Hello community,

here is the log from the commit of package shibboleth-sp for openSUSE:Factory 
checked in at 2019-12-03 12:41:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shibboleth-sp (Old)
 and      /work/SRC/openSUSE:Factory/.shibboleth-sp.new.4691 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "shibboleth-sp"

Tue Dec  3 12:41:57 2019 rev:14 rq:752898 version:3.0.4

Changes:
--------
--- /work/SRC/openSUSE:Factory/shibboleth-sp/shibboleth-sp.changes      
2019-04-26 22:55:16.505283240 +0200
+++ /work/SRC/openSUSE:Factory/.shibboleth-sp.new.4691/shibboleth-sp.changes    
2019-12-03 12:42:18.634133952 +0100
@@ -1,0 +2,7 @@
+Mon Dec  2 10:36:30 UTC 2019 - Kristyna Streitova <kstreit...@suse.com>
+
+- remove fixing of the ownership of log files as this allows shibd
+  to escalate to root [bsc#1157471] [CVE-2019-19191]
+- generate two keys on new installs instead of just one
+
+-------------------------------------------------------------------
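Review bot: The first bullet records only the removal of the log-file ownership fix, but the %post change in shibboleth-sp.spec also drops the `chown %{runuser}:%{runuser} sp-key.pem sp-cert.pem` branch that ran when a key already existed. Please mention that in the entry as well, and state in the second bullet that the two keys are created on first install only, so that admins upgrading an existing system know nothing is generated or re-owned for them.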

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shibboleth-sp.spec ++++++
--- /var/tmp/diff_new_pack.Zl0WnX/_old  2019-12-03 12:42:19.098133824 +0100
+++ /var/tmp/diff_new_pack.Zl0WnX/_new  2019-12-03 12:42:19.098133824 +0100
@@ -12,7 +12,7 @@
 # license that conforms to the Open Source Definition (Version 1.9)
 # published by the Open Source Initiative.
 
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
 
@@ -184,16 +184,13 @@
 %post -n libshibsp%{libvers} -p /sbin/ldconfig
 %post -n libshibsp-lite%{libvers} -p /sbin/ldconfig
 %post
-# Key generation or ownership fix
-cd %{_sysconfdir}/%{realname}
-if [ -f sp-key.pem ] ; then
-       chown %{runuser}:%{runuser} sp-key.pem sp-cert.pem 2>/dev/null || :
-else
-       /bin/sh ./keygen.sh -b -u %{runuser} -g %{runuser}
-fi
 
-# Fix ownership of log files (even on new installs, if they're left from an 
older one).
-chown %{runuser}:%{runuser} %{_localstatedir}/log/%{realname}/* 2>/dev/null || 
:
+# Generate two keys on new installs.
+if [ $1 -eq 1 ] ; then
+        cd %{_sysconfdir}/shibboleth
+        /bin/sh ./keygen.sh -b -n sp-signing -u %{runuser} -g %{runuser}
+        /bin/sh ./keygen.sh -b -n sp-encrypt -u %{runuser} -g %{runuser}
+fi
 
 %service_add_post shibd.service
 
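Review bot: The new `if [ $1 -eq 1 ]` block has lost the existence check the old scriptlet had (`if [ -f sp-key.pem ]`), and the result of `cd %{_sysconfdir}/shibboleth` is not checked before the two `keygen.sh` calls. A fresh install over a configuration directory left behind by an earlier removal would reach keygen.sh with key files possibly already present, so consider guarding each call with a test for the corresponding key file and chaining the `cd` with `&&` or `|| exit 0`. Since this change is motivated by a root %post step acting on paths the service user can influence, it is also worth confirming that the directory keygen.sh writes to is not writable by %{runuser}, because the script still runs as root with `-u %{runuser} -g %{runuser}`. Smaller points: the path is now hard-coded as `shibboleth` where the removed lines used `%{realname}`, and `$1` should be quoted.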



