New version 2.6.3

- Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 - kea.conf: Remove /tmp/ from socket-name for existing configurations - kea.conf: Set pseudo-random password for default config to secure fresh install and allow CA startup without user intervention - kea.conf: Restrict directory permissions - Sync service files with upstream - Fix leases ownership when switching from root to kea user Resolves: RHEL-91447 Resolves: RHEL-92741 Resolves: RHEL-95234
2025-06-04 13:11:55 +02:00 · 2025-06-04 13:11:55 +02:00 · 1bdd2ce762
commit 1bdd2ce762
parent b4b056f482
7 changed files with 123 additions and 64 deletions
--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@ -7,9 +7,23 @@ After=time-sync.target

 [Service]
 User=kea
+Environment="KEA_PIDFILE_DIR=/run/kea"
+Environment="KEA_LOCKFILE_DIR=/run/kea"
+#Environment="KEA_LOGGER_DESTINATION=/var/log/kea/early-startup.log"
+Environment="KEA_DHCP_DATA_DIR=/var/lib/kea"
+Environment="KEA_LOG_FILE_DIR=/var/log/kea"
+Environment="KEA_CONTROL_SOCKET_DIR=/run/kea"
+ConfigurationDirectory=kea
+ConfigurationDirectoryMode=0750
+RuntimeDirectory=kea
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0750
+LogsDirectory=kea
+LogsDirectoryMode=0750
+StateDirectory=kea
+StateDirectoryMode=0750
 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
-Environment=KEA_PIDFILE_DIR=/var/run/kea
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/usr/bin/kill -HUP $MAINPID
 Restart=on-failure

 [Install]
--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@ -8,9 +8,23 @@ After=time-sync.target
 [Service]
 User=kea
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment="KEA_PIDFILE_DIR=/run/kea"
+Environment="KEA_LOCKFILE_DIR=/run/kea"
+#Environment="KEA_LOGGER_DESTINATION=/var/log/kea/early-startup.log"
+Environment="KEA_DHCP_DATA_DIR=/var/lib/kea"
+Environment="KEA_LOG_FILE_DIR=/var/log/kea"
+Environment="KEA_CONTROL_SOCKET_DIR=/run/kea"
+ConfigurationDirectory=kea
+ConfigurationDirectoryMode=0750
+RuntimeDirectory=kea
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0750
+LogsDirectory=kea
+LogsDirectoryMode=0750
+StateDirectory=kea
+StateDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
-Environment=KEA_PIDFILE_DIR=/var/run/kea
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/usr/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@ -8,9 +8,23 @@ After=time-sync.target
 [Service]
 User=kea
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+Environment="KEA_PIDFILE_DIR=/run/kea"
+Environment="KEA_LOCKFILE_DIR=/run/kea"
+#Environment="KEA_LOGGER_DESTINATION=/var/log/kea/early-startup.log"
+Environment="KEA_DHCP_DATA_DIR=/var/lib/kea"
+Environment="KEA_LOG_FILE_DIR=/var/log/kea"
+Environment="KEA_CONTROL_SOCKET_DIR=/run/kea"
+ConfigurationDirectory=kea
+ConfigurationDirectoryMode=0750
+RuntimeDirectory=kea
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0750
+LogsDirectory=kea
+LogsDirectoryMode=0750
+StateDirectory=kea
+StateDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
-Environment=KEA_PIDFILE_DIR=/var/run/kea
-ExecReload=kill -HUP $MAINPID
+ExecReload=/usr/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
@ -8,9 +8,23 @@ After=time-sync.target
 [Service]
 User=kea
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment="KEA_PIDFILE_DIR=/run/kea"
+Environment="KEA_LOCKFILE_DIR=/run/kea"
+#Environment="KEA_LOGGER_DESTINATION=/var/log/kea/early-startup.log"
+Environment="KEA_DHCP_DATA_DIR=/var/lib/kea"
+Environment="KEA_LOG_FILE_DIR=/var/log/kea"
+Environment="KEA_CONTROL_SOCKET_DIR=/run/kea"
+ConfigurationDirectory=kea
+ConfigurationDirectoryMode=0750
+RuntimeDirectory=kea
+RuntimeDirectoryPreserve=yes
+RuntimeDirectoryMode=0750
+LogsDirectory=kea
+LogsDirectoryMode=0750
+StateDirectory=kea
+StateDirectoryMode=0750
 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
-Environment=KEA_PIDFILE_DIR=/var/run/kea
-ExecReload=/bin/kill -HUP $MAINPID
+ExecReload=/usr/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea.spec
+++ b/kea.spec
@ -1,5 +1,5 @@
 Name:           kea
-Version:        2.6.1
+Version:        2.6.3
 Release:        %autorelease
 Summary:        DHCPv4, DHCPv6 and DDNS server from ISC

@ -44,25 +44,18 @@ BuildRequires: boost-devel
 BuildRequires: gcc-c++
 # %%configure --with-openssl
 BuildRequires: openssl-devel
-%if 0%{?fedora} > 40
+%if 0%{?fedora}
 # https://bugzilla.redhat.com/show_bug.cgi?id=2300868#c4
 BuildRequires: openssl-devel-engine
 %endif
-%if 0%{?fedora} || 0%{?rhel} > 7
-# %%configure --with-mysql
-BuildRequires: mariadb-connector-c-devel
 # %%configure --with-pgsql
-%if 0%{?fedora} > 40 || 0%{?rhel} > 9
+%if 0%{?fedora} || 0%{?rhel} > 9
 BuildRequires: libpq-devel
 %else
 BuildRequires: postgresql-server-devel
 %endif
-%else
 # %%configure --with-mysql
-BuildRequires: mariadb-devel
-# %%configure --with-pgsql
-BuildRequires: postgresql-devel
-%endif
+BuildRequires: mariadb-connector-c-devel
 BuildRequires: log4cplus-devel
 %if %{with sysrepo}
 # %%configure --with-sysrepo
@ -255,36 +248,32 @@ find %{buildroot} -type f -name "*.la" -delete -print
 rm %{buildroot}%{_mandir}/man8/kea-netconf.8
 %endif

+rm -f %{buildroot}%{_pkgdocdir}/COPYING
+rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
+
+# Create empty password file for the Kea Control Agent
+install -m 0640 /dev/null %{buildroot}%{_sysconfdir}/kea/kea-api-password
+
 # Install systemd units
 install -Dpm 0644 %{S:11} %{buildroot}%{_unitdir}/kea-dhcp4.service
 install -Dpm 0644 %{S:12} %{buildroot}%{_unitdir}/kea-dhcp6.service
 install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
 install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service

-# systemd-sysusers
-install -p -D -m 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
-
 # Start empty lease databases
 mkdir -p %{buildroot}%{_sharedstatedir}/kea/
 touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
 touch %{buildroot}%{_sharedstatedir}/kea/kea-leases6.csv

-rm -f %{buildroot}%{_pkgdocdir}/COPYING
-rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
-
-mkdir -p %{buildroot}/run
-install -dm 0755 %{buildroot}/run/kea/
-
+# Install systemd sysusers and tmpfiles configs
+install -Dpm 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
 install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf

-# Create log dir /var/log/kea for logging, since kea user can't create log files in /var/log
-mkdir -p %{buildroot}%{_localstatedir}/log/kea
-sed -i -e 's|log\/|log\/kea\/|g' \
-    %{buildroot}%{_sysconfdir}/kea/kea-dhcp4.conf \
-    %{buildroot}%{_sysconfdir}/kea/kea-dhcp6.conf \
-    %{buildroot}%{_sysconfdir}/kea/kea-dhcp-ddns.conf \
-    %{buildroot}%{_sysconfdir}/kea/kea-ctrl-agent.conf
-#    %{buildroot}%{_sysconfdir}/kea/kea-netconf.conf  # TODO: no support for netconf/sysconf yet
+mkdir -p %{buildroot}%{_rundir}
+install -dm 0750 %{buildroot}%{_rundir}/kea/
+
+mkdir -p %{buildroot}%{_localstatedir}/log
+install -dm 0750 %{buildroot}%{_localstatedir}/log/kea/


 %pre
@ -295,14 +284,26 @@ sed -i -e 's|log\/|log\/kea\/|g' \
 # ownership&permissions won't get changed so fix them to prevent startup failures
 [ "`stat --format '%U:%G' %{_rundir}/kea/logger_lockfile 2>&1 | grep root:root`" = "root:root" ] \
    && chown kea:kea %{_rundir}/kea/logger_lockfile
-[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases4.csv 2>&1 | grep root:root`" = "root:root" ] \
-    && chown kea:kea %{_sharedstatedir}/kea/kea-leases4.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases4.csv
-[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases6.csv 2>&1 | grep root:root`" = "root:root" ] \
-    && chown kea:kea %{_sharedstatedir}/kea/kea-leases6.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases6.csv
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases4.csv* 2>&1 | grep root:root | head -1`" = "root:root" ] \
+    && chown kea:kea %{_sharedstatedir}/kea/kea-leases4.csv* && chmod 0640 %{_sharedstatedir}/kea/kea-leases4.csv*
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases6.csv* 2>&1 | grep root:root | head -1`" = "root:root" ] \
+    && chown kea:kea %{_sharedstatedir}/kea/kea-leases6.csv* && chmod 0640 %{_sharedstatedir}/kea/kea-leases6.csv*
 [ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-dhcp6-serverid 2>&1 | grep root:root`" = "root:root" ] \
    && chown kea:kea %{_sharedstatedir}/kea/kea-dhcp6-serverid
 [ "`stat --format '%U:%G' %{_sysconfdir}/kea/kea*.conf 2>&1 | grep root:root | head -1`" = "root:root" ] \
    && chown root:kea %{_sysconfdir}/kea/kea*.conf && chmod 0640 %{_sysconfdir}/kea/kea*.conf
+
+# Remove /tmp/ from socket-name for existing configurations to fix CVE-2025-32802
+for i in kea-ctrl-agent.conf keactrl.conf kea-dhcp4.conf kea-dhcp6.conf kea-dhcp-ddns.conf; do
+    if [ -n "`grep '\"socket-name\": \"/tmp/' %{_sysconfdir}/kea/$i`" ]; then
+        sed -i.CVE-2025-32802.bak 's#\("socket-name": "/tmp/\)\(.*\)#"socket-name": "\2#g' %{_sysconfdir}/kea/$i
+    fi
+done
+# Set a pseudo-random password for default config to secure fresh install and allow CA startup without user intervention
+if [[ ! -s %{_sysconfdir}/kea/kea-api-password && -n `grep '"password-file": "kea-api-password"' %{_sysconfdir}/kea/kea-ctrl-agent.conf` ]]; then
+    (umask 0027; head -c 32 /dev/urandom | base64 > %{_sysconfdir}/kea/kea-api-password)
+    chown root:kea %{_sysconfdir}/kea/kea-api-password
+fi
 %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

 %preun
@ -327,11 +328,14 @@ sed -i -e 's|log\/|log\/kea\/|g' \
 %{_sbindir}/keactrl
 %{_sbindir}/perfdhcp
 %{_unitdir}/kea*.service
-%dir %{_sysconfdir}/kea/
-%config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/kea*.conf
 %{_datarootdir}/kea
+%dir %attr(0750,root,kea) %{_sysconfdir}/kea/
+%config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/kea*.conf
+%ghost %config(noreplace,missingok) %attr(0640,root,kea) %verify(not md5 size mtime) %{_sysconfdir}/kea/kea-api-password
 %dir %attr(0750,kea,kea) %{_sharedstatedir}/kea
 %config(noreplace) %attr(0640,kea,kea) %{_sharedstatedir}/kea/kea-leases*.csv
+%dir %attr(0750,kea,kea) %{_rundir}/kea/
+%dir %attr(0750,kea,kea) %{_localstatedir}/log/kea
 %{python3_sitelib}/kea
 %{_mandir}/man8/kea-admin.8*
 %{_mandir}/man8/kea-ctrl-agent.8*
@ -345,10 +349,8 @@ sed -i -e 's|log\/|log\/kea\/|g' \
 %{_mandir}/man8/kea-shell.8*
 %{_mandir}/man8/keactrl.8*
 %{_mandir}/man8/perfdhcp.8*
-%dir %attr(0755,kea,kea) %{_rundir}/kea/
 %{_tmpfilesdir}/kea.conf
 %{_sysusersdir}/kea.conf
-%dir %attr(0750,kea,kea) %{_localstatedir}/log/kea

 %files doc
 %dir %{_pkgdocdir}
@ -372,30 +374,31 @@ sed -i -e 's|log\/|log\/kea\/|g' \

 %files libs
 %license COPYING
-# find `rpm --eval %%{_topdir}`/BUILDROOT/kea-*/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort
-%{_libdir}/libkea-asiodns.so.48*
-%{_libdir}/libkea-asiolink.so.71*
+# older: find `rpm --eval %%{_topdir}`/BUILDROOT/kea-*/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort
+# >=f41: find `rpm --eval %%{_topdir}`/BUILD/kea-*/BUILDROOT/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort
+%{_libdir}/libkea-asiodns.so.49*
+%{_libdir}/libkea-asiolink.so.72*
 %{_libdir}/libkea-cc.so.68*
-%{_libdir}/libkea-cfgclient.so.65*
+%{_libdir}/libkea-cfgclient.so.66*
 %{_libdir}/libkea-cryptolink.so.50*
-%{_libdir}/libkea-d2srv.so.46*
-%{_libdir}/libkea-database.so.61*
-%{_libdir}/libkea-dhcp_ddns.so.56*
-%{_libdir}/libkea-dhcp++.so.90*
-%{_libdir}/libkea-dhcpsrv.so.109*
-%{_libdir}/libkea-dns++.so.56*
+%{_libdir}/libkea-d2srv.so.47*
+%{_libdir}/libkea-database.so.62*
+%{_libdir}/libkea-dhcp_ddns.so.57*
+%{_libdir}/libkea-dhcp++.so.92*
+%{_libdir}/libkea-dhcpsrv.so.111*
+%{_libdir}/libkea-dns++.so.57*
 %{_libdir}/libkea-eval.so.69*
 %{_libdir}/libkea-exceptions.so.33*
-%{_libdir}/libkea-hooks.so.98*
-%{_libdir}/libkea-http.so.71*
+%{_libdir}/libkea-hooks.so.100*
+%{_libdir}/libkea-http.so.72*
 %{_libdir}/libkea-log.so.61*
-%{_libdir}/libkea-mysql.so.70*
-%{_libdir}/libkea-pgsql.so.70*
-%{_libdir}/libkea-process.so.72*
+%{_libdir}/libkea-mysql.so.71*
+%{_libdir}/libkea-pgsql.so.71*
+%{_libdir}/libkea-process.so.74*
 %{_libdir}/libkea-stats.so.41*
-%{_libdir}/libkea-tcp.so.18*
+%{_libdir}/libkea-tcp.so.19*
 %{_libdir}/libkea-util-io.so.0*
-%{_libdir}/libkea-util.so.84*
+%{_libdir}/libkea-util.so.86*

 %files keama
 %license COPYING
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-SHA512 (kea-2.6.1.tar.gz) = 23a4c431117097538a15afd8a28016b49db5490f866aa03abd2bdfef5eaab5031491320acdf3097899d4b071cccff4b53c032ff076b13cab853e063aaa2810ec
-SHA512 (kea-2.6.1.tar.gz.asc) = 66681f183141832011c63b3b18b21b2b8a577ab1c61d14888df4bbbcdd757a0772c21fc73779a218c36e2f4d31ef4a82f04fe4e71b101da223e906065bafe6c3
+SHA512 (kea-2.6.3.tar.gz) = d7781c0b95529bfe89c19615c1dd5952fd4c4b60274e187a641992dad81ef5af921dfb15050ec43169a0c2ad267639642b2e294c5d43405f85a5fb11bb1a939a
+SHA512 (kea-2.6.3.tar.gz.asc) = ceb5771c7e8533ed93103a6d3ed9a616ffeec0c8d4feb697e3514d1be90993f8a3255c96990be96b2698b708abadbe7a42cd87a80326f376a1d450dc226a12e0
 SHA512 (keama-4.5.0.tar.gz) = 2e48987e21999718be7ceb5b604be672c84666b07dde9545285ff7146ab6825e81af1ec3b5a4b50f20e61b40ed11b0254e3705cc580bb85de24b77ee8cbca162
 SHA512 (keama-4.5.0.tar.gz.asc) = 8ec416e44e143037a6936682d1e11b96c1a48be05f3e747e7a26b190e1f11c75104ef16c23eda9b257433b8de5a73c081b65fd903b611d8faa9c4b3b47702763
--- a/systemd-tmpfiles.conf
+++ b/systemd-tmpfiles.conf
@ -1,4 +1,4 @@
 # kea needs existing /run/kea/ to create logger_lockfile and pidfile there
 # See tmpfiles.d(5) for details

-d /run/kea 0755 kea kea -
+d /run/kea 0750 kea kea -