- update to 2.0.10
- Fix compiling on Alpine Linux.
- Stop printf compiler warning on Alpine Linux due to rlim_t.
- manpage cosmetic.
- Fix removing snmpd read threads when snmpd becomes unavailable.
- Update to support libipset version 7.
- Use ipset_printf for ipset messages so can go to log.
- When opening files for write, ensure files can only be read by
root. Issue #1048 referred to CVE-2018-19046 regarding files
used for debugging purposes could potentially be read by non
root users. This commit ensures that such log files cannot be
opened by non root users.
- Disable fopen_safe() append mode by default. If a non privileged
user creates /tmp/keepalived.log and has it open for read (e.g.
tail -f), then even though keepalived will change the owner to
root and remove all read/write permissions from non owners, the
application which already has the file open will be able to
read the added log entries. Accordingly, opening a file in
append mode is disabled by default, and only enabled if
--enable-smtp-alert-debug or --enable-log-file (which are
debugging options and unset by default) are enabled. This
should further alleviate security concerns related to
CVE-2018-19046.
- vrrp: add support to constant time memcmp. Just an update to
use best practice security design pattern. While comparing
password or hmac you need to ensure comparison function is time
constant in order to fight against any timing attacks. We turn
off potential compiler optimizations for this particular
function to avoid any short circuit.
- Make sure a non privileged user cannot read keepalived file
output. Ensure that when a file such as /tmp/keepalived.data is
written, no non privileged user can have a previous version of that
file already open, thereby allowing them to read the data.
This should fully resolve CVE-2018-19046.
- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
update
OBS-URL: https://build.opensuse.org/request/show/652406
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=48
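Added example (not keepalived's code and not part of this changelog): one way to get the property the CVE-2018-19046 entries above describe is to write to a freshly created 0600 file and rename it over the target, so a descriptor opened earlier on the old file never sees the new data; append mode cannot offer this because it reuses the existing inode. The helper name open_fresh_private() and the demo directory under /tmp are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not keepalived's fopen_safe(): open `path` for
 * writing on a brand-new inode that only the owner can read. */
FILE *open_fresh_private(const char *path)
{
    char tmp[PATH_MAX];
    FILE *fp = NULL;
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", path);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return NULL;
    int fd = mkstemp(tmp);                    /* exclusive create, new inode */
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_IRUSR | S_IWUSR) == 0 && /* force 0600 explicitly */
        rename(tmp, path) == 0)               /* atomically replace old name */
        fp = fdopen(fd, "w");
    if (!fp) {
        unlink(tmp);                          /* harmless if already renamed */
        close(fd);
    }
    return fp;
}

/* Constructed demo: the file already exists and is held open for reading.
 * Returns 1 if that descriptor sees no new data and the new file is 0600. */
int demo_stale_reader_sees_nothing(void)
{
    char dir[] = "/tmp/fresh-demo.XXXXXX", path[PATH_MAX], buf[16];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/keepalived.data", dir);
    int pre = open(path, O_CREAT | O_WRONLY, 0666);  /* pre-existing file */
    int reader = open(path, O_RDONLY);               /* e.g. a running tail -f */
    FILE *fp = open_fresh_private(path);
    if (pre < 0 || reader < 0 || !fp)
        return -1;
    fputs("secret state\n", fp); fclose(fp);
    ssize_t got = read(reader, buf, sizeof buf);     /* still the old inode */
    int ok = stat(path, &st) == 0 && got == 0 && (st.st_mode & 0777) == 0600;
    close(pre); close(reader); unlink(path); rmdir(dir);
    return ok;
}
```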
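Added example (not keepalived's code): the vrrp constant-time memcmp entry above, shown as an early-exit compare next to a constant-time one, with a step counter standing in for elapsed time. It uses volatile reads rather than disabling optimisation for the function; the function names, the 8-byte AUTH_LEN field and the sample values are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_LEN 8   /* assumed fixed-width auth field (VRRPv2 uses 8 octets) */

/* Early-exit compare: *steps (bytes examined) depends on where the first
 * mismatch is, which is what a timing measurement recovers. */
int leaky_cmp(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        *steps = i + 1;
        if (a[i] != b[i])
            return 1;
    }
    return 0;
}

/* Constant-time compare: always touches all n bytes and folds every
 * difference into one accumulator. The volatile reads keep the compiler
 * from reintroducing a short circuit. */
int ct_cmp(const unsigned char *a, const unsigned char *b, size_t n, size_t *steps)
{
    const volatile unsigned char *pa = a, *pb = b;
    unsigned char diff = 0;
    for (*steps = 0; *steps < n; (*steps)++)
        diff |= pa[*steps] ^ pb[*steps];
    return diff != 0;
}

/* Compare a received auth field with the configured password, both as
 * zero-padded AUTH_LEN-byte fields so the length compared is never secret. */
int auth_ok(const unsigned char received[AUTH_LEN], const char *configured)
{
    unsigned char want[AUTH_LEN];
    size_t steps, len = strlen(configured);
    memset(want, 0, AUTH_LEN);
    memcpy(want, configured, len < AUTH_LEN ? len : AUTH_LEN);
    return ct_cmp(received, want, AUTH_LEN, &steps) == 0;
}

/* Constructed inputs differing in the first byte; returns bytes examined. */
size_t steps_on_early_mismatch(int constant_time)
{
    const unsigned char a[AUTH_LEN] = "Aaaaaaa", b[AUTH_LEN] = "Baaaaaa";
    size_t steps;
    if (constant_time) ct_cmp(a, b, AUTH_LEN, &steps); else leaky_cmp(a, b, AUTH_LEN, &steps);
    return steps;
}
```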
* Improve and fix use of getopt_long().
We mustn't use a long option val of 1, since getopt_long() can return
that value.
getopt_long() also returns longindex == 0 when there is no matching
long option, and there needs to be careful checking if there is an
error to work out whether a long or short option was used, which is
needed for meaningful error messages.
* Write assert() messages to syslog.
assert()s are nasty things, but at least let's get the benefit of
them, and write the messages to syslog, rather than losing them down
stderr.
* Enable sorry server at startup if quorum down due to alpha mode
If alpha mode is configured on sufficient checkers so that a
virtual server doesn't have a quorum, we need to add the sorry
server at startup, otherwise it won't be added until a quorum has
been achieved and subsequently lost again. In the case where some
of the checkers remain in the down state at startup, this would have
meant that the sorry server never got added.
* For virtual servers, ensure quorum <= number of real servers
If the quorum were higher than the number of real servers, the
quorum for the real server to come up could never be achieved, so
if the quorum is greater than the number of real servers, reduce it
to the number of real servers.
* Fix some SNMP keepalived checker integer types and default values.
Some virtual server and real server values were being sent to SNMP
with a signed type whereas the value is unsigned, so set the type
field correctly.
Some virtual server and real server values that apply to checkers
are set to nonsense default values in order to determine if a
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=42
- update to 1.4.0
* Add Linux build and runtime versions to -v output.
* Log kernel version and build kernel version to log at startup.
* Don't sleep for 1 second when exiting vrrp process if no vrrp instances.
* With large configurations the syslog can get flooded and drop output.
This commit adds options to not log to syslog, and also to log all
output to files.
* Add option to only flush log files before forking.
* Don't poll netlink for all interfaces each time add a VMAC.
We can poll for the individual interface details which significantly
reduces what we have to process.
* Print interface details in keepalived.data output.
* Add high performance child finder code.
The code to find the relevant thread to execute after a child process
(either a vrrp track script or a misc_check healthchecker) was doing
a linear search for the matching pid, which if there are a large number
of child processes running could become time consuming.
The code now will enable high performance child finding, based on using
mlists hashed by the pid, if there are 32 or more vrrp track scripts or
misc check healthcheckers. The size of the mlist is based on the number
of scripts, with a limit of 256.
* Improve high performance child termination timeout code.
* Preserve filename in script path name resolution.
Some executables change their behaviour depending on the name by
which they are invoked (e.g. /usr/sbin/pidof when it is a link to
/usr/sbin/killall5). Using realpath() changes the file name part
if it is a symbolic link. This commit resolves all symbolic links
to directories, but leaves the file name part unaltered. It then
checks the security of both the path to the link and the path to
the real file.
OBS-URL: https://build.opensuse.org/request/show/563827
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=38
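Added example (not keepalived's code): the script path entry above, resolving symbolic links in the directory part with realpath() while leaving the file name as invoked. resolve_keep_name() and the temporary tree are assumptions; the security check of both paths that the entry mentions is not shown.

```c
#define _XOPEN_SOURCE 700
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: resolve symlinks in the directory part only and keep
 * the final name as invoked. out must hold PATH_MAX bytes; 0 on success. */
int resolve_keep_name(const char *path, char *out)
{
    char d[PATH_MAX], b[PATH_MAX], dir[PATH_MAX];
    if (strlen(path) >= PATH_MAX)
        return -1;
    strcpy(d, path);                 /* dirname()/basename() may modify input */
    strcpy(b, path);
    if (!realpath(dirname(d), dir))
        return -1;
    int n = snprintf(out, PATH_MAX, "%s/%s", strcmp(dir, "/") ? dir : "", basename(b));
    return (n > 0 && n < PATH_MAX) ? 0 : -1;
}

/* Constructed tree: link -> real (directory), real/pidof -> killall5.
 * Returns 1 if "link/pidof" keeps the name pidof under the real directory
 * while plain realpath() rewrites it to killall5. */
int demo_invoked_name_survives(void)
{
    char t[] = "/tmp/kpath.XXXXXX", base[PATH_MAX], kept[PATH_MAX], full[PATH_MAX];
    if (!mkdtemp(t) || !realpath(t, base) || chdir(base) != 0)
        return -1;
    int ok = mkdir("real", 0700) == 0 && symlink("real", "link") == 0
          && symlink("killall5", "real/pidof") == 0;
    FILE *f = fopen("real/killall5", "w");
    if (f) fclose(f);
    ok = ok && f && resolve_keep_name("link/pidof", kept) == 0
            && realpath("link/pidof", full);
    size_t n = strlen(base);
    ok = ok && strncmp(kept, base, n) == 0 && strcmp(kept + n, "/real/pidof") == 0
            && strcmp(full + n, "/real/killall5") == 0;
    unlink("real/pidof"); unlink("real/killall5"); unlink("link");
    rmdir("real");
    if (chdir("/") != 0) return -1;
    rmdir(base);
    return ok;
}
```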
- fix building with libnfnetlink. the additional include path needs
to be in CPPFLAGS instead of CFLAGS now.
- enabled a few more features:
- enhanced snmp support (V2/V3 RFC)
- make sure we build with ipset/libiptc and routes support
- prepared dbus support: waiting for boo#1015141
- update 1.3.2
- Security focused on notify helpers. Some minor fix and
extensions.
- changes from 1.3.1
- Quick script fix for regression brought by last release.
- changes from 1.3.0
- New MAJOR release with stabilization fixes. Support to DBus.
Conf extensions. Parser error log. Security extensions to run
scripts more secure.
- changes from 1.2.24
- MAJOR release with stabilization fixes and new features like
support to network namespace.
Refer to /usr/share/doc/packages/keepalived/ChangeLog
for more infos.
OBS-URL: https://build.opensuse.org/request/show/445445
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=29
- update to 1.2.22
Some VRRP fixes. Refer to ChangeLog for more infos.
- update to 1.2.21
Some fixes for last major release 1.2.20. Extensions on vrrp
framework. Refer to ChangeLog for more infos.
- update to 1.2.20
BUNCH of extensions, fixes, cleanup & production considerations.
Distro packages maintainers are strongly encouraged to upgrade.
- new BR libnfnetlink-devel
- we no longer ship the VRRP-MIB
OBS-URL: https://build.opensuse.org/request/show/407252
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=25
latest version and systemd support
- updated to latest upstream version 1.2.12
+ Fix reallocation issue introduced in last merge.
+ Fix some minor memory leaks.
+ Better libnl support and selection.
+ VRRP unicast TTL fix.
+ Support to newer libnl.
+ More IPv6 support.
+ Fix/extend VRRP gratuitous ARP handling.
+ Support xmit VRRP packets from base VMAC interface.
+ VRRP multicast group tweaking.
+ Fixed VRRP socket sync while leaving FAULT state.
+ Code cleanup and cosmetics.
OBS-URL: https://build.opensuse.org/request/show/221839
OBS-URL: https://build.opensuse.org/package/show/network/keepalived?expand=0&rev=6