diff --git a/0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch b/0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch deleted file mode 100644 index d82f44a..0000000 --- a/0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch +++ /dev/null @@ -1,27 +0,0 @@ -From a814751421422cad22373eb6e568272fd24e1532 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Chv=C3=A1tal?= -Date: Mon, 23 Mar 2015 11:12:58 +0100 -Subject: [PATCH] Do not use insecure MD5 but rather SHA256 - ---- - libpromises/generic_agent.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/libpromises/generic_agent.c b/libpromises/generic_agent.c -index eaace00..4863230 100644 ---- a/libpromises/generic_agent.c -+++ b/libpromises/generic_agent.c -@@ -101,8 +101,8 @@ static void SanitizeEnvironment() - - ENTERPRISE_VOID_FUNC_2ARG_DEFINE_STUB(void, GenericAgentSetDefaultDigest, HashMethod *, digest, int *, digest_len) - { -- *digest = HASH_METHOD_MD5; -- *digest_len = CF_MD5_LEN; -+ *digest = HASH_METHOD_SHA256; -+ *digest_len = CF_SHA256_LEN; - } - - void MarkAsPolicyServer(EvalContext *ctx) --- -2.3.0 - diff --git a/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch b/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch index 2d475d7..662afbc 100644 --- a/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch +++ b/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch @@ -1,7 +1,7 @@ -From 7b0a005250c0398b86ea5adf93c16b5c8735a343 Mon Sep 17 00:00:00 2001 +From 900148bcea077497d062eccb7a8a5f1ea6f4f9e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= -Date: Fri, 2 May 2014 12:47:37 +0200 -Subject: [PATCH 2/2] Set sys.bindir to /usr/sbin, expect cf-* components there +Date: Thu, 30 Jul 2015 10:48:47 +0200 +Subject: [PATCH 1/2] Set sys.bindir to /usr/sbin, expect cf-*components there That's where the /var/cfengine/bin/* symlinks point to and where the systemd .service files expect the daemons. 
@@ -12,37 +12,38 @@ masterfiles/update/update_processes.cf:enable_cfengine_agents libenv/sysinfo.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) -diff -wruN -x '*~' -x '*.o' -x '*.a' -x '*.so' -x '*.so.[0-9]' -x autom4te.cache -x .deps -x .libs ../orig-core-3.6.3rc-build1/libenv/sysinfo.c ./libenv/sysinfo.c ---- ../orig-core-3.6.3rc-build1/libenv/sysinfo.c 2014-11-27 20:17:34.000000000 +0100 -+++ ./libenv/sysinfo.c 2014-11-28 10:18:49.023646654 +0100 -@@ -567,8 +567,7 @@ +diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c +index a75c6aa1d8d6..1c1139aead94 100644 +--- a/libenv/sysinfo.c ++++ b/libenv/sysinfo.c +@@ -581,8 +581,7 @@ static void GetNameInfo3(EvalContext *ctx) EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "masterdir", GetMasterDir(), CF_DATA_TYPE_STRING, "source=agent"); EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "inputdir", GetInputDir(), CF_DATA_TYPE_STRING, "source=agent"); -- snprintf(workbuf, CF_BUFSIZE, "%s%cbin", CFWORKDIR, FILE_SEPARATOR); +- snprintf(workbuf, CF_BUFSIZE, "%s%cbin", workdir, FILE_SEPARATOR); - EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "bindir", workbuf, CF_DATA_TYPE_STRING, "source=agent"); + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "bindir", "/usr/sbin", CF_DATA_TYPE_STRING, "source=agent"); snprintf(workbuf, CF_BUFSIZE, "%s%cfailsafe.cf", GetInputDir(), FILE_SEPARATOR); EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "failsafe_policy_path", workbuf, CF_DATA_TYPE_STRING, "source=agent"); -@@ -613,7 +612,7 @@ +@@ -627,7 +626,7 @@ static void GetNameInfo3(EvalContext *ctx) components[i]); } #else -- snprintf(name, CF_MAXVARSIZE - 1, "%s%cbin%c%s", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, components[i]); +- snprintf(name, CF_MAXVARSIZE - 1, "%s%cbin%c%s", workdir, FILE_SEPARATOR, FILE_SEPARATOR, components[i]); + snprintf(name, CF_MAXVARSIZE - 1, "/usr/sbin/%s", components[i]); #endif have_component[i] = false; -@@ -636,7 +635,7 @@ - snprintf(name, CF_MAXVARSIZE - 1, 
"%s%cbin%c%s.exe", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, +@@ -650,7 +649,7 @@ static void GetNameInfo3(EvalContext *ctx) + snprintf(name, CF_MAXVARSIZE - 1, "%s%cbin%c%s.exe", workdir, FILE_SEPARATOR, FILE_SEPARATOR, components[1]); #else -- snprintf(name, CF_MAXVARSIZE - 1, "%s%cbin%c%s", CFWORKDIR, FILE_SEPARATOR, FILE_SEPARATOR, components[1]); +- snprintf(name, CF_MAXVARSIZE - 1, "%s%cbin%c%s", workdir, FILE_SEPARATOR, FILE_SEPARATOR, components[1]); + snprintf(name, CF_MAXVARSIZE - 1, "/usr/sbin/%s", components[1]); #endif if (stat(name, &sb) != -1) -- -1.8.4.5 +2.1.4 diff --git a/0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch b/0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch index 9c6cec4..4182e51 100644 --- a/0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch +++ b/0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch @@ -1,7 +1,7 @@ -From 68e63ae137d4f829c569ca0af4fcb86c6d4f688f Mon Sep 17 00:00:00 2001 +From 5954a3e3c1c8be821e32cfac3ec4161892025c95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= Date: Fri, 11 Apr 2014 09:25:05 +0200 -Subject: [PATCH 1/2] Simplify and fix parsing of /etc/SuSE-release (fixes +Subject: [PATCH 2/2] Simplify and fix parsing of /etc/SuSE-release (fixes issue #5423) This patch is a simplification of sysinfo.c:Linux_Suse_Version() @@ -17,10 +17,10 @@ to achieve the following 1 file changed, 60 insertions(+), 127 deletions(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c -index 2bdfb8fbd2fa..f8ffd67b7a49 100644 +index 1c1139aead94..77667b611ad6 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c -@@ -1666,6 +1666,7 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1754,6 +1754,7 @@ static int Linux_Suse_Version(EvalContext *ctx) #define SUSE_RELEASE_FLAG "linux " char classbuf[CF_MAXVARSIZE]; 
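Review bot: The refreshed sysinfo.c patch still spells the literal `/usr/sbin` three times in GetNameInfo3: in the `bindir` special variable and in both non-Windows `snprintf(name, CF_MAXVARSIZE - 1, "/usr/sbin/%s", ...)` calls. sys.bindir and the component lookup that feeds `stat(name, &sb)` therefore stay correct only while all three copies match the directory the spec installs into. Define the path once in the patched file, e.g. `#define CF_PACKAGED_BINDIR "/usr/sbin"` (name constructed for illustration), and use it at all three sites so a later refresh cannot update one and miss another. The `.exe` branches still build their path from `workdir`, which looks intentional but deserves a line in the patch description. GetNameInfo3 begins and ends outside the visible hunks.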
@@ -28,7 +28,7 @@ index 2bdfb8fbd2fa..f8ffd67b7a49 100644 Log(LOG_LEVEL_VERBOSE, "This appears to be a SUSE system."); EvalContextClassPutHard(ctx, "SUSE", "inventory,attribute_name=none,source=agent"); -@@ -1685,23 +1686,26 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1773,23 +1774,26 @@ static int Linux_Suse_Version(EvalContext *ctx) return 1; } @@ -62,7 +62,7 @@ index 2bdfb8fbd2fa..f8ffd67b7a49 100644 } } if (ferror(fp)) -@@ -1715,28 +1719,38 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1803,28 +1807,38 @@ static int Linux_Suse_Version(EvalContext *ctx) fclose(fp); @@ -117,7 +117,7 @@ index 2bdfb8fbd2fa..f8ffd67b7a49 100644 { Item *list, *ip; -@@ -1754,120 +1768,39 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1842,120 +1856,39 @@ static int Linux_Suse_Version(EvalContext *ctx) } else { @@ -262,5 +262,5 @@ index 2bdfb8fbd2fa..f8ffd67b7a49 100644 } -- -1.8.4.5 +2.1.4 diff --git a/cfengine-fips.patch b/cfengine-fips.patch deleted file mode 100644 index 81b1b0f..0000000 --- a/cfengine-fips.patch +++ /dev/null 
@@ -1,66 +0,0 @@
-Index: core-3.6.5/cf-key/cf-key-functions.c
-===================================================================
---- core-3.6.5.orig/cf-key/cf-key-functions.c
-+++ core-3.6.5/cf-key/cf-key-functions.c
-@@ -243,11 +243,11 @@ void KeepKeyPromises(const char *public_
- printf("Making a key pair for cfengine, please wait, this could take a minute...\n");
-
- #ifdef OPENSSL_NO_DEPRECATED
-- BN_set_word(rsa_bignum, 35);
-+ BN_set_word(rsa_bignum, RSA_F4);
-
- if (!RSA_generate_key_ex(pair, 2048, rsa_bignum, NULL))
- #else
-- pair = RSA_generate_key(2048, 35, NULL, NULL);
-+ pair = RSA_generate_key(2048, 65537, NULL, NULL);
-
- if (pair == NULL)
- #endif
-Index: core-3.6.5/tests/unit/hash_test.c
-===================================================================
---- core-3.6.5.orig/tests/unit/hash_test.c
-+++ core-3.6.5/tests/unit/hash_test.c
-@@ -52,7 +52,7 @@ void tests_setup()
- initialized = 0;
- return;
- }
-- BN_set_word(bn, 3);
-+ BN_set_word(bn, RSA_F4);
- RSA_generate_key_ex(rsa, 1024, bn, NULL);
- BN_free(bn);
- }
-Index: core-3.6.5/tests/unit/key_test.c
-===================================================================
---- core-3.6.5.orig/tests/unit/key_test.c
-+++ core-3.6.5/tests/unit/key_test.c
-@@ -25,7 +25,7 @@ void test_setup()
- initialized = 0;
- return;
- }
-- BN_set_word(bn, 3);
-+ BN_set_word(bn, RSA_F4);
- RSA_generate_key_ex(rsa, 1024, bn, NULL);
- BN_free(bn);
- }
-Index: core-3.6.5/tests/unit/tls_generic_test.c
-===================================================================
---- core-3.6.5.orig/tests/unit/tls_generic_test.c
-+++ core-3.6.5/tests/unit/tls_generic_test.c
-@@ -54,7 +54,7 @@ static bool init_test_server()
- int ret;
- RSA *key = RSA_new();
- BIGNUM *bignum = BN_new();
-- BN_set_word(bignum, 17);
-+ BN_set_word(bignum, RSA_F4);
- ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
- if (!ret)
- {
-@@ -450,7 +450,7 @@ static bool init_test_client()
- int ret;
- RSA *key = RSA_new();
- BIGNUM *bignum = BN_new();
-- BN_set_word(bignum, 17);
-+ BN_set_word(bignum, RSA_F4);
- ret = RSA_generate_key_ex(key, 1024, bignum, NULL);
- if (!ret)
- {
diff --git a/cfengine.changes b/cfengine.changes
index ec3745c..cd455d3 100644
--- a/cfengine.changes
+++ b/cfengine.changes
@@ -1,3 +1,86 @@
+-------------------------------------------------------------------
+Mon Jul 20 09:04:00 UTC 2015 - kkaempf@suse.com
+
+- Update to 3.7.0
+ See https://github.com/cfengine/core/blob/3.7.x/ChangeLog for
+ full changelog
+
+ New features:
+ - New package promise implementation.
+ The syntax is much simpler, to try it out, check out the syntax:
+ packages:
+ "mypackage"
+ policy => "absent/present",
+
+ # Optional, default taken from common control
+ package_module => apt_get,
+
+ # Optional, will only match exact version. May be
+ # "latest".
+ version => "32.0",
+
+ # Optional.
+ architecture => "x86_64";
+
+ - Full systemd support for all relevant platforms
+ - New classes to determine whether certain features are enabled:
+ * feature_yaml
+ * feature_xml
+ For the official CFEngine packages, these are always enabled, but
+ packages from other sources may be built without the support.
+ - New readdata() support for generic data input (CSV, YAML, JSON, or auto)
+ - YAML support: new readyaml() function and in readdata()
+ - CSV support: new readcsv() function and in readdata()
+ - New string_mustache() function
+ - New data_regextract() function
+ - eval() can now be called with "class" as the "mode" argument, which
+ will cause it to return true ("any") if the calculated result is
+ non-zero, and false ("!any") if it is zero.
+ - New list_ifelse() function
+ - New mapjson() function as well as JSON support in maparray().
+ - filestat() function now supports "xattr" argument for extended
+ attributes.
+ - "ifvarclass" now has "if" as an alias, and "unless" as an inverse
+ alias.
+ - Ability to expand JSON variables directory in Mustache templates:
+ Prefix the name with '%' for multiline expansion, '$' for compact
+ expansion.
+ - Ability to expand the iteration *key* in Mustache templates with @
+ - Canonical JSON output: JSON output has reliably sorted keys so the
+ same data structure will produce the same JSON every time.
+ - New "@if minimum_version(x.x)" syntax in order to hide future language
+ improvements from versions that don't understand them.
+ - compile time option (--with-statedir) to
+ override the default state/ directory path.
+ - Fix error messages/ handling in process signalling which no longer
+ allowed any signals to fail silently
+ - Also enable shortcut keyword for cf-serverd classic protocol, eg to
+ simplify the bootstrap process for clients that have different
+ sys.masterdir settings (Redmine #3697)
+ - methods promises now accepts the bundle name in the promiser string,
+ as long as it doesn't have any parameters.
+ - In a services promise, if the service_method bundle is not specified,
+ it defaults to the promiser string (canonified) with "service_" as a
+ prefix. The bundle must be in the same namespace as the promise.
+ - inline JSON in policy files: surrounding with parsejson() is now
+ optional *when creating a new data container*.
+ - New data_expand() function to interpolate variables in a data container.
+ - Add configurable network bandwidth limit for all outgoing
+ connections ("bwlimit" attribute in "body common control") . To
+ enforce it in both directions, make sure the attribute is set on both
+ sides of the connection.
+ - Secure bootstrap has been facilitated by use of
+ "cf-agent --boostrap HUB_ADDRESS --trust-server=no"
+ - Implement new TLS-relevant options (Redmine #6883):
+ - body common control: tls_min_version
+ - body server control: allowtlsversion
+ - body common control: tls_ciphers
+ - body server control: allowciphers (preexisting)
+
+- Drop patches, both upstream
+ 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch
+ cfengine-fips.patch
+
 -------------------------------------------------------------------
 Wed Jun 17 13:09:09 UTC 2015 - kkaempf@suse.com
 
diff --git a/cfengine.spec b/cfengine.spec
index 4c978b1..f065c75 100644
--- a/cfengine.spec
+++ b/cfengine.spec
@@ -33,7 +33,7 @@ %bcond_with postgresql %bcond_with libvirt Name: cfengine -Version: 3.6.5 +Version: 3.7.0 Release: 0 # This is the place where workdir should be #define basedir /var/lib/%{name} @@ -64,9 +64,7 @@ Patch5: 0001-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch # set cfengine's notion of bindir to /usr/sbin instead of /var/cfengine/bin # kkaempf@suse.de Patch6: 0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch -# PATCH-FIX-UPSTREAM: Use ssl exponent of 65537 for FIPS bnc#922571 -Patch7: cfengine-fips.patch -Patch8: 0001-Do-not-use-insecure-MD5-but-rather-SHA256.patch + BuildRequires: bison BuildRequires: db-devel BuildRequires: flex @@ -176,8 +174,6 @@ Lots of examples promises for CFEngine. %endif %patch5 -p1 %patch6 -p1 -%patch7 -p1 -%patch8 -p1 ##### rpmlint #### wrong-file-end-of-line-encoding diff --git a/core-3.6.5.tar.gz b/core-3.6.5.tar.gz deleted file mode 100644 index 9d35723..0000000 --- a/core-3.6.5.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:62a308a954a70d6854aa182e0612731618d08ab364a5fdf5359585a02ae32d8c -size 1549020 diff --git a/core-3.7.0.tar.gz b/core-3.7.0.tar.gz new file mode 100644 index 0000000..71455fe --- /dev/null +++ b/core-3.7.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f64dccbde4651e0bcf1ece8c756bd6ba42fe7f76c6fe23ba3a0a653dadb5e87c +size 1638407
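Review bot: Dropping `Patch7` (RSA exponent 65537 for FIPS, bnc#922571) and `Patch8` (default digest SHA256 instead of MD5) in the `@@ -64,9 +64,7 @@` and `@@ -176,8 +174,6 @@` hunks rests only on the changelog line "Drop patches, both upstream"; nothing in this diff shows that core-3.7.0 contains either change. Before merging, check the 3.7.0 tarball: `GenericAgentSetDefaultDigest` in libpromises/generic_agent.c should set `HASH_METHOD_SHA256`, and `KeepKeyPromises` in cf-key/cf-key-functions.c should no longer pass 35 as the exponent. If either is missing, this update silently goes back to MD5 digests or to the key exponent that the FIPS patch replaced. The deleted spec comment was the only place that tied the exponent fix to `bnc#922571`, so repeat that reference in the cfengine.changes entry and note the upstream release that absorbed each patch.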