License has changed due to the date/time; nothing new was added.
Delete the source patch reproducibility-respect-source-date-epoch.patch,
as the new version's source tree contains it.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The current NTP server responds to mode 6 queries from any clients.
Devices that respond to these queries have the potential to be used in
NTP amplification attacks. An unauthenticated, remote attacker could
potentially exploit this, via a specially crafted mode 6 query, to cause
a reflected denial of service condition.
See: https://www.tenable.com/plugins/nessus/97861
https://scan.shadowserver.org/ntpversion/
Update ntp.conf to restrict NTP mode 6 queries.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
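As an added illustration of the restriction the commit above describes (this is example code, not the ntp.conf shipped by the meta-networking recipe), the script below audits an ntp.conf for "restrict default" lines that still answer mode 6 queries. It relies on ntpd's documented restrict flag "noquery", which denies ntpq/ntpdc queries while time service continues; the function name, the exit-status scheme and the three sample configurations are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the meta-networking ntp recipe: audit an
# ntp.conf for "restrict default" lines that still answer mode 6 (ntpq)
# queries. In ntpd's restrict syntax "noquery" denies ntpq/ntpdc queries
# while still serving time; the default lines are what a remote reflector
# would match, so they are the ones checked here.
#
# check_mode6_restrict FILE
#   exit 0  every "restrict [-4|-6] default" line carries noquery
#   exit 1  at least one default restrict line lacks noquery (it is printed)
#   exit 2  no default restrict line at all (ntpd then answers everyone)
check_mode6_restrict() {
    conf="$1"
    found=0
    open=0
    set -f    # no globbing while config lines are word-split below
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # drop trailing comments
        set -- $line                  # split the line into words
        [ "${1:-}" = "restrict" ] || continue
        shift
        case "${1:-}" in -4|-6) shift ;; esac
        [ "${1:-}" = "default" ] || continue
        found=1
        shift
        has_noquery=0
        for flag in "$@"; do
            [ "$flag" = "noquery" ] && has_noquery=1
        done
        if [ "$has_noquery" -eq 0 ]; then
            open=1
            printf 'mode 6 open: %s\n' "$line"
        fi
    done < "$conf"
    set +f
    [ "$found" -eq 1 ] || return 2
    [ "$open" -eq 0 ]
}

# Constructed sample configurations (not from the recipe) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
HARDENED_CONF="$SAMPLE_DIR/hardened.conf"
OPEN_CONF="$SAMPLE_DIR/open.conf"
NO_DEFAULT_CONF="$SAMPLE_DIR/no_default.conf"

# Both address families deny queries by default; localhost keeps ntpq working.
cat > "$HARDENED_CONF" <<'EOF'
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntpserver.example.org iburst
EOF

# The IPv6 default line forgot noquery, so mode 6 is still reachable over IPv6.
cat > "$OPEN_CONF" <<'EOF'
restrict default nomodify notrap nopeer noquery
restrict -6 default nomodify notrap nopeer   # noquery missing here
server ntpserver.example.org iburst
EOF

# No default restriction at all: every client may send mode 6 queries.
cat > "$NO_DEFAULT_CONF" <<'EOF'
restrict 127.0.0.1
server ntpserver.example.org iburst
EOF

for f in "$HARDENED_CONF" "$OPEN_CONF" "$NO_DEFAULT_CONF"; do
    if check_mode6_restrict "$f"; then
        echo "$f: default restrict lines deny mode 6 queries"
    else
        echo "$f: needs attention (status $?)"
    fi
done
```

The check deliberately looks only at the default lines: per-host restrict entries such as the localhost ones above are where an administrator re-enables ntpq for local use, so their lack of noquery is expected.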
ntpdc is a special NTP query program. It shouldn't be part of ntp-utils,
which depends on perl.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* When usrmerge is enabled, ${libdir} is /usr/lib and
${systemd_unitdir} is /usr/lib/systemd. Since PACKAGE
ntpdate comes after ntp in the variable PACKAGES, the file
${systemd_unitdir}/system/ntpdate.service would be populated
into PACKAGE ntp even though we have added it to FILES_ntpdate.
When usrmerge is disabled, ${libdir} is empty, and when usrmerge is
enabled, files under ${libdir} are already covered by other FILES
settings, so fix this by removing ${libdir}.
* libexecdir is empty, so remove it from FILES_${PN}.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
ntpq is the standard query program for ntp,
but ntp-utils depends on perl.
Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
At configure time, the ntp build goes looking on the build machine for a posix
shell, using `which` to find it. Under OE, it settles on hosttools/bash,
resulting in this build host path being written into several binaries.
This did not affect the Debian reproducibility project, presumably because it
consistently found bash at /bin/bash.
Don't go looking, just use a fixed path to /bin/sh instead.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3551
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
If a SOURCE_DATE_EPOCH is set in the environment, use that date in the build
version string, otherwise use the current build date.
See https://reproducible-builds.org/docs/source-date-epoch/
Should GNU date options fail, try BSD date options as a fall-back.
This patch can potentially be pushed upstream for use on Mac OSX or OpenBSD,
though it has not been tested on OSX or any BSD platform.
Upstream-Status: Submitted http://bugs.ntp.org/show_bug.cgi?id=3550
Signed-off-by: Douglas Royds <douglas.royds@taitradio.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
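To make the fallback described in the commit above concrete, here is an added shell example (not the patch submitted to bugs.ntp.org, and not ntp's own version script): it derives a build timestamp from SOURCE_DATE_EPOCH when set, tries GNU date options first and BSD date options second, and otherwise uses the current time. The function names, the "YYYY-MM-DD HH:MM:SS UTC" output format and the integer validation are assumptions of the example, not details of ntp's version string.

```shell
#!/bin/sh
# Added example, not the patch from the commit: produce a build timestamp
# that honours SOURCE_DATE_EPOCH (see reproducible-builds.org) and falls
# back to the current time. GNU date accepts -d @EPOCH; BSD/macOS date
# accepts -r EPOCH. The output format used here is an assumption.

# epoch_to_utc EPOCH: print the epoch as "YYYY-MM-DD HH:MM:SS UTC",
# trying GNU date options first and BSD date options as a fallback.
epoch_to_utc() {
    epoch="$1"
    fmt='+%Y-%m-%d %H:%M:%S UTC'
    date -u -d "@$epoch" "$fmt" 2>/dev/null && return 0
    date -u -r "$epoch" "$fmt" 2>/dev/null && return 0
    return 1
}

# build_date: the date to embed in a version string.
# A set but malformed SOURCE_DATE_EPOCH is an error rather than silently
# becoming "now", so a broken reproducible build is noticed instead of
# yielding a different binary each time.
build_date() {
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        case "$SOURCE_DATE_EPOCH" in
            *[!0-9]*)
                echo "build_date: SOURCE_DATE_EPOCH is not an integer: $SOURCE_DATE_EPOCH" >&2
                return 1 ;;
        esac
        epoch_to_utc "$SOURCE_DATE_EPOCH"
    else
        date -u '+%Y-%m-%d %H:%M:%S UTC'
    fi
}

printf 'build date: %s\n' "$(build_date)"
```

Run twice with the same SOURCE_DATE_EPOCH and the printed date is identical; unset it and the current time is used, which is the behaviour the commit describes.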
1. Upgrade ntp to 4.2.8p12
2. Disable sntp service by default.
The default NTPSERVER in the sntp config is "ntpserver.example.org",
just an example and not a valid address; if the sntp service is enabled
by default, it will fail to start during boot. It should be
enabled after the user sets the correct config for sntp according
to the current config of ntpd.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
WARNING: ntp-4.2.8p10-r0 do_patch:
Some of the context lines in patches were ignored. This can lead to incorrectly applied patches.
The context lines in the patches can be updated with devtool:
devtool modify <recipe>
devtool finish --force-patch-refresh <recipe> <layer_path>
Then the updated patches and the source tree (in devtool's workspace)
should be reviewed to make sure the patches apply in the correct place
and don't introduce duplicate lines (which can, and does happen
when some of the context is ignored). Further information:
http://lists.openembedded.org/pipermail/openembedded-core/2018-March/148675.html
https://bugzilla.yoctoproject.org/show_bug.cgi?id=10450
Details:
Applying patch ntp-4.2.4_p6-nano.patch
patching file include/ntp_syscall.h
Hunk #1 succeeded at 10 with fuzz 2 (offset -4 lines).
Now at patch ntp-4.2.4_p6-nano.patch
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
libgcc is required by ntpd for execution, so add it as a runtime dependency.
Reference log from running ntpd:
~# /etc/init.d/ntpd start
Starting ntpd: libgcc_s.so.1 must be installed for pthread_cancel to work
Aborted
done
~#
Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Depending on the configuration used to build ntp it is possible to
have an empty libexecdir. This can cause QA issues. Add a test at the
end of install() to remove libexecdir if it is empty, thus avoiding
the possibility of QA issues, regardless of configuration.
Signed-off-by: Mark Asselstine <mark.asselstine@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
QA error fix:
ERROR: QA Issue: ntp: Files/directories were installed but not shipped in any package:
/usr/libexec
CVEs addressed:
Bug 2948 / CVE-2015-8158
Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass
Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode
Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list
Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference
Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames
Bug 2937 / CVE-2015-7975: nextvar() missing length check
Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers
Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode
Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks
Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin
NTP-4.2.8p5
NtpBug2956: Small-step/Big-step CVE-2015-5300
Bug #2829 Clean up pipe_fds in ntpd.c
Bug #2887 stratum -1 config results as showing value 99.
Bug #2932 Update leapsecond file info in miscopt.html.
Bug #2934 tests/ntpd/t-ntp_scanner.c has a magic constant wired in.
Bug #2944 errno is not preserved properly in ntpdate after sendto call.
Bug #2952 peer associations were broken by the fix for NtpBug2901 CVE-2015-7704
Bug #2954 Version 4.2.8p4 crashes on startup on some OSes.
Bug #2957 'unsigned int' vs 'size_t' format clash.
Bug #2958 ntpq: fatal error messages need a final newline.
Bug #2962 truncation of size_t/ptrdiff_t on 64bit targets.
Bug #2965 Local clock didn't work since 4.2.8p4.
Bug #2967 ntpdate command suffers an assertion failure
Bug #2969 Seg fault from ntpq/mrulist when looking at server with lots of clients.
Bug #2971 ntpq bails on ^C: select fails: Interrupted system call
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
When ntp is correctly built with openssh and libcrypto, we meet
the following QA issue:
WARNING: QA Issue: package ntp contains bad RPATH ... [rpath]
Fix this problem by adding '--disable-rpath' to EXTRA_OECONF.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
SECTION has been used inconsistently throughout the recipes in this layer.
Convert them to all use the same convention.
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
ntp 4.2.8p2 has more CVE fixes, like CVE-2015-1799 and CVE-2015-1798;
also remove ntp-4.2.8-ntp-keygen-no-openssl.patch, which 4.2.8p2 has integrated.
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
The ntp-utils package contains at least one perl-using script as well as
a supporting perl module, therefore we need a dependency on perl.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
After the upgrade to 4.2.8, ntp's configure process now uses a custom
script which looks at the host to determine what install locations it
should use. This resulted in the recipe working on some people's
machines and failing during do_install on others. Force it to use the
"redhat" configuration as this seems closest to what we used to be
using prior to the upgrade (this means that binaries are now back in
sbindir as they used to be).
Thanks to Philip Balister for reporting this.
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
* Upgrade to 4.2.8 which fixes several security issues, including
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296. For
more details please see:
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
* LIC_FILES_CHKSUM changed due to a number of copyright year and patch
list changes; nothing material about the license text changed.
* This version moves a number of binaries from sbindir to bindir;
there's supposed to be a configure option --with-locfile=legacy to use
the old layout but it does not seem to work. I guess we'll just have
to live with the change.
* Drop patches which are no longer applicable.
* Merge inc file into recipe; there were too many changes required to
the inc file in this version and it's unlikely it was much use split
out in any case.
* Move remaining files in files/ to ntp/
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
This solves the following warning:
lib32-ntp-4.2.6p5: lib32-ntp: Files/directories were installed but not shipped
/lib/systemd/system/sntp.service [installed-vs-shipped]
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
The default path of the ntp drift file is /etc/ntp.drift; the ntp daemon
may fail to create this file since the user ntp is not always
permitted to write to /etc.
Following other distributions such as RedHat and Debian, just move
the file to /var/lib/ntp, which is the home dir of user ntp.
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This allows the base recipe and bbappends to reference persistent
mutable state such as a drift file.
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
ntp checks for presence of sys/timepps.h to determine whether the kernel
supports the RFC 2783 KPPS interface. Under Linux the pps-tools package
installs this header. Without this feature the ATOM clock driver does
not work, and other drivers like NMEA have reduced precision. Remove
the feature non-determinism and increase ntpd capabilities by adding an
explicit dependency.
See: http://doc.ntp.org/4.2.6/kernpps.html
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The description in a previous patch to disable debugging is incorrect.
Although the option is default-enabled in configure.ac, configure does
respect the option that disables it.
In ntp 4.2.7 the option code is refactored to ntp_debug.m4 and has an
effect in sntp as well. Adding --disable-debugging to the top-level
configure options overrides the default for both 4.2.6 and 4.2.7 without
patching the distribution.
Make the selection explicit and configurable, but restore the historical
default. Absence of debugging capability in the server makes it
difficult to validate complex configurations.
Signed-off-by: Peter A. Bigot <pab@pabigot.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The monlist feature in ntp_request.c in ntpd in NTP before
4.2.7p26 allows remote attackers to cause a denial of service
(traffic amplification) via forged (1) REQ_MON_GETLIST or
(2) REQ_MON_GETLIST_1 requests, as exploited in the wild
in December 2013.
Signed-off-by: Zhang Xiao <xiao.zhang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
There is a problem in the configure.ac file: whether or not
'--enable-debugging' is specified on the configure cmdline, debugging
is always enabled.
We should disable ntp debugging by default.
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This patch properly uses the path variables and fixes ntptrace and
ntp-wait, in case perl is not installed at the hardcoded path.
Signed-off-by: Rahat Mahbub <rahat.mahbub@windriver.com>
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
If ntp is built without libcap, it refuses to start with the following
message:
Starting ntpd: /usr/sbin/ntpd: The ``user'' option has been disabled -- built
without --enable-clockctl or --enable-linuxcaps
ntpd - NTP daemon program - Ver. 4.2.6p5
USAGE: ntpd [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
By adding cap to PACKAGECONFIG, the default configuration runs. In the
future, someone could add an option for using clockctl.
Signed-off-by: Philip Balister <philip@balister.org>
Signed-off-by: Joe MacDonald <joe@deserted.net>
"--with-binsubdir" controls whether bin_PROGRAMS or
sbin_PROGRAMS is used when installing executable files in the ntp
Makefile. In order to install all the relevant files in
/usr/sbin instead of /usr/bin, we can pass "--with-binsubdir=sbin"
on the ntp configure cmdline.
Accordingly, update the path for the files which are
contained in rpm packages.
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Add ntp:ntp (user:group) to the system and run the
ntpd daemon as ntp:ntp.
Signed-off-by: Xufeng Zhang <xufeng.zhang@windriver.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
We will get the following ERROR/WARN if we enable systemd and
the installed-vs-shipped check in QA:
ERROR: QA Issue: ntp: Files/directories were installed but not shipped
/lib/systemd/ntp-units.d
/lib/systemd/ntp-units.d/60-ntpd.list
Signed-off-by: Stefan Herbrechtsmeier <stefan@herbrechtsmeier.net>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The default ntp.conf file does the right thing but one of the comments is
a bit misleading based on the active parts of the file changing a few
times. Update the comment to accurately describe what is happening in the
configuration file and what a user should do next.
Signed-off-by: Joe MacDonald <joe@deserted.net>