diff --git a/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch b/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch
new file mode 100644
index 0000000..705f792
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-cve-2020-11868.patch
@@ -0,0 +1,36 @@
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2020-11868 ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.cve-2020-11868	2020-05-26 13:03:53.778232633 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2020-05-26 13:04:41.367347264 +0200
+@@ -1044,6 +1044,10 @@ receive(
+ 	if (L_ISZERO(&p_xmt)) {
+ 		peer->flash |= TEST3;			/* unsynch */
+ 
++		/* Don't update the state in client mode. */
++		if (peer->hmode == MODE_CLIENT)
++			return;
++
+ 	/*
+ 	 * If the transmit timestamp duplicates a previous one, the
+ 	 * packet is a replay. This prevents the bad guys from replaying
+@@ -1077,6 +1081,11 @@ receive(
+ 		if (L_ISZERO(&p_org) || !L_ISEQU(&p_org, &peer->aorg)) {
+ 			peer->bogusorg++;
+ 			peer->flash |= TEST2;	/* bogus */
++
++			/* Don't update the state in client mode. */
++			if (peer->hmode == MODE_CLIENT)
++				return;
++
+ 			if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,
+ 			    &peer->dst)) {
+ 				xleave_mismatch = 1;
+@@ -1410,7 +1419,8 @@ process_packet(
+ 		if (peer->burst > 0)
+ 			peer->nextdate = current_time;
+ 	}
+-	poll_update(peer, peer->hpoll);
++	if (!(peer->flash & PKT_TEST_MASK))
++		poll_update(peer, peer->hpoll);
+ 
+ 	/*
+ 	 * Verify the server is synchronized; that is, the leap bits,
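Review bot: The comment `/* Don't update the state in client mode. */` in both receive() hunks is looser than the code, because `peer->flash |= TEST3` and, in the second hunk, `peer->bogusorg++` and `peer->flash |= TEST2` still run before the `return`. It should say what is protected and why, for example `/* Client mode: drop a reply with a zero or mismatched origin here so a spoofed packet cannot reschedule transmission; only flash and bogusorg are touched. */`. The zero-transmit path has no counter comparable to `bogusorg`. If nothing else in receive() counts it (not visible in the hunk), these drops leave no trace for an operator watching for spoofed replies. receive() starts and ends outside the hunks.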
diff --git a/SOURCES/ntp-4.2.6p5-randomtx.patch b/SOURCES/ntp-4.2.6p5-randomtx.patch
new file mode 100644
index 0000000..7bd2ba7
--- /dev/null
+++ b/SOURCES/ntp-4.2.6p5-randomtx.patch
@@ -0,0 +1,76 @@
+diff -up ntp-4.2.6p5/include/ntp.h.randomtx ntp-4.2.6p5/include/ntp.h
+--- ntp-4.2.6p5/include/ntp.h.randomtx	2020-05-27 16:11:23.206229510 +0200
++++ ntp-4.2.6p5/include/ntp.h	2020-05-27 16:11:23.217229536 +0200
+@@ -351,6 +351,7 @@ struct peer {
+ 	l_fp	dst;		/* destination timestamp */
+ 	l_fp	aorg;		/* origin timestamp */
+ 	l_fp	borg;		/* alternate origin timestamp */
++	l_fp	xorg;		/* hidden origin timestamp (client mode) */
+ 	double	offset;		/* peer clock offset */
+ 	double	delay;		/* peer roundtrip delay */
+ 	double	jitter;		/* peer jitter (squares) */
+diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.randomtx ntp-4.2.6p5/ntpd/ntp_proto.c
+--- ntp-4.2.6p5/ntpd/ntp_proto.c.randomtx	2020-05-27 16:11:23.216229533 +0200
++++ ntp-4.2.6p5/ntpd/ntp_proto.c	2020-05-28 09:02:50.973320647 +0200
+@@ -1563,14 +1563,14 @@ process_packet(
+ 	/*
+ 	 * Basic mode, otherwise known as the old fashioned way.
+ 	 *
+-	 * t1 = p_org, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
++	 * t1 = peer->xorg, t2 = p_rec, t3 = p_xmt, t4 = peer->dst
+ 	 */
+ 	} else {
+ 		ci = p_xmt;				/* t3 - t4 */
+ 		L_SUB(&ci, &peer->dst);
+ 		LFPTOD(&ci, t34);
+ 		ci = p_rec;				/* t2 - t1 */
+-		L_SUB(&ci, &p_org);
++		L_SUB(&ci, &peer->xorg);
+ 		LFPTOD(&ci, t21);
+ 		p_del = fabs(t21 - t34);
+ 		p_offset = (t21 + t34) / 2.;
+@@ -2942,6 +2942,16 @@ peer_xmit(
+ 	HTONL_FP(&peer->rec, &xpkt.org);
+ 	HTONL_FP(&peer->dst, &xpkt.rec);
+ 
++	/* Generate a random transmit timestamp in the client mode to
++	   make the server origin timestamp unpredictable */
++	if (peer->flip == 0 && peer->hmode == MODE_CLIENT) {
++		if (ntp_crypto_random_buf(&peer->aorg, sizeof (peer->aorg))) {
++			msyslog(LOG_ERR, "ntp_crypto_random_buf() failed.");
++			exit(1);
++		}
++		xpkt.precision = 32;
++	}
++
+ 	/*
+ 	 * If the received packet contains a MAC, the transmitted packet
+ 	 * is authenticated and contains a MAC. If not, the transmitted
+@@ -2965,9 +2975,11 @@ peer_xmit(
+ 		 * Transmit a-priori timestamps
+ 		 */
+ 		get_systime(&xmt_tx);
++		peer->xorg = xmt_tx;
+ 		if (peer->flip == 0) {	/* basic mode */
+-			peer->aorg = xmt_tx;
+-			HTONL_FP(&xmt_tx, &xpkt.xmt);
++			if (peer->hmode != MODE_CLIENT)
++				peer->aorg = xmt_tx;
++			HTONL_FP(&peer->aorg, &xpkt.xmt);
+ 		} else {		/* interleaved modes */
+ 			if (peer->hmode == MODE_BROADCAST) { /* bcst */
+ 				HTONL_FP(&xmt_tx, &xpkt.xmt);
+@@ -3266,9 +3278,11 @@ peer_xmit(
+ 	 * Transmit a-priori timestamps
+ 	 */
+ 	get_systime(&xmt_tx);
++	peer->xorg = xmt_tx;
+ 	if (peer->flip == 0) {		/* basic mode */
+-		peer->aorg = xmt_tx;
+-		HTONL_FP(&xmt_tx, &xpkt.xmt);
++		if (peer->hmode != MODE_CLIENT)
++			peer->aorg = xmt_tx;
++		HTONL_FP(&peer->aorg, &xpkt.xmt);
+ 	} else {			/* interleaved modes */
+ 		if (peer->hmode == MODE_BROADCAST) { /* bcst */
+ 			HTONL_FP(&xmt_tx, &xpkt.xmt);
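Review bot: `xpkt.precision = 32;` in the new client-mode block of peer_xmit sets the advertised precision field to an unexplained constant, and a later maintainer could easily "correct" it back. It needs a comment, for example `/* transmit timestamp is random in client mode, so do not advertise the real clock precision */` (presumably the intent; confirm). The failure branch exits the daemon, which is a defensible fail-closed choice for this defence, but `"ntp_crypto_random_buf() failed."` names neither the association nor the cause, so consider adding the peer address to that msyslog call. The switch to `peer->xorg` in process_packet affects every basic-mode association, so it relies on both a-priori timestamp sites assigning `peer->xorg = xmt_tx`, as the last two nested hunks do. peer_xmit and process_packet extend beyond the hunks shown.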
diff --git a/SPECS/ntp.spec b/SPECS/ntp.spec
index 178a961..a789633 100644
--- a/SPECS/ntp.spec
+++ b/SPECS/ntp.spec
@@ -1,7 +1,7 @@
 Summary: The NTP daemon and utilities
 Name: ntp
 Version: 4.2.6p5
-Release: 29%{?dist}
+Release: 29%{?dist}.2
 # primary license (COPYRIGHT) : MIT
 # ElectricFence/ (not used) : GPLv2
 # kernel/sys/ppsclock.h (not used) : BSD with advertising
@@ -200,6 +200,10 @@ Patch76: ntp-4.2.6p5-decodenetnum.patch
 Patch77: ntp-4.2.6p5-netlinkdrop.patch
 # ntpbz #2890
 Patch78: ntp-4.2.6p5-netlinknobuf.patch
+# ntpbz #3592
+Patch79: ntp-4.2.6p5-cve-2020-11868.patch
+# ntpbz #3596
+Patch80: ntp-4.2.6p5-randomtx.patch
 
 # add bugs for compatibility with original EL7 ntpstat
 Patch100: ntpstat-compat.patch
@@ -273,7 +277,7 @@ This package contains NTP documentation in HTML format.
 # pool.ntp.org vendor zone which will be used in ntp.conf
 %if 0%{!?vendorzone:1}
 %{?fedora: %global vendorzone fedora.}
-%{?rhel: %global vendorzone centos.}
+%{?rhel: %global vendorzone rhel.}
 %endif
 
 %prep
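Review bot: The `vendorzone` default changes from `centos.` to `rhel.` here, but the new changelog entry lists only the two security fixes and the previous "rebrand vendorzone" entry is removed. According to the comment above the macro, this value selects the pool.ntp.org vendor zone written into ntp.conf, so the update silently changes which time servers a default install contacts. If this build is meant for CentOS, keep `%{?rhel: %global vendorzone centos.}`. Otherwise, record the zone change in `%changelog` so it is reviewed as a configuration change rather than hidden in a CVE update.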
@@ -358,6 +362,8 @@ This package contains NTP documentation in HTML format.
 %patch76 -p1 -b .decodenetnum
 %patch77 -p1 -b .netlinkdrop
 %patch78 -p1 -b .netlinknobuf
+%patch79 -p1 -b .cve-2020-11868
+%patch80 -p1 -b .randomtx
 
 %patch100 -p1 -b .compat
 
@@ -568,8 +574,9 @@ popd
 %{ntpdocdir}/html
 
 %changelog
-* Tue Aug 06 2019 CentOS Sources <bugs@centos.org> - 4.2.6p5-29.el7.centos
-- rebrand vendorzone
+* Mon Jun 01 2020 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-29.el7_8.2
+- don't update transmission time on invalid response (CVE-2020-11868)
+- randomize transmit timestamp in client requests (CVE-?, #1813787)
 
 * Fri Jan 11 2019 Miroslav Lichvar <mlichvar@redhat.com> 4.2.6p5-29
 - fix CVE-2016-7429 patch to restore default ttl configuration (#1550637)