Hello community,

here is the log from the commit of package memcached for openSUSE:Factory 
checked in at 2021-10-31 22:55:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/memcached (Old)
 and      /work/SRC/openSUSE:Factory/.memcached.new.1890 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "memcached"

Sun Oct 31 22:55:36 2021 rev:52 rq:928154 version:1.6.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/memcached/memcached.changes      2021-07-02 
13:26:31.381200085 +0200
+++ /work/SRC/openSUSE:Factory/.memcached.new.1890/memcached.changes    
2021-10-31 22:56:17.535728221 +0100
@@ -1,0 +2,8 @@
+Wed Oct  6 12:01:19 UTC 2021 - Johannes Segitz <jseg...@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_memcached.service.patch
+  Modified:
+  * memcached.service
+
+-------------------------------------------------------------------
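Review bot: The new changelog entry keeps the generator's template wording ("service(s)", "patch(es)") and does not say which directives were added. Naming the unit and the options in the entry would let anyone reading memcached.changes see what changed without opening the patch.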

New:
----
  harden_memcached.service.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ memcached.spec ++++++
--- /var/tmp/diff_new_pack.jjmJo0/_old  2021-10-31 22:56:18.007728583 +0100
+++ /var/tmp/diff_new_pack.jjmJo0/_new  2021-10-31 22:56:18.011728587 +0100
@@ -40,6 +40,7 @@
 Source3:        memcached-rpmlintrc
 Source4:        memcached.service
 Source5:        system-user-memcached.conf
+Patch0:        harden_memcached.service.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  cyrus-sasl-devel
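Review bot: The added "Patch0:" line is padded with the same eight spaces as the "Source" lines, but the tag is one character shorter, so its value starts one column to the left of the neighbouring Source and BuildRequires values. Add one more space after "Patch0:" to keep the preamble aligned. A short comment above the tag saying the patch comes from the systemd hardening effort (bsc#1181400) and is not an upstream change would also help later maintainers.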
@@ -87,6 +88,7 @@
 
 %prep
 %setup -q
+%patch0 -p1
 
 %build
 autoreconf -fi
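Review bot: "%patch0 -p1" patches scripts/memcached.service inside the unpacked source tree, while the same commit edits Source4 (memcached.service) directly and with a longer directive list. If the package installs Source4, the patched upstream unit is never shipped and Patch0 only adds rebase work on every version update. If both units are used, they now carry different hardening. State in the spec which unit is installed and drop the change that has no effect.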

++++++ harden_memcached.service.patch ++++++
Index: memcached-1.6.9/scripts/memcached.service
===================================================================
--- memcached-1.6.9.orig/scripts/memcached.service
+++ memcached-1.6.9/scripts/memcached.service
@@ -41,6 +41,13 @@ CapabilityBoundingSet=CAP_SETGID CAP_SET
 # Restricts the set of socket address families accessible to the processes
 # of this unit. Protects against vulnerabilities such as CVE-2016-8655
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelLogs=true
+# end of automatic additions 
 
 
 # Some security features are not in the older versions of systemd used by
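Review bot: The four added directives sit directly above the existing comment "Some security features are not in the older versions of systemd used by", yet ProtectHostname, ProtectClock and ProtectKernelLogs are themselves comparatively recent systemd options. On a systemd that predates them they are ignored with a warning, so the unit still starts, but the placement contradicts the layout the upstream file uses. Move the newer options into the section that comment introduces, or note the minimum systemd version next to them. The "# end of automatic additions " line also ends in trailing whitespace.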
++++++ memcached.service ++++++
--- /var/tmp/diff_new_pack.jjmJo0/_old  2021-10-31 22:56:18.059728623 +0100
+++ /var/tmp/diff_new_pack.jjmJo0/_new  2021-10-31 22:56:18.059728623 +0100
@@ -3,6 +3,19 @@
 After=network.target
 
 [Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions 
 EnvironmentFile=/etc/sysconfig/memcached
 ExecStart=/usr/sbin/memcached -u $MEMCACHED_USER $MEMCACHED_PARAMS
 
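Review bot: ProtectHome=true and ProtectSystem=full are applied to a service whose command line comes from $MEMCACHED_PARAMS in /etc/sysconfig/memcached, so an existing configuration that points memcached at a path under /home, /root or /run/user (for example a UNIX socket given with -s) will stop working after this update, and paths under /usr, /boot or /etc become read-only. Mention the new restrictions in the sysconfig template or the changelog so administrators know to move such paths or add a drop-in override. The "# end of automatic additions " line has trailing whitespace here as well.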
