Sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)

Bug #1756818 reported by Richard Laager
Affects: ntpsec (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned

Bug Description

Please sync ntpsec 1.1.0+dfsg1-1 (universe) from Debian sid (main)

I am the maintainer of ntpsec in Debian.

I understand that there is a feature freeze on Bionic. I am requesting a feature freeze exception for the following reasons:

1) There is a security vulnerability (CVE-2018-7182), so *something* has to be done. The simplest way to fix this would be to sync either 1.0.0+dfsg1-5 or 1.1.0+dfsg1-1. I'm not sure if it's still possible to sync 1.0.0+dfsg1-5. (I realize a security bug doesn't, by itself, necessarily justify an exception.)

2) ntpsec is a new package. It has never appeared in an Ubuntu release (LTS or non-LTS), nor a Debian release for that matter. This means that the potential negative impact of the exception is much lower (basically zero).

3) The 1.1.0 release fixes an interoperability bug with the Amazon time service where 33% of packets are dropped when ntpsec is the client.

4) The 1.1.0 release dramatically reduces the number of patches in the Debian package, as a large number of patches were upstreamed. This should make future security maintenance for the lifecycle of Bionic slightly easier.

5) Other important bugs were fixed in 1.0.0+dfsg1-4, 1.0.0+dfsg1-5, and 1.1.0+dfsg1-1, including those relating to conversions from the venerable ntp package to ntpsec, which is likely to be a common path.

I am an Ubuntu user primarily. Every change to ntpsec is tested on Ubuntu first. I have been running 1.1.0+dfsg1-1 (from a PPA) on multiple machines running Xenial even before it was uploaded to Debian. I tested in a Bionic VM by installing 1.0.0+dfsg1-3 and upgrading to a PPA-packaged version of 1.1.0+dfsg1-1.

Changelog entries since current bionic version 1.0.0+dfsg1-3:

ntpsec (1.1.0+dfsg1-1) unstable; urgency=medium

  * Make ntpsec Conflict with ntpdate
    - Use ntpsec-ntpdate instead of ntpdate.
  * Stop deleting /var/lib/ntpdate/ (Closes: 892966)
    Thanks to Bernhard Schmidt <email address hidden> for the suggestion.
  * New upstream version
    - Digests longer than 20 bytes will be truncated.
    - We have dropped support for Broadcast servers.
    - A bug that caused the rejection of 33% of packets from Amazon time
      service has been fixed.
  * Drop patches merged upstream
    - fix-ntpdig.patch
    - systemd-remove-extra-dependencies.patch
    - fix-name-of-psutil.patch
    - fix-spectracom-log-prefixes.patch
    - fix-ntpviz-file-encodings.patch
    - systemd-remove-remainafterexit.patch
    - systemd-use-high-priority.patch
    - systemd-ionice-ntpviz.patch
    - systemd-cleanup-ntp-wait-service.patch
    - fix-ntploggps.patch
    - systemd-use-usr-sbin.patch
    - systemd-do-not-restart.patch
    - systemd-allow-running-in-containers.patch
    - Merge-Classic-fix-for-CVE-2018-7182.patch
  * Update copyright

 -- Richard Laager <email address hidden> Fri, 16 Mar 2018 00:42:24 -0500

ntpsec (1.0.0+dfsg1-5) unstable; urgency=high

  * Fix CVE-2018-7182

 -- Richard Laager <email address hidden> Wed, 07 Mar 2018 19:47:34 -0600

ntpsec (1.0.0+dfsg1-4) unstable; urgency=medium

  * Remove empty /var/log/ntpstats on ntpviz removal
  * Fix installing ntpsec-ntpviz without ntpsec (Closes: 891278)
  * systemd: Allow running in containers (Closes: 890771)

 -- Richard Laager <email address hidden> Sun, 04 Mar 2018 15:06:58 -0600

tags: added: upgrade-software-version
Simon Quigley (tsimonq2) wrote :

I'll let this one slide. :)

Changed in ntpsec (Ubuntu):
status: New → Fix Released
Simon Quigley (tsimonq2) wrote :

This bug was fixed in the package ntpsec - 1.1.0+dfsg1-1
Sponsored for Richard Laager (rlaager)