rpms/kea
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import OL kea-3.0.1-2.el10_1

Browse Source
This commit is contained in:
eabdullin 2025-12-04 08:12:08 +00:00
parent 193b4251f0
commit e06ae9f49f
11 changed files with 543 additions and 170 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
kea-2.6.3.tar.gz
kea-3.0.1.tar.xz
keama-4.5.0.tar.gz

180
CVE-2025-11232.patch Normal file
View File

@ -0,0 +1,180 @@
diff --git a/src/bin/dhcp4/dhcp4_messages.mes b/src/bin/dhcp4/dhcp4_messages.mes
index 1deb2e6074..b359d09616 100644
--- a/src/bin/dhcp4/dhcp4_messages.mes
+++ b/src/bin/dhcp4/dhcp4_messages.mes
@@ -164,6 +164,20 @@ This debug message is issued when the server starts processing the Hostname
option sent in the client's query. The argument includes the client and
transaction identification information.
+% DHCP4_CLIENT_HOSTNAME_SCRUBBED_EMPTY %1: sanitizing client's Hostname option '%2' yielded an empty string
+Logged at debug log level 50.
+This debug message is issued when the result of sanitizing the
+hostname option(12) sent by the client is an empty string. When this occurs
+the server will ignore the hostname option. The arguments include the
+client and the hostname option it sent.
+
+% DHCP4_CLIENT_FQDN_SCRUBBED_EMPTY %1: sanitizing client's FQDN option '%2' yielded an empty string
+Logged at debug log level 50.
+This debug message is issued when the result of sanitizing the
+FQDN option(81) sent by the client is an empty string. When this occurs
+the server will ignore the FQDN option. The arguments include the
+client and the FQDN option it sent.
+
% DHCP4_CLIENT_NAME_PROC_FAIL %1: failed to process the fqdn or hostname sent by a client: %2
Logged at debug log level 55.
This debug message is issued when the DHCP server was unable to process the
diff --git a/src/bin/dhcp4/dhcp4_srv.cc b/src/bin/dhcp4/dhcp4_srv.cc
index 0701ed41e9..a6be662889 100644
--- a/src/bin/dhcp4/dhcp4_srv.cc
+++ b/src/bin/dhcp4/dhcp4_srv.cc
@@ -2714,8 +2714,15 @@ Dhcpv4Srv::processClientFqdnOption(Dhcpv4Exchange& ex) {
} else {
// Adjust the domain name based on domain name value and type sent by the
// client and current configuration.
- d2_mgr.adjustDomainName<Option4ClientFqdn>(*fqdn, *fqdn_resp,
- *(ex.getContext()->getDdnsParams()));
+ try {
+ d2_mgr.adjustDomainName<Option4ClientFqdn>(*fqdn, *fqdn_resp,
+ *(ex.getContext()->getDdnsParams()));
+ } catch (const FQDNScrubbedEmpty& scrubbed) {
+ LOG_DEBUG(ddns4_logger, DBG_DHCP4_DETAIL, DHCP4_CLIENT_FQDN_SCRUBBED_EMPTY)
+ .arg(ex.getQuery()->getLabel())
+ .arg(scrubbed.what());
+ return;
+ }
}
// Add FQDN option to the response message. Note that, there may be some
@@ -2857,7 +2864,15 @@ Dhcpv4Srv::processHostnameOption(Dhcpv4Exchange& ex) {
ex.getContext()->getDdnsParams()->getHostnameSanitizer();
if (sanitizer) {
- hostname = sanitizer->scrub(hostname);
+ auto tmp = sanitizer->scrub(hostname);
+ if (tmp.empty()) {
+ LOG_DEBUG(ddns4_logger, DBG_DHCP4_DETAIL, DHCP4_CLIENT_HOSTNAME_SCRUBBED_EMPTY)
+ .arg(ex.getQuery()->getLabel())
+ .arg(hostname);
+ return;
+ }
+
+ hostname = tmp;
}
// Convert hostname to lower case.
diff --git a/src/bin/dhcp6/dhcp6_messages.mes b/src/bin/dhcp6/dhcp6_messages.mes
index fff50ed367..79fc984ff5 100644
--- a/src/bin/dhcp6/dhcp6_messages.mes
+++ b/src/bin/dhcp6/dhcp6_messages.mes
@@ -1167,3 +1167,10 @@ such modification. The clients will remember previous server-id, and will
use it to extend their leases. As a result, they will have to go through
a rebinding phase to re-acquire their leases and associate them with a
new server id.
+
+% DHCP6_CLIENT_FQDN_SCRUBBED_EMPTY %1: sanitizing client's FQDN option '%2' yielded an empty string
+Logged at debug log level 50.
+This debug message is issued when the result of sanitizing the
+FQDN option(39) sent by the client is an empty string. When this occurs
+the server will ignore the FQDN option. The arguments include the
+client and the FQDN option it sent.
diff --git a/src/bin/dhcp6/dhcp6_srv.cc b/src/bin/dhcp6/dhcp6_srv.cc
index 417960b126..f999c3178f 100644
--- a/src/bin/dhcp6/dhcp6_srv.cc
+++ b/src/bin/dhcp6/dhcp6_srv.cc
@@ -2332,7 +2332,14 @@ Dhcpv6Srv::processClientFqdn(const Pkt6Ptr& question, const Pkt6Ptr& answer,
} else {
// Adjust the domain name based on domain name value and type sent by
// the client and current configuration.
- d2_mgr.adjustDomainName<Option6ClientFqdn>(*fqdn, *fqdn_resp, *ddns_params);
+ try {
+ d2_mgr.adjustDomainName<Option6ClientFqdn>(*fqdn, *fqdn_resp, *ddns_params);
+ } catch(const FQDNScrubbedEmpty& scrubbed) {
+ LOG_DEBUG(ddns6_logger, DBG_DHCP6_DETAIL, DHCP6_CLIENT_FQDN_SCRUBBED_EMPTY)
+ .arg(question->getLabel())
+ .arg(scrubbed.what());
+ return;
+ }
}
// Once we have the FQDN setup to use it for the lease hostname. This
diff --git a/src/lib/dhcpsrv/d2_client_mgr.cc b/src/lib/dhcpsrv/d2_client_mgr.cc
index 84ee11d9fb..54c815176e 100644
--- a/src/lib/dhcpsrv/d2_client_mgr.cc
+++ b/src/lib/dhcpsrv/d2_client_mgr.cc
@@ -186,10 +186,15 @@ std::string
D2ClientMgr::qualifyName(const std::string& partial_name,
const DdnsParams& ddns_params,
const bool trailing_dot) const {
+ if (partial_name.empty()) {
+ isc_throw(BadValue, "D2ClientMgr::qualifyName"
+ " - partial_name cannot be an empty string");
+ }
+
std::ostringstream gen_name;
gen_name << partial_name;
std::string suffix = ddns_params.getQualifyingSuffix();
- if (!suffix.empty() && partial_name.back() != '.') {
+ if (!suffix.empty() && (partial_name.back() != '.')) {
bool suffix_present = true;
std::string str = gen_name.str();
auto suffix_rit = suffix.rbegin();
@@ -241,7 +246,7 @@ D2ClientMgr::qualifyName(const std::string& partial_name,
// If the trailing dot should not be appended but it is present,
// remove it.
if ((len > 0) && (str[len - 1] == '.')) {
- gen_name.str(str.substr(0,len-1));
+ gen_name.str(str.substr(0, len-1));
}
}
diff --git a/src/lib/dhcpsrv/d2_client_mgr.h b/src/lib/dhcpsrv/d2_client_mgr.h
index 7344f19a40..238fd0a415 100644
--- a/src/lib/dhcpsrv/d2_client_mgr.h
+++ b/src/lib/dhcpsrv/d2_client_mgr.h
@@ -30,6 +30,14 @@
namespace isc {
namespace dhcp {
+/// @brief Exception thrown when host name sanitizing reduces
+/// the domain name to an empty string.
+class FQDNScrubbedEmpty : public Exception {
+public:
+ FQDNScrubbedEmpty(const char* file, size_t line, const char* what) :
+ isc::Exception(file, line, what) { }
+};
+
/// @brief Defines the type for D2 IO error handler.
/// This callback is invoked when a send to kea-dhcp-ddns completes with a
/// failed status. This provides the application layer (Kea) with a means to
@@ -197,6 +205,7 @@ public:
/// suffix itself is empty (i.e. "").
///
/// @return std::string containing the qualified name.
+ /// @throw BadValue if partial_name is empty.
std::string qualifyName(const std::string& partial_name,
const DdnsParams& ddns_params,
const bool trailing_dot) const;
@@ -264,6 +273,9 @@ public:
/// @param ddns_params DDNS behavioral configuration parameters
/// @tparam T FQDN Option class containing the FQDN data such as
/// dhcp::Option4ClientFqdn or dhcp::Option6ClientFqdn
+ ///
+ /// @throw FQDNScrubbedEmpty if hostname sanitizing reduces the input domain
+ /// name to an empty string.
template <class T>
void adjustDomainName(const T& fqdn, T& fqdn_resp,
const DdnsParams& ddns_params);
@@ -515,7 +527,12 @@ D2ClientMgr::adjustDomainName(const T& fqdn, T& fqdn_resp, const DdnsParams& ddn
ss << sanitizer->scrub(label);
}
- client_name = ss.str();
+ std::string clean_name = ss.str();
+ if (clean_name.empty() || clean_name == ".") {
+ isc_throw(FQDNScrubbedEmpty, client_name);
+ }
+
+ client_name = clean_name;
}
// If the supplied name is partial, qualify it by adding the suffix.

16
kea-2.6.3.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmgvfDoACgkQel4ITKyl
GIQKQA/9ExKLzofEhdch9eE9gcRVth2RehqbrJdVE0iPZOGZFnbSKe6KUleyPOgt
g6kympVGO+8ZHbu5BBMc29SpsBXSTAm79ZvLiHVM4EjWaTH0uqZgb3HyNrloIYzX
QW5/TtXVCdDHreH7Giy+Bx3303aMEu2H+hlQpCl2a2LbsvqI9Tv9ytymdHyNWfUy
yCwPzUdE8mi+KJdE0XE/pibZrI1UaQdfsg/ZmLzho3nGbaWMrvbTIgcuqYtTCD+S
Dodv/Bx195rHhecOQ1liNWwAxkeB+9Um6YCstvbpON3uwnwVp+e3T60rHVg5SGqe
66Un7WME5wVZ7nOg1XBijSK7BmyGucPGA+/IBWAdjpU+m7gb2M6quTs6Elyf6p53
AdIq0UX0nN9eo8wa+bme71JOzFive9iR9RtnNhaus6IeMB6lSH7kmrXnDXK2EQQe
x53bYPe+yFL6QeWSFTxlIDj77fqcN9vI20zRkDvWdyG83VzZP6tOS7JTR3dJoToM
4GTRdkJ3maUV/gujx3hR41b1EknlcFW3LUEVV0NqdlU1Qy9fOh/mLwFosuaOPSYx
4WFuT5aIScS7bxQqPSBQ/h2Xn63oUuTch08eGMuTtMs+TdkQuhciXKXpYE3lt1sW
8NNI0M4HqaviUu9SaVg1aGAvJ8pFJQjI8YR9NrK2O3mTcAprNPA=
=inHP
-----END PGP SIGNATURE-----

16
kea-3.0.1.tar.xz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmil4+0ACgkQel4ITKyl
GIRxlg//f+A5yEQ6RKl0DOJfQIKKPZ9SL/2a04q6Gcay2ghUl8LZOiiO98RYicyV
PmrsY/5/nuJmLPRSPKt/pmosfgZUbWK9yuKOoBrfu0KZfQWMX+1ZJIfagY47PCvU
RKtT50+iPOsYZAtuRw8faO8g/rdgl1vMreSIjCPZTG1R4qZkQXNnwhNRV7O3pzsr
wSndDINLvjQoYYbklKpUszoBNppXzBCegzVFjcIjNOSta2U8xEPGQ7sv2JvKkaYf
bVjzKuoEVn0YkkAdf7C7vLotl4UZESNo/w+DcRbrbq/FYpT1R8YWzVAJtqJCVNFI
q0WqlK5/G2/4giAveSWzuX0dnk+OZ5kQrd323Ol6MlM/O4ymkHK7OJrcxLLrEyIC
OnRNWQqVzJddmUTOntvoLk90wJ9yF1jrdM+S3xTpOJzhnfRoFuioZ7njjfGTyskR
Nlt4DX3wGsg0quDQfQJAf1z1qk651/OIF27KThj5jNOPB5eWz4YjJBht9T+eHlcS
kOsNwnKtdZe+KiGeFCsfWU7wOR65w4kQXoH1ruFqVa44ZZKUvzDi4fiJYYfJLedJ
FfBx3c65B0COk+3kOWjAV1F+Zaf0PlrEnb75zbN0O4BrztPL12HhDtjF+CbAuOG2
k4ZpogxZ0Q6MhiQjGFiFMs2PN2FlgiaL2zbKKG/KIjUzPnog60c=
=1ZFT
-----END PGP SIGNATURE-----

1
kea-dhcp4.service
View File

@ -6,6 +6,7 @@ After=network-online.target
After=time-sync.target
[Service]
Type=notify
User=kea
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
Environment="KEA_PIDFILE_DIR=/run/kea"

1
kea-dhcp6.service
View File

@ -6,6 +6,7 @@ After=network-online.target
After=time-sync.target
[Service]
Type=notify
User=kea
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="KEA_PIDFILE_DIR=/run/kea"

30
kea-gtest.patch
View File

@ -1,30 +0,0 @@
diff --git a/m4macros/ax_gtest.m4 b/m4macros/ax_gtest.m4
index 138a03f..80ebb98 100644
--- a/m4macros/ax_gtest.m4
+++ b/m4macros/ax_gtest.m4
@@ -173,9 +173,9 @@ if test "x$enable_gtest" = "xyes" ; then
for dir in $GTEST_PATHS; do
if test -f "$dir/include/gtest/gtest.h"; then
if test -f "$dir/lib/libgtest.a" || \
- test -f "$dir/lib/libgtest.so"; then
+ test -f "$dir/lib64/libgtest.so"; then
GTEST_INCLUDES="-I$dir/include"
- GTEST_LDFLAGS="-L$dir/lib"
+ GTEST_LDFLAGS="-L$dir/lib64"
GTEST_LDADD="-lgtest"
GTEST_FOUND="true"
AC_MSG_RESULT([$dir/lib])
diff --git a/src/lib/util/tests/pid_file_unittest.cc b/src/lib/util/tests/pid_file_unittest.cc
index 5f00d72..583a35b 100644
--- a/src/lib/util/tests/pid_file_unittest.cc
+++ b/src/lib/util/tests/pid_file_unittest.cc
@@ -181,7 +181,8 @@ TEST_F(PIDFileTest, pidGarbage) {
}
/// @brief Test failing to write a file.
-TEST_F(PIDFileTest, pidWriteFail) {
+/// Fails to fail for root, it doesn't throw PIDFileError exception.
+TEST_F(PIDFileTest, DISABLED_pidWriteFail) {
PIDFile pid_file(absolutePath(TESTNAME));
// Create the test file and change it's permission bits

13
kea-openssl-version.patch
View File

@ -1,13 +0,0 @@
diff --git a/m4macros/ax_crypto.m4 b/m4macros/ax_crypto.m4
index e1b43f8..a3a2c84 100644
--- a/m4macros/ax_crypto.m4
+++ b/m4macros/ax_crypto.m4
@@ -258,7 +258,7 @@ then
else
CRYPTO_NAME="OpenSSL"
DISABLED_CRYPTO="Botan"
- CRYPTO_PACKAGE="openssl-1.1.0"
+ CRYPTO_PACKAGE="openssl"
DISTCHECK_CRYPTO_CONFIGURE_FLAG="--with-openssl=${use_openssl}"
AC_DEFINE_UNQUOTED([WITH_OPENSSL], [], [Compile with OpenSSL crypto])
AC_MSG_CHECKING(for OpenSSL library)

189
kea-sd-daemon.patch Normal file
View File

@ -0,0 +1,189 @@
diff --git a/config-report.sh.in b/config-report.sh.in
index 1af984e..ddd4b62 100755
--- a/config-report.sh.in
+++ b/config-report.sh.in
@@ -105,6 +105,18 @@ Netconf: no
HERE_DOCUMENT
fi
+if test '@HAVE_LIBSYSTEMD_DAEMON@' != 'no'; then
+add_to_report <<HERE_DOCUMENT
+Systemd: yes
+
+HERE_DOCUMENT
+else
+add_to_report <<HERE_DOCUMENT
+Systemd: no
+
+HERE_DOCUMENT
+fi
+
if test '@HAVE_GTEST@' != 'no'; then
add_to_report <<HERE_DOCUMENT
Google Test: @GTEST_VERSION@
diff --git a/config.h.in b/config.h.in
index 42ccf28..cc6354a 100644
--- a/config.h.in
+++ b/config.h.in
@@ -52,6 +52,9 @@
/* Check valgrind headers */
#mesondefine HAVE_VALGRIND_HEADERS
+/* Support for systemd notification through sd_notify() enabled */
+#mesondefine HAVE_LIBSYSTEMD_DAEMON
+
/* Whether libc is musl */
#mesondefine LIBC_MUSL
diff --git a/meson.build b/meson.build
index 66e7fd0..dc86d89 100644
--- a/meson.build
+++ b/meson.build
@@ -100,6 +100,7 @@ krb5_opt = get_option('krb5')
mysql_opt = get_option('mysql')
netconf_opt = get_option('netconf')
postgresql_opt = get_option('postgresql')
+systemd_opt = get_option('systemd')
FUZZ_OPT = get_option('fuzz')
TESTS_OPT = get_option('tests')
@@ -297,6 +298,13 @@ if netconf_opt.allowed()
endif
endif
+# Systemd
+SYSTEMD_DEP = disabler()
+if systemd_opt.enabled()
+ SYSTEMD_DEP = dependency('libsystemd')
+ conf_data.set('HAVE_LIBSYSTEMD_DAEMON', true)
+endif
+
# Google Test
GTEST_DEP = dependency(
'gtest',
@@ -867,6 +875,11 @@ else
report_conf_data.set('SYSREPOCPP_VERSION', 'no')
report_conf_data.set('SYSREPOCPP_PREFIX', 'no')
endif
+if SYSTEMD_DEP.found()
+ report_conf_data.set('HAVE_LIBSYSTEMD_DAEMON', 'yes')
+else
+ report_conf_data.set('HAVE_LIBSYSTEMD_DAEMON', 'no')
+endif
if FUZZ_OPT.enabled() or TESTS_OPT.enabled()
report_conf_data.set('HAVE_GTEST', 'yes')
version = GTEST_DEP.version()
diff --git a/meson.options b/meson.options
index 5c222d5..3ecd2e1 100644
--- a/meson.options
+++ b/meson.options
@@ -27,6 +27,7 @@ option(
type: 'feature',
description: 'Support for PostgreSQL backends.',
)
+option('systemd', type: 'feature', description: 'Support for systemd notification through sd_notify().')
# Options for enabling testing code (not real features).
option(
diff --git a/src/bin/dhcp4/main.cc b/src/bin/dhcp4/main.cc
index 4f88e29..5581b7a 100644
--- a/src/bin/dhcp4/main.cc
+++ b/src/bin/dhcp4/main.cc
@@ -24,6 +24,10 @@
#include <iostream>
+#ifdef HAVE_LIBSYSTEMD_DAEMON
+#include <systemd/sd-daemon.h>
+#endif
+
using namespace isc::data;
using namespace isc::dhcp;
using namespace isc::process;
@@ -290,6 +294,13 @@ main(int argc, char* argv[]) {
// Tell the admin we are ready to process packets
LOG_INFO(dhcp4_logger, DHCP4_STARTED).arg(VERSION);
+#ifdef HAVE_LIBSYSTEMD_DAEMON
+ // Notify systemd about the same
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Dispatching packets...\n"
+ "MAINPID=%lu",
+ (unsigned long) getpid());
+#endif
// And run the main loop of the server.
ret = server.run();
diff --git a/src/bin/dhcp4/meson.build b/src/bin/dhcp4/meson.build
index 3dac320..e8cacb9 100644
--- a/src/bin/dhcp4/meson.build
+++ b/src/bin/dhcp4/meson.build
@@ -1,3 +1,8 @@
+kea_dhcp4_dependencies = [CRYPTO_DEP]
+if SYSTEMD_DEP.found()
+ kea_dhcp4_dependencies += [SYSTEMD_DEP]
+endif
+
dhcp4_lib = static_library(
'dhcp4',
'client_handler.cc',
@@ -16,7 +21,7 @@ dhcp4_lib = static_library(
kea_dhcp4 = executable(
'kea-dhcp4',
'main.cc',
- dependencies: [CRYPTO_DEP],
+ dependencies: kea_dhcp4_dependencies,
include_directories: [include_directories('.')] + INCLUDES,
install: true,
install_dir: SBINDIR,
diff --git a/src/bin/dhcp6/main.cc b/src/bin/dhcp6/main.cc
index 7ab1999..abac799 100644
--- a/src/bin/dhcp6/main.cc
+++ b/src/bin/dhcp6/main.cc
@@ -24,6 +24,10 @@
#include <iostream>
+#ifdef HAVE_LIBSYSTEMD_DAEMON
+#include <systemd/sd-daemon.h>
+#endif
+
using namespace isc::data;
using namespace isc::dhcp;
using namespace isc::process;
@@ -290,6 +294,13 @@ main(int argc, char* argv[]) {
// Tell the admin we are ready to process packets
LOG_INFO(dhcp6_logger, DHCP6_STARTED).arg(VERSION);
+#ifdef HAVE_LIBSYSTEMD_DAEMON
+ // Notify systemd about the same
+ sd_notifyf(0, "READY=1\n"
+ "STATUS=Dispatching packets...\n"
+ "MAINPID=%lu",
+ (unsigned long) getpid());
+#endif
// And run the main loop of the server.
ret = server.run();
diff --git a/src/bin/dhcp6/meson.build b/src/bin/dhcp6/meson.build
index de60fbf..04a22a9 100644
--- a/src/bin/dhcp6/meson.build
+++ b/src/bin/dhcp6/meson.build
@@ -1,3 +1,8 @@
+kea_dhcp6_dependencies = [CRYPTO_DEP]
+if SYSTEMD_DEP.found()
+ kea_dhcp6_dependencies += [SYSTEMD_DEP]
+endif
+
dhcp6_lib = static_library(
'dhcp6',
'client_handler.cc',
@@ -17,7 +22,7 @@ dhcp6_lib = static_library(
kea_dhcp6 = executable(
'kea-dhcp6',
'main.cc',
- dependencies: [CRYPTO_DEP],
+ dependencies: kea_dhcp6_dependencies,
include_directories: [include_directories('.')] + INCLUDES,
install: true,
install_dir: SBINDIR,

263
kea.spec
View File

@ -2,25 +2,23 @@
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 1;
release_number = 2;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
Name: kea
Version: 2.6.3
Version: 3.0.1
Release: %autorelease
Summary: DHCPv4, DHCPv6 and DDNS server from ISC
License: MPL-2.0 AND BSL-1.0
URL: http://kea.isc.org
# TODO: no support for netconf/sysconf yet
# Support for netconf is not enabled
%bcond_with sysrepo
%bcond_with gtest
%bcond_with tests
#%%global prever P1
%global keama_version 4.5.0
# Bundled version of Bind libraries linked into Keama
%global bind_version 9.11.36
@ -33,8 +31,8 @@ Provides: %1 = %{version}-%{release} \
Conflicts: %1 \
%endif
Source0: https://downloads.isc.org/isc/kea/%{version}%{?prever:-%{prever}}/kea-%{version}%{?prever:-%{prever}}.tar.gz
Source1: https://downloads.isc.org/isc/kea/%{version}%{?prever:-%{prever}}/kea-%{version}%{?prever:-%{prever}}.tar.gz.asc
Source0: https://downloads.isc.org/isc/kea/%{version}/kea-%{version}.tar.xz
Source1: https://downloads.isc.org/isc/kea/%{version}/kea-%{version}.tar.xz.asc
Source2: https://downloads.isc.org/isc/keama/%{keama_version}/keama-%{keama_version}.tar.gz
Source3: https://downloads.isc.org/isc/keama/%{keama_version}/keama-%{keama_version}.tar.gz.asc
Source10: https://www.isc.org/docs/isc-keyblock.asc
@ -45,54 +43,55 @@ Source14: kea-ctrl-agent.service
Source15: systemd-tmpfiles.conf
Source16: systemd-sysusers.conf
Patch1: kea-openssl-version.patch
Patch2: kea-gtest.patch
Patch1: kea-sd-daemon.patch
# https://issues.redhat.com/browse/RHEL-125048
# Based on: https://gitlab.isc.org/isc-projects/kea/-/commit/92b65b2345e07d826b56ffd65cf47538f1c7a271
Patch2: CVE-2025-11232.patch
# autoreconf
BuildRequires: autoconf automake libtool
BuildRequires: boost-devel
BuildRequires: gcc-c++
# %%configure --with-openssl
# %%meson -D crypto=openssl
BuildRequires: openssl-devel
%if 0%{?fedora}
# https://bugzilla.redhat.com/show_bug.cgi?id=2300868#c4
BuildRequires: openssl-devel-engine
%endif
# %%configure --with-pgsql
# %%meson -D krb5=enabled
BuildRequires: krb5-devel
# %%meson -D mysql=enabled
BuildRequires: mariadb-connector-c-devel
# %%meson -D postgresql=enabled
%if 0%{?fedora} || 0%{?rhel} > 9
BuildRequires: libpq-devel
%else
BuildRequires: postgresql-server-devel
%endif
# %%configure --with-mysql
BuildRequires: mariadb-connector-c-devel
BuildRequires: log4cplus-devel
# %%meson -D systemd=enabled
BuildRequires: systemd-devel
%if %{with sysrepo}
# %%configure --with-sysrepo
# %%meson -D netconf=enabled
BuildRequires: sysrepo-devel
%endif
%if %{with tests}
# %%meson -D tests=enabled
%ifarch %{valgrind_arches}
BuildRequires: valgrind-devel
%endif
%if %{with gtest}
# %%configure --enable-gtest
BuildRequires: gtest-devel
# src/lib/testutils/dhcp_test_lib.sh
BuildRequires: procps-ng
%endif
# %%configure --enable-generate-parser
BuildRequires: log4cplus-devel
BuildRequires: python3-devel
BuildRequires: gcc-c++
BuildRequires: autoconf automake libtool
BuildRequires: make
BuildRequires: meson
BuildRequires: bison
BuildRequires: flex
# %%configure --enable-shell
BuildRequires: python3-devel
# in case you ever wanted to use %%configure --enable-generate-docs
#BuildRequires: elinks asciidoc plantuml
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: python3-sphinx
BuildRequires: python3-sphinx_rtd_theme
BuildRequires: make
BuildRequires: gnupg2
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -101,7 +100,6 @@ Requires: coreutils util-linux
%{?systemd_requires}
%{?sysusers_requires_compat}
%description
DHCP implementation from Internet Systems Consortium, Inc. that features fully
functional DHCPv4, DHCPv6 and Dynamic DNS servers.
@ -109,7 +107,6 @@ Both DHCP servers fully support server discovery, address assignment, renewal,
rebinding and release. The DHCPv6 server supports prefix delegation. Both
servers support DNS Update mechanism, using stand-alone DDNS daemon.
%package doc
Summary: Documentation for Kea DHCP server
BuildArch: noarch
@ -117,7 +114,6 @@ BuildArch: noarch
%description doc
Documentation and example configuration for Kea DHCP server.
%package devel
Summary: Development headers and libraries for Kea DHCP server
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -129,7 +125,6 @@ Requires: pkgconfig
%description devel
Header files and API documentation.
%package hooks
Summary: Hooks libraries for kea
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
@ -140,7 +135,6 @@ Hooking mechanism allow Kea to load one or more dynamically-linked libraries
("hook points"), call functions in them. Those functions perform whatever
custom processing is required.
%package libs
Summary: Shared libraries used by Kea DHCP server
%upstream_name_compat %{upstream_name}-libs
@ -148,7 +142,6 @@ Summary: Shared libraries used by Kea DHCP server
%description libs
This package contains shared libraries used by Kea DHCP server.
%package keama
Summary: Experimental migration assistant for Kea
Provides: bundled(bind-libs) = %{bind_version}
@ -157,7 +150,6 @@ Provides: bundled(bind-libs) = %{bind_version}
The KEA Migration Assistant is an experimental tool which helps to translate
ISC DHCP configurations to Kea.
%prep
%if 0%{?fedora} || 0%{?rhel} > 8
%{gpgverify} --keyring='%{S:10}' --signature='%{S:1}' --data='%{S:0}'
@ -165,42 +157,34 @@ ISC DHCP configurations to Kea.
%endif
%autosetup -T -b2 -N -n keama-%{keama_version}
%autosetup -p1 -n kea-%{version}%{?prever:-%{prever}}
rm -rf doc/sphinx/_build
# to be able to build on ppc64(le)
# https://sourceforge.net/p/flex/bugs/197
# https://lists.isc.org/pipermail/kea-dev/2016-January/000599.html
sed -i -e 's|ECHO|YYECHO|g' src/lib/eval/lexer.cc
%autosetup -p1 -n kea-%{version}
%build
autoreconf --verbose --force --install
# This removes RPATH from binaries
export KEA_PKG_TYPE_IN_CONFIGURE="rpm"
%configure \
--disable-dependency-tracking \
--disable-rpath \
--disable-silent-rules \
--disable-static \
--enable-generate-docs \
--enable-generate-messages \
--enable-generate-parser \
--enable-shell \
--enable-perfdhcp \
%if %{with gtest}
--with-gtest \
%endif
--with-mysql \
--with-pgsql \
--with-gnu-ld \
--with-log4cplus \
%meson \
--install-umask 0022 \
%if %{with sysrepo}
--with-sysrepo \
-D netconf=enabled \
%else
-D netconf=disabled \
%endif
--with-openssl
%if %{with tests}
-D tests=enabled \
%else
-D tests=disabled \
%endif
-D crypto=openssl \
-D krb5=enabled \
-D mysql=enabled \
-D postgresql=enabled \
-D systemd=enabled
%make_build
# Messages need to be regenerated by kea-msg-compiler for CVE-2025-11232.patch
%meson_build messages
%meson_build
%meson_build doc
# Configure & build Keama
pushd ../keama-%{keama_version}
@ -230,15 +214,13 @@ autoreconf --verbose --force --install
%make_build
popd
%if %{with gtest}
%if %{with tests}
%check
make check
%meson_test
%endif
%install
%make_install docdir=%{_pkgdocdir}
%meson_install
# Install Keama
pushd ../keama-%{keama_version}
@ -246,20 +228,23 @@ pushd ../keama-%{keama_version}
popd
# Remove Keama's static library, dhcp headers and man pages
rm -f %{buildroot}/%{_libdir}/libdhcp.a
rm %{buildroot}/%{_libdir}/libdhcp.a
rm -rf %{buildroot}/%{_includedir}/omapip/
rm -rf %{buildroot}%{_mandir}/man5/
# Get rid of .la files
find %{buildroot} -type f -name "*.la" -delete -print
# Remove keactrl
rm %{buildroot}%{_sysconfdir}/kea/keactrl.conf
rm %{buildroot}%{_sbindir}/keactrl
rm %{buildroot}%{_mandir}/man8/keactrl.8*
%if %{without sysrepo}
# Remove netconf files
rm %{buildroot}%{_mandir}/man8/kea-netconf.8
%endif
rm -f %{buildroot}%{_pkgdocdir}/COPYING
rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo
rm %{buildroot}%{_pkgdocdir}/COPYING
rm -rf %{buildroot}/usr/share/kea/meson-info/
# Create empty password file for the Kea Control Agent
install -m 0640 /dev/null %{buildroot}%{_sysconfdir}/kea/kea-api-password
@ -285,7 +270,6 @@ install -dm 0750 %{buildroot}%{_rundir}/kea/
mkdir -p %{buildroot}%{_localstatedir}/log
install -dm 0750 %{buildroot}%{_localstatedir}/log/kea/
%pre
%sysusers_create_compat %{S:16}
@ -304,7 +288,7 @@ install -dm 0750 %{buildroot}%{_localstatedir}/log/kea/
&& chown root:kea %{_sysconfdir}/kea/kea*.conf && chmod 0640 %{_sysconfdir}/kea/kea*.conf
# Remove /tmp/ from socket-name for existing configurations to fix CVE-2025-32802
for i in kea-ctrl-agent.conf keactrl.conf kea-dhcp4.conf kea-dhcp6.conf kea-dhcp-ddns.conf; do
for i in kea-ctrl-agent.conf kea-dhcp4.conf kea-dhcp6.conf kea-dhcp-ddns.conf; do
if [ -n "`grep '\"socket-name\": \"/tmp/' %{_sysconfdir}/kea/$i`" ]; then
sed -i.CVE-2025-32802.bak 's#\("socket-name": "/tmp/\)\(.*\)#"socket-name": "\2#g' %{_sysconfdir}/kea/$i
fi
@ -321,13 +305,10 @@ fi
%postun
%systemd_postun_with_restart kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
%ldconfig_scriptlets libs
%files
%license COPYING
%{_bindir}/kea-msg-compiler
%{_sbindir}/kea-admin
%{_sbindir}/kea-ctrl-agent
%{_sbindir}/kea-dhcp-ddns
@ -335,7 +316,6 @@ fi
%{_sbindir}/kea-dhcp6
%{_sbindir}/kea-lfc
%{_sbindir}/kea-shell
%{_sbindir}/keactrl
%{_sbindir}/perfdhcp
%{_unitdir}/kea*.service
%{_datarootdir}/kea
@ -357,7 +337,6 @@ fi
%{_mandir}/man8/kea-netconf.8*
%endif
%{_mandir}/man8/kea-shell.8*
%{_mandir}/man8/keactrl.8*
%{_mandir}/man8/perfdhcp.8*
%{_tmpfilesdir}/kea.conf
%{_sysusersdir}/kea.conf
@ -375,49 +354,115 @@ fi
%doc %{_pkgdocdir}/SECURITY.md
%files devel
%{_bindir}/kea-msg-compiler
%{_includedir}/kea
%{_libdir}/libkea-*.so
%{_libdir}/libkea-asiodns.so
%{_libdir}/libkea-asiolink.so
%{_libdir}/libkea-cc.so
%{_libdir}/libkea-cfgrpt.so
%{_libdir}/libkea-config.so
%{_libdir}/libkea-cryptolink.so
%{_libdir}/libkea-d2srv.so
%{_libdir}/libkea-database.so
%{_libdir}/libkea-dhcp_ddns.so
%{_libdir}/libkea-dhcp.so
%{_libdir}/libkea-dhcpsrv.so
%{_libdir}/libkea-dns.so
%{_libdir}/libkea-eval.so
%{_libdir}/libkea-exceptions.so
%{_libdir}/libkea-hooks.so
%{_libdir}/libkea-http.so
%{_libdir}/libkea-log-interprocess.so
%{_libdir}/libkea-log.so
%{_libdir}/libkea-mysql.so
%{_libdir}/libkea-pgsql.so
%{_libdir}/libkea-process.so
%{_libdir}/libkea-stats.so
%{_libdir}/libkea-tcp.so
%{_libdir}/libkea-util-io.so
%{_libdir}/libkea-util.so
%{_libdir}/pkgconfig/kea.pc
%files hooks
%dir %{_sysconfdir}/kea/radius
%{_sysconfdir}/kea/radius/dictionary
%dir %{_libdir}/kea
%{_libdir}/kea/hooks
%dir %{_libdir}/kea/hooks
%{_libdir}/kea/hooks/libddns_gss_tsig.so
%{_libdir}/kea/hooks/libdhcp_bootp.so
%{_libdir}/kea/hooks/libdhcp_class_cmds.so
%{_libdir}/kea/hooks/libdhcp_ddns_tuning.so
%{_libdir}/kea/hooks/libdhcp_flex_id.so
%{_libdir}/kea/hooks/libdhcp_flex_option.so
%{_libdir}/kea/hooks/libdhcp_ha.so
%{_libdir}/kea/hooks/libdhcp_host_cache.so
%{_libdir}/kea/hooks/libdhcp_host_cmds.so
%{_libdir}/kea/hooks/libdhcp_lease_cmds.so
%{_libdir}/kea/hooks/libdhcp_lease_query.so
%{_libdir}/kea/hooks/libdhcp_legal_log.so
%{_libdir}/kea/hooks/libdhcp_limits.so
%{_libdir}/kea/hooks/libdhcp_mysql.so
%{_libdir}/kea/hooks/libdhcp_perfmon.so
%{_libdir}/kea/hooks/libdhcp_pgsql.so
%{_libdir}/kea/hooks/libdhcp_ping_check.so
%{_libdir}/kea/hooks/libdhcp_radius.so
%{_libdir}/kea/hooks/libdhcp_run_script.so
%{_libdir}/kea/hooks/libdhcp_stat_cmds.so
%{_libdir}/kea/hooks/libdhcp_subnet_cmds.so
%files libs
%license COPYING
# older: find `rpm --eval %%{_topdir}`/BUILDROOT/kea-*/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort
# >=f41: find `rpm --eval %%{_topdir}`/BUILD/kea-*/BUILDROOT/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort
%{_libdir}/libkea-asiodns.so.49*
%{_libdir}/libkea-asiolink.so.72*
%{_libdir}/libkea-cc.so.68*
%{_libdir}/libkea-cfgclient.so.66*
%{_libdir}/libkea-cryptolink.so.50*
%{_libdir}/libkea-d2srv.so.47*
%{_libdir}/libkea-database.so.62*
%{_libdir}/libkea-dhcp_ddns.so.57*
%{_libdir}/libkea-dhcp++.so.92*
%{_libdir}/libkea-dhcpsrv.so.111*
%{_libdir}/libkea-dns++.so.57*
%{_libdir}/libkea-eval.so.69*
%{_libdir}/libkea-exceptions.so.33*
%{_libdir}/libkea-hooks.so.100*
%{_libdir}/libkea-http.so.72*
%{_libdir}/libkea-log.so.61*
%{_libdir}/libkea-mysql.so.71*
%{_libdir}/libkea-pgsql.so.71*
%{_libdir}/libkea-process.so.74*
%{_libdir}/libkea-stats.so.41*
%{_libdir}/libkea-tcp.so.19*
%{_libdir}/libkea-util-io.so.0*
%{_libdir}/libkea-util.so.86*
%{_libdir}/libkea-asiodns.so.62*
%{_libdir}/libkea-asiolink.so.88*
%{_libdir}/libkea-cc.so.82*
%{_libdir}/libkea-cfgrpt.so.3*
%{_libdir}/libkea-config.so.83*
%{_libdir}/libkea-cryptolink.so.64*
%{_libdir}/libkea-d2srv.so.63*
%{_libdir}/libkea-database.so.76*
%{_libdir}/libkea-dhcp_ddns.so.68*
%{_libdir}/libkea-dhcp.so.109*
%{_libdir}/libkea-dhcpsrv.so.130*
%{_libdir}/libkea-dns.so.71*
%{_libdir}/libkea-eval.so.84*
%{_libdir}/libkea-exceptions.so.45*
%{_libdir}/libkea-hooks.so.119*
%{_libdir}/libkea-http.so.87*
%{_libdir}/libkea-log-interprocess.so.3*
%{_libdir}/libkea-log.so.75*
%{_libdir}/libkea-mysql.so.88*
%{_libdir}/libkea-pgsql.so.88*
%{_libdir}/libkea-process.so.90*
%{_libdir}/libkea-stats.so.53*
%{_libdir}/libkea-tcp.so.33*
%{_libdir}/libkea-util-io.so.12*
%{_libdir}/libkea-util.so.101*
%files keama
%license COPYING
%{_bindir}/keama
%{_mandir}/man8/keama.8*
%changelog
## START: Generated by rpmautospec
* Thu Oct 30 2025 Martin Osvald <mosvald@redhat.com> - 3.0.1-2
- Fixes CVE-2025-11232
* Tue Sep 02 2025 Martin Osvald <mosvald@redhat.com> - 3.0.1-1
- New version 3.0.1
- Fixes CVE-2025-40779
* Fri Aug 01 2025 Martin Osvald <mosvald@redhat.com> - 3.0.0-2
- Support for sending startup notifications to systemd
* Wed Jul 30 2025 Martin Osvald <mosvald@redhat.com> - 3.0.0-1
- New version 3.0.0
- Remove broken keactrl in favor of systemd unit files
- kea.spec: General cleanup and removal of lines that have no effect
- kea-msg-compiler was moved from kea to kea-devel
* Sun Jun 08 2025 Martin Osvald <mosvald@redhat.com> - 2.6.3-1
- New version 2.6.3
- Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803

2
sources
View File

@ -1,2 +1,2 @@
SHA512 (kea-2.6.3.tar.gz) = d7781c0b95529bfe89c19615c1dd5952fd4c4b60274e187a641992dad81ef5af921dfb15050ec43169a0c2ad267639642b2e294c5d43405f85a5fb11bb1a939a
SHA512 (kea-3.0.1.tar.xz) = 84e2164aa91c95b2e6e65994a2327fa1233c82b06af69312f55464119d4edc6151a4662a54f4a3ae83e0487dac7b25c5e59e60bcbed653fd30fb32ae7cacddf3
SHA512 (keama-4.5.0.tar.gz) = 2e48987e21999718be7ceb5b604be672c84666b07dde9545285ff7146ab6825e81af1ec3b5a4b50f20e61b40ed11b0254e3705cc580bb85de24b77ee8cbca162