Yet another NTP security bug we fixed before the CVE issued