CentOS

Hi,

For our project, we need to update the NTP version to ntp-4.2.8p11 as there is lots of vulnerability report for older version which is available with Centos7.5.

Even link local ipv6 doesn't work with ntp-4.2.6p5. (https://bugzilla.redhat.com/show_bug.cgi?id=1321928 )

I am trying to create rpm of ntp-4.2.8 on centos 7.5.

I am able to build manually ( by running configure , make , make install on source code) but when we create rpm , hitting with the following error

Unable to get much of help on following error on net.

In file included from crypto.h:13:0,
from crypto.c:10:
sntp-opts.h:59:3: error: #error option template version mismatches autoopts/options.h header
# error option template version mismatches autoopts/options.h header
^

sntp-opts.h:60:3: error: unknown type name 'Choke'
Choke Me.
^
sntp-opts.h:60:11: error: expected '=', ',', ';', 'asm' or '__attribute__' before '.' token
Choke Me.
^
sntp-opts.h:90:3: warning: data definition has no type or storage class [enabled by default]
} teOptIndex;
^
sntp-opts.h:90:3: warning: type defaults to 'int' in declaration of 'teOptIndex' [enabled by default]
make[5]: *** [crypto.o] Error 1
make[5]: Leaving directory `/root/rpmbuild/BUILD/ntp-4.2.8p11/sntp'
make[4]: *** [../libsntp.a] Error 2
make[4]: Leaving directory `/root/rpmbuild/BUILD/ntp-4.2.8p11/sntp/tests'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/root/rpmbuild/BUILD/ntp-4.2.8p11/sntp'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/rpmbuild/BUILD/ntp-4.2.8p11/sntp'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/root/rpmbuild/BUILD/ntp-4.2.8p11'
make: *** [all] Error 2
+ exit 0


Has anyone successfully built the ntp-4.2.8 on centos 7.5 ? Please provide the spec file if you're successfully built it.

vjpiyush wrote: ↑

2018/07/18 12:17:13

as there is lots of vulnerability report for older version which is available with Centos7.5.

Like which ones? See the backporting page and then check rpm -q ntp --changelog | grep -i cve and then RH's CVE database at https://access.redhat.com/security/secu ... ates/#/cve where you can search for information based on the CVE ID.

Following CVEs are fixed after ntp-4.2.6p5 that is shipped inside CentOS 7.5.1804.
CVE-2015-7704
CVE-2015-8138
CVE-2016-1547
CVE-2016-1548
CVE-2016-1549

CVE-2016-1550
CVE-2016-1551
CVE-2016-2516
CVE-2016-2517
CVE-2016-2518

CVE-2016-2519
CVE-2016-7434
CVE-2016-1549
CVE-2016-1551
CVE-2016-2516

CVE-2016-2517
CVE-2016-2519
CVE-2018-7170
CVE-2018-7185

I am getting following errors while building ntp.

sntp-opts.h:60:3: error: unknown type name 'Choke'

sntp-opts.h:103:47: note: each undeclared identifier is reported only once for each function it appears in
#define DESC(n) (sntpOptions.pOptDesc[INDEX_OPT_## n])
^
sntp-opts.h:105:41: note: in expansion of macro 'DESC'
#define HAVE_OPT(n) (! UNUSED_OPT(& DESC(n)))
^
networking.c:118:18: note: in expansion of macro 'HAVE_OPT'
is_authentic = (HAVE_OPT(AUTHENTICATION)) ? 0 : -1;
^
make[5]: *** [networking.o] Error 1
make[5]: *** [main.o] Error 1
make[5]: Leaving directory `/root/rpmUpgrades/ntp/rpm/BUILD/ntp-4.2.8p11/sntp'
make[4]: *** [../libsntp.a] Error 2
make[4]: Leaving directory `/root/rpmUpgrades/ntp/rpm/BUILD/ntp-4.2.8p11/sntp/tests'

ramacentos wrote: ↑

2018/07/21 00:22:06

Following CVEs are fixed after ntp-4.2.6p5 that is shipped inside CentOS 7.5.1804.
[snip]

Did you bother reading the backporting page I linked to earlier? Or check out the CVE database link?

For example, the first entry on your list, CVE-2015-7704 has been fixed in ntp-4.2.6p5-19.el7_1.3.

We do not support building things from source that the distro already ships as packages. I suggest you use the Redhat CVE pages to check on the status of each of those CVEs and you should find that the majority are already fixed or marked as WONTFIX due to the options used by Redhat to build or configure them. Use e.g. https://access.redhat.com/security/cve/cve-2015-7704 to check each one in turn and read the text there. It also seems you still have not read the backporting link that you've been given which explains how Redhat fixes security vulnerabilities without updating the packages to the latest version.

Also, we dont intend to rebuild something thats already available as distro. Thanks.