diff --git a/.gitignore b/.gitignore
index 95b8f3e..86e0978 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/ntp-4.2.6p5.tar.gz
-SOURCES/ntpstat-0.2.tgz
+SOURCES/ntpstat-0.5.tar.gz
diff --git a/.ntp.metadata b/.ntp.metadata
index ffc3452..ab4a419 100644
--- a/.ntp.metadata
+++ b/.ntp.metadata
@@ -1,2 +1,2 @@
 4a5353a4791b6f4315a66c28d504ec6c7926b192 SOURCES/ntp-4.2.6p5.tar.gz
-9b6baf20b5943651a6bf8d6cf9a78e318573b541 SOURCES/ntpstat-0.2.tgz
+cb8ccc71c5b036bdefe9af8911ea4202dee84a54 SOURCES/ntpstat-0.5.tar.gz
diff --git a/SOURCES/ntp-4.2.6p5-cve-2017-6464.patch b/SOURCES/ntp-4.2.6p5-cve-2017-6464.patch
index 6725c83..a271db7 100644
--- a/SOURCES/ntp-4.2.6p5-cve-2017-6464.patch
+++ b/SOURCES/ntp-4.2.6p5-cve-2017-6464.patch
@@ -57,6 +57,17 @@ diff -up ntp-4.2.6p5/ntpd/ntp_config.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_config
  
  static void
  config_system_opts(
+@@ -2920,7 +2941,9 @@ config_ttl(
+ 
+ 		curr_ttl = next_node(curr_ttl);
+ 	}
+-	sys_ttlmax = i - 1;
++
++	if (i)
++		sys_ttlmax = i - 1;
+ }
+ 
+ 
 diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464 ntp-4.2.6p5/ntpd/ntp_proto.c
 --- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2017-6464	2017-03-22 12:54:11.270454677 +0100
 +++ ntp-4.2.6p5/ntpd/ntp_proto.c	2017-03-22 12:54:11.279454706 +0100
diff --git a/SOURCES/ntp-4.2.6p5-cve-2018-12327.patch b/SOURCES/ntp-4.2.6p5-cve-2018-12327.patch
new file mode 100644
index 0000000..8e250d4
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2018-12327.patch
@@ -0,0 +1,38 @@
+diff -up ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2018-12327 ntp-4.2.6p5/ntpdc/ntpdc.c
+--- ntp-4.2.6p5/ntpdc/ntpdc.c.cve-2018-12327	2018-12-10 12:01:08.096202203 +0100
++++ ntp-4.2.6p5/ntpdc/ntpdc.c	2018-12-10 12:02:05.385805767 +0100
+@@ -459,8 +459,14 @@ openhost(
+ 	
+ 	if (*cp == '[') {
+ 		cp++;	
+-		for (i = 0; *cp && *cp != ']'; cp++, i++)
++		for (i = 0; *cp && *cp != ']'; cp++, i++) {
++			if (i + 1 == sizeof (name)) {
++				errno = EINVAL;
++				warning("%s", "bad hostname/address", "");
++				return 0;
++			}
+ 			name[i] = *cp;
++		}
+ 		if (*cp == ']') {
+ 			name[i] = '\0';
+ 			hname = name;
+diff -up ntp-4.2.6p5/ntpq/ntpq.c.cve-2018-12327 ntp-4.2.6p5/ntpq/ntpq.c
+--- ntp-4.2.6p5/ntpq/ntpq.c.cve-2018-12327	2018-12-10 12:01:08.157201781 +0100
++++ ntp-4.2.6p5/ntpq/ntpq.c	2018-12-10 12:02:17.739720281 +0100
+@@ -640,8 +640,14 @@ openhost(
+ 	
+ 	if (*cp == '[') {
+ 		cp++;
+-		for (i = 0; *cp && *cp != ']'; cp++, i++)
++		for (i = 0; *cp && *cp != ']'; cp++, i++) {
++			if (i + 1 == sizeof (name)) {
++				errno = EINVAL;
++				warning("%s", "bad hostname/address", "");
++				return 0;
++			}
+ 			name[i] = *cp;
++		}
+ 		if (*cp == ']') {
+ 			name[i] = '\0';
+ 			hname = name;
diff --git a/SOURCES/ntp-4.2.6p5-decodenetnum.patch b/SOURCES/ntp-4.2.6p5-decodenetnum.patch
new file mode 100644
index 0000000..e456f01
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-decodenetnum.patch
@@ -0,0 +1,21 @@
+Author:  <stenn@psp-deb1.ntp.org>
+Date:   Tue Oct 6 08:51:27 2015 +0000
+
+    [Sec 2922] decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values.  Harlan Stenn.
+
+diff --git a/libntp/decodenetnum.c b/libntp/decodenetnum.c
+index ebcb2da69..35b908f39 100644
+--- a/libntp/decodenetnum.c
++++ b/libntp/decodenetnum.c
+@@ -36,7 +36,10 @@ decodenetnum(
+ 	char name[80];
+ 
+ 	NTP_REQUIRE(num != NULL);
+-	NTP_REQUIRE(strlen(num) < sizeof(name));
++
++	if (strlen(num) >= sizeof(name)) {
++		return 0;
++	}
+ 
+ 	port_str = NULL;
+ 	if ('[' != num[0]) {
diff --git a/SOURCES/ntp-4.2.6p5-netlinkdrop.patch b/SOURCES/ntp-4.2.6p5-netlinkdrop.patch
new file mode 100644
index 0000000..4422777
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-netlinkdrop.patch
@@ -0,0 +1,34 @@
+Author:  <davehart@dlh-7551.ad.hartbrothers.com>
+Date:   Mon Jun 11 17:22:29 2012 +0000
+
+    [Bug 2224] Use-after-free in routing socket code after dropping root.
+
+diff -up ntp-4.2.6p5/ntpd/ntp_io.c.netlinkdrop ntp-4.2.6p5/ntpd/ntp_io.c
+--- ntp-4.2.6p5/ntpd/ntp_io.c.netlinkdrop	2019-01-11 12:34:21.356195246 +0100
++++ ntp-4.2.6p5/ntpd/ntp_io.c	2019-01-11 12:37:55.719194867 +0100
+@@ -3584,7 +3584,8 @@ input_handler(
+ 	int select_count = 0;
+ 	endpt *ep;
+ #if defined(HAS_ROUTING_SOCKET)
+-	struct asyncio_reader *asyncio_reader;
++	struct asyncio_reader * asyncio_reader;
++	struct asyncio_reader *	next_asyncio_reader;
+ #endif
+ 
+ 	handler_calls++;
+@@ -3687,11 +3688,13 @@ input_handler(
+ 	asyncio_reader = asyncio_reader_list;
+ 
+ 	while (asyncio_reader != NULL) {
++		/* callback may unlink and free asyncio_reader */
++		next_asyncio_reader = asyncio_reader->link;
+ 		if (FD_ISSET(asyncio_reader->fd, &fds)) {
+ 			++select_count;
+-			(asyncio_reader->receiver)(asyncio_reader);
++			(*asyncio_reader->receiver)(asyncio_reader);
+ 		}
+-		asyncio_reader = asyncio_reader->link;
++		asyncio_reader = next_asyncio_reader;
+ 	}
+ #endif /* HAS_ROUTING_SOCKET */
+ 	
diff --git a/SOURCES/ntp-4.2.6p5-netlinknobuf.patch b/SOURCES/ntp-4.2.6p5-netlinknobuf.patch
new file mode 100644
index 0000000..8ddf25f
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-netlinknobuf.patch
@@ -0,0 +1,28 @@
+Author:  <stenn@psp-at1.ntp.org>
+Date:   Fri Jul 31 07:58:11 2015 +0000
+
+    [Bug 2890] Ignore ENOBUFS on routing netlink socket.  Konstantin Khlebnikov.
+
+diff -up ntp-4.2.6p5/ntpd/ntp_io.c.netlinknobuf ntp-4.2.6p5/ntpd/ntp_io.c
+--- ntp-4.2.6p5/ntpd/ntp_io.c.netlinknobuf	2019-01-11 12:34:09.115195268 +0100
++++ ntp-4.2.6p5/ntpd/ntp_io.c	2019-01-11 12:34:21.356195246 +0100
+@@ -4480,10 +4480,15 @@ process_routing_msgs(struct asyncio_read
+ 	cnt = read(reader->fd, buffer, sizeof(buffer));
+ 	
+ 	if (cnt < 0) {
+-		msyslog(LOG_ERR,
+-			"i/o error on routing socket %m - disabling");
+-		remove_asyncio_reader(reader);
+-		delete_asyncio_reader(reader);
++		if (errno == ENOBUFS) {
++			msyslog(LOG_ERR,
++				"routing socket reports: %m");
++		} else {
++			msyslog(LOG_ERR,
++				"routing socket reports: %m - disabling");
++			remove_asyncio_reader(reader);
++			delete_asyncio_reader(reader);
++		}
+ 		return;
+ 	}
+ 
diff --git a/SOURCES/ntpstat-0.2-clksrc.patch b/SOURCES/ntpstat-0.2-clksrc.patch
deleted file mode 100644
index c427f1f..0000000
--- a/SOURCES/ntpstat-0.2-clksrc.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat ntp-4.2.4p7/ntpstat-0.2/ntpstat.c
---- ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat	2002-06-10 08:02:12.000000000 +0200
-+++ ntp-4.2.4p7/ntpstat-0.2/ntpstat.c	2009-07-20 12:22:35.000000000 +0200
-@@ -187,7 +187,7 @@ int main (void) {
-     else
-       printf("unknown source");
- 
--    if (!strncmp(clksrcname[clksrc],clksrcname[6],sizeof(clksrcname[6]))) {
-+    if (clksrc == 6) {
-       // source of sync is another NTP server so check the IP address
-       strncpy(buff, ntpmsg.payload, sizeof(buff));
-       if ((newstr = strstr (buff, REFID))) {
diff --git a/SOURCES/ntpstat-0.2-errorbit.patch b/SOURCES/ntpstat-0.2-errorbit.patch
deleted file mode 100644
index 06e9342..0000000
--- a/SOURCES/ntpstat-0.2-errorbit.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-diff -up ntp-4.2.6p4/ntpstat-0.2/ntpstat.c.errorbit ntp-4.2.6p4/ntpstat-0.2/ntpstat.c
---- ntp-4.2.6p4/ntpstat-0.2/ntpstat.c.errorbit	2011-10-06 13:41:38.591669772 +0200
-+++ ntp-4.2.6p4/ntpstat-0.2/ntpstat.c	2011-10-06 16:50:01.708315811 +0200
-@@ -104,6 +104,7 @@ int main (void) {
-   FD_ZERO(&fds);
- 
-   inet_aton("127.0.0.1", &address);
-+  memset(&sock, 0, sizeof (sock));;
-   sock.sin_family = AF_INET;
-   sock.sin_addr = address;
-   sock.sin_port = htons(NTP_PORT);
-@@ -159,15 +160,18 @@ int main (void) {
-     die ("return data appears to be invalid based on status word");
-   }
- 
--  if (!(ntpmsg.byte2 | EMASK)) {
-+  if (ntpmsg.byte2 & EMASK) {
-     fprintf (stderr,"status byte2 is %02x\n", ntpmsg.byte2 );
-     die ("error bit is set in reply");
-   }
- 
--  if (!(ntpmsg.byte2 | MMASK)) {
-+  /* ignore the more bit */
-+#if 0
-+  if (ntpmsg.byte2 & MMASK) {
-     fprintf (stderr,"status byte2 is %02x\n", ntpmsg.byte2 );
-     fprintf (stderr,"More bit unexpected in reply");
-   }
-+#endif
- 
-   /* if the leap indicator (LI), which is the two most significant bits
-      in status byte1, are both one, then the clock is not synchronised. */
diff --git a/SOURCES/ntpstat-0.2-manual.patch b/SOURCES/ntpstat-0.2-manual.patch
deleted file mode 100644
index 99dbb6a..0000000
--- a/SOURCES/ntpstat-0.2-manual.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -up ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual ntp-4.2.6p5/ntpstat-0.2/ntpstat.1
---- ntp-4.2.6p5/ntpstat-0.2/ntpstat.1.manual	2002-06-10 08:02:12.000000000 +0200
-+++ ntp-4.2.6p5/ntpstat-0.2/ntpstat.1	2015-12-04 17:28:23.379793604 +0100
-@@ -1,4 +1,4 @@
--.TH ntpstat 1 "$Date: 2001/06/22 03:27:10 $"
-+.TH ntpstat 1
- .UC 4
- .SH NAME
- ntpstat \- show network time synchronisation status
-@@ -6,12 +6,18 @@ ntpstat \- show network time synchronisa
- .B ntpstat
- .SH DESCRIPTION
- .I ntpstat
--will report the synchronisation state of the NTP daemon
-+will report the synchronisation state of the NTP daemon (ntpd)
- running on the local machine.  If the local system is found to be 
- synchronised to a reference time source,  
- .I ntpstat
- will report the approximate time accuracy.
- 
-+When the synchronised state is reported, it means the system clock was updated
-+at some point.  There is no timeout for this state.  It will stay there even
-+when the source becomes unreachable and there are no other sources available.
-+However, the reported accuracy will be slowly increasing, in the default ntpd
-+configuration by 15 microseconds per second.
-+
- .SH RETURNS
- .I ntpstat
- returns 0 if clock is synchronised.
-@@ -22,7 +28,10 @@ returns 2 if clock state is indeterminan
- if ntpd is not contactable.
- 
- .SH SEE ALSO
--ntpdc, ntpdq
-+.BR ntp_misc (5),
-+.BR ntpd (8),
-+.BR ntpq (8),
-+.BR ntpdc (8)
- 
- .SH AUTHOR
- G. Richard Keech (rkeech@redhat.com)
diff --git a/SOURCES/ntpstat-0.2-maxerror.patch b/SOURCES/ntpstat-0.2-maxerror.patch
deleted file mode 100644
index f8ab750..0000000
--- a/SOURCES/ntpstat-0.2-maxerror.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff -up ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.maxerror ntp-4.2.6p1/ntpstat-0.2/ntpstat.c
---- ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.maxerror	2010-05-03 11:37:49.000000000 +0200
-+++ ntp-4.2.6p1/ntpstat-0.2/ntpstat.c	2010-05-03 12:20:08.000000000 +0200
-@@ -89,7 +89,9 @@ int main (void) {
-     "modem"};         /* 9 */
-   char *newstr;
-   char *dispstr;
-+  char *delaystr;
-   const char DISP[] = "rootdisp=";
-+  const char DELAY[] = "rootdelay=";
-   const char STRATUM[] = "stratum=";
-   const char POLL[] = "tc=";
-   const char REFID[] = "refid=";
-@@ -235,16 +237,19 @@ int main (void) {
-     /* Set the position of the start of the string to 
-        "rootdispersion=" part of the string. */
-     strncpy(buff, ntpmsg.payload, sizeof(buff));
--    if ((newstr = strstr (buff, DISP))) {
--      newstr += sizeof(DISP) - 1;
--      dispstr = strtok(newstr,".");
-+    if ((dispstr = strstr (buff, DISP)) && (delaystr = strstr (buff, DELAY))) {
-+      dispstr += sizeof(DISP) - 1;
-+      dispstr = strtok(dispstr,",");
-+      delaystr += sizeof(DELAY) - 1;
-+      delaystr = strtok(delaystr,",");
- 
-       /* Check the resultant string is of a reasonable length */
--      if ((strlen (dispstr) == 0) || (strlen (dispstr) > 4)) {
-+      if ((strlen (dispstr) == 0) || (strlen (dispstr) > 10) ||
-+	      (strlen (delaystr) == 0) || (strlen (delaystr) > 10)) {
- 	printf ("accuracy unreadable\n");
-       }
-       else {
--	printf("   time correct to within %s ms\n",dispstr);
-+	printf("   time correct to within %.0f ms\n", atof(dispstr) + atof(delaystr) / 2.0);
-       }
-     } else {
-       rc=1;
diff --git a/SOURCES/ntpstat-0.2-multipacket.patch b/SOURCES/ntpstat-0.2-multipacket.patch
deleted file mode 100644
index ca21257..0000000
--- a/SOURCES/ntpstat-0.2-multipacket.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat ntp-4.2.4p7/ntpstat-0.2/ntpstat.c
---- ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat	2002-06-10 08:02:12.000000000 +0200
-+++ ntp-4.2.4p7/ntpstat-0.2/ntpstat.c	2009-07-20 12:22:35.000000000 +0200
-@@ -151,7 +151,7 @@ int main (void) {
-   /* For the reply message to be valid, the first byte should be as sent, 
-      and the second byte should be the same, with the response bit set */
-   byte1ok = ((ntpmsg.byte1&0x3F) == B1VAL);
--  byte2ok = (ntpmsg.byte2 == (B2VAL|RMASK));
-+  byte2ok = ((ntpmsg.byte2 & ~MMASK) == (B2VAL|RMASK));
-   if (!(byte1ok && byte2ok)) {
-     fprintf (stderr,"status word is 0x%02x%02x\n", ntpmsg.byte1,ntpmsg.byte2 );
-     die ("return data appears to be invalid based on status word");
diff --git a/SOURCES/ntpstat-0.2-sysvars.patch b/SOURCES/ntpstat-0.2-sysvars.patch
deleted file mode 100644
index 3f641a9..0000000
--- a/SOURCES/ntpstat-0.2-sysvars.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.sysvars ntp-4.2.6p1/ntpstat-0.2/ntpstat.c
---- ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.sysvars	2010-05-03 11:27:47.000000000 +0200
-+++ ntp-4.2.6p1/ntpstat-0.2/ntpstat.c	2010-05-03 11:32:56.000000000 +0200
-@@ -89,9 +89,9 @@ int main (void) {
-     "modem"};         /* 9 */
-   char *newstr;
-   char *dispstr;
--  const char DISP[] = "rootdispersion=";
-+  const char DISP[] = "rootdisp=";
-   const char STRATUM[] = "stratum=";
--  const char POLL[] = "poll=";
-+  const char POLL[] = "tc=";
-   const char REFID[] = "refid=";
- 
-   /* initialise timeout value */
diff --git a/SOURCES/ntpstat-compat.patch b/SOURCES/ntpstat-compat.patch
new file mode 100644
index 0000000..5d81706
--- /dev/null
+++ b/SOURCES/ntpstat-compat.patch
@@ -0,0 +1,41 @@
+diff -up ntp-4.2.6p5/ntpstat-0.5/ntpstat.compat ntp-4.2.6p5/ntpstat-0.5/ntpstat
+--- ntp-4.2.6p5/ntpstat-0.5/ntpstat.compat	2018-03-20 16:02:33.000000000 +0100
++++ ntp-4.2.6p5/ntpstat-0.5/ntpstat	2019-01-11 16:52:04.003167878 +0100
+@@ -116,6 +116,7 @@ get_ntpd_state() {
+     disp=$(parse_rv_field "$output" "rootdisp")
+     distance=$(echo "$delay $disp" | awk '{ printf "%.3f", $1 / 2.0 + $2 }')
+ 
++    : <<'EOF'
+     syspeer_id=$("${NTPQ[@]}" -c associations 2> /dev/null |\
+         grep 'sys\.peer' | awk '{ print $2 }') || return 4
+     output=$("${NTPQ[@]}" -c "rv $syspeer_id" 2> /dev/null) || return 5
+@@ -124,6 +125,19 @@ get_ntpd_state() {
+         address=$(parse_rv_field "$output" "srcadr")
+     fi
+     poll=$(parse_rv_field "$output" "hpoll")
++EOF
++
++    # bug compatibility with original EL7 ntpstat
++    # - refid interpretted as IP address
++    # - tc interpretted as poll
++    # - code 1 (no drift file in NTPv4) printed as server restart in NTPv3
++    address=$(parse_rv_field "$output" "refid")
++    poll=$(parse_rv_field "$output" "tc")
++    local code=$(parse_rv_field "$output" "status" | \
++        awk '{ print and(strtonum($1), 0xf) }')
++    if [ "$leap" -eq 3 ] && [ "$code" -eq 1 ]; then
++        leap=4
++    fi
+ 
+     echo "$leap,$source,$address,$stratum,$distance,$poll"
+ }
+@@ -176,6 +190,9 @@ if [ "$leap" -ge 0 -a "$leap" -le 2 ]; t
+     fi
+ else
+     printf "unsynchronised\n"
++    if [ "$leap" -eq 4 ]; then
++        printf "  time server re-starting\n"
++    fi
+     status=1
+ fi
+ 
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 52ad9aa..6527a43 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 28%{?dist}
+Release: 29%{?dist}
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -34,8 +34,7 @@ Source0: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-%{version}.ta
 Source1: ntp.conf
 Source2: ntp.keys
 Source4: ntpd.sysconfig
-# http://people.redhat.com/rkeech/#ntpstat
-Source5: ntpstat-0.2.tgz
+Source5: https://github.com/mlichvar/ntpstat/archive/0.5/ntpstat-0.5.tar.gz
 Source6: ntp.step-tickers
 Source7: ntpdate.wrapper
 Source8: ntp.cryptopw
@@ -193,19 +192,17 @@ Patch72: ntp-4.2.6p5-tsyncdriver.patch
 Patch73: ntp-4.2.6p5-staunsync.patch
 # use SHA1 request key by default (#1442083)
 Patch74: ntp-4.2.6p5-defreqkey.patch
-
-# handle unknown clock types
-Patch100: ntpstat-0.2-clksrc.patch
-# process first packet in multipacket response
-Patch101: ntpstat-0.2-multipacket.patch
-# use current system variable names
-Patch102: ntpstat-0.2-sysvars.patch
-# print synchronization distance instead of dispersion
-Patch103: ntpstat-0.2-maxerror.patch
-# fix error bit checking
-Patch104: ntpstat-0.2-errorbit.patch
-# improve man page
-Patch105: ntpstat-0.2-manual.patch
+# ntpbz #3505
+Patch75: ntp-4.2.6p5-cve-2018-12327.patch
+# ntpbz #2922
+Patch76: ntp-4.2.6p5-decodenetnum.patch
+# ntpbz #2224
+Patch77: ntp-4.2.6p5-netlinkdrop.patch
+# ntpbz #2890
+Patch78: ntp-4.2.6p5-netlinknobuf.patch
+
+# add bugs for compatibility with original EL7 ntpstat
+Patch100: ntpstat-compat.patch
 
 URL: http://www.ntp.org
 Requires(post): systemd-units
@@ -276,7 +273,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 
 %prep
@@ -357,14 +354,12 @@ This package contains NTP documentation in HTML format.
 %patch72 -p1 -b .tsyncdriver
 %patch73 -p1 -b .staunsync
 %patch74 -p1 -b .defreqkey
+%patch75 -p1 -b .cve-2018-12327
+%patch76 -p1 -b .decodenetnum
+%patch77 -p1 -b .netlinkdrop
+%patch78 -p1 -b .netlinknobuf
 
-# ntpstat patches
-%patch100 -p1 -b .clksrc
-%patch101 -p1 -b .multipacket
-%patch102 -p1 -b .sysvars
-%patch103 -p1 -b .maxerror
-%patch104 -p1 -b .errorbit
-%patch105 -p1 -b .manual
+%patch100 -p1 -b .compat
 
 # set default path to sntp KoD database
 sed -i 's|/var/db/ntp-kod|%{_localstatedir}/lib/sntp/kod|' sntp/{sntp.1,main.c}
@@ -386,6 +381,10 @@ touch ntpd/ntpd.1 util/ntp-keygen.1
 rm ntpd/ntp_parser.{c,h}
 echo > ntpd/ntp_keyword.h
 
+# hardcode paths in ntpstat
+sed -i '/^CHRONYC=/s|chronyc|%{_bindir}/chronyc|' ntpstat-*/ntpstat
+sed -i '/^NTPQ=/s|ntpq|%{_sbindir}/ntpq|' ntpstat-*/ntpstat
+
 %build
 sed -i 's|$CFLAGS -Wstrict-overflow|$CFLAGS|' configure sntp/configure
 export CFLAGS="$RPM_OPT_FLAGS -fPIE -fno-strict-aliasing -fno-strict-overflow"
@@ -412,8 +411,6 @@ pushd html
 sed -i 's/^[\t\ ]*$//;/./,/^$/!d' man/man*/*.[58]
 popd 
 
-make -C ntpstat-0.2 CFLAGS="$CFLAGS"
-
 %install
 make DESTDIR=$RPM_BUILD_ROOT bindir=%{_sbindir} install
 
@@ -422,11 +419,7 @@ sed -i 's/sntp\.1/sntp\.8/' $RPM_BUILD_ROOT%{_mandir}/man1/sntp.1
 mv $RPM_BUILD_ROOT%{_mandir}/man{1/sntp.1,8/sntp.8}
 rm -rf $RPM_BUILD_ROOT%{_mandir}/man1
 
-pushd ntpstat-0.2
-mkdir -p $RPM_BUILD_ROOT%{_bindir}
-install -m 755 ntpstat $RPM_BUILD_ROOT%{_bindir}
-install -m 644 ntpstat.1 $RPM_BUILD_ROOT%{_mandir}/man8/ntpstat.8
-popd
+%makeinstall -C ntpstat-*
 
 # fix section numbers
 sed -i 's/\(\.TH[a-zA-Z ]*\)[1-9]\(.*\)/\18\2/' $RPM_BUILD_ROOT%{_mandir}/man8/*.8
@@ -533,12 +526,12 @@ popd
 %ghost %attr(644,ntp,ntp) %{_localstatedir}/lib/ntp/drift
 %dir %attr(-,ntp,ntp) %{_localstatedir}/log/ntpstats
 %{_bindir}/ntpstat
+%{_mandir}/man1/ntpstat.1*
 %{_mandir}/man5/*.5*
 %{_mandir}/man8/ntp-keygen.8*
 %{_mandir}/man8/ntpd.8*
 %{_mandir}/man8/ntpdc.8*
 %{_mandir}/man8/ntpq.8*
-%{_mandir}/man8/ntpstat.8*
 %{_mandir}/man8/ntptime.8*
 %{_mandir}/man8/tickadj.8*
 %{_prefix}/lib/systemd/ntp-units.d/*.list
@@ -575,8 +568,13 @@ popd
 %{ntpdocdir}/html
 
 %changelog
-* Tue Apr 10 2018 CentOS Sources <bugs@centos.org> - 4.2.6p5-28.el7.centos
-- rebrand vendorzone
+* Fri Jan 11 2019 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-29
+- fix CVE-2016-7429 patch to restore default ttl configuration (#1550637)
+- fix buffer overflow in parsing of address in ntpq and ntpdc (CVE-2018-12327)
+- fix crash in parsing of received address in ntpq (#1616250)
+- avoid reading freed memory after disabling netlink socket (#1555401)
+- don't disable netlink socket on ENOBUFS error (#1555413)
+- replace ntpstat with shell script using ntpq and supporting chrony (#1592871)
 
 * Mon Oct 09 2017 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-28
 - fix buffer overflow in datum refclock driver (CVE-2017-6462)