Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package kea for openSUSE:Factory checked in at 2025-05-30 14:35:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kea (Old)
 and      /work/SRC/openSUSE:Factory/.kea.new.25440 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kea" Fri May 30 14:35:23 2025 rev:20 rq:1280982 version:2.6.3 Changes: -------- --- /work/SRC/openSUSE:Factory/kea/kea.changes 2025-05-05 22:58:03.432659860 +0200 +++ /work/SRC/openSUSE:Factory/.kea.new.25440/kea.changes 2025-05-30 17:21:50.970579729 +0200 
@@ -1,0 +2,70 @@ +Mon May 26 15:07:13 UTC 2025 - Jorik Cronenberg <jorik.cronenb...@suse.com> + +- Update to release 2.6.3 + Security Fixes: + * The default configuration for the Kea Control Agent (CA) has + been updated to enable basic HTTP authentication. Access to + the Kea API will thus require a password. + (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) + [bsc#1243240] + * `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`, and + `kea-ctrl-agent` now only load hook libraries from the + default installation directory. For ease of use, the path may + be omitted. + (CVE-2025-32801) + [bsc#1243240] + * The API command `config-write` will now only write to the same + directory as the configuration file used when Kea was started + (passed as a `-c` argument). + (CVE-2025-32802) + [bsc#1243240] + * Lease files can now only be loaded from the data directory + `/var/lib/kea`. This path may be overridden at startup by + setting the environment variable `KEA_DHCP_DATA_DIR` to the + desired path. If a path outside the defined data directory is + used in `lease-database.name`, Kea returns an error and refuses + to start or, if already running, aborts and exits. For ease of + use in specifying a custom file name, simply omit the path + component from `name`. + (CVE-2025-32802) + [bsc#1243240] + * Log files can now only be written to a defined output directory + `/var/log/kea`. This path may be overridden at startup by + setting the environment variable `KEA_LOG_FILE_DIR` to the + desired path. If a path outside the defined output directory is + used in `loggers.output_options.output`, Kea returns an error + and refuses to start or, if already running, aborts and exits. + For ease of use, simply omit the path component from `output` + and specify only the file name. + (CVE-2025-32802) + [bsc#1243240] + * Files created by Kea now have more restrictive file + permissions. Write access by group and any access by others is + now forbidden. 
+ (CVE-2025-32803) + [bsc#1243240] + * Sockets can no longer be created in a world-writable directory, + such as `/tmp`. Sockets must now be created in the more + restricted `/var/run/kea`. + (CVE-2025-32802) + [bsc#1243240] + * Many sample configuration files have been updated to reflect + changes introduced in this release. In the ARM, the Kea + Security section has been moved to a more prominent location, + and a new section concerning securing the Kea Control Agent has + been added. + (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803) + [bsc#1243240] + + Other changes: + * Fix build with the latest Boost 1.87. + (Obsoletes patch `kea-2.6.1-boost_1.87-compat.patch`) + * Backported a clarification in the ARM about subnet4-delta-add. + +- Remove /run/kea from systemd tmpfiles as the creation of this + directory is handled by the services. +- Replace 'chmod -h' and 'chown -h' with 'find' as the '-h' isn't + present in Leap/SLE. +- /run/kea now has mode 0750 for all services. + +------------------------------------------------------------------- Old: ---- kea-2.6.1-boost_1.87-compat.patch kea-2.6.2.tar.gz kea-2.6.2.tar.gz.asc New: ---- kea-2.6.3.tar.gz kea-2.6.3.tar.gz.asc BETA DEBUG BEGIN: Old: * Fix build with the latest Boost 1.87. (Obsoletes patch `kea-2.6.1-boost_1.87-compat.patch`) * Backported a clarification in the ARM about subnet4-delta-add. BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kea.spec ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.478600820 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.478600820 +0200 
@@ -16,36 +16,36 @@ # -%define asiodns_sover 48 -%define asiolink_sover 71 +%define asiodns_sover 49 +%define asiolink_sover 72 %define cc_sover 68 -%define cfgclient_sover 65 +%define cfgclient_sover 66 %define cryptolink_sover 50 -%define d2srv_sover 46 +%define d2srv_sover 47 %define database_sover 62 -%define dhcppp_sover 91 -%define dhcp_ddns_sover 56 -%define dhcpsrv_sover 110 -%define dnspp_sover 56 +%define dhcppp_sover 92 +%define dhcp_ddns_sover 57 +%define dhcpsrv_sover 111 +%define dnspp_sover 57 %define eval_sover 69 %define exceptions_sover 33 -%define hooks_sover 99 -%define http_sover 71 +%define hooks_sover 100 +%define http_sover 72 %define log_sover 61 %define mysql_sover 71 %define pgsql_sover 71 -%define process_sover 73 +%define process_sover 74 %define stats_sover 41 -%define tcp_sover 18 +%define tcp_sover 19 %define util_io_sover 0 -%define util_sover 85 +%define util_sover 86 %if 0%{?suse_version} >= 1600 %bcond_without regen_files %else %bcond_with regen_files %endif Name: kea -Version: 2.6.2 +Version: 2.6.3 Release: 0 Summary: Dynamic Host Configuration Protocol daemon License: MPL-2.0 @@ -61,7 +61,6 @@ Source5: kea-dhcp6.service Source6: kea-dhcp-ddns.service Source7: kea-ctrl-agent.service -Patch0: kea-2.6.1-boost_1.87-compat.patch BuildRequires: autoconf >= 2.59 BuildRequires: automake %if %{with regen_files} @@ -377,11 +376,8 @@ b=%buildroot %make_install find %buildroot -type f -name "*.la" -delete -print -mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir" +mkdir -p "$b/%_unitdir" "$b/%_sysusersdir" cp %_sourcedir/*.service "$b/%_unitdir/" -cat <<-EOF >"$b/%_tmpfilesdir/kea.conf" - d /run/kea 0775 keadhcp keadhcp - -EOF echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf cp -a system-user-keadhcp.conf "$b/%_sysusersdir/" %sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf 
@@ -396,7 +392,6 @@ rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__" %pre -f random.pre -systemd-tmpfiles --create kea.conf || : %service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service %post @@ -404,8 +399,8 @@ if [ "$1" -gt 1 ]; then chown -R keadhcp:keadhcp "%_localstatedir/lib/kea" chown -R keadhcp:keadhcp "%_localstatedir/log/kea" - chown -h root:keadhcp %_sysconfdir/kea/*.conf - chmod -h 640 %_sysconfdir/kea/*.conf + find %_sysconfdir/kea/ -type f -name '*.conf' -exec chown root:keadhcp {} + + find %_sysconfdir/kea/ -type f -name '*.conf' -exec chmod 640 {} + fi bigkea_enabled=$(/usr/bin/systemctl is-enabled kea.service 2>/dev/null || :) bigkea_active=$(/usr/bin/systemctl is-active kea.service 2>/dev/null || :) @@ -477,7 +472,7 @@ %ldconfig_scriptlets -n libkea-util%util_sover %files -%dir %_sysconfdir/kea +%dir %attr(0755,root,root) %_sysconfdir/kea %config(noreplace) %attr(0640,root,keadhcp) %_sysconfdir/kea/*.conf %_mandir/man8/*.8%{?ext_man} %_sbindir/kea* @@ -485,7 +480,6 @@ %_datadir/kea/ %_unitdir/*.service %dir %attr(0750,keadhcp,keadhcp) %_localstatedir/lib/kea -%_tmpfilesdir/* %_sysusersdir/* %attr(0750,keadhcp,keadhcp) %_localstatedir/log/kea/ ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.514602314 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.518602481 +0200 
@@ -1,6 +1,6 @@ -mtime: 1746021613 -commit: 92ab1af6af67ca440e22aa09d70da58d86aa6c22e6871093b112d5c6ce564e3f +mtime: 1748451825 +commit: 6b30b46d603a6f68cb47abadd69825f2a8593f0f8a146b5d29c745d6de52b163 url: https://src.opensuse.org/dhcp/kea.git -revision: 92ab1af6af67ca440e22aa09d70da58d86aa6c22e6871093b112d5c6ce564e3f +revision: 6b30b46d603a6f68cb47abadd69825f2a8593f0f8a146b5d29c745d6de52b163 projectscmsync: https://src.opensuse.org/dhcp/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ kea-2.6.2.tar.gz -> kea-2.6.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/kea/kea-2.6.2.tar.gz /work/SRC/openSUSE:Factory/.kea.new.25440/kea-2.6.3.tar.gz differ: char 30, line 1 ++++++ kea-ctrl-agent.service ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.654608127 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.658608293 +0200 @@ -7,6 +7,7 @@ User=keadhcp Environment=KEA_PIDFILE_DIR=/run/kea RuntimeDirectory=kea +RuntimeDirectoryMode=0750 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf ExecReload=kill -HUP $MAINPID ProtectSystem=full ++++++ kea-dhcp-ddns.service ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.682609289 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.686609455 +0200 @@ -8,6 +8,7 @@ AmbientCapabilities=CAP_NET_BIND_SERVICE Environment=KEA_PIDFILE_DIR=/run/kea RuntimeDirectory=kea +RuntimeDirectoryMode=0750 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf ExecReload=kill -HUP $MAINPID ProtectSystem=full ++++++ kea-dhcp4.service ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.710610452 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.714610618 +0200 
@@ -8,6 +8,7 @@ AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW Environment=KEA_PIDFILE_DIR=/run/kea RuntimeDirectory=kea +RuntimeDirectoryMode=0750 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf ExecReload=kill -HUP $MAINPID ProtectSystem=full ++++++ kea-dhcp6.service ++++++ --- /var/tmp/diff_new_pack.IkKypF/_old 2025-05-30 17:21:51.734611448 +0200 +++ /var/tmp/diff_new_pack.IkKypF/_new 2025-05-30 17:21:51.738611614 +0200 @@ -8,6 +8,7 @@ AmbientCapabilities=CAP_NET_BIND_SERVICE Environment=KEA_PIDFILE_DIR=/run/kea RuntimeDirectory=kea +RuntimeDirectoryMode=0750 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf ExecReload=kill -HUP $MAINPID ProtectSystem=full
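
Review bot: in the kea.spec `%post` hunk, the two new `find %_sysconfdir/kea/ -type f -name '*.conf'` calls are not equivalent to the `chown -h` / `chmod -h` lines they replace. `find` descends into subdirectories, while the old glob matched only the top level, and `-type f` skips symlinks, which `-h` used to act on directly. If only top-level files are meant, add `-maxdepth 1`; both actions can also run in one traversal (`-exec chown root:keadhcp {} + -exec chmod 640 {} +`). A short spec comment saying that symlinked configuration files are deliberately left alone would make the intent clear.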
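
Review bot: in the kea.spec `%files` hunk, `%dir %attr(0755,root,root) %_sysconfdir/kea` leaves the directory listable by every local user, and the only per-file protection is the `*.conf` pattern on the following `%config(noreplace) %attr(0640,root,keadhcp)` line and in the `%post` `find`. The changelog in this same commit says the Control Agent now requires a password, so check whether any credential file is installed or created in this directory under a name that does not end in `.conf`. If one is, give it an explicit `%attr`, or tighten the directory to `0750,root,keadhcp`.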
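
Review bot: in the four service-file hunks, `RuntimeDirectoryMode=0750` is added to units that all declare the same `RuntimeDirectory=kea`, while kea.spec drops the tmpfiles.d entry that used to create `/run/kea`. systemd removes a unit's runtime directory when that unit stops unless `RuntimeDirectoryPreserve=` is set, and none is visible in the context lines, so stopping one daemon could remove PID files or sockets that the other daemons still use. Consider adding `RuntimeDirectoryPreserve=yes` to each unit, or confirm that stop and restart of a single service was tested with the others running.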