  * timestamp or a nonzero timestamp with an empty signature, but those
+  * rules are not enforced here.
++ *
++ * XXX This code won't work on a box with 16-bit ints.
+  */
+ int
+ crypto_send(
+@@ -1730,8 +1755,9 @@ crypto_send(
+ 	 * Calculate extension field length and check for buffer
+ 	 * overflow. Leave room for the MAC.
+ 	 */
+-	len = 16;
++	len = 16;				/* XXX Document! */
+ 	vallen = ntohl(vp->vallen);
++	INSIST(vallen <= MAX_VALLEN);
+ 	len += ((vallen + 3) / 4 + 1) * 4; 
+ 	siglen = ntohl(vp->siglen);
+ 	len += ((siglen + 3) / 4 + 1) * 4; 
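Review bot: crypto_send() asserts vallen <= MAX_VALLEN but applies no bound to siglen, which goes through the same rounding two lines later and is added to the same len. Add the matching check for siglen. The "XXX Document!" marker should be replaced with a comment saying what the 16 bytes cover.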
+@@ -1772,6 +1798,7 @@ crypto_send(
+ 	}
+ 	opcode = ntohl(ep->opcode);
+ 	ep->opcode = htonl((opcode & 0xffff0000) | len); 
++	ENSURE(len <= MAX_VALLEN);
+ 	return (len);
+ }
+ 
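Review bot: ENSURE(len <= MAX_VALLEN) sits after len has already been merged into ep->opcode. Move the check above the htonl() assignment so an oversized length is caught before it is written into the 16-bit length part of the field. Also confirm that MAX_VALLEN, defined as 65535 - VALUE_LEN, is the intended limit for the whole field length rather than for the value alone.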
+@@ -1807,7 +1834,6 @@ crypto_update(void)
+ 	if (hostval.tstamp == 0)
+ 		return;
+ 
+-
+ 	/*
+ 	 * Sign public key and timestamps. The filestamp is derived from
+ 	 * the host key file extension from wherever the file was
+@@ -2108,7 +2134,8 @@ crypto_bob(
+ 	tstamp_t tstamp;	/* NTP timestamp */
+ 	BIGNUM	*bn, *bk, *r;
+ 	u_char	*ptr;
+-	u_int	len;
++	u_int	len;		/* extension field length */
++	u_int	vallen = 0;	/* value length */
+ 
+ 	/*
+ 	 * If the IFF parameters are not valid, something awful
+@@ -2123,8 +2150,11 @@ crypto_bob(
+ 	/*
+ 	 * Extract r from the challenge.
+ 	 */
+-	len = ntohl(ep->vallen);
+-	if ((r = BN_bin2bn((u_char *)ep->pkt, len, NULL)) == NULL) {
++	vallen = ntohl(ep->vallen);
++	len = ntohl(ep->opcode) & 0x0000ffff;
++	if (vallen == 0 || len < VALUE_LEN || len - VALUE_LEN < vallen)
++		return XEVNT_LEN;
++	if ((r = BN_bin2bn((u_char *)ep->pkt, vallen, NULL)) == NULL) {
+ 		msyslog(LOG_ERR, "crypto_bob: %s",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+ 		return (XEVNT_ERR);
+@@ -2136,7 +2166,7 @@ crypto_bob(
+ 	 */
+ 	bctx = BN_CTX_new(); bk = BN_new(); bn = BN_new();
+ 	sdsa = DSA_SIG_new();
+-	BN_rand(bk, len * 8, -1, 1);		/* k */
++	BN_rand(bk, vallen * 8, -1, 1);		/* k */
+ 	BN_mod_mul(bn, dsa->priv_key, r, dsa->q, bctx); /* b r mod q */
+ 	BN_add(bn, bn, bk);
+ 	BN_mod(bn, bn, dsa->q, bctx);		/* k + b r mod q */
+@@ -2155,30 +2185,37 @@ crypto_bob(
+ 	 * Encode the values in ASN.1 and sign. The filestamp is from
+ 	 * the local file.
+ 	 */
+-	len = i2d_DSA_SIG(sdsa, NULL);
+-	if (len == 0) {
++	vallen = i2d_DSA_SIG(sdsa, NULL);
++	if (vallen == 0) {
+ 		msyslog(LOG_ERR, "crypto_bob: %s",
+ 		    ERR_error_string(ERR_get_error(), NULL));
+ 		DSA_SIG_free(sdsa);
+ 		return (XEVNT_ERR);
+ 	}
++	if (vallen > MAX_VALLEN) {
++		msyslog(LOG_ERR, "crypto_bob: signature is too big: %d",
++		    vallen);
++		DSA_SIG_free(sdsa);
++		return (XEVNT_LEN);
++	}
+ 	memset(vp, 0, sizeof(struct value));
+ 	tstamp = crypto_time();
+ 	vp->tstamp = htonl(tstamp);
+ 	vp->fstamp = htonl(iffkey_info->fstamp);
+-	vp->vallen = htonl(len);
+-	ptr = emalloc(len);
++	vp->vallen = htonl(vallen);
++	ptr = emalloc(vallen);
+ 	vp->ptr = ptr;
+ 	i2d_DSA_SIG(sdsa, &ptr);
+ 	DSA_SIG_free(sdsa);
+ 	if (tstamp == 0)
+ 		return (XEVNT_OK);
+ 
++	/* XXX: more validation to make sure the sign fits... */
+ 	vp->sig = emalloc(sign_siglen);
+ 	EVP_SignInit(&ctx, sign_digest);
+ 	EVP_SignUpdate(&ctx, (u_char *)&vp->tstamp, 12);
+-	EVP_SignUpdate(&ctx, vp->ptr, len);
+-	if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
++	EVP_SignUpdate(&ctx, vp->ptr, vallen);
++	if (EVP_SignFinal(&ctx, vp->sig, &vallen, sign_pkey))
+ 		vp->siglen = htonl(sign_siglen);
+ 	return (XEVNT_OK);
+ }
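Review bot: i2d_DSA_SIG() returns an int that is negative on error, and storing it in the u_int vallen makes the vallen == 0 test miss that case. The failure is then caught by vallen > MAX_VALLEN and logged as "signature is too big" with XEVNT_LEN instead of XEVNT_ERR. Keep the return value in an int, test it for <= 0, then assign it to vallen. The msyslog() format should be %u for a u_int, and as in crypto_encrypt() the EVP_SignFinal() call overwrites vallen with the signature length, which deserves its own variable.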
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2014-9297	2015-02-04 11:37:44.490673080 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-02-04 11:47:42.653868627 +0100
+@@ -431,7 +431,7 @@ receive(
+ 	 */
+ 	authlen = LEN_PKT_NOMAC;
+ 	has_mac = rbufp->recv_length - authlen;
+-	while (has_mac != 0) {
++	while (has_mac > 0) {
+ 		u_int32	len;
+ 
+ 		if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
+@@ -456,6 +456,14 @@ receive(
+ 	}
+ 
+ 	/*
++	 * If has_mac is < 0 we had a malformed packet.
++	 */
++	if (has_mac < 0) {
++		sys_badlength++;
++		return;		/* bad length */
++	}
++
++	/*
+ 	 * If authentication required, a MAC must be present.
+ 	 */
+ 	if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
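Review bot: Both ntp_proto.c changes in receive() depend on has_mac being a signed type, and its declaration is not in either hunk. If it is unsigned, while (has_mac > 0) behaves exactly like the old != 0 test and the new has_mac < 0 branch is dead code. Confirm the declaration, and extend the new comment to say how has_mac can become negative so the check is not removed later as unreachable.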
diff --git a/SOURCES/ntp-4.2.6p5-cve-2014-9298.patch b/SOURCES/ntp-4.2.6p5-cve-2014-9298.patch
new file mode 100644
index 0000000..525e2a0
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2014-9298.patch
@@ -0,0 +1,38 @@
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54922b65gDSbE4G7c3JjkuK1Tv33qQ
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5492d2879rotbnnuVch_ZC3RAfS8AA
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=5496213frLaEz5PHLZVhuYjM7Lalkw
+http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=54c2228bpOp4_zrX9aGXdMEZJEGzkg
+
+diff -up ntp-4.2.6p5/ntpd/ntp_io.c.cve-2014-9298 ntp-4.2.6p5/ntpd/ntp_io.c
+--- ntp-4.2.6p5/ntpd/ntp_io.c.cve-2014-9298	2015-02-04 11:49:30.506083987 +0100
++++ ntp-4.2.6p5/ntpd/ntp_io.c	2015-02-04 12:09:12.638449788 +0100
+@@ -3498,6 +3498,29 @@ read_network_packet(
+ 		    fd, buflen, stoa(&rb->recv_srcadr)));
+ 
+ 	/*
++	** Bug 2672: Some OSes (MacOSX and Linux) don't block spoofed ::1
++	*/
++
++	if (AF_INET6 == itf->family) {
++		DPRINTF(2, ("Got an IPv6 packet, from <%s> (%d) to <%s> (%d)\n",
++			stoa(&rb->recv_srcadr),
++			IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr)),
++			stoa(&itf->sin),
++			!IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
++			));
++
++		if (   IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&rb->recv_srcadr))
++		    && !IN6_IS_ADDR_LOOPBACK(PSOCK_ADDR6(&itf->sin))
++		   ) {
++			packets_dropped++;
++			DPRINTF(2, ("DROPPING that packet\n"));
++			freerecvbuf(rb);
++			return buflen;
++		}
++		DPRINTF(2, ("processing that packet\n"));
++	}
++
++	/*
+ 	 * Got one.  Mark how and when it got here,
+ 	 * put it on the full list and do bookkeeping.
+ 	 */
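Review bot: In the added block the drop path at `packets_dropped++` is reported only through `DPRINTF(2, ...)`, so a production build gives an operator no record of which interface received a packet claiming a ::1 source; consider a rate-limited `msyslog` there. The first `DPRINTF` also prints `IN6_IS_ADDR_LOOPBACK(...)` for the source but `!IN6_IS_ADDR_LOOPBACK(...)` for the destination under the same `(%d)` format, so the two flags have opposite meanings in one debug line; print both un-negated or label them. The patch header lists four upstream URLs with no sentence saying what each revision contributes.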
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-1798.patch b/SOURCES/ntp-4.2.6p5-cve-2015-1798.patch
new file mode 100644
index 0000000..413573d
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-1798.patch
@@ -0,0 +1,28 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1798 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1798	2015-04-08 12:50:57.997021032 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-04-08 12:50:58.005021047 +0200
+@@ -1130,18 +1130,20 @@ receive(
+ 		return;
+ 
+ 	/* 
+-	 * If the digest fails, the client cannot authenticate a server
++	 * If the digest fails or it's missing for authenticated
++	 * associations, the client cannot authenticate a server
+ 	 * reply to a client packet previously sent. The loopback check
+ 	 * is designed to avoid a bait-and-switch attack, which was
+ 	 * possible in past versions. If symmetric modes, return a
+ 	 * crypto-NAK. The peer should restart the protocol.
+ 	 */
+-	} else if (!AUTH(has_mac || (restrict_mask & RES_DONTTRUST),
+-	    is_authentic)) {
++	} else if (!AUTH(peer->keyid || has_mac ||
++			 (restrict_mask & RES_DONTTRUST), is_authentic)) {
+ 		report_event(PEVNT_AUTH, peer, "digest");
+ 		peer->flash |= TEST5;		/* bad auth */
+ 		peer->badauth++;
+-		if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
++		if (has_mac &&
++		    (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE))
+ 			fast_xmit(rbufp, MODE_ACTIVE, 0, restrict_mask);
+ 		if (peer->flags & FLAG_PREEMPT) {
+ 			unpeer(peer);
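Review bot: The crypto-NAK reply is now sent only when `has_mac` is set, but the comment above still reads "If symmetric modes, return a crypto-NAK" without that condition; update it to say that a packet with no MAC on a keyed association is flagged TEST5 without a reply. A sentence on why `peer->keyid` is now part of the first argument to `AUTH()` would also help, since that is the term that makes a missing MAC fail the check.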
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-1799.patch b/SOURCES/ntp-4.2.6p5-cve-2015-1799.patch
new file mode 100644
index 0000000..10548ab
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-1799.patch
@@ -0,0 +1,37 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1799 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2015-1799	2015-04-08 13:06:43.083810350 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-04-08 13:08:12.679980322 +0200
+@@ -1101,16 +1101,6 @@ receive(
+ 	}
+ 
+ 	/*
+-	 * Update the state variables.
+-	 */
+-	if (peer->flip == 0) {
+-		if (hismode != MODE_BROADCAST)
+-			peer->rec = p_xmt;
+-		peer->dst = rbufp->recv_time;
+-	}
+-	peer->xmt = p_xmt;
+-
+-	/*
+ 	 * If this is a crypto_NAK, the server cannot authenticate a
+ 	 * client packet. The server might have just changed keys. Clear
+ 	 * the association and restart the protocol.
+@@ -1157,6 +1147,16 @@ receive(
+ 	}
+ 
+ 	/*
++	 * Update the state variables.
++	 */
++	if (peer->flip == 0) {
++		if (hismode != MODE_BROADCAST)
++			peer->rec = p_xmt;
++		peer->dst = rbufp->recv_time;
++	}
++	peer->xmt = p_xmt;
++
++	/*
+ 	 * Set the peer ppoll to the maximum of the packet ppoll and the
+ 	 * peer minpoll. If a kiss-o'-death, set the peer minpoll to
+ 	 * this maximumn and advance the headway to give the sender some
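Review bot: The block that sets `peer->rec`, `peer->dst` and `peer->xmt` is moved from above the crypto-NAK handling to a later point in `receive()`, but its comment is still only "Update the state variables." Add a sentence saying these fields must not be written until the packet has passed the checks that now precede the block, so that a later refactor does not move the update back ahead of them. The patch file also has no description or upstream reference at the top.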
diff --git a/SOURCES/ntp-4.2.6p5-cve-2015-3405.patch b/SOURCES/ntp-4.2.6p5-cve-2015-3405.patch
new file mode 100644
index 0000000..7cd238d
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2015-3405.patch
@@ -0,0 +1,31 @@
+diff -up ntp-4.2.6p5/util/ntp-keygen.c.bigkeygen ntp-4.2.6p5/util/ntp-keygen.c
+--- ntp-4.2.6p5/util/ntp-keygen.c.bigkeygen	2015-04-14 09:47:54.205534510 +0200
++++ ntp-4.2.6p5/util/ntp-keygen.c	2015-04-14 09:50:04.068927862 +0200
+@@ -742,24 +742,23 @@ gen_md5(
+ 	ntp_srandom((u_long)epoch);
+ 	for (i = 1; i <= MD5KEYS; i++) {
+ 		for (j = 0; j < MD5SIZE; j++) {
+-			int temp;
++			u_char temp;
+ 
+ 			while (1) {
+ 				int rc;
+ 
+-				rc = ntp_crypto_random_buf(&temp, 1);
++				rc = ntp_crypto_random_buf(&temp, sizeof(temp));
+ 				if (-1 == rc) {
+ 					fprintf(stderr, "ntp_crypto_random_buf() failed.\n");
+ 					exit (-1);
+ 				}
+-				temp &= 0xff;
+ 				if (temp == '#')
+ 					continue;
+ 
+ 				if (temp > 0x20 && temp < 0x7f)
+ 					break;
+ 			}
+-			md5key[j] = (u_char)temp;
++			md5key[j] = temp;
+ 		}
+ 		md5key[j] = '\0';
+ 		fprintf(str, "%2d MD5 %s  # MD5 key\n", i,
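Review bot: With `int temp` and a one-byte `ntp_crypto_random_buf(&temp, 1)`, the old code left the other bytes of `temp` uninitialised, and `temp &= 0xff` selected the random byte only on little-endian hosts; the `u_char` change fixes that, but nothing in the patch says so. Add a header line describing the defect and noting that MD5 keys already generated by the old code on big-endian hosts need to be regenerated, since this change does not touch existing key files.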
diff --git a/SOURCES/ntp-4.2.6p5-dscp.patch b/SOURCES/ntp-4.2.6p5-dscp.patch
new file mode 100644
index 0000000..6b91e2c
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-dscp.patch
@@ -0,0 +1,163 @@
+diff -up ntp-4.2.6p5/html/miscopt.html.dscp ntp-4.2.6p5/html/miscopt.html
+--- ntp-4.2.6p5/html/miscopt.html.dscp	2015-06-04 15:50:44.726240345 +0200
++++ ntp-4.2.6p5/html/miscopt.html	2015-06-04 15:50:44.734240368 +0200
+@@ -132,6 +132,8 @@
+ 				<dd>The trap receiver will generally log event messages and other information from the server in a log file. While such monitor programs may also request their own trap dynamically, configuring a trap receiver will ensure that no messages are lost when the server is started.</dd>
+ 			<dt id="ttl"><tt>ttl <i>hop</i> ...</tt></dt>
+ 			<dd>This command specifies a list of TTL values in increasing order. up to 8 values can be specified. In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31.</dd>
++			<dt id="dscp"><tt>dscp <i>dscp</i></tt></dt>
++			<dd>This command specifies the Differentiated Services Code Point (DSCP) value that is used in sent NTP packets.  The default value is 48 for Class Selector 6 (CS6).</dd>
+ 		</dl>
+ 		<hr>
+ 		<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+diff -up ntp-4.2.6p5/include/ntp_io.h.dscp ntp-4.2.6p5/include/ntp_io.h
+--- ntp-4.2.6p5/include/ntp_io.h.dscp	2010-12-25 10:40:34.000000000 +0100
++++ ntp-4.2.6p5/include/ntp_io.h	2015-06-04 15:50:44.734240368 +0200
+@@ -80,6 +80,7 @@ typedef enum {
+ } nic_rule_action;
+ 
+ 
++extern int	qos;
+ isc_boolean_t	get_broadcastclient_flag(void);
+ extern int	is_ip_address(const char *, sockaddr_u *);
+ extern void	sau_from_netaddr(sockaddr_u *, const isc_netaddr_t *);
+diff -up ntp-4.2.6p5/ntpd/keyword-gen.c.dscp ntp-4.2.6p5/ntpd/keyword-gen.c
+--- ntp-4.2.6p5/ntpd/keyword-gen.c.dscp	2015-06-04 15:50:44.727240348 +0200
++++ ntp-4.2.6p5/ntpd/keyword-gen.c	2015-06-04 15:50:44.734240368 +0200
+@@ -38,6 +38,7 @@ struct key_tok ntp_keywords[] = {
+ { "calldelay",		T_Calldelay,		FOLLBY_TOKEN },
+ { "disable",		T_Disable,		FOLLBY_TOKEN },
+ { "driftfile",		T_Driftfile,		FOLLBY_STRING },
++{ "dscp",		T_Dscp,			FOLLBY_TOKEN },
+ { "enable",		T_Enable,		FOLLBY_TOKEN },
+ { "end",		T_End,			FOLLBY_TOKEN },
+ { "filegen",		T_Filegen,		FOLLBY_TOKEN },
+diff -up ntp-4.2.6p5/ntpd/ntp_config.c.dscp ntp-4.2.6p5/ntpd/ntp_config.c
+--- ntp-4.2.6p5/ntpd/ntp_config.c.dscp	2015-06-04 15:50:44.728240351 +0200
++++ ntp-4.2.6p5/ntpd/ntp_config.c	2015-06-04 15:50:44.735240371 +0200
+@@ -204,9 +204,6 @@ int	cryptosw;		/* crypto command called
+ extern int sys_maxclock;
+ extern char *stats_drift_file;	/* name of the driftfile */
+ extern char *leapseconds_file_name; /*name of the leapseconds file */
+-#ifdef HAVE_IPTOS_SUPPORT
+-extern unsigned int qos;				/* QoS setting */
+-#endif /* HAVE_IPTOS_SUPPORT */
+ 
+ #ifdef BC_LIST_FRAMEWORK_NOT_YET_USED
+ /*
+@@ -3201,6 +3198,10 @@ config_vars(
+ 			} else
+ 				stats_config(STATS_FREQ_FILE, curr_var->value.s);
+ 			break;
++		case T_Dscp:
++			/* DSCP is in the upper 6 bits of the IP TOS/DS field */
++			qos = curr_var->value.i << 2;
++			break;
+ 		case T_WanderThreshold:
+ 			wander_threshold = curr_var->value.d;
+ 			break;
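Review bot: `qos = curr_var->value.i << 2;` in the new `T_Dscp` case accepts any integer from the configuration file, although the comment beside it says DSCP occupies only the upper 6 bits of the TOS/DS field. Reject values outside 0..63 with an `msyslog(LOG_ERR, ...)` and keep the default; a negative value also makes the left shift undefined. The `dscp` entry added to miscopt.html should state the same range.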
+@@ -3737,7 +3738,6 @@ config_ntpd(
+ 	)
+ {
+ 	config_nic_rules(ptree);
+-	io_open_sockets();
+ 	config_monitor(ptree);
+ 	config_auth(ptree);
+ 	config_tos(ptree);
+@@ -3750,6 +3750,9 @@ config_ntpd(
+ 	config_ttl(ptree);
+ 	config_trap(ptree);
+ 	config_vars(ptree);
++
++	io_open_sockets();
++
+ 	config_other_modes(ptree);
+ 	config_peers(ptree);
+ 	config_unpeers(ptree);
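Review bot: `io_open_sockets()` is moved from before `config_monitor(ptree)` to after `config_vars(ptree)`, presumably so the `dscp` value is set before sockets are created, but the call site carries no comment about that ordering. Add one, and confirm that none of the calls that now run first (`config_monitor` through `config_vars`) depend on the sockets already being open.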
+diff -up ntp-4.2.6p5/ntpd/ntp_io.c.dscp ntp-4.2.6p5/ntpd/ntp_io.c
+--- ntp-4.2.6p5/ntpd/ntp_io.c.dscp	2015-06-04 15:50:44.725240342 +0200
++++ ntp-4.2.6p5/ntpd/ntp_io.c	2015-06-04 15:57:54.209359075 +0200
+@@ -66,6 +66,9 @@
+ 
+ extern int listen_to_virtual_ips;
+ 
++/* set IP_TOS/IPV6_TCLASS to minimize packet delay */
++int qos = IPTOS_PREC_INTERNETCONTROL;
++
+ /*
+  * NIC rule entry
+  */
+@@ -161,15 +164,6 @@ static int pktinfo_status = 0;		/* is IP
+ static	struct refclockio *refio;
+ #endif /* REFCLOCK */
+ 
+-#if defined(HAVE_IPTOS_SUPPORT)
+-/* set IP_TOS to minimize packet delay */
+-# if defined(IPTOS_PREC_INTERNETCONTROL)
+-	unsigned int qos = IPTOS_PREC_INTERNETCONTROL;
+-# else
+-	 unsigned int qos = IPTOS_LOWDELAY;
+-# endif
+-#endif
+-
+ /*
+  * File descriptor masks etc. for call to select
+  * Not needed for I/O Completion Ports
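Review bot: The removed block chose `IPTOS_PREC_INTERNETCONTROL` or fell back to `IPTOS_LOWDELAY`, all under `HAVE_IPTOS_SUPPORT`, while the replacement added near the top of the file, `int qos = IPTOS_PREC_INTERNETCONTROL;`, is unconditional. On a platform whose headers lack that macro the file no longer compiles; keep the `#if defined(IPTOS_PREC_INTERNETCONTROL)` fallback around the new definition. The type also changes from `unsigned int` to `int`, which matches the new `extern int qos;` in ntp_io.h but should be stated as a deliberate choice.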
+@@ -3034,6 +3028,13 @@ open_socket(
+ 	 * IPv6 specific options go here
+ 	 */
+ 	if (IS_IPV6(addr)) {
++#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
++		if (setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, (char*)&qos,
++			       sizeof(qos)))
++			msyslog(LOG_ERR,
++				"setsockopt IPV6_TCLASS (%02x) fails on address %s: %m",
++				qos, stoa(addr));
++#endif /* IPPROTO_IPV6 && IPV6_TCLASS */
+ #ifdef IPV6_V6ONLY
+ 		if (isc_net_probe_ipv6only() == ISC_R_SUCCESS
+ 		    && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
+diff -up ntp-4.2.6p5/ntpd/ntp_parser.y.dscp ntp-4.2.6p5/ntpd/ntp_parser.y
+--- ntp-4.2.6p5/ntpd/ntp_parser.y.dscp	2015-06-04 15:50:44.728240351 +0200
++++ ntp-4.2.6p5/ntpd/ntp_parser.y	2015-06-04 15:50:44.736240374 +0200
+@@ -94,6 +94,7 @@
+ %token	<Double>	T_Double
+ %token	<Integer>	T_Driftfile
+ %token	<Integer>	T_Drop
++%token	<Integer>	T_Dscp
+ %token	<Integer>	T_Ellipsis	/* "..." not "ellipsis" */
+ %token	<Integer>	T_Enable
+ %token	<Integer>	T_End
+@@ -268,6 +269,7 @@
+ %type	<Attr_val>	log_config_command
+ %type	<Queue>		log_config_list
+ %type	<Integer>	misc_cmd_dbl_keyword
++%type	<Integer>	misc_cmd_int_keyword
+ %type	<Integer>	misc_cmd_str_keyword
+ %type	<Integer>	misc_cmd_str_lcl_keyword
+ %type	<Integer>	nic_rule_class
+@@ -920,6 +922,13 @@ miscellaneous_command
+ 			av = create_attr_dval($1, $2);
+ 			enqueue(cfgt.vars, av);
+ 		}
++	|	misc_cmd_int_keyword T_Integer
++		{
++			struct attr_val *av;
++
++			av = create_attr_ival($1, $2);
++			enqueue(cfgt.vars, av);
++		}
+ 	|	misc_cmd_str_keyword T_String
+ 		{
+ 			struct attr_val *av;
+@@ -990,6 +999,10 @@ misc_cmd_dbl_keyword
+ 	|	T_Tick
+ 	;
+ 
++misc_cmd_int_keyword
++	:	T_Dscp
++	;
++
+ misc_cmd_str_keyword
+ 	:	T_Leapfile
+ 	|	T_Pidfile
diff --git a/SOURCES/ntp-4.2.6p5-keylen.patch b/SOURCES/ntp-4.2.6p5-keylen.patch
new file mode 100644
index 0000000..5dc50b8
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-keylen.patch
@@ -0,0 +1,12 @@
+diff -up ntp-4.2.6p5/libntp/authreadkeys.c.keylen ntp-4.2.6p5/libntp/authreadkeys.c
+--- ntp-4.2.6p5/libntp/authreadkeys.c.keylen	2015-02-09 12:33:15.549485698 +0100
++++ ntp-4.2.6p5/libntp/authreadkeys.c	2015-02-09 13:03:44.938842731 +0100
+@@ -74,7 +74,7 @@ authreadkeys(
+ 	keyid_t	keyno;
+ 	int	keytype;
+ 	char	buf[512];		/* lots of room for line */
+-	u_char	keystr[20];
++	u_char	keystr[32];
+ 	int	len;
+ 
+ 	/*
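Review bot: `keystr[32]` replaces one magic number with another, and the code that copies the decoded key into `keystr` is outside this hunk. Confirm that the copy is bounded by `sizeof(keystr)` rather than a literal 20, and define the size as a named constant with a comment saying which key length it is meant to hold.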
diff --git a/SOURCES/ntp-4.2.6p5-mcastjoin.patch b/SOURCES/ntp-4.2.6p5-mcastjoin.patch
new file mode 100644
index 0000000..a86bc68
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-mcastjoin.patch
@@ -0,0 +1,76 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_io.c.mcastjoin ntp-4.2.6p5/ntpd/ntp_io.c
+--- ntp-4.2.6p5/ntpd/ntp_io.c.mcastjoin	2015-04-13 14:41:59.108323479 +0200
++++ ntp-4.2.6p5/ntpd/ntp_io.c	2015-04-13 14:43:46.468637433 +0200
+@@ -2038,6 +2038,32 @@ update_interfaces(
+ 	if (sys_bclient)
+ 		io_setbclient();
+ 
++	/*
++	 * Check multicast interfaces and try to join multicast groups if
++	 * not joined yet.
++	 */
++	for (ep = ep_list; ep != NULL; ep = ep->elink) {
++		remaddr_t *entry;
++
++		if (!(INT_MCASTIF & ep->flags) || (INT_MCASTOPEN & ep->flags))
++			continue;
++
++		/* Find remote address that was linked to this interface */
++		for (entry = remoteaddr_list;
++		     entry != NULL;
++		     entry = entry->link) {
++			if (entry->ep == ep) {
++				if (socket_multicast_enable(ep, &entry->addr)) {
++					msyslog(LOG_INFO,
++						"Joined %s socket to multicast group %s",
++						stoa(&ep->sin),
++						stoa(&entry->addr));
++				}
++				break;
++			}
++		}
++	}
++
+ 	return new_interface_found;
+ }
+ 
+@@ -2467,12 +2493,12 @@ socket_multicast_enable(
+ 			       IP_ADD_MEMBERSHIP,
+ 			       (char *)&mreq, 
+ 			       sizeof(mreq))) {
+-			msyslog(LOG_ERR,
++			DPRINTF(2, (
+ 				"setsockopt IP_ADD_MEMBERSHIP failed: %m on socket %d, addr %s for %x / %x (%s)",
+ 				iface->fd, stoa(&iface->sin),
+ 				mreq.imr_multiaddr.s_addr,
+ 				mreq.imr_interface.s_addr,
+-				stoa(maddr));
++				stoa(maddr)));
+ 			return ISC_FALSE;
+ 		}
+ 		DPRINTF(4, ("Added IPv4 multicast membership on socket %d, addr %s for %x / %x (%s)\n",
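Review bot: The failure message moved from `msyslog` to `DPRINTF(2, (...))` keeps its format string without a trailing `\n`, while the `DPRINTF(4, ...)` success message just below it ends in `\n`, so debug output will run into the next line. Add the newline here and in the matching `IPV6_JOIN_GROUP` change in the next hunk.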
+@@ -2497,10 +2523,10 @@ socket_multicast_enable(
+ 		if (setsockopt(iface->fd, IPPROTO_IPV6,
+ 			       IPV6_JOIN_GROUP, (char *)&mreq6, 
+ 			       sizeof(mreq6))) {
+-			msyslog(LOG_ERR,
++			DPRINTF(2, (
+ 				"setsockopt IPV6_JOIN_GROUP failed: %m on socket %d, addr %s for interface %u (%s)",
+ 				iface->fd, stoa(&iface->sin),
+-				mreq6.ipv6mr_interface, stoa(maddr));
++				mreq6.ipv6mr_interface, stoa(maddr)));
+ 			return ISC_FALSE;
+ 		}
+ 		DPRINTF(4, ("Added IPv6 multicast group on socket %d, addr %s for interface %u (%s)\n",
+@@ -2793,11 +2819,6 @@ io_multicast_add(
+ 				"Joined %s socket to multicast group %s",
+ 				stoa(&ep->sin),
+ 				stoa(addr));
+-		else
+-			msyslog(LOG_ERR,
+-				"Failed to join %s socket to multicast group %s",
+-				stoa(&ep->sin),
+-				stoa(addr));
+ 	}
+ 
+ 	add_addr_to_list(addr, one_ep);
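Review bot: Removing the `else` branch here, together with the two `msyslog(LOG_ERR, ...)` calls demoted to `DPRINTF` above, means a join that never succeeds produces no message in a non-debug build. The retry loop added to `update_interfaces()` logs only on success; log the first failure for each interface and group pair at `LOG_INFO` or `LOG_WARNING` so a misconfigured multicast address is still visible.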
diff --git a/SOURCES/ntp-4.2.6p5-mlock.patch b/SOURCES/ntp-4.2.6p5-mlock.patch
index b91da26..ba04c54 100644
--- a/SOURCES/ntp-4.2.6p5-mlock.patch
+++ b/SOURCES/ntp-4.2.6p5-mlock.patch
@@ -9,7 +9,7 @@ diff -up ntp-4.2.6p5/html/ntpd.html.mlock ntp-4.2.6p5/html/ntpd.html
 +		<tt>ntpd [ -46aAbdDgLmnNqx ] [ -c <i>conffile</i> ] [ -f <i>driftfile</i> ] [ -i <i>jaildir</i> ] [ -I <i>iface</i> ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ] [ -p <i>pidfile</i> ] [ -P <i>priority</i> ] [ -r <i>broadcastdelay</i> ] [ -s <i>statsdir</i> ] [ -t <i>key</i> ] [ -u <i>user</i>[:<i>group</i>] ] [ -U <i>interface_update_interval</i> ] [ -v <i>variable</i> ] [ -V <i>variable</i> ]</tt>
  		<h4 id="descr">Description</h4>
  		<p>The <tt>ntpd</tt> program is an operating system daemon that synchronises the system clock with remote NTP&nbsp;time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the <a href="assoc.html">Association Management</a> page, and with both symmetric key and public key cryptography, as described on the <a href="manyopt.html">Authentication Options</a> page.</p>
- 		<p>The <tt>ntpd</tt> program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
+ 		<p>The <tt>ntpd</tt> program ordinarily requires a configuration file as described on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
 @@ -123,6 +123,8 @@
  			<dd>Do not listen to virtual interfaces, defined as those with names containing a colon. This option is deprecated. Please consider using the configuration file <a href="miscopt.html#interface">interface</a> command, which is more versatile.</dd>
  			<dt><tt>-M</tt></dt>
@@ -37,7 +37,7 @@ diff -up ntp-4.2.6p5/ntpd/ntpd.c.mlock ntp-4.2.6p5/ntpd/ntpd.c
  	     * has to be larger than the largest ntpd resident set size.
  	     */
 -	    rl.rlim_cur = rl.rlim_max = 32*1024*1024;
-+	    rl.rlim_cur = rl.rlim_max = 64*1024*1024;
++	    rl.rlim_cur = rl.rlim_max = 128*1024*1024;
  	    if (setrlimit(RLIMIT_MEMLOCK, &rl) == -1) {
  		msyslog(LOG_ERR, "Cannot set RLIMIT_MEMLOCK: %m");
  	    }
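Review bot: The limit at `rl.rlim_cur = rl.rlim_max = 128*1024*1024;` is doubled from the previous 64 MB with no stated reason, while the comment above only says it has to be larger than the largest ntpd resident set size. Record in the patch what outgrew the previous value. Note also that a failed `setrlimit` is only logged here, so the daemon continues with whatever limit it inherited.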
diff --git a/SOURCES/ntp-4.2.6p5-monwarn.patch b/SOURCES/ntp-4.2.6p5-monwarn.patch
new file mode 100644
index 0000000..a1aa2d4
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-monwarn.patch
@@ -0,0 +1,17 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.monwarn ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.monwarn	2014-07-03 18:03:37.985020147 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2014-07-03 18:06:08.656380757 +0200
+@@ -3701,8 +3701,12 @@ proto_config(
+ 	case PROTO_MONITOR:	/* monitoring (monitor) */
+ 		if (value)
+ 			mon_start(MON_ON);
+-		else
++		else {
+ 			mon_stop(MON_ON);
++			if (mon_enabled)
++				msyslog(LOG_WARNING,
++					"monitor cannot be disabled with limited restrict");
++		}
+ 		break;
+ 
+ 	case PROTO_NTP:		/* NTP discipline (ntp) */
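Review bot: The warning text "monitor cannot be disabled with limited restrict" does not say that monitoring is still active after `mon_stop(MON_ON)`. An administrator who disabled the monitor will assume it is off, so reword it along the lines of "monitor remains enabled because a restrict line uses limited" and mention the behaviour in the documentation for the option.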
diff --git a/SOURCES/ntp-4.2.6p5-mreadvar.patch b/SOURCES/ntp-4.2.6p5-mreadvar.patch
new file mode 100644
index 0000000..ed9dffc
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-mreadvar.patch
@@ -0,0 +1,13 @@
+diff -up ntp-4.2.6p5/ntpq/ntpq-subs.c.mreadvar ntp-4.2.6p5/ntpq/ntpq-subs.c
+--- ntp-4.2.6p5/ntpq/ntpq-subs.c.mreadvar	2011-12-25 00:27:15.000000000 +0100
++++ ntp-4.2.6p5/ntpq/ntpq-subs.c	2015-02-09 12:13:02.215449708 +0100
+@@ -857,8 +857,8 @@ mreadvar(
+ 				&from, &to))
+ 		return;
+ 
++	memset(tmplist, 0, sizeof(tmplist));
+ 	if (pcmd->nargs >= 3) {
+-		memset(tmplist, 0, sizeof(tmplist));
+ 		doaddvlist(tmplist, pcmd->argval[2].string);
+ 		pvars = tmplist;
+ 	} else {
diff --git a/SOURCES/ntp-4.2.6p5-nanoshm.patch b/SOURCES/ntp-4.2.6p5-nanoshm.patch
new file mode 100644
index 0000000..5327a53
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-nanoshm.patch
@@ -0,0 +1,141 @@
+diff -up ntp-4.2.6p5/ntpd/refclock_shm.c.nanoshm ntp-4.2.6p5/ntpd/refclock_shm.c
+--- ntp-4.2.6p5/ntpd/refclock_shm.c.nanoshm	2010-02-04 08:26:55.000000000 +0100
++++ ntp-4.2.6p5/ntpd/refclock_shm.c	2014-08-25 15:43:45.608698816 +0200
+@@ -83,16 +83,18 @@ struct shmTime {
+ 		      *         use values 
+ 		      *       clear valid
+ 		      */
+-	int    count;
+-	time_t clockTimeStampSec;
+-	int    clockTimeStampUSec;
+-	time_t receiveTimeStampSec;
+-	int    receiveTimeStampUSec;
+-	int    leap;
+-	int    precision;
+-	int    nsamples;
+-	int    valid;
+-	int    dummy[10]; 
++	volatile int    count;
++	time_t		clockTimeStampSec;
++	int		clockTimeStampUSec;
++	time_t		receiveTimeStampSec;
++	int		receiveTimeStampUSec;
++	int		leap;
++	int		precision;
++	int		nsamples;
++	volatile int    valid;
++	unsigned	clockTimeStampNSec;	/* Unsigned ns timestamps */
++	unsigned	receiveTimeStampNSec;	/* Unsigned ns timestamps */
++	int		dummy[8];
+ };
+ 
+ struct shmunit {
+@@ -320,31 +322,68 @@ int shm_peek(
+ 		return(0);
+ 	}
+ 	if (shm->valid) {
+-		struct timeval tvr;
+-		struct timeval tvt;
++		struct timespec tvr;
++		struct timespec tvt;
+ 		struct tm *t;
+ 		int ok=1;
++		unsigned cns_new, rns_new;
++		int cnt;
+ 		tvr.tv_sec = 0;
+-		tvr.tv_usec = 0;
++		tvr.tv_nsec = 0;
+ 		tvt.tv_sec = 0;
+-		tvt.tv_usec = 0;
++		tvt.tv_nsec = 0;
+ 		switch (shm->mode) {
+-		    case 0: {
+-			    tvr.tv_sec=shm->receiveTimeStampSec;
+-			    tvr.tv_usec=shm->receiveTimeStampUSec;
+-			    tvt.tv_sec=shm->clockTimeStampSec;
+-			    tvt.tv_usec=shm->clockTimeStampUSec;
+-		    }
+-		    break;
+-		    case 1: {
+-			    int cnt=shm->count;
+-			    tvr.tv_sec=shm->receiveTimeStampSec;
+-			    tvr.tv_usec=shm->receiveTimeStampUSec;
+-			    tvt.tv_sec=shm->clockTimeStampSec;
+-			    tvt.tv_usec=shm->clockTimeStampUSec;
+-			    ok=(cnt==shm->count);
+-		    }
+-		    break;
++		    case 0:
++			tvr.tv_sec	= shm->receiveTimeStampSec;
++			tvr.tv_nsec	= shm->receiveTimeStampUSec * 1000;
++			rns_new		= shm->receiveTimeStampNSec;
++			tvt.tv_sec	= shm->clockTimeStampSec;
++			tvt.tv_nsec	= shm->clockTimeStampUSec * 1000;
++			cns_new		= shm->clockTimeStampNSec;
++
++			/* Since these comparisons are between unsigned
++			** variables they are always well defined, and any
++			** (signed) underflow will turn into very large
++			** unsigned values, well above the 1000 cutoff
++			*/
++			if (   ((cns_new - (unsigned)tvt.tv_nsec) < 1000)
++			    && ((rns_new - (unsigned)tvr.tv_nsec) < 1000)) {
++				tvt.tv_nsec = cns_new;
++				tvr.tv_nsec = rns_new;
++			}
++			// At this point tvr and tvt contains valid ns-level
++			// timestamps, possibly generated by extending the
++			// old us-level timestamps
++
++			break;
++
++		    case 1:
++			cnt = shm->count;
++
++			tvr.tv_sec	= shm->receiveTimeStampSec;
++			tvr.tv_nsec	= shm->receiveTimeStampUSec * 1000;
++			rns_new		= shm->receiveTimeStampNSec;
++			tvt.tv_sec	= shm->clockTimeStampSec;
++			tvt.tv_nsec	= shm->clockTimeStampUSec * 1000;
++			cns_new		= shm->clockTimeStampNSec;
++			ok = (cnt == shm->count);
++
++			/* Since these comparisons are between unsigned
++			** variables they are always well defined, and any
++			** (signed) underflow will turn into very large
++			** unsigned values, well above the 1000 cutoff
++			*/
++			if (   ((cns_new - (unsigned)tvt.tv_nsec) < 1000)
++			    && ((rns_new - (unsigned)tvr.tv_nsec) < 1000)) {
++				tvt.tv_nsec = cns_new;
++				tvr.tv_nsec = rns_new;
++			}
++			// At this point tvr and tvt contains valid ns-level
++			// timestamps, possibly generated by extending the
++			// old us-level timestamps
++
++			break;
++
+ 		    default:
+ 			msyslog (LOG_ERR, "SHM: bad mode found in shared memory: %d",shm->mode);
+ 		}
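Review bot: The nanosecond-extension block (the two unsigned comparisons against 1000 and the assignments that follow) is duplicated verbatim in `case 0` and `case 1`; move it into a small static helper so the two modes cannot drift apart. In `case 1`, `ok = (cnt == shm->count)` is evaluated before that block, which works because the block uses only the local copies, but a comment saying so would help. The two `//` comments should use `/* */` like the rest of the hunk.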
+@@ -352,8 +391,8 @@ int shm_peek(
+ 		if (ok) {
+ 			time_t help;	/* XXX NetBSD has incompatible tv_sec */
+ 
+-			TVTOTS(&tvr,&pp->lastrec);
+-			pp->lastrec.l_ui += JAN_1970;
++			pp->lastrec.l_ui = (u_long)tvr.tv_sec + JAN_1970;
++			pp->lastrec.l_uf = tvr.tv_nsec * 4.294967296;
+ 			/* pp->lasttime = current_time; */
+ 			pp->polls++;
+ 			help = tvt.tv_sec;
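Review bot: `pp->lastrec.l_uf = tvr.tv_nsec * 4.294967296;` assumes `0 <= tvr.tv_nsec < 1000000000`, but `tv_nsec` comes from `receiveTimeStampUSec * 1000` or `receiveTimeStampNSec`, both read from the shared memory segment without a range check. An out-of-range value makes the double-to-integer conversion undefined; validate the microsecond and nanosecond fields in `shm_peek()` and discard the sample otherwise. The constant deserves a name or a comment (2^32 / 10^9).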
+@@ -362,7 +401,7 @@ int shm_peek(
+ 			pp->hour=t->tm_hour;
+ 			pp->minute=t->tm_min;
+ 			pp->second=t->tm_sec;
+-			pp->nsec=tvt.tv_usec * 1000;
++			pp->nsec = tvt.tv_nsec;
+ 			peer->precision=shm->precision;
+ 			pp->leap=shm->leap;
+ 		} 
diff --git a/SOURCES/ntp-4.2.6p5-rsaexp.patch b/SOURCES/ntp-4.2.6p5-rsaexp.patch
new file mode 100644
index 0000000..4930ded
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-rsaexp.patch
@@ -0,0 +1,21 @@
+diff -up ntp-4.2.6p5/util/ntp-keygen.c.rsaexp ntp-4.2.6p5/util/ntp-keygen.c
+--- ntp-4.2.6p5/util/ntp-keygen.c.rsaexp	2015-02-09 12:18:06.627127473 +0100
++++ ntp-4.2.6p5/util/ntp-keygen.c	2015-02-09 12:28:15.263780280 +0100
+@@ -882,7 +882,7 @@ gen_rsa(
+ 	FILE	*str;
+ 
+ 	fprintf(stderr, "Generating RSA keys (%d bits)...\n", modulus);
+-	rsa = RSA_generate_key(modulus, 3, cb, "RSA");
++	rsa = RSA_generate_key(modulus, 65537, cb, "RSA");
+ 	fprintf(stderr, "\n");
+ 	if (rsa == NULL) {
+ 		fprintf(stderr, "RSA generate keys fails\n%s\n",
+@@ -1223,7 +1223,7 @@ gen_gqkey(
+ 	fprintf(stderr,
+ 	    "Generating GQ parameters (%d bits)...\n",
+ 	     modulus2);
+-	rsa = RSA_generate_key(modulus2, 3, cb, "GQ");
++	rsa = RSA_generate_key(modulus2, 65537, cb, "GQ");
+ 	fprintf(stderr, "\n");
+ 	if (rsa == NULL) {
+ 		fprintf(stderr, "RSA generate keys fails\n%s\n",
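Review bot: Both `RSA_generate_key()` calls, here in `gen_gqkey()` and in `gen_rsa()` above, now pass the literal `65537`; use OpenSSL's `RSA_F4` constant instead so the intent is clear at the call site. The patch has no description; state that public exponent 3 is being replaced and that keys already generated with the old exponent are left as they are unless the administrator regenerates them.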
diff --git a/SOURCES/ntp-4.2.6p5-shmperm.patch b/SOURCES/ntp-4.2.6p5-shmperm.patch
new file mode 100644
index 0000000..35638eb
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-shmperm.patch
@@ -0,0 +1,191 @@
+diff -up ntp-4.2.6p5/html/drivers/driver28.html.shmperm ntp-4.2.6p5/html/drivers/driver28.html
+--- ntp-4.2.6p5/html/drivers/driver28.html.shmperm	2009-12-09 08:36:37.000000000 +0100
++++ ntp-4.2.6p5/html/drivers/driver28.html	2015-02-09 15:57:57.450877311 +0100
+@@ -18,7 +18,8 @@
+             Driver ID: <tt>SHM</tt></p>
+ 
+         <h4>Description</h4>
+-        <p>This driver receives its reference clock info from a shared memory-segment. The shared memory-segment is created with owner-only access for unit 0 and 1, and world access for unit 2 and 3</p>
++        <p>This driver receives its reference clock info from a shared memory-segment. The shared memory-segment is created with owner-only access for unit 0 and 1, and world access for other units unless the mode word is set for owner-only access.</p>
++
+ 
+         <h4>Structure of shared memory-segment</h4>
+         <pre>struct shmTime {
+@@ -94,6 +95,40 @@ Here is a sample showing the GPS recepti
+ 54364 85700.160 127.127.28.0  65   0  65   0   0
+ </pre>
+ 
++    <h4>The 'mode' word</h4>
++    
++    <p>
++      Some aspects of the driver behavior can be adjusted by setting bits of
++      the 'mode' word in the server configuration line:<br>
++      &nbsp;&nbsp;<tt>server 127.127.28.</tt><i>x</i><tt> mode </tt><i>Y</i>
++    </p>
++
++    <table border="1" width="100%">
++      <caption>mode word bits and bit groups</caption>
++      <tbody><tr>
++	<th align="center">Bit</th>
++	<th align="center">Dec</th>
++	<th align="center">Hex</th>
++	<th align="left">Meaning</th>
++      </tr>
++      
++      <tr>
++	<td align="center">0</td>
++	<td align="center">1</td>
++	<td align="center">1</td>
++	<td>The SHM segment is private (mode 0600). This is the fixed
++	default for clock units 0 and 1; clock units &gt;1 are mode
++	0666 unless this bit is set for the specific unit.</td>
++
++      </tr><tr>
++	<td align="center">1-31</td>
++	<td align="center">-</td>
++	<td align="center">-</td>
++	<td><i>reserved -- do not use</i></td>
++	</tr>
++      </tbody>
++      </table>
++    
+ 	<h4>Fudge Factors</h4>
+         <dl>
+             <dt><tt>time1 <i>time</i></tt>
+@@ -112,9 +147,64 @@ Here is a sample showing the GPS recepti
+             <dd>Not used by this driver.
+             <dt><tt>flag4 0 | 1</tt>
+             <dd>If flag4 is set, clockstats records will be written when the driver is polled.
+-            <h4>Additional Information</h4>
+-            <p><a href="../refclock.html">Reference Clock Drivers</a></p>
+         </dl>
++
++	<h4>Public vs. Private SHM segments</h4>
++
++	<p>The driver attempts to create a shared memory segment with an
++	  identifier depending on the unit number. This identifier (which can be
++	  a numeric value or a string) clearly depends on the method used, which
++	  in turn depends on the host operating system:</p>
++
++	<ul>
++	  <li><p>
++	      <tt>Windows</tt> uses a file mapping to the page file with the
++	      name '<tt>Global\NTP</tt><i>u</i>' for public accessible
++	      mappings, where <i>u</i> is the clock unit. Private /
++	      non-public mappings are created as
++	      '<tt>Local\NTP</tt><i>u</i>'.
++	    </p><p>
++	      Public access assigns a NULL DACL to the memory mapping, while
++	      private access just uses the default DACL of the process creating
++	      the mapping.
++	    </p> 
++	  </li>
++	  <li><p>
++	      <tt>SYSV IPC</tt> creates a shared memory segment with a key value
++	      of <tt>0x4E545030</tt> + <i>u</i>, where <i>u</i> is again
++	      the clock unit. (This value could be hex-decoded as 'NTP0',
++	      'NTP1',..., with funny characters for units &gt; 9.)
++	    </p><p>
++	      Public access means a permission set of 0666, while private access
++	      creates the mapping with a permission set of 0600.
++	    </p>
++	  </li>
++	</ul>
++	
++	<p>There's no support for POSIX shared memory yet.</p>
++
++	<p><i>NTPD</i> is started as root on most POSIX-like operating systems
++	and uses the setuid/setgid system API to run under reduced rights once
++	the initial setup of the process is done. One consequence out of this
++	is that the allocation of SHM segments must be done early during the
++	clock setup. The actual polling of the clock is done as the run-time
++	user; deferring the creation of the SHM segment to this point will
++	create a SHM segment owned by the runtime-user account. The internal
++	structure of <i>NTPD</i> does not permit the use of a fudge flag if
++	this is to be avoided; this is the reason why a mode bit is used for
++	the configuration of a public segment.
++	</p>
++	
++	<p>When running under Windows, the chosen user account must be able to
++	create a SHM segment in the global object name space for SHM clocks with
++	public access. Otherwise the session isolation used by Windows kernels
++	after WinXP will get into the way if the client program does not run in
++	the same session.
++	</p>
++
++        <h4>Additional Information</h4>
++        <p><a href="../refclock.html">Reference Clock Drivers</a></p>
++
+         <hr>
+         <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+     </body>
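Review bot: The new "Public vs. Private SHM segments" section describes 0666 and NULL-DACL segments as "public access" but never says what that means for the clock: any local account can write samples into the segment that ntpd reads. State that plainly in this section and recommend setting mode bit 0 for units above 1 unless the program feeding the segment has to run under a different account.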
+diff -up ntp-4.2.6p5/ntpd/refclock_shm.c.shmperm ntp-4.2.6p5/ntpd/refclock_shm.c
+--- ntp-4.2.6p5/ntpd/refclock_shm.c.shmperm	2015-02-09 15:52:06.131877933 +0100
++++ ntp-4.2.6p5/ntpd/refclock_shm.c	2015-02-09 15:52:06.137877933 +0100
+@@ -52,6 +52,11 @@
+ #define NSAMPLES        3       /* stages of median filter */
+ 
+ /*
++ * Mode flags
++ */
++#define SHM_MODE_PRIVATE 0x0001
++
++/*
+  * Function prototypes
+  */
+ static  int     shm_start       (int unit, struct peer *peer);
+@@ -99,6 +104,7 @@ struct shmTime {
+ 
+ struct shmunit {
+ 	struct shmTime *shm;	/* pointer to shared memory segment */
++	int forall;		/* access for all UIDs?	*/
+ 
+ 	/* debugging/monitoring counters - reset when printed */
+ 	int ticks;		/* number of attempts to read data*/
+@@ -109,9 +115,12 @@ struct shmunit {
+ };
+ 
+ 
+-struct shmTime *getShmTime(int);
+-
+-struct shmTime *getShmTime (int unit) {
++static struct shmTime*
++getShmTime(
++	int unit,
++	int/*BOOL*/ forall
++	)
++{
+ #ifndef SYS_WINNT
+ 	int shmid=0;
+ 
+@@ -119,8 +128,8 @@ struct shmTime *getShmTime (int unit) {
+ 	 * Big units will give non-ascii but that's OK
+ 	 * as long as everybody does it the same way. 
+ 	 */
+-	shmid=shmget (0x4e545030+unit, sizeof (struct shmTime), 
+-		      IPC_CREAT|(unit<2?0600:0666));
++	shmid=shmget(0x4e545030 + unit, sizeof (struct shmTime),
++		      IPC_CREAT | (forall ? 0666 : 0600));
+ 	if (shmid==-1) { /*error */
+ 		msyslog(LOG_ERR,"SHM shmget (unit %d): %s",unit,strerror(errno));
+ 		return 0;
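Review bot: `shmget(..., IPC_CREAT | (forall ? 0666 : 0600))` applies the permission bits only when the segment is created; if a segment with key `0x4e545030 + unit` already exists, the call attaches to it with whatever owner and mode it already has. For the private case, check the result with `shmctl(shmid, IPC_STAT, ...)` and refuse a segment whose owner or mode is not the expected one; otherwise mode bit 0 does not guarantee what the documentation in this patch promises.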
+@@ -199,7 +208,9 @@ shm_start(
+ 	memset(up, 0, sizeof(*up));
+ 	pp->unitptr = (caddr_t)up;
+ 
+-	up->shm = getShmTime(unit);
++	up->forall = (unit >= 2) && !(peer->ttl & SHM_MODE_PRIVATE);
++
++	up->shm = getShmTime(unit, up->forall);
+ 
+ 	/*
+ 	 * Initialize miscellaneous peer variables
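Review bot: `up->forall = (unit >= 2) && !(peer->ttl & SHM_MODE_PRIVATE);` reads the mode word from `peer->ttl` with no comment explaining that the `mode` option of the server line is stored there. Add that comment, and consider logging the chosen access mode at startup so the permission of each unit can be checked from the log.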
+@@ -314,7 +325,7 @@ int shm_peek(
+ 	if (up->shm == 0) {
+ 		/* try to map again - this may succeed if meanwhile some-
+ 		body has ipcrm'ed the old (unaccessible) shared mem segment */
+-		up->shm = getShmTime(unit);
++		up->shm = getShmTime(unit, up->forall);
+ 	}
+ 	shm = up->shm;
+ 	if (shm == 0) {
diff --git a/SOURCES/ntp-4.2.6p5-sourceport.patch b/SOURCES/ntp-4.2.6p5-sourceport.patch
new file mode 100644
index 0000000..ef3fb10
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-sourceport.patch
@@ -0,0 +1,12 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.sourceport ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.sourceport	2015-02-06 16:43:27.857879763 +0100
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2015-02-06 16:43:56.446879712 +0100
+@@ -334,7 +334,7 @@ receive(
+ 	 * reveals a clogging attack.
+ 	 */
+ 	sys_received++;
+-	if (SRCPORT(&rbufp->recv_srcadr) < NTP_PORT) {
++	if (SRCPORT(&rbufp->recv_srcadr) == 0) {
+ 		sys_badlength++;
+ 		return;				/* bogus port */
+ 	}
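Review bot: Relaxing the test from `< NTP_PORT` to `== 0` admits packets from every non-zero source port, yet the surviving comment still ends with "reveals a clogging attack" and the return is still tagged `/* bogus port */`. Update the comment to describe the new rule and why source ports below `NTP_PORT` are now accepted, and add a description to the patch header, which currently has none.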
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 03ea0f0..6028994 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 19%{?dist}.3
+Release: 22%{?dist}
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -97,12 +97,42 @@ Patch23: ntp-4.2.6p5-cve-2014-9293.patch
 Patch24: ntp-4.2.6p5-cve-2014-9295.patch
 # ntpbz #2670
 Patch25: ntp-4.2.6p5-cve-2014-9296.patch
-# ntpbz #2901
-Patch26: ntp-4.2.6p5-cve-2015-7704.patch
-# allow only one step larger than panic threshold with -g
-Patch27: ntp-4.2.6p5-cve-2015-5300.patch
+# ntpbz #2671
+Patch26: ntp-4.2.6p5-cve-2014-9297.patch
+# ntpbz #2672
+Patch27: ntp-4.2.6p5-cve-2014-9298.patch
+# ntpbz #2174
+Patch28: ntp-4.2.6p5-sourceport.patch
+# ntpbz #2612
+Patch29: ntp-4.2.6p5-monwarn.patch
+# ntpbz #1232
+Patch30: ntp-4.2.6p5-nanoshm.patch
+# ntpbz #2661
+Patch32: ntp-4.2.6p5-mreadvar.patch
+# ntpbz #730
+Patch33: ntp-4.2.6p5-rsaexp.patch
+# ntpbz #2537
+Patch34: ntp-4.2.6p5-keylen.patch
+# ntpbz #2627
+Patch35: ntp-4.2.6p5-shmperm.patch
 # ntpbz #2745
 Patch36: ntp-4.2.6p5-xleap.patch
+# ntpbz #2805
+Patch37: ntp-4.2.6p5-mcastjoin.patch
+# ntpbz #2763, ntpbz #2811
+Patch38: ntp-4.2.6p5-backfwdstep.patch
+# ntpbz #2779
+Patch39: ntp-4.2.6p5-cve-2015-1798.patch
+# ntpbz #2781
+Patch40: ntp-4.2.6p5-cve-2015-1799.patch
+# ntpbz #2797
+Patch41: ntp-4.2.6p5-cve-2015-3405.patch
+# ntpbz #2837
+Patch42: ntp-4.2.6p5-dscp.patch
+# ntpbz #2901
+Patch43: ntp-4.2.6p5-cve-2015-7704.patch
+# allow only one step larger than panic threshold with -g
+Patch44: ntp-4.2.6p5-cve-2015-5300.patch
 
 # handle unknown clock types
 Patch50: ntpstat-0.2-clksrc.patch
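Review bot: The patch numbering skips 31 (Patch30 nanoshm is followed directly by Patch32 mreadvar) with no comment saying whether a patch was dropped or the number is held back, and the same gap appears in the %patch list later in the spec. A one-line comment at the gap would save the next maintainer from searching for a missing file. The CVE-2015-7704 and CVE-2015-5300 patches are also renumbered from 26/27 to 43/44 so that 26/27 now mean CVE-2014-9297/9298, which is worth mentioning in the commit message because the numbers no longer match the previous build.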
@@ -122,6 +152,7 @@ Requires(postun): systemd-units
 Requires: ntpdate = %{version}-%{release}
 BuildRequires: libcap-devel openssl-devel libedit-devel perl-HTML-Parser
 BuildRequires: pps-tools-devel autogen autogen-libopts-devel systemd-units
+BuildRequires: bison
 
 %description
 The Network Time Protocol (NTP) is used to synchronize a computer's
@@ -183,7 +214,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 
 %prep
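Review bot: Changing the %{?rhel: ...} line from vendorzone centos. to rhel. undoes the "rebrand vendorzone" change whose changelog entry this diff also removes, so a rebuild of this spec on CentOS would put the rhel. pool.ntp.org zone into ntp.conf. If this is an import of the upstream spec, the rebrand has to be re-applied on top of it, or vendorzone defined at build time, which the %if 0%{!?vendorzone:1} guard already allows.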
@@ -216,9 +247,24 @@ This package contains NTP documentation in HTML format.
 %patch23 -p1 -b .cve-2014-9293
 %patch24 -p1 -b .cve-2014-9295
 %patch25 -p1 -b .cve-2014-9296
-%patch26 -p1 -b .cve-2015-7704
-%patch27 -p1 -b .cve-2015-5300
+%patch26 -p1 -b .cve-2014-9297
+%patch27 -p1 -b .cve-2014-9298
+%patch28 -p1 -b .sourceport
+%patch29 -p1 -b .monwarn
+%patch30 -p1 -b .nanoshm
+%patch32 -p1 -b .mreadvar
+%patch33 -p1 -b .rsaexp
+%patch34 -p1 -b .keylen
+%patch35 -p1 -b .shmperm
 %patch36 -p1 -b .xleap
+%patch37 -p1 -b .mcastjoin
+%patch38 -p1 -b .backfwdstep
+%patch39 -p1 -b .cve-2015-1798
+%patch40 -p1 -b .cve-2015-1799
+%patch41 -p1 -b .cve-2015-3405
+%patch42 -p1 -b .dscp
+%patch43 -p1 -b .cve-2015-7704
+%patch44 -p1 -b .cve-2015-5300
 
 # ntpstat patches
 %patch50 -p1 -b .clksrc
@@ -228,7 +274,7 @@ This package contains NTP documentation in HTML format.
 %patch54 -p1 -b .errorbit
 
 # set default path to sntp KoD database
-sed -i 's|/var/db/ntp-kod|%{_localstatedir}/lib/sntp-kod|' sntp/{sntp.1,main.c}
+sed -i 's|/var/db/ntp-kod|%{_localstatedir}/lib/sntp/kod|' sntp/{sntp.1,main.c}
 
 # fix line terminators
 sed -i 's|\r||g' html/scripts/{footer.txt,style.css}
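Review bot: The new KoD database location lib/sntp/kod is now spelled out separately in this sed expression, in the touch line of %install and in the %dir/%ghost entries of %files; a %global for the path would keep the three in step. sed -i also exits successfully when the pattern does not match, so a grep for the new path in sntp/main.c after the substitution would catch the case where /var/db/ntp-kod no longer appears in the source.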
@@ -243,6 +289,10 @@ touch ntpd/ntpd-opts.texi util/ntp-keygen-opts.texi
 # autogen fails to regenerate man pages (#958908), but they won't be used anyway
 touch ntpd/ntpd.1 util/ntp-keygen.1
 
+# make the build fail if the parsers are not regenerated
+rm ntpd/ntp_parser.{c,h}
+echo > ntpd/ntp_keyword.h
+
 %build
 sed -i 's|$CFLAGS -Wstrict-overflow|$CFLAGS|' configure sntp/configure
 export CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing -fno-strict-overflow"
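Review bot: The added comment explains the rm ntpd/ntp_parser.{c,h} line but not the echo > ntpd/ntp_keyword.h line that follows it: the header is emptied rather than removed, and the comment does not say why it has to keep existing. It also depends on the make -C ntpd ntp_keyword.h step in %build and on the new BuildRequires: bison, neither of which carries a comment. Extend the comment to cover all three so the pieces are not removed independently later.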
@@ -257,6 +307,7 @@ export LDFLAGS="-pie -Wl,-z,relro,-z,now"
 echo '#define KEYFILE "%{_sysconfdir}/ntp/keys"' >> ntpdate/ntpdate.h
 echo '#define NTP_VAR "%{_localstatedir}/log/ntpstats/"' >> config.h
 
+make -C ntpd ntp_keyword.h
 make %{?_smp_mflags}
 
 sed -i 's|$ntpq = "ntpq"|$ntpq = "%{_sbindir}/ntpq"|' scripts/ntptrace
@@ -299,8 +350,8 @@ find $RPM_BUILD_ROOT%{ntpdocdir} -type d | xargs chmod 755
 
 pushd $RPM_BUILD_ROOT
 mkdir -p .%{_sysconfdir}/{ntp/crypto,sysconfig,dhcp/dhclient.d} .%{_libexecdir}
-mkdir -p .%{_localstatedir}/{lib/ntp,log/ntpstats} .%{_unitdir}
-touch .%{_localstatedir}/lib/{ntp/drift,sntp-kod}
+mkdir -p .%{_localstatedir}/{lib/{s,}ntp,log/ntpstats} .%{_unitdir}
+touch .%{_localstatedir}/lib/{ntp/drift,sntp/kod}
 sed -e 's|VENDORZONE\.|%{vendorzone}|' \
 	-e 's|ETCNTP|%{_sysconfdir}/ntp|' \
 	-e 's|VARNTP|%{_localstatedir}/lib/ntp|' \
@@ -423,22 +474,39 @@ popd
 %config(noreplace) %{_sysconfdir}/sysconfig/sntp
 %{_sbindir}/sntp
 %{_mandir}/man8/sntp.8*
-%ghost %{_localstatedir}/lib/sntp-kod
+%dir %{_localstatedir}/lib/sntp
+%ghost %{_localstatedir}/lib/sntp/kod
 %{_unitdir}/sntp.service
 
 %files doc
 %{ntpdocdir}/html
 
 %changelog
-* Mon Oct 26 2015 CentOS Sources <bugs@centos.org> - 4.2.6p5-19.el7.centos.3
-- rebrand vendorzone
-
-* Fri Oct 16 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-19.el7_1.3
+* Fri Oct 16 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-22
 - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)
 - allow only one step larger than panic threshold with -g (CVE-2015-5300)
 
-* Thu Apr 23 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-19.el7_1.1
+* Thu Jun 04 2015 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-20
+- validate lengths of values in extension fields (CVE-2014-9297)
+- drop packets with spoofed source address ::1 (CVE-2014-9298)
+- reject packets without MAC when authentication is enabled (CVE-2015-1798)
+- protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799)
+- fix generation of MD5 keys with ntp-keygen on big-endian systems (CVE-2015-3405)
+- add option to set Differentiated Services Code Point (DSCP) (#1202828)
+- add nanosecond support to SHM refclock (#1117702)
+- allow creating all SHM segments with owner-only access (#1122012)
+- allow different thresholds for forward and backward step (#1193154)
+- allow symmetric keys up to 32 bytes again (#1191111)
 - don't step clock for leap second with -x option (#1191122)
+- don't drop packets with source port below 123 (#1171640)
+- retry joining multicast groups (#1207014)
+- increase memlock limit again (#1053569)
+- warn when monitor can't be disabled due to limited restrict (#1191108)
+- use larger RSA exponent in ntp-keygen (#1191116)
+- fix crash in ntpq mreadvar command (#1180721)
+- move sntp kod database to allow SELinux labeling (#1082934)
+- fix typos in ntpd man page (#1195211)
+- improve documentation of restrict command (#1213953)
 
 * Fri Dec 19 2014 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-19
 - don't generate weak control key for resolver (CVE-2014-9293)
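Review bot: The %files change replaces %ghost lib/sntp-kod with %dir lib/sntp and %ghost lib/sntp/kod, but no scriptlet in the visible hunks carries an existing database over, so after an upgrade the old file is left behind unowned and the new default path does not point at it. If losing the stored KoD entries on upgrade is acceptable, say so in the "move sntp kod database" changelog line; otherwise move the file in a %post scriptlet. The changelog also goes from 4.2.6p5-20 to 4.2.6p5-22 with no entry for -21.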