- drop linux-4.15.patch: No longer needed as it was a backport from
upstream
- Cleanup configure options after consultation with upstream:
- --enable-regex-timers is for debugging purposes
- --enable-snmp-checker and --enable-snmp-vrrp are enabled by
--enable-snmp
- --enable-snmp-rfcv2 and --enable-snmp-rfcv3 are enabled by
--enable-snmp-rfc
- --enable-stacktrace is definitely a debugging option
- on systems where we have nftables support we will only ship with
nftables support (>= 15.0) and use iptables support only on older
distributions.
OBS-URL: https://build.opensuse.org/request/show/877792
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=70
- update to 2.0.10
- Fix compiling on Alpine Linux.
- Stop printf compiler warning on Alpine Linux due to rlim_t.
- manpage cosmetic.
- Fix removing snmpd read threads when snmpd becomes unavailable.
- Update to support libipset version 7.
- Use ipset_printf for ipset messages so can go to log.
- When opening files for write, ensure files can only be read by
root. Issue #1048 referred to CVE-2018-19046 regarding files
used for debugging purposes could potentially be read by non
root users. This commit ensures that such log files cannot be
opened by non root users.
- Disable fopen_safe() append mode by default. If a non privileged
user creates /tmp/keepalived.log and has it open for read (e.g.
tail -f), then even though keepalived will change the owner to
root and remove all read/write permissions from non owners, the
application which already has the file open will be able to
read the added log entries. Accordingly, opening a file in
append mode is disabled by default, and only enabled if
--enable-smtp-alert-debug or --enable-log-file (which are
debugging options and unset by default) are enabled. This
should further alleviate security concerns related to
CVE-2018-19046.
- vrrp: add support to constant time memcmp. Just an update to
use best practise security design pattern. While comparing
password or hmac you need to ensure comparison function is time
constant in order to fight against any timing attacks. We turn
off potential compiler optimizations for this particular
function to avoid any short circuit.
- Make sure a non privileged user cannot read keepalived file
output. Ensure that when a file such as /tmp/keepalived.data is
written, no non privileged user can have a previous version of that
file already open, thereby allowing them to read the data.
This should fully resolve CVE-2018-19046.
- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
update
OBS-URL: https://build.opensuse.org/request/show/652406
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=48
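The CVE-2018-19046 entries above turn on one point: changing ownership and permissions of an existing file does not revoke descriptors that were opened on it earlier. The following C sketch is an added example, not keepalived's fopen_safe() or any code from the package; the helper names and the /tmp/example-keepalived.data path are hypothetical. It writes to a fresh inode and renames it into place, so a reader who opened the old file sees none of the new data.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not keepalived's fopen_safe(): replace `path` with a
 * brand-new owner-only file. Descriptors opened earlier on the old file keep
 * pointing at the old inode and never see the new data. Returns fd or -1. */
static int open_private_for_write(const char *path)
{
    char tmp[4096];
    int fd;

    if (snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path) >= (int)sizeof(tmp))
        return -1;
    fd = mkstemp(tmp);              /* new inode, O_CREAT|O_EXCL, mode 0600 */
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || rename(tmp, path) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a reader opens `path` first (the "tail -f" case),
 * then the writer replaces it. Returns bytes the stale reader can read. */
static long stale_reader_bytes(const char *path)
{
    char buf[64];
    long n = -1;
    int old_fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    int new_fd = old_fd < 0 ? -1 : open_private_for_write(path);

    if (new_fd >= 0 && write(new_fd, "vrrp state", 10) == 10)
        n = (long)read(old_fd, buf, sizeof(buf));
    if (new_fd >= 0) close(new_fd);
    if (old_fd >= 0) close(old_fd);
    return n;
}

int main(void)
{
    printf("stale reader got %ld bytes\n",
           stale_reader_bytes("/tmp/example-keepalived.data"));
    return 0;
}
```

Because rename() replaces the directory entry rather than following it, a symlink planted at the target name is overwritten instead of being written through.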
- add linux-4.15.patch
- update to 1.4.1:
* Improve and fix use of getopt_long().
We mustn't use a long option val of 1, since getopt_long() can return
that value.
getopt_long() also returns longindex == 0 when there is no matching
long option, and there needs to be careful checking if there is an
error to work out whether a long or short option was used, which is
needed for meaningful error messages.
* Write assert() messages to syslog.
assert()s are nasty things, but at least let's get the benefit of
them, and write the messages to syslog, rather than losing them down
stderr.
* Enable sorry server at startup if quorum down due to alpha mode
If alpha mode is configured on sufficient checkers so that a
virtual server doesn't have a quorum, we need to add the sorry
server at startup, otherwise it won't be added until a quorum has
been achieved and subsequently lost again. In the case where some
of the checkers remain in the down state at startup, this would have
meant that the sorry server never got added.
* For virtual servers, ensure quorum <= number of real servers
If the quorum were higher than the number of real servers, the
quorum for the real server to come up could never be achieved, so
if the quorum is greater than the number of real servers, reduce it
to the number of real servers.
* Fix some SNMP keepalived checker integer types and default values.
Some virtual server and real server values were being sent to SNMP
with a signed type whereas the value is unsigned, so set the type
field correctly.
OBS-URL: https://build.opensuse.org/request/show/578944
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/keepalived?expand=0&rev=21
* Improve and fix use of getopt_long().
We mustn't use a long option val of 1, since getopt_long() can return
that value.
getopt_long() also returns longindex == 0 when there is no matching
long option, and there needs to be careful checking if there is an
error to work out whether a long or short option was used, which is
needed for meaningful error messages.
* Write assert() messages to syslog.
assert()s are nasty things, but at least let's get the benefit of
them, and write the messages to syslog, rather than losing them down
stderr.
* Enable sorry server at startup if quorum down due to alpha mode
If alpha mode is configured on sufficient checkers so that a
virtual server doesn't have a quorum, we need to add the sorry
server at startup, otherwise it won't be added until a quorum has
been achieved and subsequently lost again. In the case where some
of the checkers remain in the down state at startup, this would have
meant that the sorry server never got added.
* For virtual servers, ensure quorum <= number of real servers
If the quorum were higher than the number of real servers, the
quorum for the real server to come up could never be achieved, so
if the quorum is greater than the number of real servers, reduce it
to the number of real servers.
* Fix some SNMP keepalived checker integer types and default values.
Some virtual server and real server values were being sent to SNMP
with a signed type whereas the value is unsigned, so set the type
field correctly.
Some virtual server and real server values that apply to checkers
are set to nonsense default values in order to determine if a
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=42