Hello community,

here is the log from the commit of package shibboleth-sp for openSUSE:Factory checked in at 2019-12-03 12:41:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shibboleth-sp (Old)
 and /work/SRC/openSUSE:Factory/.shibboleth-sp.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shibboleth-sp" Tue Dec 3 12:41:57 2019 rev:14 rq:752898 version:3.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/shibboleth-sp/shibboleth-sp.changes 2019-04-26 22:55:16.505283240 +0200 +++ /work/SRC/openSUSE:Factory/.shibboleth-sp.new.4691/shibboleth-sp.changes 2019-12-03 12:42:18.634133952 +0100 @@ -1,0 +2,7 @@ +Mon Dec 2 10:36:30 UTC 2019 - Kristyna Streitova <kstreit...@suse.com> + +- remove fixing of the ownership of log files as this allows shibd + to escalate to root [bsc#1157471] [CVE-2019-19191] +- generate two keys on new installs instead of just one + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shibboleth-sp.spec ++++++ --- /var/tmp/diff_new_pack.Zl0WnX/_old 2019-12-03 12:42:19.098133824 +0100 +++ /var/tmp/diff_new_pack.Zl0WnX/_new 2019-12-03 12:42:19.098133824 +0100 @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
@@ -184,16 +184,13 @@ %post -n libshibsp%{libvers} -p /sbin/ldconfig %post -n libshibsp-lite%{libvers} -p /sbin/ldconfig %post -# Key generation or ownership fix -cd %{_sysconfdir}/%{realname} -if [ -f sp-key.pem ] ; then - chown %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || : -else - /bin/sh ./keygen.sh -b -u %{runuser} -g %{runuser} -fi -# Fix ownership of log files (even on new installs, if they're left from an older one). -chown %{runuser}:%{runuser} %{_localstatedir}/log/%{realname}/* 2>/dev/null || : +# Generate two keys on new installs. +if [ $1 -eq 1 ] ; then + cd %{_sysconfdir}/shibboleth + /bin/sh ./keygen.sh -b -n sp-signing -u %{runuser} -g %{runuser} + /bin/sh ./keygen.sh -b -n sp-encrypt -u %{runuser} -g %{runuser} +fi %service_add_post shibd.service
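Review bot: the new entry in shibboleth-sp.changes only mentions dropping the ownership fix for log files, but the %post hunk in shibboleth-sp.spec also removes `chown %{runuser}:%{runuser} sp-key.pem sp-cert.pem` for existing installs, and the changelog should say so. The second bullet would also be more useful if it named the two keys created by `-n sp-signing` and `-n sp-encrypt`, so that admins know which files to expect and that installs being upgraded keep their existing key.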
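Review bot: in the %post scriptlet of shibboleth-sp.spec, `cd %{_sysconfdir}/shibboleth` is not checked before `./keygen.sh` is run relative to it, and it hardcodes the directory name where the removed lines used `%{_sysconfdir}/%{realname}`. Suggest keeping the macro and bailing out of the block if the `cd` fails, and quoting the argument in the test as `[ "$1" -eq 1 ]`. Since the wildcard `chown` on `%{_localstatedir}/log/%{realname}/*` is gone, log files left over from an older install are no longer re-owned, so a short comment or README note telling admins to check that ownership by hand would cover the case the removed comment described.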