Accepting request 1301942 from network:time

- bsc#1247587: Fix a crash when calling "sntp -d".
  * ntp-sntp-assert.patch
- Update source URL.

OBS-URL: https://build.opensuse.org/request/show/1301942
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/ntp?expand=0&rev=142

Get-rid-of-EVP_MD_CTX_FLAG_NON_FIPS_ALLOW.patch

@@ -1,384 +0,0 @@
-From 57049ca2ac4676ba6ab02509e740799cf39e42ac Mon Sep 17 00:00:00 2001
-From: michellew-vmware <michellew@vmware.com>
-Date: Tue, 27 Jun 2023 18:26:05 +0000
-Subject: [PATCH] Get rid of  EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-
-- openssl-3.x provides EVP_MD_fetch() api to make use of non fips algorithms in user space programs.
-- EVP_MD_CTX_FLAG_NON_FIPS_ALLOW is obsolete.
----
- libntp/a_md5encrypt.c | 76 +++++++++++++++++++++++++++++++++++++------
- ntpd/ntp_control.c    | 54 ++++++++++++++++--------------
- ntpd/ntp_crypto.c     | 60 ++++++++++++++++++++++------------
- sntp/crypto.c         | 48 ++++++++++++++++++++-------
- 4 files changed, 172 insertions(+), 66 deletions(-)
-
-Index: ntp-4.2.8p17/libntp/a_md5encrypt.c
-===================================================================
---- ntp-4.2.8p17.orig/libntp/a_md5encrypt.c
-+++ ntp-4.2.8p17/libntp/a_md5encrypt.c
-@@ -11,6 +11,8 @@
- #include "ntp.h"
- #include "isc/string.h"
- 
-+#include <openssl/core_names.h>
-+
- typedef struct {
- 	const void *	buf;
- 	size_t		len;
-@@ -110,10 +112,31 @@ make_mac(
- 			goto mac_fail;
- 		}
- 
--	   #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
--		/* make sure MD5 is allowd */
-+
-+#   if OPENSSL_VERSION_NUMBER >= 0x30000000
-+                /* make sure MD5 is allowed */
-+		OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+		if (!octx) {
-+		    msyslog(LOG_ERR, "MAC encrypt: OSSL_LIB_CTX_new failed\n");
-+		    goto mac_fail;
-+		}
-+
-+		EVP_MD *type = EVP_MD_fetch(octx, OBJ_nid2sn(ktype), "-fips");
-+		if (!type) {
-+		    msyslog(LOG_ERR, "MAC encrypt: EVP_MD_fetch failed\n");
-+		    goto mac_fail;
-+		}
-+
-+		if (!EVP_DigestInit_ex(ctx, type, NULL)) {
-+		    msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Init failed.",
-+			    OBJ_nid2sn(ktype));
-+		    goto mac_fail;
-+		}
-+#   else
-+#       ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
- 		EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
--	   #endif
-+#       endif
-+
- 		/* [Bug 3457] DON'T use plain EVP_DigestInit! It would
- 		 * kill the flags! */
- 		if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(ktype), NULL)) {
-@@ -121,6 +144,7 @@ make_mac(
- 				OBJ_nid2sn(ktype));
- 			goto mac_fail;
- 		}
-+#       endif
- 		if ((size_t)EVP_MD_CTX_size(ctx) > digest->len) {
- 			msyslog(LOG_ERR, "MAC encrypt: MAC %s buf too small.",
- 				OBJ_nid2sn(ktype));
-@@ -146,6 +170,12 @@ make_mac(
- 
- 		if (ctx)
- 			EVP_MD_CTX_free(ctx);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+        if (type)
-+            EVP_MD_free(type);
-+        if (octx)
-+            OSSL_LIB_CTX_free(octx);
-+#   endif
- 	}
- 
- #else /* !OPENSSL follows */
-@@ -270,23 +300,51 @@ addr2refid(sockaddr_u *addr)
- 	INIT_SSL();
- 
- 	ctx = EVP_MD_CTX_new();
-+#   if OPENSSL_VERSION_NUMBER >= 0x30000000
-+    /* MD5 is not used as a crypto hash here. */
-+    OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+    if (!octx) {
-+        msyslog(LOG_ERR, "addr2refid: OSSL_LIB_CTX_new failed\n");
-+        exit(1);
-+    }
-+
-+    EVP_MD *type = EVP_MD_fetch(octx, OSSL_DIGEST_NAME_MD5, "-fips");
-+    if (!type) {
-+        msyslog(LOG_ERR, "addr2refid: EVP_MD_fetch failed\n");
-+        exit(1);
-+    }
-+
-+    if (!EVP_DigestInit_ex(ctx, type, NULL)) {
-+        msyslog(LOG_ERR, "MD5 init failed");
-+        EVP_MD_CTX_free(ctx);   /* pedantic... but safe */
-+        exit(1);
-+    }
-+#   else
- #   ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
--	/* MD5 is not used as a crypto hash here. */
--	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #   endif
- 	/* [Bug 3457] DON'T use plain EVP_DigestInit! It would kill the
- 	 * flags! */
- 	if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) {
--		msyslog(LOG_ERR,
--		    "MD5 init failed");
-+		msyslog(LOG_ERR, "MD5 init failed");
- 		EVP_MD_CTX_free(ctx);	/* pedantic... but safe */
- 		exit(1);
- 	}
-+#   endif
- 
- 	EVP_DigestUpdate(ctx, (u_char *)PSOCK_ADDR6(addr),
- 	    sizeof(struct in6_addr));
- 	EVP_DigestFinal(ctx, digest, &len);
- 	EVP_MD_CTX_free(ctx);
--	memcpy(&addr_refid, digest, sizeof(addr_refid));
--	return (addr_refid);
-+
-+#   if OPENSSL_VERSION_NUMBER >= 0x30000000
-+    if (type)
-+        EVP_MD_free(type);
-+    if (octx)
-+        OSSL_LIB_CTX_free(octx);
-+#   endif
-+
-+    memcpy(&addr_refid, digest, sizeof(addr_refid));
-+
-+    return (addr_refid);
- }
-Index: ntp-4.2.8p17/ntpd/ntp_control.c
-===================================================================
---- ntp-4.2.8p17.orig/ntpd/ntp_control.c
-+++ ntp-4.2.8p17/ntpd/ntp_control.c
-@@ -29,6 +29,8 @@
- #include "lib_strbuf.h"
- #include "timexsup.h"
- 
-+#include <openssl/core_names.h>
-+
- #include <rc_cmdlength.h>
- #ifdef KERNEL_PLL
- # include "ntp_syscall.h"
-@@ -3662,33 +3664,37 @@ static u_int32 derive_nonce(
- 	}
- 
- 	ctx = EVP_MD_CTX_new();
--#   if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
--	/* [Bug 3457] set flags and don't kill them again */
--	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
--	rc = EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    /* [Bug 3457] set flags and don't kill them again */
-+    OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+    EVP_MD *type = EVP_MD_fetch(octx, OSSL_DIGEST_NAME_MD5, "-fips");
-+    EVP_DigestInit_ex(ctx, type, NULL);
- #   else
--	rc = EVP_DigestInit(ctx, EVP_get_digestbynid(NID_md5));
-+#   ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#   endif
-+        EVP_DigestInit(ctx, EVP_get_digestbynid(NID_md5));
-+#   endif
-+        EVP_DigestUpdate(ctx, salt, sizeof(salt));
-+        EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
-+        EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
-+        if (IS_IPV4(addr))
-+                EVP_DigestUpdate(ctx, &SOCK_ADDR4(addr),
-+                                 sizeof(SOCK_ADDR4(addr)));
-+        else
-+                EVP_DigestUpdate(ctx, &SOCK_ADDR6(addr),
-+                                 sizeof(SOCK_ADDR6(addr)));
-+        EVP_DigestUpdate(ctx, &NSRCPORT(addr), sizeof(NSRCPORT(addr)));
-+        EVP_DigestUpdate(ctx, salt, sizeof(salt));
-+        EVP_DigestFinal(ctx, d.digest, &len);
-+        EVP_MD_CTX_free(ctx);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    EVP_MD_free(type);
-+    OSSL_LIB_CTX_free(octx);
- #   endif
--	if (!rc) {
--		msyslog(LOG_ERR, "EVP_DigestInit failed in '%s'", __func__);
--		return (0);
--	}
- 
--	EVP_DigestUpdate(ctx, salt, sizeof(salt));
--	EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
--	EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
--	if (IS_IPV4(addr))
--		EVP_DigestUpdate(ctx, &SOCK_ADDR4(addr),
--			         sizeof(SOCK_ADDR4(addr)));
--	else
--		EVP_DigestUpdate(ctx, &SOCK_ADDR6(addr),
--			         sizeof(SOCK_ADDR6(addr)));
--	EVP_DigestUpdate(ctx, &NSRCPORT(addr), sizeof(NSRCPORT(addr)));
--	EVP_DigestUpdate(ctx, salt, sizeof(salt));
--	EVP_DigestFinal(ctx, d.digest, &len);
--	EVP_MD_CTX_free(ctx);
-+        return d.extract;
- 
--	return d.extract;
- }
- 
- 
-Index: ntp-4.2.8p17/ntpd/ntp_crypto.c
-===================================================================
---- ntp-4.2.8p17.orig/ntpd/ntp_crypto.c
-+++ ntp-4.2.8p17/ntpd/ntp_crypto.c
-@@ -34,6 +34,8 @@
- #include "openssl/x509v3.h"
- #include "libssl_compat.h"
- 
-+#include <openssl/core_names.h>
-+
- #ifdef KERNEL_PLL
- #include "ntp_syscall.h"
- #endif /* KERNEL_PLL */
-@@ -268,16 +270,24 @@ session_key(
- 		break;
- 	}
- 	ctx = EVP_MD_CTX_new();
--#   if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
--	/* [Bug 3457] set flags and don't kill them again */
--	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
--	EVP_DigestInit_ex(ctx, EVP_get_digestbynid(crypto_nid), NULL);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    /* [Bug 3457] set flags and don't kill them again */
-+    OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+    EVP_MD *type = EVP_MD_fetch(octx, OBJ_nid2sn(crypto_nid), "-fips");
-+    EVP_DigestInit_ex(ctx, type, NULL);
- #   else
--	EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid));
-+#   ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#   endif
-+        EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid));
-+#   endif
-+        EVP_DigestUpdate(ctx, (u_char *)header, hdlen);
-+        EVP_DigestFinal(ctx, dgst, &len);
-+        EVP_MD_CTX_free(ctx);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    EVP_MD_free(type);
-+    OSSL_LIB_CTX_free(octx);
- #   endif
--	EVP_DigestUpdate(ctx, (u_char *)header, hdlen);
--	EVP_DigestFinal(ctx, dgst, &len);
--	EVP_MD_CTX_free(ctx);
- 	memcpy(&keyid, dgst, 4);
- 	keyid = ntohl(keyid);
- 	if (lifetime != 0) {
-@@ -374,7 +384,7 @@ make_keylist(
- 	 * Save the last session key ID, sequence number and timestamp,
- 	 * then sign these values for later retrieval by the clients. Be
- 	 * careful not to use invalid key media. Use the public values
--	 * timestamp as filestamp. 
-+	 * timestamp as filestamp.
- 	 */
- 	vp = &peer->sndval;
- 	if (vp->ptr == NULL)
-@@ -896,8 +906,8 @@ crypto_recv(
- 			 * autokey values.
- 			 */
- 			if ((rval = crypto_verify(ep, &peer->recval,
--			    peer)) != XEVNT_OK) 
--				break;
-+                            peer)) != XEVNT_OK)
-+                                break;
- 
- 			/*
- 			 * Discard the message if a broadcast client and
-@@ -2094,18 +2104,26 @@ bighash(
- 	ptr = emalloc(len);
- 	BN_bn2bin(bn, ptr);
- 	ctx = EVP_MD_CTX_new();
--#   if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
--	/* [Bug 3457] set flags and don't kill them again */
--	EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
--	EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    /* [Bug 3457] set flags and don't kill them again */
-+    OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+    EVP_MD *type = EVP_MD_fetch(octx, OSSL_DIGEST_NAME_MD5, "-fips");
-+    EVP_DigestInit_ex(ctx, type, NULL);
- #   else
--	EVP_DigestInit(ctx, EVP_md5());
-+#   ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+    EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
- #   endif
--	EVP_DigestUpdate(ctx, ptr, len);
--	EVP_DigestFinal(ctx, dgst, &len);
--	EVP_MD_CTX_free(ctx);
--	BN_bin2bn(dgst, len, bk);
--	free(ptr);
-+        EVP_DigestInit(ctx, EVP_md5());
-+#   endif
-+        EVP_DigestUpdate(ctx, ptr, len);
-+        EVP_DigestFinal(ctx, dgst, &len);
-+        EVP_MD_CTX_free(ctx);
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+    EVP_MD_free(type);
-+    OSSL_LIB_CTX_free(octx);
-+#   endif
-+        BN_bin2bn(dgst, len, bk);
-+        free(ptr);
- }
- 
- 
-Index: ntp-4.2.8p17/sntp/crypto.c
-===================================================================
---- ntp-4.2.8p17.orig/sntp/crypto.c
-+++ ntp-4.2.8p17/sntp/crypto.c
-@@ -80,16 +80,36 @@ compute_mac(
- 			goto mac_fail;
- 		}
- #ifdef OPENSSL	/* OpenSSL 1 supports return codes 0 fail, 1 okay */
--#	    ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
--		EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
--#	    endif
--		/* [Bug 3457] DON'T use plain EVP_DigestInit! It would
--		 *  kill the flags! */
--		if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) {
--			msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.",
--				macname);
--			goto mac_fail;
--		}
-+#   if OPENSSL_VERSION_NUMBER >= 0x30000000
-+        OSSL_LIB_CTX *octx = OSSL_LIB_CTX_new();
-+        if (!octx) {
-+            msyslog(LOG_ERR, "make_mac: OSSL_LIB_CTX_new failed");
-+            goto mac_fail;
-+        }
-+
-+        EVP_MD *type = EVP_MD_fetch(octx, OBJ_nid2sn(key_type), "-fips");
-+        if (!type) {
-+            msyslog(LOG_ERR, "make_mac: EVP_MD_fetch failed");
-+            goto mac_fail;
-+        }
-+
-+        /* [Bug 3457] DON'T use plain EVP_DigestInit! It would
-+                 *  kill the flags! */
-+        if (!EVP_DigestInit_ex(ctx, type, NULL)) {
-+                        msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.",
-+                                macname);
-+                        goto mac_fail;
-+                }
-+#   else
-+#       ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+        EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#       endif
-+        if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) {
-+            msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.",
-+                    macname);
-+            goto mac_fail;
-+        }
-+#   endif
- 		if (!EVP_DigestUpdate(ctx, key_data, key_size)) {
- 			msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.",
- 				macname);
-@@ -117,7 +137,13 @@ compute_mac(
- #endif
- 	  mac_fail:
- 		EVP_MD_CTX_free(ctx);
--	}
-+#   if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x30000000
-+        if (type)
-+            EVP_MD_free(type);
-+        if (octx)
-+            OSSL_LIB_CTX_free(octx);
-+#   endif
-+        }
- 
- 	return len;
- }

conf.start-ntpd

@@ -80,10 +80,11 @@ function ntpd_is_running() {
 }
 
 function parse_symlink() {
-  if [ -c "$NTP_PARSE_DEVICE" ]; then
-    if [ -n "$NTP_PARSE_LINK" ]; then
-    ln -sf $NTP_PARSE_DEVICE $NTP_PARSE_LINK
+  if [ -c "${CHROOT_PREFIX}$NTP_PARSE_DEVICE" ]; then
+    if [ -n "${CHROOT_PREFIX}$NTP_PARSE_LINK" ]; then
+      ln -sf $NTP_PARSE_DEVICE ${CHROOT_PREFIX}$NTP_PARSE_LINK
     fi
+    chown ntp:ntp ${CHROOT_PREFIX}$NTP_PARSE_DEVICE
   fi
 }
 
@@ -145,10 +146,10 @@ case "$1" in
         ntpd_is_running || $0 ntptimeset
     fi
     echo -n "Starting network time protocol daemon (NTPD)"
-    # do we need a refclock symlink?
-    parse_symlink
     # do we run chrooted?
     test "${NTPD_RUN_CHROOTED}" = "yes" && prepare_chroot
+    # do we need a refclock symlink?
+    parse_symlink
 
     $NTPD_BIN -p ${NTPD_PID#${CHROOT_PREFIX}} $NTPD_OPTIONS -c $NTP_CONF
 

ntp-4.2.8p17.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866
-size 7120469

ntp-4.2.8p18.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cf84c5f3fb1a295284942624d823fffa634144e096cfc4f9969ac98ef5f468e5
+size 7210799

ntp-check-argv.patch

@@ -0,0 +1,29 @@
+--- libntp/work_fork.c.orig
++++ libntp/work_fork.c
+@@ -543,17 +543,21 @@ fork_blocking_child(
+ 
+ 	/*
+ 	 * Change the process name of the child to avoid confusion
+-	 * about ntpd trunning twice.
++	 * about ntpd running twice.
+ 	 */
+ 	if (saved_argc != 0) {
+ 		int argcc;
+ 		int argvlen = 0;
+-		/* Clear argv */
++		char *end_of_argv = saved_argv[0];
++		/* Check that argv is contiguous, measure and clear it */
+ 		for (argcc = 0; argcc < saved_argc; argcc++) {
+-			int l = strlen(saved_argv[argcc]);
+-			argvlen += l + 1;
+-			memset(saved_argv[argcc], 0, l);
++			if (end_of_argv == saved_argv[argcc]) {
++				end_of_argv += strlen(saved_argv[argcc]) + 1;
++			}
+ 		}
++		argvlen = end_of_argv - saved_argv[0];
++		memset(saved_argv[0], 0, argvlen);
++
+ 		strlcpy(saved_argv[0], "ntpd: asynchronous dns resolver", argvlen);
+ 	}
+ 

ntp-openssl-version.patch

@@ -1,21 +1,22 @@
 --- libntp/ssl_init.c.orig
 +++ libntp/ssl_init.c
-@@ -67,18 +67,6 @@ ssl_init(void)
+@@ -62,19 +62,6 @@ ssl_init(void)
  void
  ssl_check_version(void)
  {
 -	u_long	v;
+-	char *  buf;
 -
 -	v = OpenSSL_version_num();
 -	if ((v ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
--		msyslog(LOG_WARNING,
--		    "OpenSSL version mismatch. Built against %lx, you have %lx",
--		    (u_long)OPENSSL_VERSION_NUMBER, v);
--		fprintf(stderr,
--		    "OpenSSL version mismatch. Built against %lx, you have %lx\n",
--		    (u_long)OPENSSL_VERSION_NUMBER, v);
+-		LIB_GETBUF(buf);
+-		snprintf(buf, LIB_BUFLENGTH, 
+-			 "OpenSSL version mismatch."
+-			 "Built against %lx, you have %lx\n",
+-			 (u_long)OPENSSL_VERSION_NUMBER, v);
+-		msyslog(LOG_WARNING, "%s", buf);
+-		fputs(buf, stderr);
 -	}
--
  	INIT_SSL();
  }
- 
+ #endif	/* OPENSSL */

ntp-sntp-assert.patch

@@ -0,0 +1,10 @@
+--- sntp/main.c.orig
++++ sntp/main.c
+@@ -981,6 +981,7 @@ void sntp_addremove_fd(
+ 		return;
+ 	}
+ 
++	make_socket_nonblocking(fd);
+ 	ev = event_new(base, fd, EV_READ | EV_PERSIST,
+ 		       &worker_resp_cb, c);
+ 	if (NULL == ev) {

ntp.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Fri Aug 29 11:24:53 UTC 2025 - Reinhard Max <max@suse.com>
+
+- bsc#1247587: Fix a crash when calling "sntp -d".
+  * ntp-sntp-assert.patch
+- Update source URL.
+
+-------------------------------------------------------------------
+Wed Feb  5 15:20:57 UTC 2025 - Reinhard Max <max@suse.com>
+
+- Update to 4.2.8p18
+  * obsoletes Get-rid-of-EVP_MD_CTX_FLAG_NON_FIPS_ALLOW.patch
+  * Multiple bug fixes and improvements. For details, see:
+    /usr/share/doc/packages/ntp/ChangeLog
+    http://www.ntp.org/support/securitynotice/4_2_8-series-changelog/  
+- bsc#1233890: chown refclock device to ntp user on startup.
+- ntp-check-argv.patch: Improve the handling of the process name of
+  the forked-off DNS resolver process.
+
 -------------------------------------------------------------------
 Fri May 24 13:38:02 UTC 2024 - Thorsten Kukuk <kukuk@suse.com>
 

ntp.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package ntp
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,14 +23,14 @@
 
 %define ntpfaqversion 3.4
 Name:           ntp
-Version:        4.2.8p17
+Version:        4.2.8p18
 Release:        0
 Summary:        Network Time Protocol daemon (version 4)
 License:        BSD-3-Clause AND MIT AND BSD-4-Clause AND GPL-2.0-only
 Group:          Productivity/Networking/Other
 URL:            http://www.ntp.org/
 # main source
-Source0:        http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-%{version}.tar.gz
+Source0:        https://downloads.nwtime.org/ntp/4.2.8/ntp-%{version}.tar.gz
 # configuration
 Source1:        conf.logrotate.ntp
 Source2:        conf.ntp.conf
@@ -58,7 +58,8 @@ Patch30:        ntp-move-kod-file.patch
 Patch33:        ntp-sntp-libevent.patch
 Patch34:        testdcf-gude.diff
 Patch35:        ntp-clarify-interface.patch
-Patch36:        Get-rid-of-EVP_MD_CTX_FLAG_NON_FIPS_ALLOW.patch
+Patch36:        ntp-check-argv.patch
+Patch37:        ntp-sntp-assert.patch
 
 BuildRequires:  avahi-compat-mDNSResponder-devel
 BuildRequires:  fdupes
@@ -145,7 +146,8 @@ cp %{SOURCE12} .
 %patch -P 33
 %patch -P 34 -p1
 %patch -P 35
-%patch -P 36 -p1
+%patch -P 36
+%patch -P 37
 
 # fix DOS line breaks
 sed -i 's/\r//g' html/scripts/{footer.txt,style.css}