Bug 1275065 - Please update ntp to the latest version (ntp-4.2.8p9)
Please update ntp to the latest version (ntp-4.2.8p9)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: ntp (Show other bugs)
rawhide
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Lichvar
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-10-25 10:07 EDT by marianne@tuxette.fr
Modified: 2016-11-22 07:04 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-22 07:04:56 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description marianne@tuxette.fr 2015-10-25 10:07:56 EDT
Ntp in fedora is in a version who is 4 years old. 
Latest version fix several security issues. 
http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

Please update (not everyone has switch to chrony )
Comment 1 Miroslav Lichvar 2015-10-26 03:40:48 EDT
The security issues from 4.2.8p4 have been backported to the Fedora package.

https://bodhi.fedoraproject.org/updates/FEDORA-2015-de44abca87

As for updating to 4.2.8, that will probably happen at some point, but I think we should wait until 4.2.8 is a bit more stable.
Comment 2 Jan Kurik 2016-02-24 08:52:11 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 3 Chris Adams 2016-07-12 14:53:23 EDT
Any update on this?  Fedora's version of ntp is sorely out of date.
Comment 4 Miroslav Lichvar 2016-07-13 04:58:33 EDT
The current upstream code is not in a very good shape. It seems there are still some bugs causing crashes and there are unfixed security vulnerabilities. Some fixes were incorrect and some I think should be reworked to use a different approach. Upstream is working very slowly, so I'm not sure how long it will take before I feel comfortable with rebasing our package.

It would be good to know what a typical user that still runs ntpd expects from it. Stability or new features? We can always throw away all our patches and just closely follow the upstream releases. I'm not sure if the users would be happy with that. For me as the Fedora mantainer it would probably be less work.

Anyway, I'm trying to follow upstream bug reports and backport important fixes to the Fedora package. Do you miss some particular feature or bugfix from 4.2.8?
Comment 5 Chris Adams 2016-07-13 09:01:01 EDT
This is Fedora, not RHEL/CentOS. Fedora is supposed to generally track upstream releases, not backport fixes for 4 years.

https://fedoraproject.org/wiki/Staying_close_to_upstream_projects

I have read about features related to reporting (expanded ntpq functionality) and leap seconds (there's one scheduled for the end of this year) that I would like to explore.
Comment 6 Miroslav Lichvar 2016-07-15 08:27:50 EDT
Here is a copr repo with an experimental ntp-4.2.8 package if anyone is interested in testing. Most patches are disabled for now. Please be careful, there are known security issues that were not (properly) fixed yet.

https://copr.fedorainfracloud.org/coprs/mlichvar/ntp/
Comment 7 Jan Kurik 2016-07-26 00:47:00 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 8 Miroslav Lichvar 2016-11-21 11:46:33 EST
4.2.8p9 was released today and it adds support for new openssl. I'll update the Fedora package soon.
Comment 9 Miroslav Lichvar 2016-11-22 07:04:56 EST
4.2.8p9 is now in rawhide. All patches that were not accepted by upstream were dropped. It's a fresh start of the Fedora ntp package with the intention of staying close to upstream.

Note You need to log in before you can comment on or make changes to this bug.