Hello community,

here is the log from the commit of package ntp.5195 for openSUSE:13.2:Update checked in at 2016-06-15 08:03:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/ntp.5195 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.ntp.5195.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "ntp.5195" Changes: -------- New Changes file: --- /dev/null 2016-04-07 01:36:33.300037506 +0200 +++ /work/SRC/openSUSE:13.2:Update/.ntp.5195.new/ntp.changes 2016-06-15 08:03:12.000000000 +0200 
@@ -0,0 +1,1795 @@ +------------------------------------------------------------------- +Sun Jun 5 05:20:03 UTC 2016 - m...@suse.com + +- Keep the parent process alive until the daemon has finished + initialisation, to make sure that the PID file exists when the + parent returns (ntp-daemonize.patch). + +------------------------------------------------------------------- +Thu Jun 2 14:21:45 UTC 2016 - m...@suse.com + +- Update to 4.2.8p8 (bsc#982056): + * CVE-2016-4953, bsc#982065: Bad authentication demobilizes + ephemeral associations. + * CVE-2016-4954, bsc#982066: Processing spoofed server packets. + * CVE-2016-4955, bsc#982067: Autokey association reset. + * CVE-2016-4956, bsc#982068: Broadcast interleave. + * CVE-2016-4957, bsc#982064: CRYPTO_NAK crash. +- Change the process name of the forking DNS worker process to + avoid the impression that ntpd is started twice (bsc#979302). +- Don't ignore SIGCHILD because it breaks wait() (boo#981422). +- ntp-wait does not accept fractional seconds, so use 1 instead of + 0.2 in ntp-wait.service (boo#979981). +- Separate the creation of ntp.keys and key #1 in it to avoid + problems when upgrading installations that have the file, but + no key #1, which is needed e.g. by "rcntp addserver". + +------------------------------------------------------------------- +Thu Apr 28 13:10:01 UTC 2016 - m...@suse.com + +- Update to 4.2.8p7 (bsc#977446): + * CVE-2016-1547, bsc#977459: + Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. + * CVE-2016-1548, bsc#977461: Interleave-pivot + * CVE-2016-1549, bsc#977451: + Sybil vulnerability: ephemeral association attack. + * CVE-2016-1550, bsc#977464: Improve NTP security against buffer + comparison timing attacks. + * CVE-2016-1551, bsc#977450: + Refclock impersonation vulnerability + * CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig + directives will cause an assertion botch in ntpd. 
+ * CVE-2016-2517, bsc#977455: remote configuration trustedkey/ + requestkey/controlkey values are not properly validated. + * CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 + causes array wraparound with MATCH_ASSOC. + * CVE-2016-2519, bsc#977458: ctl_getitem() return value not + always checked. + * integrate ntp-fork.patch + * Improve the fixes for: + CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 +- Restrict the parser in the startup script to the first + occurrance of "keys" and "controlkey" in ntp.conf (boo#957226). + +------------------------------------------------------------------- +Fri Apr 15 12:34:40 UTC 2016 - m...@suse.com + +- Enable compile-time support for MS-SNTP (--enable-ntp-signd). + This replaces the w32 patches in 4.2.4 that added the authreg + directive. (fate#320758). +- Fix ntp-sntp-dst.patch (bsc#975496). +- Call /usr/sbin/sntp with full path to synchronize in start-ntpd. + When run as cron job, /usr/sbin/ is not in the path, which caused + the synchronization to fail. (boo#962318) +- Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch). +- Sync service files with openSUSE Factory. + +------------------------------------------------------------------- +Wed Mar 30 14:56:11 UTC 2016 - m...@suse.com + +- Fix the TZ offset output of sntp during DST (bsc#951559). + +------------------------------------------------------------------- +Fri Mar 18 13:51:13 UTC 2016 - m...@suse.com + +- Add ntp-fork.patch and build with threads disabled to allow + name resolution even when running chrooted. + +------------------------------------------------------------------- +Fri Jan 22 15:44:38 UTC 2016 - m...@suse.com + +- Update to 4.2.8p6: + * CVE-2015-8158, bsc#962966: Potential Infinite Loop in ntpq. + * CVE-2015-8138, bsc#963002: origin: Zero Origin Timestamp + Bypass. + * CVE-2015-7979, bsc#962784: Off-path Denial of Service (DoS) + attack on authenticated broadcast mode. 
+ * CVE-2015-7978, bsc#963000: Stack exhaustion in recursive + traversal of restriction list. + * CVE-2015-7977, bsc#962970: reslist NULL pointer dereference. + * CVE-2015-7976, bsc#962802: ntpq saveconfig command allows + dangerous characters in filenames. + * CVE-2015-7975, bsc#962988: nextvar() missing length check. + * CVE-2015-7974, bsc#962960: Skeleton Key: Missing key check + allows impersonation between authenticated peers. + * CVE-2015-7973, bsc#962995: Deja Vu: Replay attack on + authenticated broadcast mode. + * CVE-2015-8140: ntpq vulnerable to replay attacks. + * CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. + * CVE-2015-5300, bsc#951629: Small-step/Big-step. +- Add /var/db/ntp-kod (bsc#916617). +- Add ntp-ENOBUFS.patch to limit a warning that might happen + quite a lot on loaded systems (bsc#956773). + +------------------------------------------------------------------- +Fri Nov 20 16:44:15 UTC 2015 - dmuel...@suse.com + +- add ntp.bug2965.diff (bsc#954982) + * fixes regression in 4.2.8p4 update + +------------------------------------------------------------------- +Thu Oct 29 11:33:13 UTC 2015 - m...@suse.com + +- Update to 4.2.8p4 to fix several security issues (bsc#951608): + * CVE-2015-7871: NAK to the Future: Symmetric association + authentication bypass via crypto-NAK + * CVE-2015-7855: decodenetnum() will ASSERT botch instead of + returning FAIL on some bogus values + * CVE-2015-7854: Password Length Memory Corruption Vulnerability + * CVE-2015-7853: Invalid length data provided by a custom + refclock driver could cause a buffer overflow + * CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability + * CVE-2015-7851 saveconfig Directory Traversal Vulnerability + * CVE-2015-7850 remote config logfile-keyfile + * CVE-2015-7849 trusted key use-after-free + * CVE-2015-7848 mode 7 loop counter underrun + * CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC + * CVE-2015-7703 configuration directives "pidfile" and + "driftfile" should 
only be allowed locally + * CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should + validate the origin timestamp field + * CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey + data packet length checks + * obsoletes ntp-memlock.patch. +- Add a controlkey line to /etc/ntp.conf if one does not already + exist to allow runtime configuuration via ntpq. + +------------------------------------------------------------------- +Tue Sep 22 14:32:10 UTC 2015 - m...@suse.com + +- Temporarily disable memlock to avoid problems due to high memory + usage during name resolution (bsc#946386, ntp-memlock.patch). + +------------------------------------------------------------------- +Fri Sep 18 12:28:43 UTC 2015 - m...@suse.com + +- Use SHA1 instead of MD5 for symmetric keys (bsc#905885). +- Improve runtime configuration: + * Read keytype from ntp.conf + * Don't write ntp keys to syslog. +- Fix legacy action scripts to pass on command line arguments. + +------------------------------------------------------------------- +Wed Sep 9 14:49:12 UTC 2015 - m...@suse.com + +- Remove ntp.1.gz, it wasn't installed anymore. +- Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. + The rest is partially irrelevant, partially redundant and + potentially outdated (bsc#942587). +- Remove "kod" from the restrict line in ntp.conf (bsc#944300). + +------------------------------------------------------------------- +Fri Sep 4 08:25:17 UTC 2015 - m...@suse.com + +- Use ntpq instead of deprecated ntpdc in start-ntpd (bnc#936327). +- Add a controlkey to ntp.conf to make the above work. +- Don't let "keysdir" lines in ntp.conf trigger the "keys" parser. +- Disable mode 7 (ntpdc) again, now that we don't use it anymore. + +------------------------------------------------------------------- +Thu Jul 23 08:13:30 UTC 2015 - m...@suse.com + +- Add "addserver" as a new legacy action. +- Fix the comment regarding addserver in ntp.conf (bnc#910063). 
+ +------------------------------------------------------------------- +Mon Jul 13 14:26:15 UTC 2015 - m...@suse.com + +- Update to version 4.2.8p3 which incorporates all security fixes + and most other patches we have so far (fate#319040). + More information on: + http://archive.ntp.org/ntp4/ChangeLog-stable +- Disable chroot by default (bnc#926510). +- Enable ntpdc for backwards compatibility (bnc#920238). + +------------------------------------------------------------------- +Mon Apr 27 14:53:30 UTC 2015 - m...@suse.com + +- Security fix: ntp-keygen may generate non-random symmetric keys + +------------------------------------------------------------------- +Tue Apr 7 14:08:59 UTC 2015 - meiss...@suse.com + +- security update bsc#924202 / VU#374268 + + - ntp-CVE-2015-1798.patch: CVE-2015-1798: NTP Bug 2779: ntpd accepts + unauthenticated packets with symmetric key crypto. + - ntp-CVE-2015-1799.patch: CVE-2015-1799: NTP Bug 2781: Authentication ++++ 1598 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.ntp.5195.new/ntp.changes New: ---- MOD_NANO.diff NTP-FAQ-3.4.tar.bz2 README.SUSE bnc#574885.diff conf.logrotate.ntp conf.ntp-wait.service conf.ntp.conf conf.ntp.reg conf.ntpd.service conf.start-ntpd conf.sysconfig.ntp conf.sysconfig.syslog-ntp ntp-4.2.8p8.tar.gz ntp-ENOBUFS.patch ntp-daemonize.patch ntp-processname.patch ntp-sigchld.patch ntp-sntp-dst.patch ntp-speedup-ntpq.patch ntp.changes ntp.firewall ntp.spec ntp.xml ntptime.8.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ ntp.spec ++++++ # # spec file for package ntp # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. 
The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: ntp %if 0%{?suse_version} > 1010 BuildRequires: autoconf BuildRequires: fdupes %endif BuildRequires: libcap-devel BuildRequires: libtool BuildRequires: openssl-devel BuildRequires: readline-devel # to allow the postinst script to succeed BuildRequires: pwdutils %if 0%{?suse_version} >= 1140 BuildRequires: pkgconfig(systemd) %{?systemd_requires} %if %{undefined _ntpunitsdir} %global _ntpunitsdir /usr/lib/systemd/ntp-units.d %endif %endif %define ntpfaqversion 3.4 Url: http://www.ntp.org/ Version: 4.2.8p8 Release: 0 Summary: Network Time Protocol daemon (version 4) License: (MIT and BSD-3-Clause and BSD-4-Clause) and GPL-2.0 Group: Productivity/Networking/Other # main source Source0: http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-%{version}.tar.gz # configuration Source1: conf.logrotate.ntp Source2: conf.ntp.conf Source3: conf.ntpd.service Source4: conf.sysconfig.ntp Source5: conf.sysconfig.syslog-ntp Source6: conf.ntp.reg Source7: %name.firewall Source8: conf.start-ntpd Source9: conf.ntp-wait.service # documentation Source10: NTP-FAQ-%{ntpfaqversion}.tar.bz2 Source12: README.SUSE Source13: ntptime.8.gz Source14: ntp.xml Patch16: MOD_NANO.diff Patch18: bnc#574885.diff Patch19: ntp-ENOBUFS.patch Patch20: ntp-sntp-dst.patch Patch21: ntp-speedup-ntpq.patch Patch22: ntp-sigchld.patch Patch23: ntp-processname.patch Patch24: ntp-daemonize.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Provides: ntp-daemon Provides: xntp = %version Provides: xntp3 = %version Obsoletes: xntp < %version 
Obsoletes: xntp3 < %version Conflicts: openntpd PreReq: pwdutils %fillup_prereq /usr/bin/diff /usr/bin/grep /sbin/chkconfig Suggests: logrotate Requires: timezone %description The Network Time Protocol (NTP) is used to synchronize the time of a computer client or server to another server or reference time source, such as a radio, satellite receiver, or modem. Ntpd is an operating system daemon that sets and maintains the system time-of-day synchronized with Internet standard time servers. %package doc Provides: ntpdoc = %version Provides: xntp-doc = %version Provides: xntpdoc = %version Obsoletes: ntpdoc < %version Obsoletes: xntp-doc < %version Obsoletes: xntpdoc < %version Summary: Additional Package Documentation for ntp Group: Documentation/Other %description doc The complete set of documentation for building and configuring an NTP server or client. The documentation is in the form of HTML files suitable for browsing and contains links to additional documentation at various web sites. What about NTP? Understanding and using the Network Time Protocol (A first try on a non-technical Mini-HOWTO and FAQ on NTP). Edited by Ulrich Windl and David Dalton. %prep %setup -q -n ntp-%{version} # unpack ntp-faq tar -x -C html -j -f %{S:10} # copy README.SUSE cp %{S:12} . 
%patch16 %patch18 %patch19 -p1 %patch20 -p1 %patch21 %patch22 -p1 %patch23 %patch24 # fix DOS line breaks sed -i 's/\r//g' html/scripts/{footer.txt,style.css} # new automake 1.13 has removed old macro sed -i 's/AM_CONFIG_HEADER/AC_CONFIG_HEADERS/' configure.ac %build %if 0%{?suse_version} && 0%{?suse_version} < 1141 %{?suse_update_config} %endif %if 0%{?suse_version} > 1010 autoreconf -fi %endif export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -W -DOPENSSL_LOAD_CONF -Wall -Wstrict-prototypes -Wpointer-arith -Wno-unused-parameter -fno-strict-aliasing -fstack-protector" %ifarch alpha s390x export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -O0" %endif %ifarch ia64 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -ffast-math" %endif export CFLAGS="$RPM_OPT_FLAGS -fPIE" export LDFLAGS="-pie" %configure \ --with-binsubdir=bin \ --bindir=%{_sbindir} \ --docdir=%{_docdir}/%{name}-doc \ --enable-parse-clocks \ --enable-all-clocks \ --enable-linuxcaps \ --enable-ipv6 \ --with-sntp \ --enable-ntp-signd \ --disable-listen-read-drop \ --with-lineeditlibs=readline \ --with-crypto=openssl \ --with-openssl-libdir=%{_libdir} \ --with-openssl-incdir=%{_includedir} \ --disable-thread-support \ --without-threads \ --enable-ntp-signd make %{?_smp_mflags} %install %makeinstall # Change permissions chmod 644 html/pic/neoclock4x.gif %if 0%{?suse_version} > 1010 %fdupes -s html %endif # # default configuration # %__install -d %{buildroot}/var/lib/ntp/{drift,etc,var/{lib,run/ntp},dev} %__install -d %{buildroot}/var/run ln -s ../.. 
%{buildroot}/var/lib/ntp/var/lib/ntp ln -s /usr/sbin/service %buildroot/usr/sbin/rcntpd ln -s /usr/sbin/service %buildroot/usr/sbin/rcntp-wait %__install -m 644 -D %{S:1} %{buildroot}/etc/logrotate.d/ntp %__install -m 600 -D %{S:2} %{buildroot}/etc/ntp.conf %__install -m 600 -D %{S:2} %{buildroot}/var/lib/ntp/etc/ntp.conf.iburst # # boot scripts # %__install -m 0644 -D %{S:3} %{buildroot}/%{_unitdir}/ntpd.service %__install -m 0644 -D %{S:9} %{buildroot}/%{_unitdir}/ntp-wait.service %__install -d %{buildroot}/usr/sbin %__install -m 755 -D %{S:8} %{buildroot}/usr/sbin/start-ntpd %__install -d %{buildroot}/usr/lib/initscripts/legacy-actions/ntpd for f in ntptimeset addserver; do F=%{buildroot}/usr/lib/initscripts/legacy-actions/ntpd/$f cat >$F <<-EOF #!/bin/bash exec /usr/sbin/start-ntpd $f "\$@" EOF chmod 755 $F done # # fillup sysconfig.ntp # %__install -m 644 -D %{S:4} %{buildroot}/var/adm/fillup-templates/sysconfig.ntp %__install -m 644 -D %{S:5} %{buildroot}/var/adm/fillup-templates/sysconfig.syslog-ntp # # install SLP reg file # %__install -m 644 -D %{S:6} %{buildroot}/etc/slp.reg.d/ntp.reg # # man pages # %__install -m 644 %{S:13} %{buildroot}/%{_mandir}/man8 # # firewall # %__install -d %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ %__install -m 644 %{S:7} %{buildroot}%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} # # Logfile # %__install -d %{buildroot}/var/log/ touch %{buildroot}/var/log/ntp # # service xml # install -d %{buildroot}/usr/share/omc/svcinfo.d/ install -m 644 %{S:14} %{buildroot}/usr/share/omc/svcinfo.d/ install -m 755 scripts/ntp-wait/ntp-wait %{buildroot}/usr/sbin/ install -d %{buildroot}/var/db install -m 644 /dev/null %{buildroot}/var/db/ntp-kod %if %{defined _ntpunitsdir} %__install -d %{buildroot}%{_ntpunitsdir} echo ntpd.service > %{buildroot}%{_ntpunitsdir}/50-ntp.list %endif %clean %__rm -rf %{buildroot} %pre /usr/sbin/groupadd -r ntp 2> /dev/null || : /usr/sbin/useradd -r -o -g ntp -u 74 -s /bin/false -c 
"NTP daemon" -d /var/lib/ntp ntp 2> /dev/null || : /usr/sbin/usermod -g ntp ntp 2>/dev/null || : test -L /var/run/ntp || rm -rf /var/run/ntp && : %service_add_pre ntp.service ntpd.service %service_add_pre ntp-wait.service if [ $FIRST_ARG -ne 1 -a ! -e "/var/lib/systemd/migrated/ntpd" ]; then sed -i -e 's,ntp\t,ntpd\t,g' /var/lib/systemd/sysv-convert/database fi %preun %service_del_preun ntpd.service %service_del_preun ntp-wait.service # no update? Then remove these files that aren't owned by the package if [ ${FIRST_ARG:-0} -eq 0 ]; then test -e /var/lib/ntp/drift/ntp.drift && rm -f /var/lib/ntp/drift/ntp.drift rm -f /var/lib/ntp/etc/* 2>/dev/null test -e /var/log/ntp && rm -f /var/log/ntp fi %post # Create ntp.keys file if [ ! -f /etc/ntp.keys ]; then FILE=$(mktemp -p /etc) chmod 0640 $FILE chown root:ntp $FILE mv $FILE /etc/ntp.keys fi # Make sure we have a key with ID 1, because it is needed # by the startup scripts. if awk '$1 == "1" {exit 1}' /etc/ntp.keys; then KEY=$(tr -dc '[:alnum:]' < /dev/urandom | head -c 20) echo "1 SHA1 $KEY" >> /etc/ntp.keys fi # Are we in update mode? if [ -f /etc/sysconfig/ntp ]; then grep -q '^keys /etc/ntp.keys' /etc/ntp.conf || { echo "# # Authentication stuff # keys /etc/ntp.keys # path for keys file trustedkey 1 # define trusted keys requestkey 1 # key (7) for accessing server variables " >> /etc/ntp.conf } fi if [ -f /etc/sysconfig/ntp ]; then grep -q '^controlkey ' /etc/ntp.conf || { echo "# controlkey 1 # key (6) for accessing server variables " >> /etc/ntp.conf } fi # update from previous permissions if [ -f /etc/ntp.conf ]; then chown root:ntp /etc/ntp.conf fi if [ -f /etc/ntp.keys ]; then chown root:ntp /etc/ntp.keys fi if [ -f /var/lib/ntp/etc/ntp.conf.iburst ]; then chown --from=ntp:root root:ntp /var/lib/ntp/etc/ntp.conf.iburst fi %{fillup_only -n ntp } %{fillup_only -n syslog } if [ ! 
-f /var/log/ntp ]; then touch /var/log/ntp chmod 644 /var/log/ntp fi %service_add_post ntpd.service %service_add_post ntp-wait.service if [ ! -e "/var/lib/systemd/migrated/ntpd" ]; then touch /var/lib/systemd/migrated/ntpd fi %postun %service_del_postun ntpd.service %service_del_postun ntp-wait.service %files %defattr(-,root,root) %doc COPYRIGHT ChangeLog NEWS README* TODO WHERE-TO-START conf %attr(0640,root,ntp) %config(noreplace) %{_sysconfdir}/ntp.conf %dir %{_sysconfdir}/slp.reg.d %{_unitdir}/ntpd.service %{_unitdir}/ntp-wait.service /usr/lib/initscripts/legacy-actions/ntpd %if %{defined _ntpunitsdir} %{_ntpunitsdir}/50-ntp.list %endif %config(noreplace) %{_sysconfdir}/slp.reg.d/ntp.reg %config %{_sysconfdir}/logrotate.d/ntp %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ntp %{_sbindir}/* /var/lib/ntp %attr(0640,root,ntp) %config(noreplace) /var/lib/ntp/etc/ntp.conf.iburst %attr(0755,ntp,ntp) %dir /var/lib/ntp/drift %{_mandir}/*/* /var/adm/fillup-templates/* %attr(0755,ntp,root) /var/lib/ntp/var/run/ntp %ghost %config(noreplace) /var/log/ntp /usr/share/omc/svcinfo.d/ntp.xml %{_datadir}/%name /var/db %files doc %defattr(-,root,root) %doc %{_docdir}/%{name}-doc %changelog ++++++ MOD_NANO.diff ++++++ Index: include/ntp_syscall.h =================================================================== --- include/ntp_syscall.h.orig 2014-12-19 12:56:54.000000000 +0100 +++ include/ntp_syscall.h 2015-01-26 16:05:59.593943047 +0100 
@@ -10,6 +10,14 @@ # include <sys/timex.h> #endif +#if defined(ADJ_NANO) && !defined(MOD_NANO) +#define MOD_NANO ADJ_NANO +#endif + +#if defined(ADJ_TAI) && !defined(MOD_TAI) +#define MOD_TAI ADJ_TAI +#endif + #ifndef NTP_SYSCALLS_LIBC # ifdef NTP_SYSCALLS_STD # define ntp_adjtime(t) syscall(SYS_ntp_adjtime, (t)) ++++++ README.SUSE ++++++ ################################################################### - More documentation is available in the package `ntp-doc': ntp-doc contains a complete set of documentation on building and configuring a NTP server or client. The documentation is in the form of HTML files suitable for browsing and contains links to additional documentation at various web sites. If a browser is unavailable, an ordinary text editor may also be used to view it. ################################################################### ++++++ bnc#574885.diff ++++++ Index: lib/isc/unix/interfaceiter.c =================================================================== --- lib/isc/unix/interfaceiter.c.orig 2014-12-19 12:56:54.000000000 +0100 +++ lib/isc/unix/interfaceiter.c 2015-02-27 13:09:25.652479263 +0100 
@@ -151,7 +151,7 @@ #ifdef __linux #define ISC_IF_INET6_SZ \ - sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n") + sizeof("00000000000000000000000000000001 00001 80 10 80 XXXXXXloXXXXXXXX\n") static isc_result_t linux_if_inet6_next(isc_interfaceiter_t *); static isc_result_t linux_if_inet6_current(isc_interfaceiter_t *); static void linux_if_inet6_first(isc_interfaceiter_t *iter); ++++++ conf.logrotate.ntp ++++++ /var/log/ntp { compress dateext maxage 365 rotate 99 size=+2048k notifempty missingok copytruncate postrotate chmod 644 /var/log/ntp endscript } ++++++ conf.ntp-wait.service ++++++ [Unit] Description=Wait for ntpd to synchronize system clock Requires=ntpd.service After=ntpd.service Conflicts=systemd-timesyncd.service Wants=time-sync.target Before=time-sync.target ConditionVirtualization=!container ConditionCapability=CAP_SYS_TIME [Service] Type=oneshot ExecStart=/usr/sbin/ntp-wait -s 1 -n 30000 RemainAfterExit=yes StandardOutput=null [Install] WantedBy=multi-user.target ++++++ conf.ntp.conf ++++++ ################################################################################ ## /etc/ntp.conf ## ## Sample NTP configuration file. ## See package 'ntp-doc' for documentation, Mini-HOWTO and FAQ. ## Copyright (c) 1998 S.u.S.E. GmbH Fuerth, Germany. ## ## Author: Michael Andres, <m...@suse.de> ## Michael Skibbe, <mski...@suse.de> ## ################################################################################ ## ## Radio and modem clocks by convention have addresses in the ## form 127.127.t.u, where t is the clock type and u is a unit ## number in the range 0-3. ## ## Most of these clocks require support in the form of a ## serial port or special bus peripheral. The particular ## device is normally specified by adding a soft link ## /dev/device-u to the particular hardware device involved, ## where u correspond to the unit number above. 
## ## Generic DCF77 clock on serial port (Conrad DCF77) ## Address: 127.127.8.u ## Serial Port: /dev/refclock-u ## ## (create soft link /dev/refclock-0 to the particular ttyS?) ## # server 127.127.8.0 mode 5 prefer ## ## Undisciplined Local Clock. This is a fake driver intended for backup ## and when no outside source of synchronized time is available. ## # server 127.127.1.0 # local clock (LCL) # fudge 127.127.1.0 stratum 10 # LCL is unsynchronized ## ## Add external Servers using ## # rcntpd addserver <yourserver> ## The servers will only be added to the currently running instance, not ## to /etc/ntp.conf. ## # Access control configuration; see /usr/share/doc/packages/ntp/html/accopt.html for # details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions> # might also be helpful. # # Note that "restrict" applies to both servers and clients, so a configuration # that might be intended to block requests from certain clients could also end # up blocking replies from your own upstream servers. # By default, exchange time with everybody, but don't allow configuration. restrict -4 default notrap nomodify nopeer noquery restrict -6 default notrap nomodify nopeer noquery # Local users may interrogate the ntp server more closely. restrict 127.0.0.1 restrict ::1 # Clients from this (example!) subnet have unlimited access, but only if # cryptographically authenticated. 
#restrict 192.168.123.0 mask 255.255.255.0 notrust ## ## Miscellaneous stuff ## driftfile /var/lib/ntp/drift/ntp.drift # path for drift file logfile /var/log/ntp # alternate log file # logconfig =syncstatus + sysevents # logconfig =all # statsdir /tmp/ # directory for statistics files # filegen peerstats file peerstats type day enable # filegen loopstats file loopstats type day enable # filegen clockstats file clockstats type day enable # # Authentication stuff # keys /etc/ntp.keys # path for keys file trustedkey 1 # define trusted keys requestkey 1 # key (7) for accessing server variables controlkey 1 # key (6) for accessing server variables ++++++ conf.ntp.reg ++++++ ############################################################################# # # OpenSLP registration file # # register NTP daemon # ############################################################################# service:ntp://$HOSTNAME:123,en,65535 watch-port-udp=123 description=Network Time Protocol [ntp] ++++++ conf.ntpd.service ++++++ [Unit] Description=NTP Server Daemon Documentation=man:ntpd(1) After=nss-lookup.target Conflicts=systemd-timesyncd.service Wants=network.target After=network.target ConditionVirtualization=!container ConditionCapability=CAP_SYS_TIME [Service] Type=forking PIDFile=/var/run/ntp/ntpd.pid ExecStart=/usr/sbin/start-ntpd start RestartSec=11min Restart=always PrivateTmp=true [Install] WantedBy=multi-user.target ++++++ conf.start-ntpd ++++++ #!/bin/bash # Copyright (c) 1995-2014 SuSE Linux AG, Nuernberg, Germany. # All rights reserved. # # Author: Peter Varkoly # set default options NTP_CONF="/etc/ntp.conf" if [ ! -f ${NTP_CONF} ]; then echo -n "Time server configuration file, ${NTP_CONF} does not exist." exit 6 fi NTPD_BIN="/usr/sbin/ntpd" if [ ! -x ${NTPD_BIN} ]; then echo -n "Time server, ${NTPD_BIN} not installed!" 
exit 5 fi NTPD_OPTIONS="-g -u ntp:ntp" NTPD_RUN_CHROOTED="yes" NTPQ_BIN="/usr/sbin/ntpq" NTP_KEYS=$(awk '/^keys[[:blank:]]/ { print $2; exit }' $NTP_CONF) NTP_KEYID=$(awk '/^controlkey[[:blank:]]/ { print $2; exit }' $NTP_CONF) if test -n "$NTP_KEYS" -a -n "$NTP_KEYID" -a -r "$NTP_KEYS"; then NTP_KEYTYPE=$(awk '$1 == "'$NTP_KEYID'"{ print $2 }' $NTP_KEYS) NTP_PASSWD=$(awk '$1 == "'$NTP_KEYID'"{ print $3 }' $NTP_KEYS) fi if [ -n "$NTP_KEYS" ]; then if test -z "$NTP_KEYID"; then echo -n "NTP key id not defined" exit 5 fi if test -z "$NTP_PASSWD"; then echo -n "No password for controlkey set" exit 1 fi fi # Override defaults, if we have the sysconfig file test -f /etc/sysconfig/ntp && . /etc/sysconfig/ntp function update_cmos() { return 0; } # Now see if we have to fix the CMOS clock if [ "$NTPD_FORCE_SYNC_ON_STARTUP" = yes -a "$1" = ntptimeset ] ; then test -f /etc/sysconfig/clock && . /etc/sysconfig/clock if test -r /proc/xen/capabilities ; then read -t1 caps < /proc/xen/capabilities test "$caps" = "${caps%control_d*}" && NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP=no fi case "$(uname -i)" in s390*) NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP=no esac if [ "$NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP" = yes ] ; then function update_cmos() { if test -e /dev/rtc ; then /sbin/hwclock --systohc $HWCLOCK return $? fi if test -z "$(/sbin/modprobe -l rtc_cmos)" ; then /sbin/hwclock --systohc $HWCLOCK return $? 
fi local temprules=/dev/.udev/rules.d local uevseqnum=/sys/kernel/uevent_seqnum local rule=$temprules/95-rtc-cmos.rules local -i start=0 end=0 /bin/mkdir -m 0755 -p $temprules echo ACTION==\"add\", KERNEL==\"rtc0\", RUN=\"/sbin/hwclock --systohc $HWCLOCK --rtc=\$env{DEVNAME}\" > $rule test -e $uevseqnum && read -t 1 start < $uevseqnum if /sbin/modprobe -q rtc_cmos ; then test -e $uevseqnum && read -t 1 end < $uevseqnum if test $start -lt $end ; then /sbin/udevadm settle --quiet --seq-start=$start --seq-end=$end else /sbin/udevadm settle --quiet fi else rm -f $rule /sbin/hwclock --systohc $HWCLOCK fi } fi fi # set Default CHROOT path if not set but wanted test "${NTPD_RUN_CHROOTED}" = "yes" && \ CHROOT_PREFIX="/var/lib/ntp" || \ CHROOT_PREFIX="" # set default PID variables NTPD_PID="${CHROOT_PREFIX}/var/run/ntp/ntpd.pid" # Create if /var/run is on tmpfs test -e /var/run/ntp || ln -s /var/lib/ntp/var/run/ntp /var/run function ntpd_is_running() { service ntpd status >/dev/null } function parse_symlink() { if [ -c "$NTP_PARSE_DEVICE" ]; then if [ -n "$NTP_PARSE_LINK" ]; then ln -sf $NTP_PARSE_DEVICE $NTP_PARSE_LINK fi fi } function prepare_chroot() { for configfile in /etc/{localtime,ntp.keys} $NTP_CONF $NTPD_CHROOT_FILES; do test -d ${CHROOT_PREFIX}${configfile%/*} || mkdir -p ${CHROOT_PREFIX}${configfile%/*} if [ -r ${configfile} ] then cp -aL ${configfile} ${CHROOT_PREFIX}${configfile%/*} else echo echo "Warning: ${configfile} not found or not readable" fi done mkdir -p ${CHROOT_PREFIX}/var/log mkdir -p ${CHROOT_PREFIX}/proc mount -t proc none -o ro,nosuid,nodev "${CHROOT_PREFIX}/proc" 2>/dev/null NTPD_OPTIONS="${NTPD_OPTIONS} -i ${CHROOT_PREFIX}" } function runtime_configuration() { for f in /var/run/ntp/servers*; do if [ -r ${f} ]; then . 
${f} ntp_server="${ntp_server} ${RUNTIME_SERVERS}" fi done if [ -n "${ntp_server}" ]; then for s in ${ntp_server}; do add_runtime_server ${s} done fi } function add_runtime_server() { [ "$NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP" = "yes" ] && /usr/sbin/sntp -S -c $@ NTPC_CMD="keytype $NTP_KEYTYPE\nkeyid $NTP_KEYID\npasswd $NTP_PASSWD\n:config server $@\n" NTPQ_LOG=$(echo -e "${NTPC_CMD}quit" | $NTPQ_BIN) logger -t $0 "runtime configuration: server $@" } function get_ntpd_ip_proto() { local -a OPTS read -ra OPTS <<< "$NTPD_OPTIONS" for i in "${OPTS[@]}"; do if [ "$i" = "-4" ] || [ "$i" = "-6" ]; then # first occurrence wins safely because ntpd couldn't handle more anyway echo "$i" return fi done echo "" return } case "$1" in start) if [ "$NTPD_FORCE_SYNC_ON_STARTUP" = "yes" ]; then # get the initial date from the timeservers configured in ntp.conf ntpd_is_running || $0 ntptimeset fi echo -n "Starting network time protocol daemon (NTPD)" # do we need a refclock symlink? parse_symlink # do we run chrooted? test "${NTPD_RUN_CHROOTED}" = "yes" && prepare_chroot $NTPD_BIN -p ${NTPD_PID#${CHROOT_PREFIX}} $NTPD_OPTIONS -c $NTP_CONF if [ -n "${NTP_KEYS}" ]; then runtime_configuration fi ;; addserver) if [ -z "${NTP_KEYS}" ]; then echo "Runtime configuration disabled, no key file specified." exit 1 fi if test $# -lt 2; then echo "No servers to add specified" exit 1 fi shift service ntpd status 2>&1 >/dev/null if test $? 
= 0; then add_runtime_server "$@" fi ;; ntptimeset) NTPD_PROTO="$( get_ntpd_ip_proto )" while read arg1 arg2 arg3 dummy do test "$arg1" = "server" || continue if [ "$arg2" = "-4" -o "$arg2" = "-6" ] then srv="$arg3" proto="$arg2" args="$arg2 $arg3" else srv="$arg2" proto="" args="$arg2" fi # ignore servers with conflicting IP version test -n "$NTP_PROTO" -a "NTPD_PROTO" != "$proto" && continue # ignore hardware clock drivers test "${srv#127.127.}" != "$srv" && continue if /usr/sbin/sntp -S -c $args &> /dev/null then SYNCHRONISED=$srv break fi done < /etc/ntp.conf if [ "$SYNCHRONISED" ] then echo "Time synchronized with $SYNCHRONISED" update_cmos else echo "Time could not be synchronized" fi ;; *) echo "Usage: $0 {start|addserver|ntptimeset}" exit 1 ;; esac ++++++ conf.sysconfig.ntp ++++++ ## Path: Network/NTP ## Description: Network Time Protocol (NTP) server settings ## Type: string ## Default: "-g -u ntp:ntp" # # Additional arguments when starting ntpd. The most # important ones would be # -u user[:group] to make ntpd run as a user (group) other than root. # NTPD_OPTIONS="-g -u ntp:ntp" ## Type: yesno ## Default: yes ## ServiceRestart: ntp # # Shall the time server ntpd run in the chroot jail /var/lib/ntp? # # Each time you start ntpd with the init script, /etc/ntp.conf will be # copied to /var/lib/ntp/etc/. # # The pid file will be in /var/lib/ntp/var/run/ntpd.pid. 
# NTPD_RUN_CHROOTED="no" ## Type: string ## Default: "" ## ServiceRestart: ntp # # If the time server ntpd runs in the chroot jail these files will be # copied to /var/lib/ntp/ besides the default of /etc/{localtime,ntp.conf} # NTPD_CHROOT_FILES="" ## Type: string(/dev/refclock-0,/dev/refclock-1,/dev/refclock-2,/dev/refclock-3) ## Default: "" ## ServiceRestart: ntp # # Parse driver symlink # For more information see the ntp documentation in the package ntp-doc # /usr/share/doc/packages/ntp-doc/drivers/driver8.html # NTP_PARSE_LINK="" ## Type: string(/dev/ttyS0,/dev/ttyS1,/dev/ttyUSB0,/dev/ttyUSB1,/dev/ttyUSB2) ## Default: "" ## ServiceRestart: ntp # # Parse driver device # # For more information see the ntp documentation in the package ntp-doc # /usr/share/doc/packages/ntp-doc/drivers/driver8.html # # NOTE: Adjust /etc/apparmor.d/tunables/ntpd accordingly # NTP_PARSE_DEVICE="" ## Type: boolean ## Default: "yes" # # Force time synchronization befor start ntpd # NTPD_FORCE_SYNC_ON_STARTUP="no" ## Type: boolean ## Default: "no" # # Force time synchronization of hwclock befor start ntpd. # This works only if NTPD_FORCE_SYNC_ON_STARTUP is set # to yes. # NTPD_FORCE_SYNC_HWCLOCK_ON_STARTUP="yes" ++++++ conf.sysconfig.syslog-ntp ++++++ ## Type: string ## Default: "/var/lib/ntp/dev/log" ## ServiceRestart: syslog ## Config: syslog-ng # # The filename mentioned here will be added with the "-a ..." option as # additional socket via SYSLOGD_PARAMS when syslogd is started. # # This additional socket is needed in case that syslogd is restarted. Otherwise # a chrooted 'ntpd' won't be able to continue logging. # SYSLOGD_ADDITIONAL_SOCKET_NTP="/var/lib/ntp/dev/log" ++++++ ntp-ENOBUFS.patch ++++++ --- ntp-4.2.8p6.orig/ntpd/ntp_io.c +++ ntp-4.2.8p6/ntpd/ntp_io.c @@ -4568,6 +4568,7 @@ struct rt_msghdr rtm; char *p; #endif + static int netlink_warn = 1; if (disable_dynamic_updates) { /* 
@@ -4582,14 +4583,15 @@ cnt = read(reader->fd, buffer, sizeof(buffer)); if (cnt < 0) { - if (errno == ENOBUFS) { - msyslog(LOG_ERR, - "routing socket reports: %m"); - } else { + if (errno != ENOBUFS) { msyslog(LOG_ERR, "routing socket reports: %m - disabling"); remove_asyncio_reader(reader); delete_asyncio_reader(reader); + } else if (netlink_warn == 1) { + msyslog(LOG_ERR, + "routing socket reports: %m"); + netlink_warn = 0; } return; } ++++++ ntp-daemonize.patch ++++++ --- ntpd/ntpd.c.orig +++ ntpd/ntpd.c @@ -690,16 +690,17 @@ ntpdmain( /* make sure the FDs are initialised */ pipe_fds[0] = -1; pipe_fds[1] = -1; - do { /* 'loop' once */ - if (!HAVE_OPT( WAIT_SYNC )) - break; + if (HAVE_OPT( WAIT_SYNC )) { wait_sync = OPT_VALUE_WAIT_SYNC; - if (wait_sync <= 0) { - wait_sync = 0; - break; - } + } + if (wait_sync <= 0) { + wait_sync = 0; + } + if (wait_sync > 0) { /* -w requires a fork() even with debug > 0 */ nofork = FALSE; + } + if (!nofork) { if (pipe(pipe_fds)) { exit_code = (errno) ? errno : -1; msyslog(LOG_ERR, @@ -707,7 +708,7 @@ ntpdmain( exit(exit_code); } waitsync_fd_to_close = pipe_fds[1]; - } while (0); /* 'loop' once */ + } # endif /* HAVE_WORKING_FORK */ init_lib(); @@ -1240,6 +1241,20 @@ int scmp_sc[] = { } #endif /* LIBSECCOMP and KERN_SECCOMP */ +#ifdef HAVE_WORKING_FORK + if (!nofork && wait_sync == 0 && waitsync_fd_to_close != -1) { + /* + * Initialisation of the daemon is complete and the + * user does not want to wait for synchronisation, so + * tell the forground process to exit successfully. + */ + char ret = 0; + write(waitsync_fd_to_close, &ret, 1); + close(waitsync_fd_to_close); + waitsync_fd_to_close = -1; + } +#endif + # ifdef HAVE_IO_COMPLETION_PORT for (;;) { 
@@ -1436,11 +1451,17 @@ wait_child_sync_if( fd_set readset; struct timeval wtimeout; - if (0 == wait_sync) - return 0; - /* waitsync_fd_to_close used solely by child */ close(waitsync_fd_to_close); + + if (0 == wait_sync) { + /* Wait for the daemon to finish initialisation and + exit with success or failure accordingly */ + char ret = 1; + (void) read(pipe_read_fd, &ret, 1); + return ret; + } + wait_end_time = time(NULL) + wait_sync; do { cur_time = time(NULL); ++++++ ntp-processname.patch ++++++ --- libntp/work_fork.c.orig +++ libntp/work_fork.c @@ -24,6 +24,8 @@ int worker_process; addremove_io_fd_func addremove_io_fd; static volatile int worker_sighup_received; +int saved_argc = 0; +char **saved_argv; /* === function prototypes === */ static void fork_blocking_child(blocking_child *); @@ -495,6 +497,22 @@ fork_blocking_child( worker_process = TRUE; /* + * Change the process name of the child to avoid confusion + * about ntpd trunning twice. + */ + if (saved_argc != 0) { + int argcc; + int argvlen = 0; + /* Clear argv */ + for (argcc = 0; argcc < saved_argc; argcc++) { + int l = strlen(saved_argv[argcc]); + argvlen += l + 1; + memset(saved_argv[argcc], 0, l); + } + strlcpy(saved_argv[0], "ntpd: asynchronous dns resolver", argvlen); + } + + /* * In the child, close all files except stdin, stdout, stderr, * and the two child ends of the pipes. */ --- include/ntpd.h.orig +++ include/ntpd.h @@ -321,6 +321,8 @@ extern void parse_cmdline_opts(int *, ch /* ntp_config.c */ extern char const * progname; +extern int saved_argc; +extern char **saved_argv; extern char *sys_phone[]; /* ACTS phone numbers */ #if defined(HAVE_SCHED_SETSCHEDULER) extern int config_priority_override; --- ntpd/ntpd.c.orig +++ ntpd/ntpd.c 
@@ -230,8 +230,10 @@ static RETSIGTYPE no_debug (int); # endif /* !DEBUG */ #endif /* !SIM && !SYS_WINNT */ +#ifndef WORK_FORK int saved_argc; char ** saved_argv; +#endif #ifndef SIM int ntpdmain (int, char **); ++++++ ntp-sigchld.patch ++++++ --- ntp-4.2.8p7.orig/libntp/work_fork.c +++ ntp-4.2.8p7/libntp/work_fork.c @@ -461,8 +461,6 @@ fflush(stdout); fflush(stderr); - signal_no_reset(SIGCHLD, SIG_IGN); - childpid = fork(); if (-1 == childpid) { msyslog(LOG_ERR, "unable to fork worker: %m"); ++++++ ntp-sntp-dst.patch ++++++ Index: ntp-4.2.8p4/sntp/utilities.c =================================================================== --- ntp-4.2.8p4.orig/sntp/utilities.c +++ ntp-4.2.8p4/sntp/utilities.c 
@@ -139,34 +139,36 @@ tv_to_str( { const size_t bufsize = 48; char *buf; - time_t gmt_time, local_time; - struct tm *p_tm_local; + time_t time_gmt, time_local; + struct tm tm_gmt, tm_local; int hh, mm, lto; - /* - * convert to struct tm in UTC, then intentionally feed - * that tm to mktime() which expects local time input, to - * derive the offset from UTC to local time. + /* Get local time, convert it to GMT, adjust the tm_isdst to the + * current local DST value. Then call mktime which will not adjust + * for DST allowing us to calculate the offset from local to GMT */ - gmt_time = tv->tv_sec; - local_time = mktime(gmtime(&gmt_time)); - p_tm_local = localtime(&gmt_time); + time_gmt = tv->tv_sec; + localtime_r(&time_gmt, &tm_local); + time_local = mktime(&tm_local); + gmtime_r(&time_local, &tm_gmt); + tm_gmt.tm_isdst=tm_local.tm_isdst; + time_gmt = mktime(&tm_gmt); /* Local timezone offsets should never cause an overflow. Yeah. */ - lto = difftime(local_time, gmt_time); + lto = difftime(time_local, time_gmt); lto /= 60; hh = lto / 60; mm = abs(lto % 60); - buf = emalloc(bufsize); + buf = malloc(bufsize); snprintf(buf, bufsize, "%d-%.2d-%.2d %.2d:%.2d:%.2d.%.6d (%+03d%02d)", - p_tm_local->tm_year + 1900, - p_tm_local->tm_mon + 1, - p_tm_local->tm_mday, - p_tm_local->tm_hour, - p_tm_local->tm_min, - p_tm_local->tm_sec, + tm_local.tm_year + 1900, + tm_local.tm_mon + 1, + tm_local.tm_mday, + tm_local.tm_hour, + tm_local.tm_min, + tm_local.tm_sec, (int)tv->tv_usec, hh, mm); ++++++ ntp-speedup-ntpq.patch ++++++ From: Bernhard M. Wiedemann <bwiedemann suse de> do not ask for ntp service in all protocols which is very slow (bnc#782060) Index: libntp/decodenetnum.c =================================================================== --- libntp/decodenetnum.c.orig 2015-10-21 18:13:49.000000000 +0200 +++ libntp/decodenetnum.c 2015-11-06 10:38:49.777763897 +0100 
@@ -71,8 +71,9 @@ cp = name; } ZERO(hints); - hints.ai_flags = Z_AI_NUMERICHOST; - err = getaddrinfo(cp, "ntp", &hints, &ai); + hints.ai_socktype = SOCK_DGRAM; + hints.ai_flags = Z_AI_NUMERICHOST | Z_AI_NUMERICSERV; + err = getaddrinfo(cp, "123", &hints, &ai); if (err != 0) return 0; INSIST(ai->ai_addrlen <= sizeof(*netnum)); ++++++ ntp.firewall ++++++ ## Name: xntp Server ## Description: Opens ports for xntp. # space separated list of allowed TCP ports TCP="" # space separated list of allowed UDP ports UDP="ntp" # space separated list of allowed RPC services RPC="" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST=""
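Review bot: in the ntptimeset branch of the init script, the filter `test -n "$NTP_PROTO" -a "NTPD_PROTO" != "$proto" && continue` cannot do what its comment ("ignore servers with conflicting IP version") says. The value is stored in NTPD_PROTO a few lines earlier, NTP_PROTO is never assigned in the visible script, and the second operand is the literal string NTPD_PROTO because the `$` is missing. Suggest `test -n "$NTPD_PROTO" -a "$NTPD_PROTO" != "$proto" && continue`, and decide explicitly whether server lines without -4/-6 should be skipped when ntpd is pinned to one protocol. Separately, in addserver, `service ntpd status 2>&1 >/dev/null` still lets stderr through; use `>/dev/null 2>&1` if both streams are meant to be silenced.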
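Review bot: in ntp-ENOBUFS.patch, hunk @@ -4582,14 +4583,15 @@, the one-shot flag `netlink_warn` is set to 0 on the first ENOBUFS and never reset, so every later overflow of the routing socket is dropped silently for the lifetime of the process. That removes the log noise but also the only signal that routing messages, and with them interface changes, may have been missed. Suggest rate-limiting instead (log at most once per interval, or log a count of suppressed messages) and adding a comment at the declaration explaining what the flag is for.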
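Review bot: in ntp-daemonize.patch, hunk @@ -1240,6 +1241,20 @@, the result of `write(waitsync_fd_to_close, &ret, 1);` is discarded, so a failed or interrupted write goes unnoticed. The descriptor is then closed, the foreground process reads end-of-file, and it returns its initial `ret = 1`, reporting failure for a daemon that did start. Check the return value, retry on EINTR, and msyslog() any other error. The comment also has a typo: "forground".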
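Review bot: in ntp-daemonize.patch, hunk @@ -1436,11 +1451,17 @@ (wait_child_sync_if), `(void) read(pipe_read_fd, &ret, 1);` treats an interrupted read the same as a failed initialisation, because `ret` keeps its initial value 1 when read() returns -1. Retry on EINTR before returning. As written the foreground process also blocks for as long as the daemon neither writes nor closes the pipe; the function already declares `readset` and `wtimeout`, so a bounded select() before the read would keep a hung initialisation from stalling the caller.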
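Review bot: in ntp-processname.patch, the libntp/work_fork.c hunk @@ -495,6 +497,22 @@ passes `argvlen`, the summed length of every argument, as the destination size in `strlcpy(saved_argv[0], "ntpd: asynchronous dns resolver", argvlen);`. That is only a valid bound if all saved_argv[] strings sit back to back in one buffer starting at saved_argv[0], which nothing in the hunk checks. If saved_argv holds separately allocated copies or the strings are not contiguous, the copy writes past the end of saved_argv[0]. Suggest verifying contiguity while summing (stop at the first argument where `saved_argv[argcc] + l + 1 != saved_argv[argcc + 1]`), or limiting the size to `strlen(saved_argv[0]) + 1` taken before the memset. `int l = strlen(...)` should be size_t, and the comment has a typo: "trunning".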
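Review bot: in ntp-sigchld.patch, removing `signal_no_reset(SIGCHLD, SIG_IGN);` ahead of `childpid = fork();` means exited workers are no longer reaped automatically, and the hunk does not show where the parent now waits for them. Please confirm that every worker exit path is followed by wait()/waitpid() in the parent, otherwise each finished worker stays as a zombie, and put that reasoning in the patch header, which currently carries no description at all.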
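Review bot: in ntp-sntp-dst.patch, tv_to_str() now allocates with `buf = malloc(bufsize);` instead of `emalloc(bufsize)` and passes the result straight to snprintf() with no NULL check, so an allocation failure becomes a NULL pointer write. The switch is unrelated to the DST fix; keep emalloc() or add the check. The return values of localtime_r() and gmtime_r() are also unchecked before `tm_local` and `tm_gmt` are used, and `tm_gmt.tm_isdst=tm_local.tm_isdst;` is missing the spaces around `=` used elsewhere in the function.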
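Review bot: in ntp-speedup-ntpq.patch, the service argument becomes the bare literal in `err = getaddrinfo(cp, "123", &hints, &ai);` with nothing next to it saying why. A one-line comment that the numeric port plus Z_AI_NUMERICSERV and SOCK_DGRAM are there to avoid the service-name lookup across all protocols (the bnc#782060 slowdown named in the patch header) would stop someone from later "cleaning it up" back to "ntp".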