From 169bd5f56bafc27e34a7800bfa5ffdb982a87fbfccd291863a6d45ac668ad754 Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Mon, 29 Jun 2020 12:40:34 +0000 Subject: [PATCH 1/2] - Remove potentially harmful scriptlet (bsc#1154167). Documented transition case in the maintainer README. Unlikely enough. The versions that have not transitioned yet would be broken for more than two years now. OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=59 --- README.maintainer | 7 +++++++ dehydrated.changes | 8 ++++++++ dehydrated.spec | 1 - 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.maintainer b/README.maintainer index ab0db12..a3bd5f0 100644 --- a/README.maintainer +++ b/README.maintainer @@ -160,6 +160,13 @@ Limitations & Ceveats will be executed by the cron script / systemd timer *after* an update run has been performed. +Upgrade Notes +============= + +If you are upgrading from letsencrypt.sh, note that you need to move +/etc/letsencrypt.sh to /etc/dehydrated and chown it to the "dehydrated" +user. + Links ===== diff --git a/dehydrated.changes b/dehydrated.changes index 713414a..f6d26b7 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Mon Jun 29 12:38:31 UTC 2020 - Daniel Molkentin + +- Remove potentially harmful scriptlet (bsc#1154167). Documented + transition case in the maintainer README. Unlikely enough. The + versions that have not transitioned yet would be broken for more + than two years now. + ------------------------------------------------------------------- Wed May 6 12:34:56 UTC 2020 - Daniel Molkentin diff --git a/dehydrated.spec b/dehydrated.spec index a82fba4..b6215a6 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -146,7 +146,6 @@ This adds a configuration file for dehydrated's acme-challenge to nginx. getent group %{_user} >/dev/null || %{_sbindir}/groupadd -r %{_user} getent passwd %{_user} >/dev/null || %{_sbindir}/useradd -g %{_user} \ -s /bin/false -r -c "%{_user}" -d %{_home} %{_user} -if [ -d %{_sysconfdir}/letsencrypt.sh ]; then mv %{_sysconfdir}/letsencrypt.sh %{_sysconfdir}/dehydrated; chown -R %{_user} %{_sysconfdir}/dehydrated; fi if [ -e %{_sysconfdir}/dehydrated/config.sh ]; then mv %{_sysconfdir}/dehydrated/config.sh %{_sysconfdir}/dehydrated/config; fi %if %{with systemd} From 2ae092d676bccfac123021e47575db01f2032d812001ea521083aef48fdaf289 Mon Sep 17 00:00:00 2001 From: Daniel Molkentin Date: Mon, 29 Jun 2020 12:45:22 +0000 Subject: [PATCH 2/2] - Update maintainer file and package description, remove features that are better described in the (maintained) man page. OBS-URL: https://build.opensuse.org/package/show/security:dehydrated/dehydrated?expand=0&rev=60 --- README.maintainer | 1 - dehydrated.changes | 6 ++++++ dehydrated.spec | 9 +-------- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/README.maintainer b/README.maintainer index a3bd5f0..7f5c945 100644 --- a/README.maintainer +++ b/README.maintainer @@ -150,7 +150,6 @@ where should be the name of the first column in domains.txt Limitations & Ceveats ===================== -* It is currently not possible to aqcuire Wildcard certificates * No EV- or OV-validated certificates * Certificates expire within weeks, not years. This is by design. Ensure that certificate renewal works and that daemons get reloaded frequently to pick diff --git a/dehydrated.changes b/dehydrated.changes index f6d26b7..ae59675 100644 --- a/dehydrated.changes +++ b/dehydrated.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Jun 29 12:41:48 UTC 2020 - Daniel Molkentin + +- Update maintainer file and package description, remove features + that are better described in the (upstream maintained) man page. + ------------------------------------------------------------------- Mon Jun 29 12:38:31 UTC 2020 - Daniel Molkentin diff --git a/dehydrated.spec b/dehydrated.spec index b6215a6..2c9ef29 100644 --- a/dehydrated.spec +++ b/dehydrated.spec @@ -108,14 +108,7 @@ It uses the openssl utility for everything related to actually handling keys and certificates, so you need to have that installed. Other dependencies are: curl, sed, grep, mktemp (all found on almost -any system, curl being the only exception) - -Current features: - -* Signing of a list of domains -* Signing of a CSR -* Renewal if a certificate is about to expire or SAN (subdomains) changed -* Certificate revocation +any system, curl being the only exception). %package %{_apache} Summary: Apache Integration for dehydrated