Accepting request 957421 from home:susnux:branches:systemsmanagement

Update to version 3.19.0

Fix CVE-2021-38379 - Publicly available exported reports
Fix CVE-2021-36756 - Certificate not checked in Federated Reporting

OBS-URL: https://build.opensuse.org/request/show/957421
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement/cfengine?expand=0&rev=196

cfengine-rpmlintrc

@@ -1 +1,2 @@
-addFilter(".* is not allowed anymore in FHS 2.2.");
+addFilter("E: filelist-forbidden-fhs23 *");
+addFilter("cfengine-examples.noarch: E: wrong-script-interpreter *")

cfengine.changes

@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Thu Feb 24 15:23:22 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
+
+- Update to version 3.19.0
+  * -N/--negate now prevents persistent classes from being defined
+  * 'null' JSON value is now handled as empty data in
+    augments/host-specific data
+  * Added a new common control attribute 'system_log_level'
+    For specifying the minimum log level required for log messages to
+    go to the system log.
+  * Added support for cfbs managed policy set to masterfiles staging script
+  * Trailing commas can now be used in policy argument lists
+  * Changed cf-key option --print-digest to take an optional argument.
+  * Enabled 'handle', 'depends_on', 'with' attribute for custom
+    promise types
+  * Don't fail on new file creation when backups are enabled
+  * Set apache umask to 0177
+  * cf-serverd now binds to both IPV6 and IPV4 if bindtointerface
+    is unspecified
+  * cf-serverd now reports if fails to bind to all possible
+    addresses/interfaces
+  * Fixed dbm_quick.c, dbm_tokyocab.c DBPrivRead() argument type
+  * Fixed crashes (Segfaults)
+- Update to version 3.18.0
+  * Fix CVE-2021-38379 - Publicly available exported reports
+    An attacker with network access to the hub machine (port 443)
+    can obtain reports generated by users in Mission Portal with
+    potentially sensitive data.
+  * Fix CVE-2021-36756 - Certificate not checked in Federated Reporting
+    An attacker can use IP spoofing, DNS spoofing or other common
+    techniques to direct the traffic from the superhub to their own
+    machine instead of the real feeder hub and get it connected to
+    the superhub.
+  * "No action for file" warning is no longer triggered when only
+    'content => "something"' is used
+  * "source=promise_iteration" variables are no longer created in
+    foreign bundles
+  * 'rename => newname()' now supports relative paths
+  * 'variables' and 'classes' in CMDB and augments data now support
+    'comment' fields
+  * Added a new --simulate=manifest-full mode
+  * Added a new runagent_socket_allow_users body executor control attribute
+  * Fixed crash when attempting to put methods promises in bundles
+    which are not agent bundles
+  * Fixed various memory leaks
+  * Various other changes see provided ChangeLog file
+- Refresh harden_cf-hub.service.patch
+
 -------------------------------------------------------------------
 Wed Aug 25 15:25:36 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
 

cfengine.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cfengine
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -18,14 +18,12 @@
 
 %define libname   libpromises
 %define libsoname %{libname}3
-
 # Yes, its not FHS conformant but in sync with cfengine documentation
 %define   basedir   %{_localstatedir}/%{name}
 %define   workdir   %{basedir}
 # This is the place where workdir should be
 #%%define basedir   %%{_localstatedir}/lib/%%{name}
 #%%define workdir   %%{basedir}/work
-
 %if 0%{?suse_version} < 1500
 # assume SuSEfirewall2
 %define with_sfw2 1
@@ -34,13 +32,13 @@
 %define with_sfw2 0
 %endif
 # Version of libntech needed (see git repo of core)
-%define libntech_hash 4e9efcb84172110fa92742836b8d34688983c2e7
+%define libntech_hash 66274a1752c88922c2acd000e23b11b76b3bfc2a
 # pass --with-bla to enable the build
 %bcond_with mysql
 %bcond_with postgresql
 %bcond_with libvirt
 Name:           cfengine
-Version:        3.17.0
+Version:        3.19.0
 Release:        0
 Summary:        Configuration management framework
 License:        GPL-3.0-only

core-3.17.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ab5634ad6e3fe262209b54ccb49ea06da00872cfb320a802756ee50ab9c7b8a7
-size 2291995

core-3.19.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:af83b5bd9679f2771dc4213cd6564210397bdc458721f38522844efe056ce92c
+size 2371273

harden_cf-hub.service.patch

@@ -1,9 +1,9 @@
-Index: core-3.17.0/misc/systemd/cf-hub.service.in
+Index: core-3.19.0/misc/systemd/cf-hub.service.in
 ===================================================================
---- core-3.17.0.orig/misc/systemd/cf-hub.service.in
-+++ core-3.17.0/misc/systemd/cf-hub.service.in
-@@ -10,6 +10,19 @@ After=cf-postgres.service
- Requires=cf-postgres.service
+--- core-3.19.0.orig/misc/systemd/cf-hub.service.in
++++ core-3.19.0/misc/systemd/cf-hub.service.in
+@@ -10,6 +10,19 @@ Wants=cf-postgres.service
+ After=cf-postgres.service
  
  [Service]
 +# added automatically, for details please see

libntech-4e9efcb84172110fa92742836b8d34688983c2e7.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:342fe2cd05f8e79cd438dea144bb53b357c06255030b94e9870dd3b9b8eb97cf
-size 365588

libntech-66274a1752c88922c2acd000e23b11b76b3bfc2a.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1510c938056e4b7ddc8154589f2f2df27dcbc9a49d950043ff24310350cd7e77
+size 374456