From d648602bb0ea72f06f8662f2b13d44b95ebd393b Mon Sep 17 00:00:00 2001
From: Sergey Cherevko <sergey.cherevko@softline.com>
Date: Mon, 10 Jun 2024 12:53:57 +0300
Subject: [PATCH] Update to 4.5-1

---
 .chrony.metadata                              |   5 +-
 .gitignore                                    |   5 +-
 ...hronize-time-via-Russian-NTP-servers.patch | 158 ++++++++++++------
 SOURCES/chrony-4.3-tar-gz-asc.txt             |  16 --
 SOURCES/chrony-4.5-tar-gz-asc.txt             |  16 ++
 SOURCES/chrony-keys.patch                     |   9 +
 SOURCES/chrony-serverstats.patch              |  39 +++++
 ...375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc |  54 ++++++
 SPECS/chrony.spec                             |  66 +++++---
 9 files changed, 273 insertions(+), 95 deletions(-)
 delete mode 100644 SOURCES/chrony-4.3-tar-gz-asc.txt
 create mode 100644 SOURCES/chrony-4.5-tar-gz-asc.txt
 create mode 100644 SOURCES/chrony-keys.patch
 create mode 100644 SOURCES/chrony-serverstats.patch
 create mode 100644 SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc

diff --git a/.chrony.metadata b/.chrony.metadata
index b0c5d0d..59f2c95 100644
--- a/.chrony.metadata
+++ b/.chrony.metadata
@@ -1,3 +1,2 @@
-bc7884eb4fde69478a00faee3d42092d426d57c1 SOURCES/chrony-4.3.tar.gz
-9c453ae65e5c1a6983cd1121410faf1ffd2d9092 SOURCES/clknetsim-f00531.tar.gz
-1395afa521d2e3302a31083edcf568bbc036aafc SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
+4661e5df181a9761b73caeaef2f2ab755bbe086a SOURCES/chrony-4.5.tar.gz
+e021461c23fe4e5c46fd53c449587d8f6cc217ae SOURCES/clknetsim-5d1dc0.tar.gz
diff --git a/.gitignore b/.gitignore
index 422eb36..a1b6ce7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,2 @@
-SOURCES/chrony-4.3.tar.gz
-SOURCES/clknetsim-f00531.tar.gz
-SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
+SOURCES/chrony-4.5.tar.gz
+SOURCES/clknetsim-5d1dc0.tar.gz
diff --git a/SOURCES/0001-Synchronize-time-via-Russian-NTP-servers.patch b/SOURCES/0001-Synchronize-time-via-Russian-NTP-servers.patch
index 95751e7..00ff7e0 100644
--- a/SOURCES/0001-Synchronize-time-via-Russian-NTP-servers.patch
+++ b/SOURCES/0001-Synchronize-time-via-Russian-NTP-servers.patch
@@ -1,25 +1,36 @@
-From 0e89d48f500c29f4370f77c438fa2ebeb80261bf Mon Sep 17 00:00:00 2001
-From: Sergey Cherevko <s.cherevko@msvsphere.ru>
-Date: Wed, 30 Aug 2023 17:02:52 +0300
+From fe74e4d7dec4ba1f8ffb5b0c2713e36a1ffb1a1c Mon Sep 17 00:00:00 2001
+From: Sergey Cherevko <s.cherevko@msvsphere-os.ru>
+Date: Mon, 10 Jun 2024 12:03:59 +0300
 Subject: [PATCH] Synchronize time via Russian NTP servers
 
 ---
- FAQ                           | 10 +++++-----
+ FAQ                           | 12 ++++++------
  INSTALL                       |  4 ++--
- doc/chrony.conf.adoc          |  9 ++++-----
- doc/chrony.conf.man.in        | 12 +++++-------
- doc/faq.adoc                  | 10 +++++-----
+ doc/chrony.conf.adoc          |  8 ++++----
+ doc/chrony.conf.man.in        | 12 ++++++------
+ doc/chronyc.adoc              |  2 +-
+ doc/chronyc.man.in            |  4 ++--
+ doc/faq.adoc                  | 12 ++++++------
  doc/installation.adoc         |  4 ++--
  examples/chrony.conf.example1 | 11 +++++++++--
  examples/chrony.conf.example2 | 12 +++++++++---
  examples/chrony.conf.example3 |  4 ++--
- 9 files changed, 43 insertions(+), 33 deletions(-)
+ 11 files changed, 49 insertions(+), 36 deletions(-)
 
 diff --git a/FAQ b/FAQ
-index 2bbb24e..92b71d2 100644
+index c96acfa..18687b7 100644
 --- a/FAQ
 +++ b/FAQ
-@@ -110,10 +110,10 @@ next boot from the RTC, the rtcsync directive enables a mode in which the
+@@ -101,7 +101,7 @@ poll multiple servers at the same time and detect servers having incorrect time
+ (falsetickers in the NTP terminology). It should be used only with trusted
+ reliable servers, ideally in local network.
+ 
+-Using timesyncd with pool.ntp.org is problematic. The pool is very robust as a
++Using timesyncd with https://www.vniiftri.ru/ is problematic. The pool is very robust as a
+ whole, but the individual servers run by volunteers cannot be relied on.
+ Occasionally, servers drift away or make a step to distant past or future due
+ to misconfiguration, problematic implementation, and other bugs (e.g. in
+@@ -141,10 +141,10 @@ next boot from the RTC, the rtcsync directive enables a mode in which the
  system time is periodically copied to the RTC. It is supported on Linux and
  macOS.
  
@@ -28,39 +39,39 @@ index 2bbb24e..92b71d2 100644
  minimal chrony.conf file could be:
  
 -pool pool.ntp.org iburst
-+pool ntp1.vniiftri.ru iburst
++pool https://www.vniiftri.ru/ iburst
  driftfile /var/lib/chrony/drift
  makestep 1 3
  rtcsync
-@@ -392,7 +392,7 @@ the -Q option it will print the measured offset without setting the clock. If
+@@ -433,7 +433,7 @@ the -Q option it will print the measured offset without setting the clock. If
  you do not want to use a configuration file, NTP servers can be specified on
  the command line. For example:
  
 -# chronyd -q 'pool pool.ntp.org iburst'
-+# chronyd -q 'pool ntp1.vniiftri.ru iburst'
++# chronyd -q 'pool https://www.vniiftri.ru/ iburst'
  
  The command above would normally take about 5 seconds if the servers were well
  synchronised and responding to all requests. If not synchronised or responding,
-@@ -403,7 +403,7 @@ option to one (supported since chrony version 4.0), and a timeout can be
+@@ -444,7 +444,7 @@ option to one (supported since chrony version 4.0), and a timeout can be
  specified with the -t option. The following command would take only up to about
  one second.
  
 -# chronyd -q -t 1 'server pool.ntp.org iburst maxsamples 1'
-+# chronyd -q -t 1 'server ntp1.vniiftri.ru iburst maxsamples 1'
++# chronyd -q -t 1 'server https://www.vniiftri.ru/ iburst maxsamples 1'
  
  It is not recommended to run chronyd with the -q option periodically (e.g. from
  a cron job) as a replacement for the daemon mode, because it performs
-@@ -466,7 +466,7 @@ same server instance.
+@@ -507,7 +507,7 @@ same server instance.
  
  An example configuration of the client instance could be
  
 -pool pool.ntp.org iburst
-+pool ntp1.vniiftri.ru iburst
++pool https://www.vniiftri.ru/ iburst
  allow 127.0.0.1
  port 11123
  driftfile /var/lib/chrony/drift
 diff --git a/INSTALL b/INSTALL
-index e73dcd2..8633948 100644
+index 9ca6e22..6f48020 100644
 --- a/INSTALL
 +++ b/INSTALL
 @@ -116,10 +116,10 @@ make install-docs
@@ -72,15 +83,15 @@ index e73dcd2..8633948 100644
  project as your time reference. A minimal useful configuration file could be
  
 -pool pool.ntp.org iburst
-+pool ntp1.vniiftri.ru iburst
++pool https://www.vniiftri.ru/ iburst
  makestep 1.0 3
  rtcsync
  
 diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
-index 2cf5326..f9db123 100644
+index cb3f95c..832a97f 100644
 --- a/doc/chrony.conf.adoc
 +++ b/doc/chrony.conf.adoc
-@@ -356,7 +356,7 @@ sources responding to requests. The default value is 4 and the maximum value is
+@@ -365,7 +365,7 @@ sources responding to requests. The default value is 4 and the maximum value is
  An example of the *pool* directive is
  +
  ----
@@ -89,16 +100,16 @@ index 2cf5326..f9db123 100644
  ----
  
  [[peer]]*peer* _hostname_ [_option_]...::
-@@ -2731,7 +2731,7 @@ the following methods:
+@@ -2820,7 +2820,7 @@ the following methods:
    stratum 1 and stratum 2 servers. You should find one or more servers that are
    near to you. Check that their access policy allows you to use their
    facilities.
 -* Use public servers from the https://www.pool.ntp.org/[pool.ntp.org] project.
 +* Use public servers from the https://www.vniiftri.ru/[ntp1.vniiftri.ru] project.
  
- Assuming that your NTP servers are called _foo.example.net_, _bar.example.net_
- and _baz.example.net_, your _chrony.conf_ file could contain as a minimum:
-@@ -2764,7 +2764,7 @@ directive instead of multiple *server* directives. The configuration file could
+ Assuming that your NTP servers are called _ntp1.example.net_, _ntp2.example.net_
+ and _ntp3.example.net_, your _chrony.conf_ file could contain as a minimum:
+@@ -2853,7 +2853,7 @@ directive instead of multiple *server* directives. The configuration file could
  in this case look like:
  
  ----
@@ -107,70 +118,111 @@ index 2cf5326..f9db123 100644
  driftfile @CHRONYVARDIR@/drift
  makestep 1.0 3
  rtcsync
-@@ -3022,8 +3022,7 @@ information to be saved.
- 
+@@ -3112,7 +3112,7 @@ information to be saved.
  === Public NTP server
  
--*chronyd* can be configured to operate as a public NTP server, e.g. to join the
+ *chronyd* can be configured to operate as a public NTP server, e.g. to join the
 -https://www.pool.ntp.org/en/join.html[pool.ntp.org] project. The configuration
-+*chronyd* can be configured to operate as a public NTP server. The configuration
++https://www.vniiftri.ru/[ntp1.vniiftri.ru] project. The configuration
  is similar to the NTP client with permanent connection, except it needs to
  allow client access from all addresses. It is recommended to find at least four
  good servers (e.g. from the pool, or on the NTP homepage). If the server has a
 diff --git a/doc/chrony.conf.man.in b/doc/chrony.conf.man.in
-index 1a51b24..5c34507 100644
+index 66d2358..8b88b70 100644
 --- a/doc/chrony.conf.man.in
 +++ b/doc/chrony.conf.man.in
-@@ -467,7 +467,7 @@ An example of the \fBpool\fP directive is
+@@ -479,7 +479,7 @@ An example of the \fBpool\fP directive is
  .if n .RS 4
  .nf
  .fam C
 -pool pool.ntp.org iburst maxsources 3
-+pool ntp1.vniiftri.ru iburst maxsources 3
++pool ntp1.vniiftri].ru iburst maxsources 3
  .fam
  .fi
  .if n .RE
-@@ -4502,7 +4502,7 @@ facilities.
+@@ -4651,7 +4651,7 @@ facilities.
  .  IP \(bu 2.3
  .\}
  Use public servers from the \c
 -.URL "https://www.pool.ntp.org/" "pool.ntp.org" ""
-+.URL "https://www.vniiftri.ru/" "www.vniiftri.ru" ""
++.URL "https://www.ntp1.vniiftri].ru/" "ntp1.vniiftri].ru" ""
  project.
  .RE
  .sp
-@@ -4547,7 +4547,7 @@ in this case look like:
+@@ -4696,7 +4696,7 @@ in this case look like:
  .if n .RS 4
  .nf
  .fam C
 -pool pool.ntp.org iburst
-+pool ntp1.vniiftri.ru iburst
++pool ntp1.vniiftri].ru iburst
  driftfile @CHRONYVARDIR@/drift
  makestep 1.0 3
  rtcsync
-@@ -4843,9 +4843,7 @@ before the final SIGKILL; the SIGTERM causes the measurement histories and RTC
- information to be saved.
+@@ -4993,8 +4993,8 @@ information to be saved.
  .SS "Public NTP server"
  .sp
--\fBchronyd\fP can be configured to operate as a public NTP server, e.g. to join the
+ \fBchronyd\fP can be configured to operate as a public NTP server, e.g. to join the
 -.URL "https://www.pool.ntp.org/en/join.html" "pool.ntp.org" ""
 -project. The configuration
++.URL "https://www.ntp.vniiftri].ru/en/join.html" "ntp1.vniiftri].ru" ""
 +\fBchronyd\fP can be configured to operate as a public NTP server. The configuration
  is similar to the NTP client with permanent connection, except it needs to
  allow client access from all addresses. It is recommended to find at least four
  good servers (e.g. from the pool, or on the NTP homepage). If the server has a
-@@ -4891,4 +4889,4 @@ For instructions on how to report bugs, please visit
- .URL "https://chrony.tuxfamily.org/" "" "."
+@@ -5040,4 +5040,4 @@ For instructions on how to report bugs, please visit
+ .URL "https://chrony\-project.org/" "" "."
+ .SH "AUTHORS"
+ .sp
+-chrony was written by Richard Curnow, Miroslav Lichvar, and others.
+\ No newline at end of file
++chrony was written by Richard Curnow, Miroslav Lichvar, and others.
+diff --git a/doc/chronyc.adoc b/doc/chronyc.adoc
+index 96a0551..d88c7dc 100644
+--- a/doc/chronyc.adoc
++++ b/doc/chronyc.adoc
+@@ -979,7 +979,7 @@ them immediately, e.g. after suspending and resuming the machine in a different
+ network.
+ +
+ Note that with pools which have more than 16 addresses, or not all IPv4 or IPv6
+-addresses are included in a single DNS response (e.g. pool.ntp.org), this
++addresses are included in a single DNS response (e.g. https://www.vniiftri.ru/), this
+ command might replace the addresses even if they are still in the pool.
+ 
+ [[reload]]*reload* *sources*::
+diff --git a/doc/chronyc.man.in b/doc/chronyc.man.in
+index 4541fc6..7888eff 100644
+--- a/doc/chronyc.man.in
++++ b/doc/chronyc.man.in
+@@ -1793,7 +1793,7 @@ them immediately, e.g. after suspending and resuming the machine in a different
+ network.
+ .sp
+ Note that with pools which have more than 16 addresses, or not all IPv4 or IPv6
+-addresses are included in a single DNS response (e.g. pool.ntp.org), this
++addresses are included in a single DNS response (e.g. ntp1.vniiftri.ru), this
+ command might replace the addresses even if they are still in the pool.
+ .RE
+ .sp
+@@ -2753,4 +2753,4 @@ For instructions on how to report bugs, please visit
+ .URL "https://chrony\-project.org/" "" "."
  .SH "AUTHORS"
  .sp
 -chrony was written by Richard Curnow, Miroslav Lichvar, and others.
 \ No newline at end of file
 +chrony was written by Richard Curnow, Miroslav Lichvar, and others.
 diff --git a/doc/faq.adoc b/doc/faq.adoc
-index 1b299d2..470c451 100644
+index 8fd350f..69b8b3e 100644
 --- a/doc/faq.adoc
 +++ b/doc/faq.adoc
-@@ -70,11 +70,11 @@ system time is periodically copied to the RTC. It is supported on Linux and
+@@ -56,7 +56,7 @@ limitations is that it cannot poll multiple servers at the same time and detect
+ servers having incorrect time (falsetickers in the NTP terminology). It should
+ be used only with trusted reliable servers, ideally in local network.
+ 
+-Using `timesyncd` with `pool.ntp.org` is problematic. The pool is very
++Using `timesyncd` with `ntp.vniiftri.ru` is problematic. The pool is very
+ robust as a whole, but the individual servers run by volunteers cannot be
+ relied on. Occasionally, servers drift away or make a step to distant past or
+ future due to misconfiguration, problematic implementation, and other bugs
+@@ -98,11 +98,11 @@ system time is periodically copied to the RTC. It is supported on Linux and
  macOS.
  
  If you wanted to use public NTP servers from the
@@ -184,7 +236,7 @@ index 1b299d2..470c451 100644
  driftfile /var/lib/chrony/drift
  makestep 1 3
  rtcsync
-@@ -371,7 +371,7 @@ clock. If you do not want to use a configuration file, NTP servers can be
+@@ -411,7 +411,7 @@ clock. If you do not want to use a configuration file, NTP servers can be
  specified on the command line. For example:
  
  ----
@@ -193,7 +245,7 @@ index 1b299d2..470c451 100644
  ----
  
  The command above would normally take about 5 seconds if the servers were
-@@ -384,7 +384,7 @@ timeout can be specified with the `-t` option. The following command would take
+@@ -424,7 +424,7 @@ timeout can be specified with the `-t` option. The following command would take
  only up to about one second.
  
  ----
@@ -202,7 +254,7 @@ index 1b299d2..470c451 100644
  ----
  
  It is not recommended to run `chronyd` with the `-q` option periodically (e.g.
-@@ -451,7 +451,7 @@ the same server instance.
+@@ -491,7 +491,7 @@ the same server instance.
  An example configuration of the client instance could be
  
  ----
@@ -212,7 +264,7 @@ index 1b299d2..470c451 100644
  port 11123
  driftfile /var/lib/chrony/drift
 diff --git a/doc/installation.adoc b/doc/installation.adoc
-index b683911..3750f85 100644
+index b683911..0fa1eca 100644
 --- a/doc/installation.adoc
 +++ b/doc/installation.adoc
 @@ -146,11 +146,11 @@ make install-docs
@@ -220,7 +272,7 @@ index b683911..3750f85 100644
  configuration file. The default location of the file is _/etc/chrony.conf_.
  Several examples of configuration with comments are included in the examples
 -directory. Suppose you want to use public NTP servers from the pool.ntp.org
-+directory. Suppose you want to use public NTP servers from the https://www.vniiftri.ru/
++directory. Suppose you want to use public NTP servers from the ntp1.vniiftri.ru
  project as your time reference. A minimal useful configuration file could be
  
  ----
@@ -269,7 +321,7 @@ index bf2bbdd..61b4576 100644
  # Record the rate at which the system clock gains/losses time.
  driftfile /var/lib/chrony/drift
 diff --git a/examples/chrony.conf.example3 b/examples/chrony.conf.example3
-index 4e3e3a8..db9d395 100644
+index 6d84c01..e893292 100644
 --- a/examples/chrony.conf.example3
 +++ b/examples/chrony.conf.example3
 @@ -25,13 +25,13 @@
@@ -279,9 +331,9 @@ index 4e3e3a8..db9d395 100644
 -# you can use servers from the pool.ntp.org project.
 +# you can use servers from the https://www.vniiftri.ru/ project.
  
- ! server foo.example.net iburst
- ! server bar.example.net iburst
- ! server baz.example.net iburst
+ ! server ntp1.example.net iburst
+ ! server ntp2.example.net iburst
+ ! server ntp3.example.net iburst
  
 -! pool pool.ntp.org iburst
 +! pool ntp1.vniiftri.ru iburst
@@ -289,5 +341,5 @@ index 4e3e3a8..db9d395 100644
  #######################################################################
  ### AVOIDING POTENTIALLY BOGUS CHANGES TO YOUR CLOCK
 -- 
-2.41.0
+2.39.3
 
diff --git a/SOURCES/chrony-4.3-tar-gz-asc.txt b/SOURCES/chrony-4.3-tar-gz-asc.txt
deleted file mode 100644
index 995ffc5..0000000
--- a/SOURCES/chrony-4.3-tar-gz-asc.txt
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmMPLJAACgkQU34rdvdo
-DaxDKRAAh5wfl990Q6sTPxXI92GegZYIGUxJDlCkJtemoI98g+DQbuCJ46AXsAn/
-CIBTbPU3Brvq2KR1nDze/G/YOXkaqoFyaJD00H73qBI7MOMiSS4KbMQ26xLNrnHL
-MCHrgZs+MHhyo6IEpesvr7F/+qyGHZifFlHT+HtCM+SBU1qooYUyQAdnhyK0rb16
-j7/Jc5A28jROZB4lcRQyvB085whPj299FsB/0wJW5RjwA5tcpPH0sTozain3vvlo
-64BAJXcQsyRsilcaPFlkY5zPgFiAuaEJnfTe/uMdfDO/V/g6wADt64+HhaxNPO+z
-p3vzEGpio4Oi1HyYiXpDx9bMM1RLTpmKt9p1V5Y98Fn5Ymx6I7yAe1qwvA7T8eoC
-hK8C27jPytiOgaWSYqPYb0WaHY3JZZpFzdtr0bAPSkEzL4EwrxVmbgTnkuzk2hxk
-6MiIuDLUd9Zl1oroqv+rTd0XA8lXUcoyFhqtsMXHWdAC3yzteaPcJKzv7l9DT6xV
-YadKrSBkzob9jRWRngY3FMKjTvcwnxLE8dfsNlsDNGyLNtTEOJ/QYgh6muOHh80L
-MAayI8hSWPTR/3IXKlathjLIeilsrFthIZcrPq520FoS4A7E3A80vR3uKOqAIDwh
-Y+6ASvEkCHAUneJqlLihqglYTNJlFnVhGw9/LV85JsmRsCZ0+j8=
-=2xMP
------END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-4.5-tar-gz-asc.txt b/SOURCES/chrony-4.5-tar-gz-asc.txt
new file mode 100644
index 0000000..16dae25
--- /dev/null
+++ b/SOURCES/chrony-4.5-tar-gz-asc.txt
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEjzdcfo0O4SWj071RU34rdvdoDawFAmVvJPkACgkQU34rdvdo
+DawQjw//Zkq4UTPZDpU/gifjUtE/jpIa6+tyhSFpRI5abNScOPaEa8nZz6Q33/s4
+qiS9RJh1AA13xnal7bIHsixadON01x91ysW1sbNhFx942SwTpk00wDdLmySqW+u5
+klrTfGlGRejp7ahasbXx/dXqk3Sz+J19YIvdz2X1o2HaUZwp1SIwq5Y8BYS8iE0a
+G5ov/ail2965hwSoYWNbR7/UuOTEO3YgRk2YSpKKKGJgL27pAzwGlOVwgP9JLAD0
+WsGDEpn+EY+4BOkwMyFeACOHyJ+QCcpKXF9B6CGJELyPqTp2uQy+OkaF4VtkGvpp
+wRs6IhMoHFt5NjvCiBhOMvocKd6JrxDxN84gGhSG6OtSFp8GZoFhTxIp//mnZDoz
+WPl/Z+n3yABdaG7IWavl6tn2wvipMsgcTJHxRYg6A4d2+mKKy0pRyfLUtGTM9EA/
+NEhTIHVZZLORNK7zPaB8CkFmmsmDQVhowBjXjFcq2HDNzQawbU5gjWUBEH+4R4bq
+rb4P9Eg3Kus0fvBxj4z72XkzYGNn951YFhwW26x4w09+J35/1eoshNkBaPfOdsRf
+Xgb37MmEe5yfU32k27aYtERnH9w/+rOk1RISrVcK0c87uz0RnzPN5HBzc4PnEpx6
+KQFkFxVaaMeJNc0Ca5/u9aE9nli1DIS8Afo/Z4zQtjVMqLsvecQ=
+=4/yB
+-----END PGP SIGNATURE-----
diff --git a/SOURCES/chrony-keys.patch b/SOURCES/chrony-keys.patch
new file mode 100644
index 0000000..da951c3
--- /dev/null
+++ b/SOURCES/chrony-keys.patch
@@ -0,0 +1,9 @@
+diff -up chrony-4.5/examples/chrony.keys.example.keys chrony-4.5/examples/chrony.keys.example
+--- chrony-4.5/examples/chrony.keys.example.keys	2023-12-05 14:22:10.000000000 +0100
++++ chrony-4.5/examples/chrony.keys.example	2023-12-06 09:59:26.089508934 +0100
+@@ -11,5 +11,3 @@
+ #1 MD5 AVeryLongAndRandomPassword
+ #2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F
+ #3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995
+-#4 AES128 HEX:2DA837C4B6573748CA692B8C828E4891
+-#5 AES256 HEX:2666B8099BFF2D5BA20876121788ED24D2BE59111B8FFB562F0F56AE6EC7246E
diff --git a/SOURCES/chrony-serverstats.patch b/SOURCES/chrony-serverstats.patch
new file mode 100644
index 0000000..a5131fe
--- /dev/null
+++ b/SOURCES/chrony-serverstats.patch
@@ -0,0 +1,39 @@
+commit e11b518a1ffa704986fb1f1835c425844ba248ef
+Author: Miroslav Lichvar <mlichvar@redhat.com>
+Date:   Mon Jan 8 11:35:56 2024 +0100
+
+    ntp: fix authenticated requests in serverstats
+    
+    Fix the CLG_UpdateNtpStats() call to count requests passing the
+    authentication check instead of requests triggering a KoD response
+    (i.e. NTS NAK).
+
+diff --git a/ntp_core.c b/ntp_core.c
+index 023e60b2..35801744 100644
+--- a/ntp_core.c
++++ b/ntp_core.c
+@@ -2736,7 +2736,7 @@ NCR_ProcessRxUnknown(NTP_Remote_Address *remote_addr, NTP_Local_Address *local_a
+       CLG_DisableNtpTimestamps(&ntp_rx);
+   }
+ 
+-  CLG_UpdateNtpStats(kod != 0 && info.auth.mode != NTP_AUTH_NONE &&
++  CLG_UpdateNtpStats(kod == 0 && info.auth.mode != NTP_AUTH_NONE &&
+                      info.auth.mode != NTP_AUTH_MSSNTP,
+                      rx_ts->source, interleaved ? tx_ts->source : NTP_TS_DAEMON);
+ 
+diff --git a/test/system/010-nts b/test/system/010-nts
+index 8d92bbc8..b215efa3 100755
+--- a/test/system/010-nts
++++ b/test/system/010-nts
+@@ -45,6 +45,11 @@ check_chronyc_output "^Name/IP address             Mode KeyID Type KLen Last Atm
+ =========================================================================
+ 127\.0\.0\.1                    NTS     1   (30|15)  (128|256)    [0-9]    0    0    [78]  ( 64|100)$" || test_fail
+ 
++run_chronyc "serverstats" || test_fail
++check_chronyc_output "NTS-KE connections accepted: 1
++NTS-KE connections dropped : 0
++Authenticated NTP packets  : [1-9][0-9]*" || test_fail
++
+ stop_chronyd || test_fail
+ check_chronyd_messages || test_fail
+ check_chronyd_files || test_fail
diff --git a/SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc b/SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
new file mode 100644
index 0000000..604babe
--- /dev/null
+++ b/SOURCES/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
@@ -0,0 +1,54 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGCc9dwBEADLydyZIqgarshQeCtIlWAgP3coy0mdJwxet1CvXwF1xpq18Qi1
+Tt9RZL64SkbQ8sKryBqnPjKZdOfVT5FwUucjp9L+/j7Bhk0tqv30EIQ57rnDLJ9T
+c4LG1leO+Tc5Ym/0tvv4uMjkxr4KAKHPYrweHk6EAw06bbJ02mfy9xhlITSfyyFl
+QRoRTEjy8N2IDutA4QzbZm0T5kvI7k7s/ILG5vyNo53X5PI/rWrSqmPZ5qs0lvDv
+tA+rxOJp+FvlvOyBuv3ftIX0kAwRU+x/ET2Yd9qQWnXRx9d9D2UpFXm9DHfCDJYR
+F56D0O3hf+rrCa/uSutIqmR33j5Wz4bYjWdmg4wbRQaoVxJl5AUrWuYEFwcCuY2B
+FFgttLPb0qHpeBwuWaWJ9U6HM7qY3WEI2C/OWM0XFM8ERezedNEf7O2GTsoVVcm+
+LRg31R3eJzipKMAGZWScSDSRAXhh6oZhflMRjYKGvwRfgeos/Sl2bdYL80hqyjGV
+jMhEYDC9sfLXRyLU+9FexruIzSLR8Vornma3zjzu9pRkbfTHb8FfBMt9MZEWraF2
+7riRq/zJE9QPWnBL/C8rdaXXxflBmGctn7RDKGOvxZ7SxPzzHbl5tV/Fizhkeph/
+v8YLVuCOk0pIpX65mFun3Xw5IF01x1GMzU1xYezExti9yBNiv9HVqf1DWwARAQAB
+tCZNaXJvc2xhdiBMaWNodmFyIDxtbGljaHZhckByZWRoYXQuY29tPokCVAQTAQgA
+PhYhBI83XH6NDuElo9O9UVN+K3b3aA2sBQJgnPXcAhsDBQkSzAMABQsJCAcCBhUK
+CQgLAgQWAgMBAh4BAheAAAoJEFN+K3b3aA2sl8IQAJ9AMppV6cdxzt8g2Ypz0hw1
+6+9T5DjbYE/s0lozFQhCoYfo+SZyc3+yyKzlxI3ryHwFk9NjXGZZ8QjzT7FLj7/s
+nKDjv5hUCOAi9Q+k217xwlBueeMyheeVaGGGa+Hv5CF1fZx/MtxiShUqu8oSqUyP
+nW8lPGz73MfGAPT7kijVnz73pbht0vrZ9I+r8dnQGiweGBohexfCvmncrTyhjM8r
+nvecycYBNnXhupzpmSMZgIA1s2v7oVmTnV0bntxE/gr7+SPk7KozhD12K8OU8deJ
+cDD8F7NKa9Oe5NtuGVN4IPqp5cgj7GAyIj0sYss9Jknu4jX0imR5kwH6GbgFa7c/
+kU+fKTz57Rs1OGr3glYpMnNftXSWbC2V/OJxHVEcMk8HwKLgnQjtmKLVGeCo5iS6
+LFQuWaxpfjvxVjGSpnNu19cHVUhDM9cTP1DhUd4LdnltHQ+/xjwgzTgE4GJ1ZB0W
+vhvxcdb69Sf50bGd4/WuURRoYSE7M6UKRwfXmMpyTiNhZz+3XjAoScA9AS7q9xfS
+y3OddQEle/+qNFdABB12WmCgRhWemHzTZDXydIJuw+ucLO7U5RrDdqdaHkRVXJ9G
+4mdk+3FgUlYgB9GY4pHQdqGdE60838R2zY9x0gK8cHU+FaRPAiTU8SJL0wb/Rko7
+qbZUY/6bgrDoXp4otAP2iF0EExECAB0WIQSLH0qa2nPUAeMIWgtf8G8puh4BOwUC
+YJ0C3AAKCRBf8G8puh4BO9k2AJ4ohgz/p49IBfjf22sEL1FvYM/DhwCfTyCkbogO
+uagIg5qwuEGwHMgn19G5Ag0EYJz13AEQAMrLXgl5u6vAakSF9n+xCP2WOiMHzzrR
+OxHnWzsX6PTXpJt14LSZOZ5wjdyR3gLJWGLdkfHoxHpQYp7PLgNS29SuAc4HQ+Br
+O5F4g9EmwDJ0ueUYxU1FcySRXfXR+gLabpQCc2s9bW6RaMwLuQNxZwkfXClkPQms
+ImTFA0KntWpHc+uEr1J2i6LQS7D/BK6m72l9x8z9k9gqAabXw+xHsis+ffPMG5Jm
+HOqeHYtsq+2JW1VvBnA4Qh3DKH9OQaD9hZbEiUC3nMmlLkPF/r29tWTPa7luBHBn
+X556JTXVm+vDUDwZ2srLfaKyQCxbNLwvQ2Pn5SOyyCnuIWR2xZs/+KPDMhtKUBAV
+HcboVu6iPCTU42CVMPaJvYD2iUEncZNeUGJOSuG240LSLNGEFFsD7YgXb1XHjQD5
+ci3Ki7P/hHi3AG53IsQTiaE5VgBdDje3zYCf5WaZ6c3DQQB9lab2RMz+5Fdr7Z6Y
+mFRUbmxSnsMe0mwwcqVe3ofV0fKvE7Ep0T8bBg53dCqyU8hIbD5wUe99JmhMFnzs
+5elwkv/Hb3Eg92dgu1zWb5kMzuvGEHtCIukIy1B+pzQOfT+iOC+lbmRHhPslJ9S0
+1vENJE+nEEsGxPy9pRHrmWSKI4Zh+ysjb/vW/vOwAd1RsvxTfgBeOOawmlz+n0pJ
+T018ZnUgmc35ABEBAAGJAjwEGAEIACYWIQSPN1x+jQ7hJaPTvVFTfit292gNrAUC
+YJz13AIbDAUJEswDAAAKCRBTfit292gNrPuRD/43kM0P71gxfJQj6PBpPtjIVVfm
+4TIPWKmV+F4/9eCwAPC/o44Yw+nxGr77Rk2DsaSn0V51j2egRCXKuZBZx/v6JXP7
+qpDk3Uecml7IfxTd+N+gkI3viUsrt4ykUgyUH/wy/edMG3h9qhBQP0RxiDge18P6
+YUpQSnq3uP72ycTPLBJlqp/Y9+GXUapvcyDqBFnvs96ieDmSbjSf6tris1cuLv6f
+eld4HNUY/LmI5MlYbywbgWGpSOyKUlTtyF33LqPnWd7UuTN7QNsYyjGnlJbkkGi/
+KwuNbIo5Gs4avaUSTc7SBLdCYneEIt7mt7hg0StKHQC6s/ak/w8yl1yFy5gRusO4
+QCFT2ZMQ6jZUAuaQGx0rhWQr9akNNJEDsHTBQR8pxpFp3LcDXcUXSSeySRSFZLt+
+hExvDQxXuhdbZHYGL1E6g5gtJQKnobNu2jMOziBcDivhAsqNw2Poq6fJVLavjBI5
+BI1xAqmymIExJFSlHdLuZq09cVzY3EOj3x23YTzPKNOI/qu4jTUT4Byi8Oy3PN1B
+B0n5SqORWJ0KfAyVEewshSAqJ7zrZ5sJXWnKeVQqBOg5EwkOB8rz/M3mqgrnBRiq
+hLiiiG5tKETA1YIQGXIbP8t1vqoQrpvYaJfkk3kQlktxfFkDRt8dKIxpFk8uPiNb
+bcAu2uXfRrQxpaqcOg==
+=/wbD
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec
index acd4404..df6df2e 100644
--- a/SPECS/chrony.spec
+++ b/SPECS/chrony.spec
@@ -1,5 +1,5 @@
 %global _hardened_build 1
-%global clknetsim_ver f00531
+%global clknetsim_ver 5d1dc0
 %bcond_without debug
 %bcond_without nts
 
@@ -8,25 +8,29 @@
 %endif
 
 Name:           chrony
-Version:        4.3
-Release:        1%{?dist}.inferit.3
+Version:        4.5
+Release:        1%{?dist}.inferit.1
 Summary:        An NTP client/server
 
 License:        GPLv2
-URL:            https://chrony.tuxfamily.org
-Source0:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz
-Source1:        https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
-Source2:        https://chrony.tuxfamily.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
+URL:            https://chrony-project.org
+Source0:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz
+Source1:        https://chrony-project.org/releases/chrony-%{version}%{?prerelease}-tar-gz-asc.txt
+Source2:        https://chrony-project.org/gpgkey-8F375C7E8D0EE125A3D3BD51537E2B76F7680DAC.asc
 Source3:        chrony.dhclient
 Source4:        chrony.sysusers
 # simulator for test suite
-Source10:       https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz
+Source10:       https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz
 %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz}
 
 # add distribution-specific bits to DHCP dispatcher
 Patch1:         chrony-nm-dispatcher-dhcp.patch
+# revert changes in packaged chrony.keys example
+Patch2:         chrony-keys.patch
 # revert some hardening options in service files
 Patch3:         chrony-services.patch
+# fix serverstats to correctly count authenticated packets
+Patch4:         chrony-serverstats.patch
 
 # MSVSphere
 Patch100:       0001-Synchronize-time-via-Russian-NTP-servers.patch
@@ -61,20 +65,23 @@ service to other computers in the network.
 %setup -q -n %{name}-%{version}%{?prerelease} -a 10
 %{?gitpatch:%patch0 -p1}
 %patch1 -p1 -b .nm-dispatcher-dhcp
+%patch2 -p1 -b .keys
 %patch3 -p1 -b .services
+%patch4 -p1 -b .serverstats
 %patch100 -p1
 
 %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
 
 # review changes in packaged configuration files and scripts
 md5sum -c <<-EOF | (! grep -v 'OK$')
-        222e652b95027289877fa77146d3b9b1  examples/chrony-wait.service
+        d1e59feabc7847d30cfd09fd3c569f21  examples/chrony-wait.service
         dc373a30c229f7477e913bee76d03eb7  examples/chrony.conf.example2
         96999221eeef476bd49fe97b97503126  examples/chrony.keys.example
         6a3178c4670de7de393d9365e2793740  examples/chrony.logrotate
         c3992e2f985550739cd1cd95f98c9548  examples/chrony.nm-dispatcher.dhcp
-        2b81c60c020626165ac655b2633608eb  examples/chrony.nm-dispatcher.onoffline
-        619dd00009ea312c7201beefde10341a  examples/chronyd.service
+        4e85d36595727318535af3387411070c  examples/chrony.nm-dispatcher.onoffline
+        60447a26dce93b3a61f488a364ac46cd  examples/chronyd.service
+        46fa3e2d42c8eb9c42e71095686c90ed  examples/chronyd-restricted.service
 EOF
 
 # don't allow packaging without vendor zone
@@ -93,10 +100,14 @@ sed -e 's|^\(pool \)\(pool.ntp.org\)|\12.%{vendorzone}\2|' \
 
 touch -r examples/chrony.conf.example2 chrony.conf
 
+# set selinux context in chronyd-restricted service
+sed -i '/^ExecStart/a SELinuxContext=system_u:system_r:chronyd_restricted_t:s0' \
+	examples/chronyd-restricted.service
+
 # regenerate the file from getdate.y
 rm -f getdate.c
 
-mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
+mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim
 
 %build
 %configure \
@@ -111,9 +122,7 @@ mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim
         --with-hwclockfile=%{_sysconfdir}/adjtime \
         --with-pidfile=/run/chrony/chronyd.pid \
         --with-sendmail=%{_sbindir}/sendmail \
-        --without-nettle \
-        --without-nss \
-        --without-tomcrypt
+        --without-nettle
 %make_build
 
 %install
@@ -140,6 +149,8 @@ install -m 644 -p examples/chrony.logrotate \
 
 install -m 644 -p examples/chronyd.service \
         $RPM_BUILD_ROOT%{_unitdir}/chronyd.service
+install -m 644 -p examples/chronyd-restricted.service \
+        $RPM_BUILD_ROOT%{_unitdir}/chronyd-restricted.service
 install -m 755 -p examples/chrony.nm-dispatcher.onoffline \
         $RPM_BUILD_ROOT%{_prefix}/lib/NetworkManager/dispatcher.d/20-chrony-onoffline
 install -m 755 -p examples/chrony.nm-dispatcher.dhcp \
@@ -180,13 +191,13 @@ if test -a %{_libexecdir}/chrony-helper; then
                 sed 's|.*|server &|' < $f > /run/chrony-dhcp/"${f##*servers.}.sources"
         done 2> /dev/null
 fi
-%systemd_post chronyd.service chrony-wait.service
+%systemd_post chronyd.service chronyd-restricted.service chrony-wait.service
 
 %preun
-%systemd_preun chronyd.service chrony-wait.service
+%systemd_preun chronyd.service chronyd-restricted.service chrony-wait.service
 
 %postun
-%systemd_postun_with_restart chronyd.service
+%systemd_postun_with_restart chronyd.service chronyd-restricted.service
 
 %files
 %{!?_licensedir:%global license %%doc}
@@ -210,7 +221,19 @@ fi
 %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony
 
 %changelog
-* Wed Nov 16 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 4.3-1.inferit.3
+* Mon Jun 10 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 4.5-1.inferit.1
+- Update to 4.5-1
+- Rebuilt for MSVSphere 9.4
+
+* Tue Apr 02 2024 Sergey Cherevko <s.cherevko@msvsphere-os.ru> - 4.5-1.inferit
+- Rebuilt for MSVSphere 9.4-beta
+
+* Tue Jan 09 2024 Miroslav Lichvar <mlichvar@redhat.com> 4.5-1
+- update to 4.5 (RHEL-6522 RHEL-6520 RHEL-9969 RHEL-9971 RHEL-9973 RHEL-9975
+  RHEL-12411)
+- add chronyd-restricted service (RHEL-9972)
+
+* Thu Nov 16 2023 Arkady L. Shane <tigro@msvsphere-os.ru> - 4.3-1.inferit.3
 - Use more servers instead of pool
 
 * Wed Aug 30 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 4.3-1.inferit.2
@@ -223,7 +246,10 @@ fi
 
 * Mon May 15 2023 Sergey Cherevko <s.cherevko@msvsphere.ru> - 4.3-1.inferit
 - MSVSphere debranding: changed vendorzone
-- Rebuilt for MSVSphere 9.2.
+- Rebuilt for MSVSphere 9.2 beta
+
+* Fri Apr 14 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 4.3-1
+- Rebuilt for MSVSphere 9.2 beta
 
 * Wed Oct 12 2022 Miroslav Lichvar <mlichvar@redhat.com> 4.3-1
 - update to 4.3 (#2133754)