2025-05-28 20:54:06 +02:00
11 changed files with 111 additions and 234 deletions
--- a/kea-2.6.1-boost_1.87-compat.patch
+++ b/kea-2.6.1-boost_1.87-compat.patch
@@ -1,191 +0,0 @@
-From 81edc181f85395c39964104ef049a195bafb9737 Mon Sep 17 00:00:00 2001
-From: q66 <q66@chimera-linux.org>
-Date: Sun, 15 Dec 2024 03:04:53 +0100
-Subject: [PATCH] [#3696] Update asiolink for boost 1.87
-
---
- src/lib/asiolink/io_address.cc         |  4 ++--
- src/lib/asiolink/io_service.cc         |  8 ++++----
- src/lib/asiolink/tcp_endpoint.h        |  2 +-
- src/lib/asiolink/udp_endpoint.h        |  2 +-
- src/lib/asiolink/unix_domain_socket.cc | 16 ++++++++--------
- src/lib/dhcp/iface_mgr.cc              |  2 +-
- 6 files changed, 17 insertions(+), 17 deletions(-)
-
-diff --git a/src/lib/asiolink/io_address.cc b/src/lib/asiolink/io_address.cc
-index 43459bfe5ab..06b7d3d990c 100644
--- a/src/lib/asiolink/io_address.cc
-+++ b/src/lib/asiolink/io_address.cc
-@@ -37,7 +37,7 @@ IOAddress::Hash::operator()(const IOAddress &io_address) const {
- // because we'd like to throw our own exception on failure.
- IOAddress::IOAddress(const std::string& address_str) {
-     boost::system::error_code err;
-    asio_address_ = ip::address::from_string(address_str, err);
-+    asio_address_ = ip::make_address(address_str, err);
-     if (err) {
-         isc_throw(IOError, "Failed to convert string to address '"
-                   << address_str << "': " << err.message());
-@@ -116,7 +116,7 @@ IOAddress::isV6Multicast() const {
- uint32_t
- IOAddress::toUint32() const {
-     if (asio_address_.is_v4()) {
-        return (asio_address_.to_v4().to_ulong());
-+        return (asio_address_.to_v4().to_uint());
-     } else {
-         isc_throw(BadValue, "Can't convert " << toText()
-                   << " address to IPv4.");
-diff --git a/src/lib/asiolink/io_service.cc b/src/lib/asiolink/io_service.cc
-index 411de641915..cc28d24c19f 100644
--- a/src/lib/asiolink/io_service.cc
-+++ b/src/lib/asiolink/io_service.cc
-@@ -30,7 +30,7 @@ public:
-     /// @brief The constructor.
-     IOServiceImpl() :
-         io_service_(),
-        work_(new boost::asio::io_service::work(io_service_)) {
-+        work_(boost::asio::make_work_guard(io_service_)) {
-     };
- 
-     /// @brief The destructor.
-@@ -92,7 +92,7 @@ public:
- 
-     /// @brief Restarts the IOService in preparation for a subsequent @ref run() invocation.
-     void restart() {
-        io_service_.reset();
-+        io_service_.restart();
-     }
- 
-     /// @brief Removes IO service work object to let it finish running
-@@ -115,12 +115,12 @@ public:
-     ///
-     /// @param callback The callback to be run on the IO service.
-     void post(const std::function<void ()>& callback) {
-        io_service_.post(callback);
-+        boost::asio::post(io_service_, callback);
-     }
- 
- private:
-     boost::asio::io_service io_service_;
-    boost::shared_ptr<boost::asio::io_service::work> work_;
-+    boost::asio::executor_work_guard<boost::asio::io_service::executor_type> work_;
- };
- 
- IOService::IOService() : io_impl_(new IOServiceImpl()) {
-diff --git a/src/lib/asiolink/tcp_endpoint.h b/src/lib/asiolink/tcp_endpoint.h
-index 8ebd57551db..7c8cb35535d 100644
--- a/src/lib/asiolink/tcp_endpoint.h
-+++ b/src/lib/asiolink/tcp_endpoint.h
-@@ -42,7 +42,7 @@ public:
-     /// \param port The TCP port number of the endpoint.
-     TCPEndpoint(const IOAddress& address, const unsigned short port) :
-         asio_endpoint_placeholder_(
-            new boost::asio::ip::tcp::endpoint(boost::asio::ip::address::from_string(address.toText()),
-+            new boost::asio::ip::tcp::endpoint(boost::asio::ip::make_address(address.toText()),
-                               port)),
-         asio_endpoint_(*asio_endpoint_placeholder_)
-     {}
-diff --git a/src/lib/asiolink/udp_endpoint.h b/src/lib/asiolink/udp_endpoint.h
-index f960bf3ce9f..2a3da9f0464 100644
--- a/src/lib/asiolink/udp_endpoint.h
-+++ b/src/lib/asiolink/udp_endpoint.h
-@@ -42,7 +42,7 @@ public:
-     /// \param port The UDP port number of the endpoint.
-     UDPEndpoint(const IOAddress& address, const unsigned short port) :
-         asio_endpoint_placeholder_(
-            new boost::asio::ip::udp::endpoint(boost::asio::ip::address::from_string(address.toText()),
-+            new boost::asio::ip::udp::endpoint(boost::asio::ip::make_address(address.toText()),
-                               port)),
-         asio_endpoint_(*asio_endpoint_placeholder_)
-     {}
-diff --git a/src/lib/asiolink/unix_domain_socket.cc b/src/lib/asiolink/unix_domain_socket.cc
-index f43e1c9e9bb..43ff3c8f241 100644
--- a/src/lib/asiolink/unix_domain_socket.cc
-+++ b/src/lib/asiolink/unix_domain_socket.cc
-@@ -83,7 +83,7 @@ public:
-     /// @param buffer Buffers holding the data to be sent.
-     /// @param handler User supplied callback to be invoked when data have
-     /// been sent or sending error is signalled.
-    void doSend(const boost::asio::const_buffers_1& buffer,
-+    void doSend(const boost::asio::const_buffer& buffer,
-                 const UnixDomainSocket::Handler& handler);
- 
- 
-@@ -103,7 +103,7 @@ public:
-     /// @param ec Error code returned as a result of sending the data.
-     /// @param length Length of the data sent.
-     void sendHandler(const UnixDomainSocket::Handler& remote_handler,
-                     const boost::asio::const_buffers_1& buffer,
-+                     const boost::asio::const_buffer& buffer,
-                      const boost::system::error_code& ec,
-                      size_t length);
- 
-@@ -127,7 +127,7 @@ public:
-     /// @param buffer A buffer into which the data should be received.
-     /// @param handler User supplied callback invoked when data have been
-     /// received on an error is signalled.
-    void doReceive(const boost::asio::mutable_buffers_1& buffer,
-+    void doReceive(const boost::asio::mutable_buffer& buffer,
-                    const UnixDomainSocket::Handler& handler);
- 
-     /// @brief Local handler invoked as a result of asynchronous receive.
-@@ -146,7 +146,7 @@ public:
-     /// @param ec Error code returned as a result of asynchronous receive.
-     /// @param length Size of the received data.
-     void receiveHandler(const UnixDomainSocket::Handler& remote_handler,
-                        const boost::asio::mutable_buffers_1& buffer,
-+                        const boost::asio::mutable_buffer& buffer,
-                         const boost::system::error_code& ec,
-                         size_t length);
- 
-@@ -197,7 +197,7 @@ UnixDomainSocketImpl::asyncSend(const void* data, const size_t length,
- }
- 
- void
-UnixDomainSocketImpl::doSend(const boost::asio::const_buffers_1& buffer,
-+UnixDomainSocketImpl::doSend(const boost::asio::const_buffer& buffer,
-                              const UnixDomainSocket::Handler& handler) {
-     auto local_handler = std::bind(&UnixDomainSocketImpl::sendHandler,
-                                    shared_from_this(),
-@@ -207,7 +207,7 @@ UnixDomainSocketImpl::doSend(const boost::asio::const_buffers_1& buffer,
- 
- void
- UnixDomainSocketImpl::sendHandler(const UnixDomainSocket::Handler& remote_handler,
-                                  const boost::asio::const_buffers_1& buffer,
-+                                  const boost::asio::const_buffer& buffer,
-                                   const boost::system::error_code& ec,
-                                   size_t length) {
-     // The asynchronous send may return EWOULDBLOCK or EAGAIN on some
-@@ -230,7 +230,7 @@ UnixDomainSocketImpl::asyncReceive(void* data, const size_t length,
- }
- 
- void
-UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffers_1& buffer,
-+UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffer& buffer,
-                                 const UnixDomainSocket::Handler& handler) {
-     auto local_handler = std::bind(&UnixDomainSocketImpl::receiveHandler,
-                                    shared_from_this(),
-@@ -240,7 +240,7 @@ UnixDomainSocketImpl::doReceive(const boost::asio::mutable_buffers_1& buffer,
- 
- void
- UnixDomainSocketImpl::receiveHandler(const UnixDomainSocket::Handler& remote_handler,
-                                     const boost::asio::mutable_buffers_1& buffer,
-+                                     const boost::asio::mutable_buffer& buffer,
-                                      const boost::system::error_code& ec,
-                                      size_t length) {
-     // The asynchronous receive may return EWOULDBLOCK or EAGAIN on some
-diff --git a/src/lib/dhcp/iface_mgr.cc b/src/lib/dhcp/iface_mgr.cc
-index 01a1d63da5d..419268bfe5c 100644
--- a/src/lib/dhcp/iface_mgr.cc
-+++ b/src/lib/dhcp/iface_mgr.cc
-@@ -1034,7 +1034,7 @@ IfaceMgr::getLocalAddress(const IOAddress& remote_addr, const uint16_t port) {
-     }
- 
-     // Create socket that will be used to connect to remote endpoint.
-    boost::asio::io_service io_service;
-+    boost::asio::io_context io_service;
-     boost::asio::ip::udp::socket sock(io_service);
- 
-     boost::system::error_code err_code;
-- 
-GitLab
-
--- a/kea-2.6.2.tar.gz
+++ b/kea-2.6.2.tar.gz
--- a/kea-2.6.2.tar.gz.asc
+++ b/kea-2.6.2.tar.gz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEECQoqB5I/kltXZ4A6QuXfeMgycdsFAmfdcgEACgkQQuXfeMgy
-cdtrbA/+MjIYfXn9nu1CoHtX4pxqh35uFYYU6WxDLgeGdHrUIBZe2xGbsZU44n01
-UEJ4u0SJXKpktmnt6R0XZ3R0q5KjQJ1RuOj2nGl/+FupxSYwxZl4ZmT6xivqrPyF
-q5XU/Vp3JQLhxbLo2w4uxcCGV00O4BGXc5SWPwiVUhf3IXElZuLryvjeU39FgfBf
-0y/PkhugUh/PNavkeHuCALbKD4NH4uhDXlbABWJ3GH4rq1gKpl1NAiHFuah2QWtx
-WAstxrR9W0o1SftIrCp2pbmjTXLKEZ2fPxJ4y0hf1ByGrgyN8MIS9JdLQKQdAhDd
-LOe59KxYxYF7lpgfbX4bSQU7XsXkYfETlfC0WvfyoEvl+Eg/LeZuUc1PlG5+u3BG
-RTep9g0WdkPf3SdmdIKGF6/AOvAo1ovms64KVr9mbKGLrGtkiv/mFCKc59EHkl4Y
-MH51YFfE34TB27zi7veGyfsQrKNESnRjVrlnewhWX7WeXkuHkR+Y2cqiYxSCx7Tb
-F2K+qOP2m+ICTWS0APxaUfJyETUyuNFTnfaWj+izYbIkE3vv11hAGuG5t7ef/tXF
-JY68doC9RFc5bF9q89xt93ePL3qls5ADBo4fZI67fpXFnywENiQGwUhBB5sxsYYs
-puVNNq7/nT+05IwpSr1TEpCtPHWDOFHG/lvAjcBYb2AGEnVGdpM=
-=h8nL
-----END PGP SIGNATURE-----
--- a/kea-2.6.3.tar.gz
+++ b/kea-2.6.3.tar.gz
--- a/kea-2.6.3.tar.gz.asc
+++ b/kea-2.6.3.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmgvfDoACgkQel4ITKyl
+GIQKQA/9ExKLzofEhdch9eE9gcRVth2RehqbrJdVE0iPZOGZFnbSKe6KUleyPOgt
+g6kympVGO+8ZHbu5BBMc29SpsBXSTAm79ZvLiHVM4EjWaTH0uqZgb3HyNrloIYzX
+QW5/TtXVCdDHreH7Giy+Bx3303aMEu2H+hlQpCl2a2LbsvqI9Tv9ytymdHyNWfUy
+yCwPzUdE8mi+KJdE0XE/pibZrI1UaQdfsg/ZmLzho3nGbaWMrvbTIgcuqYtTCD+S
+Dodv/Bx195rHhecOQ1liNWwAxkeB+9Um6YCstvbpON3uwnwVp+e3T60rHVg5SGqe
+66Un7WME5wVZ7nOg1XBijSK7BmyGucPGA+/IBWAdjpU+m7gb2M6quTs6Elyf6p53
+AdIq0UX0nN9eo8wa+bme71JOzFive9iR9RtnNhaus6IeMB6lSH7kmrXnDXK2EQQe
+x53bYPe+yFL6QeWSFTxlIDj77fqcN9vI20zRkDvWdyG83VzZP6tOS7JTR3dJoToM
+4GTRdkJ3maUV/gujx3hR41b1EknlcFW3LUEVV0NqdlU1Qy9fOh/mLwFosuaOPSYx
+4WFuT5aIScS7bxQqPSBQ/h2Xn63oUuTch08eGMuTtMs+TdkQuhciXKXpYE3lt1sW
+8NNI0M4HqaviUu9SaVg1aGAvJ8pFJQjI8YR9NrK2O3mTcAprNPA=
+=inHP
+-----END PGP SIGNATURE-----
--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@@ -7,6 +7,7 @@ After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.se
 User=keadhcp
 Environment=KEA_PIDFILE_DIR=/run/kea
 RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
 ExecReload=kill -HUP $MAINPID
 ProtectSystem=full
--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@@ -8,6 +8,7 @@ User=keadhcp
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 Environment=KEA_PIDFILE_DIR=/run/kea
 RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
 ExecReload=kill -HUP $MAINPID
 ProtectSystem=full
--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@@ -8,6 +8,7 @@ User=keadhcp
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 Environment=KEA_PIDFILE_DIR=/run/kea
 RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
 ExecReload=kill -HUP $MAINPID
 ProtectSystem=full
--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
@@ -8,6 +8,7 @@ User=keadhcp
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 Environment=KEA_PIDFILE_DIR=/run/kea
 RuntimeDirectory=kea
+RuntimeDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
 ExecReload=kill -HUP $MAINPID
 ProtectSystem=full
--- a/kea.changes
+++ b/kea.changes
@@ -1,3 +1,73 @@
+-------------------------------------------------------------------
+Mon May 26 15:07:13 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>
+
+- Update to release 2.6.3
+  Security Fixes:
+  * The default configuration for the Kea Control Agent (CA) has
+    been updated to enable basic HTTP authentication.  Access to
+    the Kea API will thus require a password.
+    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
+    [bsc#1243240]
+  * `kea-dhcp4`, `kea-dhcp6`, `kea-dhcp-ddns`, and
+    `kea-ctrl-agent` now only load hook libraries from the
+    default installation directory. For ease of use, the path may
+    be omitted.
+    (CVE-2025-32801)
+    [bsc#1243240]
+  * The API command `config-write` will now only write to the same
+    directory as the configuration file used when Kea was started
+    (passed as a `-c` argument).
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Lease files can now only be loaded from the data directory
+    `/var/lib/kea`. This path may be overridden at startup by
+    setting the environment variable `KEA_DHCP_DATA_DIR` to the
+    desired path. If a path outside the defined data directory is
+    used in `lease-database.name`, Kea returns an error and refuses
+    to start or, if already running, aborts and exits. For ease of
+    use in specifying a custom file name, simply omit the path
+    component from `name`.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Log files can now only be written to a defined output directory
+    `/var/log/kea`. This path may be overridden at startup by
+    setting the environment variable `KEA_LOG_FILE_DIR` to the
+    desired path. If a path outside the defined output directory is
+    used in `loggers.output_options.output`, Kea returns an error
+    and refuses to start or, if already running, aborts and exits.
+    For ease of use, simply omit the path component from `output`
+    and specify only the file name.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Files created by Kea now have more restrictive file
+    permissions. Write access by group and any access by others is
+    now forbidden.
+    (CVE-2025-32803)
+    [bsc#1243240]
+  * Sockets can no longer be created in a world-writable directory,
+    such as `/tmp`. Sockets must now be created in the more
+    restricted `/var/run/kea`.
+    (CVE-2025-32802)
+    [bsc#1243240]
+  * Many sample configuration files have been updated to reflect
+    changes introduced in this release. In the ARM, the Kea
+    Security section has been moved to a more prominent location,
+    and a new section concerning securing the Kea Control Agent has
+    been added.
+    (CVE-2025-32801, CVE-2025-32802, CVE-2025-32803)
+    [bsc#1243240]
+
+  Other changes:
+  * Fix build with the latest Boost 1.87.
+    (Obsoletes patch `kea-2.6.1-boost_1.87-compat.patch`)
+  * Backported a clarification in the ARM about subnet4-delta-add.
+
+- Remove /run/kea from systemd tmpfiles as the creation of this
+  directory is handled by the services.
+- Replace 'chmod -h' and 'chown -h' with 'find' as the '-h' isn't
+  present in Leap/SLE.
+- /run/kea now has mode 0750 for all services.
+
 -------------------------------------------------------------------
 Wed Apr 30 13:21:39 UTC 2025 - Jorik Cronenberg <jorik.cronenberg@suse.com>

--- a/kea.spec
+++ b/kea.spec
@@ -16,36 +16,36 @@
 #


-%define asiodns_sover 48
-%define asiolink_sover 71
+%define asiodns_sover 49
+%define asiolink_sover 72
 %define cc_sover 68
-%define cfgclient_sover 65
+%define cfgclient_sover 66
 %define cryptolink_sover 50
-%define d2srv_sover 46
+%define d2srv_sover 47
 %define database_sover 62
-%define dhcppp_sover 91
-%define dhcp_ddns_sover 56
-%define dhcpsrv_sover 110
-%define dnspp_sover 56
+%define dhcppp_sover 92
+%define dhcp_ddns_sover 57
+%define dhcpsrv_sover 111
+%define dnspp_sover 57
 %define eval_sover 69
 %define exceptions_sover 33
-%define hooks_sover 99
-%define http_sover 71
+%define hooks_sover 100
+%define http_sover 72
 %define log_sover 61
 %define mysql_sover 71
 %define pgsql_sover 71
-%define process_sover 73
+%define process_sover 74
 %define stats_sover 41
-%define tcp_sover 18
+%define tcp_sover 19
 %define util_io_sover 0
-%define util_sover 85
+%define util_sover 86
 %if 0%{?suse_version} >= 1600
 %bcond_without regen_files
 %else
 %bcond_with    regen_files
 %endif
 Name:           kea
-Version:        2.6.2
+Version:        2.6.3
 Release:        0
 Summary:        Dynamic Host Configuration Protocol daemon
 License:        MPL-2.0
@@ -61,7 +61,6 @@ Source4:        kea-dhcp4.service
 Source5:        kea-dhcp6.service
 Source6:        kea-dhcp-ddns.service
 Source7:        kea-ctrl-agent.service
-Patch0:         kea-2.6.1-boost_1.87-compat.patch
 BuildRequires:  autoconf >= 2.59
 BuildRequires:  automake
 %if %{with regen_files}
@@ -377,11 +376,8 @@ make %{?_smp_mflags}
 b=%buildroot
 %make_install
 find %buildroot -type f -name "*.la" -delete -print
-mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir"
+mkdir -p "$b/%_unitdir" "$b/%_sysusersdir"
 cp %_sourcedir/*.service "$b/%_unitdir/"
-cat <<-EOF >"$b/%_tmpfilesdir/kea.conf"
-	d /run/kea 0775 keadhcp keadhcp -
-EOF
 echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf
 cp -a system-user-keadhcp.conf "$b/%_sysusersdir/"
 %sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf
@@ -396,7 +392,6 @@ find "%buildroot/%_libdir" -name "*.so.*" -type l -delete
 rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__"

 %pre -f random.pre
-systemd-tmpfiles --create kea.conf || :
 %service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

 %post
@@ -404,8 +399,8 @@ systemd-tmpfiles --create kea.conf || :
 if [ "$1" -gt 1 ]; then
 	chown -R keadhcp:keadhcp "%_localstatedir/lib/kea"
 	chown -R keadhcp:keadhcp "%_localstatedir/log/kea"
-	chown -h root:keadhcp %_sysconfdir/kea/*.conf
-	chmod -h 640 %_sysconfdir/kea/*.conf
+	find %_sysconfdir/kea/ -type f -name '*.conf' -exec chown root:keadhcp {} +
+	find %_sysconfdir/kea/ -type f -name '*.conf' -exec chmod 640 {} +
 fi
 bigkea_enabled=$(/usr/bin/systemctl is-enabled kea.service 2>/dev/null || :)
 bigkea_active=$(/usr/bin/systemctl is-active kea.service 2>/dev/null || :)
@@ -477,7 +472,7 @@ fi
 %ldconfig_scriptlets -n libkea-util%util_sover

 %files
-%dir %_sysconfdir/kea
+%dir %attr(0755,root,root) %_sysconfdir/kea
 %config(noreplace) %attr(0640,root,keadhcp) %_sysconfdir/kea/*.conf
 %_mandir/man8/*.8%{?ext_man}
 %_sbindir/kea*
@@ -485,7 +480,6 @@ fi
 %_datadir/kea/
 %_unitdir/*.service
 %dir %attr(0750,keadhcp,keadhcp) %_localstatedir/lib/kea
-%_tmpfilesdir/*
 %_sysusersdir/*
 %attr(0750,keadhcp,keadhcp) %_localstatedir/log/kea/