From e06ae9f49f00842d47c94f527886044d89e6bfbf Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 4 Dec 2025 08:12:08 +0000
Subject: [PATCH] import OL kea-3.0.1-2.el10_1

---
 .gitignore | 2 +-
 CVE-2025-11232.patch | 180 ++++++++++++++++++++++++++
 kea-2.6.3.tar.gz.asc | 16 ---
 kea-3.0.1.tar.xz.asc | 16 +++
 kea-dhcp4.service | 1 +
 kea-dhcp6.service | 1 +
 kea-gtest.patch | 30 -----
 kea-openssl-version.patch | 13 --
 kea-sd-daemon.patch | 189 +++++++++++++++++++++++++++
 kea.spec | 263 ++++++++++++++++++++++----------------
 sources | 2 +-
 11 files changed, 543 insertions(+), 170 deletions(-)
 create mode 100644 CVE-2025-11232.patch
 delete mode 100644 kea-2.6.3.tar.gz.asc
 create mode 100644 kea-3.0.1.tar.xz.asc
 delete mode 100644 kea-gtest.patch
 delete mode 100644 kea-openssl-version.patch
 create mode 100644 kea-sd-daemon.patch

diff --git a/.gitignore b/.gitignore
index e0a2d85..21d0e26 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-kea-2.6.3.tar.gz
+kea-3.0.1.tar.xz
 keama-4.5.0.tar.gz
diff --git a/CVE-2025-11232.patch b/CVE-2025-11232.patch
new file mode 100644
index 0000000..07af123
--- /dev/null
+++ b/CVE-2025-11232.patch
@@ -0,0 +1,180 @@ +diff --git a/src/bin/dhcp4/dhcp4_messages.mes b/src/bin/dhcp4/dhcp4_messages.mes +index 1deb2e6074..b359d09616 100644 +--- a/src/bin/dhcp4/dhcp4_messages.mes ++++ b/src/bin/dhcp4/dhcp4_messages.mes +@@ -164,6 +164,20 @@ This debug message is issued when the server starts processing the Hostname + option sent in the client's query. The argument includes the client and + transaction identification information. + ++% DHCP4_CLIENT_HOSTNAME_SCRUBBED_EMPTY %1: sanitizing client's Hostname option '%2' yielded an empty string ++Logged at debug log level 50. ++This debug message is issued when the result of sanitizing the ++hostname option(12) sent by the client is an empty string. When this occurs ++the server will ignore the hostname option. The arguments include the ++client and the hostname option it sent. ++ ++% DHCP4_CLIENT_FQDN_SCRUBBED_EMPTY %1: sanitizing client's FQDN option '%2' yielded an empty string ++Logged at debug log level 50. ++This debug message is issued when the result of sanitizing the ++FQDN option(81) sent by the client is an empty string. When this occurs ++the server will ignore the FQDN option. The arguments include the ++client and the FQDN option it sent. ++ + % DHCP4_CLIENT_NAME_PROC_FAIL %1: failed to process the fqdn or hostname sent by a client: %2 + Logged at debug log level 55. + This debug message is issued when the DHCP server was unable to process the +diff --git a/src/bin/dhcp4/dhcp4_srv.cc b/src/bin/dhcp4/dhcp4_srv.cc +index 0701ed41e9..a6be662889 100644 +--- a/src/bin/dhcp4/dhcp4_srv.cc ++++ b/src/bin/dhcp4/dhcp4_srv.cc +@@ -2714,8 +2714,15 @@ Dhcpv4Srv::processClientFqdnOption(Dhcpv4Exchange& ex) { + } else { + // Adjust the domain name based on domain name value and type sent by the + // client and current configuration. 
+- d2_mgr.adjustDomainName(*fqdn, *fqdn_resp, +- *(ex.getContext()->getDdnsParams())); ++ try { ++ d2_mgr.adjustDomainName(*fqdn, *fqdn_resp, ++ *(ex.getContext()->getDdnsParams())); ++ } catch (const FQDNScrubbedEmpty& scrubbed) { ++ LOG_DEBUG(ddns4_logger, DBG_DHCP4_DETAIL, DHCP4_CLIENT_FQDN_SCRUBBED_EMPTY) ++ .arg(ex.getQuery()->getLabel()) ++ .arg(scrubbed.what()); ++ return; ++ } + } + + // Add FQDN option to the response message. Note that, there may be some +@@ -2857,7 +2864,15 @@ Dhcpv4Srv::processHostnameOption(Dhcpv4Exchange& ex) { + ex.getContext()->getDdnsParams()->getHostnameSanitizer(); + + if (sanitizer) { +- hostname = sanitizer->scrub(hostname); ++ auto tmp = sanitizer->scrub(hostname); ++ if (tmp.empty()) { ++ LOG_DEBUG(ddns4_logger, DBG_DHCP4_DETAIL, DHCP4_CLIENT_HOSTNAME_SCRUBBED_EMPTY) ++ .arg(ex.getQuery()->getLabel()) ++ .arg(hostname); ++ return; ++ } ++ ++ hostname = tmp; + } + + // Convert hostname to lower case. +diff --git a/src/bin/dhcp6/dhcp6_messages.mes b/src/bin/dhcp6/dhcp6_messages.mes +index fff50ed367..79fc984ff5 100644 +--- a/src/bin/dhcp6/dhcp6_messages.mes ++++ b/src/bin/dhcp6/dhcp6_messages.mes +@@ -1167,3 +1167,10 @@ such modification. The clients will remember previous server-id, and will + use it to extend their leases. As a result, they will have to go through + a rebinding phase to re-acquire their leases and associate them with a + new server id. ++ ++% DHCP6_CLIENT_FQDN_SCRUBBED_EMPTY %1: sanitizing client's FQDN option '%2' yielded an empty string ++Logged at debug log level 50. ++This debug message is issued when the result of sanitizing the ++FQDN option(39) sent by the client is an empty string. When this occurs ++the server will ignore the FQDN option. The arguments include the ++client and the FQDN option it sent. 
+diff --git a/src/bin/dhcp6/dhcp6_srv.cc b/src/bin/dhcp6/dhcp6_srv.cc +index 417960b126..f999c3178f 100644 +--- a/src/bin/dhcp6/dhcp6_srv.cc ++++ b/src/bin/dhcp6/dhcp6_srv.cc +@@ -2332,7 +2332,14 @@ Dhcpv6Srv::processClientFqdn(const Pkt6Ptr& question, const Pkt6Ptr& answer, + } else { + // Adjust the domain name based on domain name value and type sent by + // the client and current configuration. +- d2_mgr.adjustDomainName(*fqdn, *fqdn_resp, *ddns_params); ++ try { ++ d2_mgr.adjustDomainName(*fqdn, *fqdn_resp, *ddns_params); ++ } catch(const FQDNScrubbedEmpty& scrubbed) { ++ LOG_DEBUG(ddns6_logger, DBG_DHCP6_DETAIL, DHCP6_CLIENT_FQDN_SCRUBBED_EMPTY) ++ .arg(question->getLabel()) ++ .arg(scrubbed.what()); ++ return; ++ } + } + + // Once we have the FQDN setup to use it for the lease hostname. This +diff --git a/src/lib/dhcpsrv/d2_client_mgr.cc b/src/lib/dhcpsrv/d2_client_mgr.cc +index 84ee11d9fb..54c815176e 100644 +--- a/src/lib/dhcpsrv/d2_client_mgr.cc ++++ b/src/lib/dhcpsrv/d2_client_mgr.cc +@@ -186,10 +186,15 @@ std::string + D2ClientMgr::qualifyName(const std::string& partial_name, + const DdnsParams& ddns_params, + const bool trailing_dot) const { ++ if (partial_name.empty()) { ++ isc_throw(BadValue, "D2ClientMgr::qualifyName" ++ " - partial_name cannot be an empty string"); ++ } ++ + std::ostringstream gen_name; + gen_name << partial_name; + std::string suffix = ddns_params.getQualifyingSuffix(); +- if (!suffix.empty() && partial_name.back() != '.') { ++ if (!suffix.empty() && (partial_name.back() != '.')) { + bool suffix_present = true; + std::string str = gen_name.str(); + auto suffix_rit = suffix.rbegin(); +@@ -241,7 +246,7 @@ D2ClientMgr::qualifyName(const std::string& partial_name, + // If the trailing dot should not be appended but it is present, + // remove it. 
+ if ((len > 0) && (str[len - 1] == '.')) { +- gen_name.str(str.substr(0,len-1)); ++ gen_name.str(str.substr(0, len-1)); + } + + } +diff --git a/src/lib/dhcpsrv/d2_client_mgr.h b/src/lib/dhcpsrv/d2_client_mgr.h +index 7344f19a40..238fd0a415 100644 +--- a/src/lib/dhcpsrv/d2_client_mgr.h ++++ b/src/lib/dhcpsrv/d2_client_mgr.h +@@ -30,6 +30,14 @@ + namespace isc { + namespace dhcp { + ++/// @brief Exception thrown when host name sanitizing reduces ++/// the domain name to an empty string. ++class FQDNScrubbedEmpty : public Exception { ++public: ++ FQDNScrubbedEmpty(const char* file, size_t line, const char* what) : ++ isc::Exception(file, line, what) { } ++}; ++ + /// @brief Defines the type for D2 IO error handler. + /// This callback is invoked when a send to kea-dhcp-ddns completes with a + /// failed status. This provides the application layer (Kea) with a means to +@@ -197,6 +205,7 @@ public: + /// suffix itself is empty (i.e. ""). + /// + /// @return std::string containing the qualified name. ++ /// @throw BadValue if partial_name is empty. + std::string qualifyName(const std::string& partial_name, + const DdnsParams& ddns_params, + const bool trailing_dot) const; +@@ -264,6 +273,9 @@ public: + /// @param ddns_params DDNS behavioral configuration parameters + /// @tparam T FQDN Option class containing the FQDN data such as + /// dhcp::Option4ClientFqdn or dhcp::Option6ClientFqdn ++ /// ++ /// @throw FQDNScrubbedEmpty if hostname sanitizing reduces the input domain ++ /// name to an empty string. 
+ template + void adjustDomainName(const T& fqdn, T& fqdn_resp, + const DdnsParams& ddns_params); +@@ -515,7 +527,12 @@ D2ClientMgr::adjustDomainName(const T& fqdn, T& fqdn_resp, const DdnsParams& ddn + ss << sanitizer->scrub(label); + } + +- client_name = ss.str(); ++ std::string clean_name = ss.str(); ++ if (clean_name.empty() || clean_name == ".") { ++ isc_throw(FQDNScrubbedEmpty, client_name); ++ } ++ ++ client_name = clean_name; + } + + // If the supplied name is partial, qualify it by adding the suffix. diff --git a/kea-2.6.3.tar.gz.asc b/kea-2.6.3.tar.gz.asc deleted file mode 100644 index 860f457..0000000 --- a/kea-2.6.3.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmgvfDoACgkQel4ITKyl -GIQKQA/9ExKLzofEhdch9eE9gcRVth2RehqbrJdVE0iPZOGZFnbSKe6KUleyPOgt -g6kympVGO+8ZHbu5BBMc29SpsBXSTAm79ZvLiHVM4EjWaTH0uqZgb3HyNrloIYzX -QW5/TtXVCdDHreH7Giy+Bx3303aMEu2H+hlQpCl2a2LbsvqI9Tv9ytymdHyNWfUy -yCwPzUdE8mi+KJdE0XE/pibZrI1UaQdfsg/ZmLzho3nGbaWMrvbTIgcuqYtTCD+S -Dodv/Bx195rHhecOQ1liNWwAxkeB+9Um6YCstvbpON3uwnwVp+e3T60rHVg5SGqe -66Un7WME5wVZ7nOg1XBijSK7BmyGucPGA+/IBWAdjpU+m7gb2M6quTs6Elyf6p53 -AdIq0UX0nN9eo8wa+bme71JOzFive9iR9RtnNhaus6IeMB6lSH7kmrXnDXK2EQQe -x53bYPe+yFL6QeWSFTxlIDj77fqcN9vI20zRkDvWdyG83VzZP6tOS7JTR3dJoToM -4GTRdkJ3maUV/gujx3hR41b1EknlcFW3LUEVV0NqdlU1Qy9fOh/mLwFosuaOPSYx -4WFuT5aIScS7bxQqPSBQ/h2Xn63oUuTch08eGMuTtMs+TdkQuhciXKXpYE3lt1sW -8NNI0M4HqaviUu9SaVg1aGAvJ8pFJQjI8YR9NrK2O3mTcAprNPA= -=inHP ------END PGP SIGNATURE----- diff --git a/kea-3.0.1.tar.xz.asc b/kea-3.0.1.tar.xz.asc new file mode 100644 index 0000000..0d93514 --- /dev/null +++ b/kea-3.0.1.tar.xz.asc 
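Review bot: The two catch handlers added by CVE-2025-11232.patch are written inconsistently — dhcp4_srv.cc uses `catch (const FQDNScrubbedEmpty& scrubbed)` while dhcp6_srv.cc uses `catch(const FQDNScrubbedEmpty& scrubbed)` — and the processHostnameOption branch copies the scrubbed result where `hostname = std::move(tmp);` would do, with `tmp` being a less telling name than the `clean_name` the adjustDomainName hunk picks for the same thing. Note that `isc_throw(FQDNScrubbedEmpty, client_name)` puts the unsanitized client-supplied name into what(), so the DHCP4_CLIENT_FQDN_SCRUBBED_EMPTY and DHCP6_CLIENT_FQDN_SCRUBBED_EMPTY debug lines emit raw option bytes; that matches the .mes descriptions, but a comment at the throw site, `// what() carries the unsanitized client name; callers only log it`, would make the contract explicit. The empty-string guard added to qualifyName is what stops the `partial_name.back()` read on an empty string, so `BadValue` there should stay even though the new callers now reject empty names earlier. processClientFqdnOption, processHostnameOption, qualifyName and adjustDomainName all start and end outside the hunk.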
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEAlmjO19aOkRmzzRcel4ITKylGIQFAmil4+0ACgkQel4ITKyl +GIRxlg//f+A5yEQ6RKl0DOJfQIKKPZ9SL/2a04q6Gcay2ghUl8LZOiiO98RYicyV +PmrsY/5/nuJmLPRSPKt/pmosfgZUbWK9yuKOoBrfu0KZfQWMX+1ZJIfagY47PCvU +RKtT50+iPOsYZAtuRw8faO8g/rdgl1vMreSIjCPZTG1R4qZkQXNnwhNRV7O3pzsr +wSndDINLvjQoYYbklKpUszoBNppXzBCegzVFjcIjNOSta2U8xEPGQ7sv2JvKkaYf +bVjzKuoEVn0YkkAdf7C7vLotl4UZESNo/w+DcRbrbq/FYpT1R8YWzVAJtqJCVNFI +q0WqlK5/G2/4giAveSWzuX0dnk+OZ5kQrd323Ol6MlM/O4ymkHK7OJrcxLLrEyIC +OnRNWQqVzJddmUTOntvoLk90wJ9yF1jrdM+S3xTpOJzhnfRoFuioZ7njjfGTyskR +Nlt4DX3wGsg0quDQfQJAf1z1qk651/OIF27KThj5jNOPB5eWz4YjJBht9T+eHlcS +kOsNwnKtdZe+KiGeFCsfWU7wOR65w4kQXoH1ruFqVa44ZZKUvzDi4fiJYYfJLedJ +FfBx3c65B0COk+3kOWjAV1F+Zaf0PlrEnb75zbN0O4BrztPL12HhDtjF+CbAuOG2 +k4ZpogxZ0Q6MhiQjGFiFMs2PN2FlgiaL2zbKKG/KIjUzPnog60c= +=1ZFT +-----END PGP SIGNATURE----- diff --git a/kea-dhcp4.service b/kea-dhcp4.service index a0ae770..dc7a57a 100644 --- a/kea-dhcp4.service +++ b/kea-dhcp4.service @@ -6,6 +6,7 @@ After=network-online.target After=time-sync.target [Service] +Type=notify User=kea AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW Environment="KEA_PIDFILE_DIR=/run/kea" diff --git a/kea-dhcp6.service b/kea-dhcp6.service index f7b7835..35872dc 100644 --- a/kea-dhcp6.service +++ b/kea-dhcp6.service @@ -6,6 +6,7 @@ After=network-online.target After=time-sync.target [Service] +Type=notify User=kea AmbientCapabilities=CAP_NET_BIND_SERVICE Environment="KEA_PIDFILE_DIR=/run/kea" diff --git a/kea-gtest.patch b/kea-gtest.patch deleted file mode 100644 index 6c014f2..0000000 --- a/kea-gtest.patch +++ /dev/null 
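Review bot: `Type=notify` makes systemd hold kea-dhcp4 in 'activating' until a READY=1 message arrives, and the only sender of that message is the sd_notifyf call added by kea-sd-daemon.patch, which is compiled in only under HAVE_LIBSYSTEMD_DAEMON; a binary built without that define would sit until the start timeout and then be killed. A comment in the unit recording the coupling, `# Type=notify requires kea-dhcp4 built with libsystemd (see kea-sd-daemon.patch)`, would keep the two from drifting apart; the same applies to the kea-dhcp6.service hunk. Since READY=1 appears to be sent only just before the server's main loop starts, consider whether a `TimeoutStartSec=` sized for a large lease database is wanted — the rest of the unit is outside this hunk, so I can't tell whether one is already set.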
@@ -1,30 +0,0 @@ -diff --git a/m4macros/ax_gtest.m4 b/m4macros/ax_gtest.m4 -index 138a03f..80ebb98 100644 ---- a/m4macros/ax_gtest.m4 -+++ b/m4macros/ax_gtest.m4 -@@ -173,9 +173,9 @@ if test "x$enable_gtest" = "xyes" ; then - for dir in $GTEST_PATHS; do - if test -f "$dir/include/gtest/gtest.h"; then - if test -f "$dir/lib/libgtest.a" || \ -- test -f "$dir/lib/libgtest.so"; then -+ test -f "$dir/lib64/libgtest.so"; then - GTEST_INCLUDES="-I$dir/include" -- GTEST_LDFLAGS="-L$dir/lib" -+ GTEST_LDFLAGS="-L$dir/lib64" - GTEST_LDADD="-lgtest" - GTEST_FOUND="true" - AC_MSG_RESULT([$dir/lib]) -diff --git a/src/lib/util/tests/pid_file_unittest.cc b/src/lib/util/tests/pid_file_unittest.cc -index 5f00d72..583a35b 100644 ---- a/src/lib/util/tests/pid_file_unittest.cc -+++ b/src/lib/util/tests/pid_file_unittest.cc -@@ -181,7 +181,8 @@ TEST_F(PIDFileTest, pidGarbage) { - } - - /// @brief Test failing to write a file. --TEST_F(PIDFileTest, pidWriteFail) { -+/// Fails to fail for root, it doesn't throw PIDFileError exception. -+TEST_F(PIDFileTest, DISABLED_pidWriteFail) { - PIDFile pid_file(absolutePath(TESTNAME)); - - // Create the test file and change it's permission bits diff --git a/kea-openssl-version.patch b/kea-openssl-version.patch deleted file mode 100644 index 246cd56..0000000 --- a/kea-openssl-version.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/m4macros/ax_crypto.m4 b/m4macros/ax_crypto.m4 -index e1b43f8..a3a2c84 100644 ---- a/m4macros/ax_crypto.m4 -+++ b/m4macros/ax_crypto.m4 -@@ -258,7 +258,7 @@ then - else - CRYPTO_NAME="OpenSSL" - DISABLED_CRYPTO="Botan" -- CRYPTO_PACKAGE="openssl-1.1.0" -+ CRYPTO_PACKAGE="openssl" - DISTCHECK_CRYPTO_CONFIGURE_FLAG="--with-openssl=${use_openssl}" - AC_DEFINE_UNQUOTED([WITH_OPENSSL], [], [Compile with OpenSSL crypto]) - AC_MSG_CHECKING(for OpenSSL library) diff --git a/kea-sd-daemon.patch b/kea-sd-daemon.patch new file mode 100644 index 0000000..a3a9ea0 --- /dev/null +++ b/kea-sd-daemon.patch 
@@ -0,0 +1,189 @@ +diff --git a/config-report.sh.in b/config-report.sh.in +index 1af984e..ddd4b62 100755 +--- a/config-report.sh.in ++++ b/config-report.sh.in +@@ -105,6 +105,18 @@ Netconf: no + HERE_DOCUMENT + fi + ++if test '@HAVE_LIBSYSTEMD_DAEMON@' != 'no'; then ++add_to_report < + ++#ifdef HAVE_LIBSYSTEMD_DAEMON ++#include ++#endif ++ + using namespace isc::data; + using namespace isc::dhcp; + using namespace isc::process; +@@ -290,6 +294,13 @@ main(int argc, char* argv[]) { + + // Tell the admin we are ready to process packets + LOG_INFO(dhcp4_logger, DHCP4_STARTED).arg(VERSION); ++#ifdef HAVE_LIBSYSTEMD_DAEMON ++ // Notify systemd about the same ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Dispatching packets...\n" ++ "MAINPID=%lu", ++ (unsigned long) getpid()); ++#endif + + // And run the main loop of the server. + ret = server.run(); +diff --git a/src/bin/dhcp4/meson.build b/src/bin/dhcp4/meson.build +index 3dac320..e8cacb9 100644 +--- a/src/bin/dhcp4/meson.build ++++ b/src/bin/dhcp4/meson.build +@@ -1,3 +1,8 @@ ++kea_dhcp4_dependencies = [CRYPTO_DEP] ++if SYSTEMD_DEP.found() ++ kea_dhcp4_dependencies += [SYSTEMD_DEP] ++endif ++ + dhcp4_lib = static_library( + 'dhcp4', + 'client_handler.cc', +@@ -16,7 +21,7 @@ dhcp4_lib = static_library( + kea_dhcp4 = executable( + 'kea-dhcp4', + 'main.cc', +- dependencies: [CRYPTO_DEP], ++ dependencies: kea_dhcp4_dependencies, + include_directories: [include_directories('.')] + INCLUDES, + install: true, + install_dir: SBINDIR, +diff --git a/src/bin/dhcp6/main.cc b/src/bin/dhcp6/main.cc +index 7ab1999..abac799 100644 +--- a/src/bin/dhcp6/main.cc ++++ b/src/bin/dhcp6/main.cc +@@ -24,6 +24,10 @@ + + #include + ++#ifdef HAVE_LIBSYSTEMD_DAEMON ++#include ++#endif ++ + using namespace isc::data; + using namespace isc::dhcp; + using namespace isc::process; +@@ -290,6 +294,13 @@ main(int argc, char* argv[]) { + + // Tell the admin we are ready to process packets + LOG_INFO(dhcp6_logger, DHCP6_STARTED).arg(VERSION); ++#ifdef 
HAVE_LIBSYSTEMD_DAEMON ++ // Notify systemd about the same ++ sd_notifyf(0, "READY=1\n" ++ "STATUS=Dispatching packets...\n" ++ "MAINPID=%lu", ++ (unsigned long) getpid()); ++#endif + + // And run the main loop of the server. + ret = server.run(); +diff --git a/src/bin/dhcp6/meson.build b/src/bin/dhcp6/meson.build +index de60fbf..04a22a9 100644 +--- a/src/bin/dhcp6/meson.build ++++ b/src/bin/dhcp6/meson.build +@@ -1,3 +1,8 @@ ++kea_dhcp6_dependencies = [CRYPTO_DEP] ++if SYSTEMD_DEP.found() ++ kea_dhcp6_dependencies += [SYSTEMD_DEP] ++endif ++ + dhcp6_lib = static_library( + 'dhcp6', + 'client_handler.cc', +@@ -17,7 +22,7 @@ dhcp6_lib = static_library( + kea_dhcp6 = executable( + 'kea-dhcp6', + 'main.cc', +- dependencies: [CRYPTO_DEP], ++ dependencies: kea_dhcp6_dependencies, + include_directories: [include_directories('.')] + INCLUDES, + install: true, + install_dir: SBINDIR, diff --git a/kea.spec b/kea.spec index 2832c63..67c06fa 100644 --- a/kea.spec +++ b/kea.spec @@ -2,25 +2,23 @@ ## (rpmautospec version 0.6.5) ## RPMAUTOSPEC: autorelease, autochangelog %define autorelease(e:s:pb:n) %{?-p:0.}%{lua: - release_number = 1; + release_number = 2; base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}")); print(release_number + base_release_number - 1); }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}} ## END: Set by rpmautospec Name: kea -Version: 2.6.3 +Version: 3.0.1 Release: %autorelease Summary: DHCPv4, DHCPv6 and DDNS server from ISC - License: MPL-2.0 AND BSL-1.0 URL: http://kea.isc.org -# TODO: no support for netconf/sysconf yet +# Support for netconf is not enabled %bcond_with sysrepo -%bcond_with gtest +%bcond_with tests -#%%global prever P1 %global keama_version 4.5.0 # Bundled version of Bind libraries linked into Keama %global bind_version 9.11.36 
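Review bot: The notification added to dhcp4/main.cc and dhcp6/main.cc sends READY=1 once, but the meson.build hunks only add SYSTEMD_DEP to the link dependencies — where HAVE_LIBSYSTEMD_DAEMON itself gets defined is not visible in this hunk (the config-report.sh.in change suggests a configure-time value), so it is worth confirming the define actually reaches main.cc, otherwise the whole block compiles out and the units switched to Type=notify will time out. Nothing sends STOPPING=1 when server.run() returns; that is optional for Type=notify but cheap to add next to the existing call. A short comment such as `// Under Type=notify systemd blocks startup until READY=1 arrives; keep this after every fatal-exit path` would explain why the call sits after LOG_INFO(..._STARTED) rather than earlier in main(). The config-report.sh.in part of this hunk is garbled on this page (the here-document body is missing), so I can't review it; both main() bodies start outside the hunk.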
@@ -33,8 +31,8 @@ Provides: %1 = %{version}-%{release} \ Conflicts: %1 \ %endif -Source0: https://downloads.isc.org/isc/kea/%{version}%{?prever:-%{prever}}/kea-%{version}%{?prever:-%{prever}}.tar.gz -Source1: https://downloads.isc.org/isc/kea/%{version}%{?prever:-%{prever}}/kea-%{version}%{?prever:-%{prever}}.tar.gz.asc +Source0: https://downloads.isc.org/isc/kea/%{version}/kea-%{version}.tar.xz +Source1: https://downloads.isc.org/isc/kea/%{version}/kea-%{version}.tar.xz.asc Source2: https://downloads.isc.org/isc/keama/%{keama_version}/keama-%{keama_version}.tar.gz Source3: https://downloads.isc.org/isc/keama/%{keama_version}/keama-%{keama_version}.tar.gz.asc Source10: https://www.isc.org/docs/isc-keyblock.asc 
@@ -45,54 +43,55 @@ Source14: kea-ctrl-agent.service Source15: systemd-tmpfiles.conf Source16: systemd-sysusers.conf -Patch1: kea-openssl-version.patch -Patch2: kea-gtest.patch +Patch1: kea-sd-daemon.patch +# https://issues.redhat.com/browse/RHEL-125048 +# Based on: https://gitlab.isc.org/isc-projects/kea/-/commit/92b65b2345e07d826b56ffd65cf47538f1c7a271 +Patch2: CVE-2025-11232.patch -# autoreconf -BuildRequires: autoconf automake libtool BuildRequires: boost-devel -BuildRequires: gcc-c++ -# %%configure --with-openssl +# %%meson -D crypto=openssl BuildRequires: openssl-devel %if 0%{?fedora} # https://bugzilla.redhat.com/show_bug.cgi?id=2300868#c4 BuildRequires: openssl-devel-engine %endif -# %%configure --with-pgsql +# %%meson -D krb5=enabled +BuildRequires: krb5-devel +# %%meson -D mysql=enabled +BuildRequires: mariadb-connector-c-devel +# %%meson -D postgresql=enabled %if 0%{?fedora} || 0%{?rhel} > 9 BuildRequires: libpq-devel %else BuildRequires: postgresql-server-devel %endif -# %%configure --with-mysql -BuildRequires: mariadb-connector-c-devel -BuildRequires: log4cplus-devel +# %%meson -D systemd=enabled +BuildRequires: systemd-devel %if %{with sysrepo} -# %%configure --with-sysrepo +# %%meson -D netconf=enabled BuildRequires: sysrepo-devel %endif - +%if %{with tests} +# %%meson -D tests=enabled %ifarch %{valgrind_arches} BuildRequires: valgrind-devel %endif -%if %{with gtest} -# %%configure --enable-gtest BuildRequires: gtest-devel -# src/lib/testutils/dhcp_test_lib.sh BuildRequires: procps-ng %endif -# %%configure --enable-generate-parser +BuildRequires: log4cplus-devel +BuildRequires: python3-devel + +BuildRequires: gcc-c++ +BuildRequires: autoconf automake libtool +BuildRequires: make +BuildRequires: meson BuildRequires: bison BuildRequires: flex -# %%configure --enable-shell -BuildRequires: python3-devel -# in case you ever wanted to use %%configure --enable-generate-docs -#BuildRequires: elinks asciidoc plantuml BuildRequires: systemd BuildRequires: 
systemd-rpm-macros BuildRequires: python3-sphinx BuildRequires: python3-sphinx_rtd_theme -BuildRequires: make BuildRequires: gnupg2 Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -101,7 +100,6 @@ Requires: coreutils util-linux %{?systemd_requires} %{?sysusers_requires_compat} - %description DHCP implementation from Internet Systems Consortium, Inc. that features fully functional DHCPv4, DHCPv6 and Dynamic DNS servers. @@ -109,7 +107,6 @@ Both DHCP servers fully support server discovery, address assignment, renewal, rebinding and release. The DHCPv6 server supports prefix delegation. Both servers support DNS Update mechanism, using stand-alone DDNS daemon. - %package doc Summary: Documentation for Kea DHCP server BuildArch: noarch @@ -117,7 +114,6 @@ BuildArch: noarch %description doc Documentation and example configuration for Kea DHCP server. - %package devel Summary: Development headers and libraries for Kea DHCP server Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -129,7 +125,6 @@ Requires: pkgconfig %description devel Header files and API documentation. - %package hooks Summary: Hooks libraries for kea Requires: %{name}-libs%{?_isa} = %{version}-%{release} @@ -140,7 +135,6 @@ Hooking mechanism allow Kea to load one or more dynamically-linked libraries ("hook points"), call functions in them. Those functions perform whatever custom processing is required. - %package libs Summary: Shared libraries used by Kea DHCP server %upstream_name_compat %{upstream_name}-libs @@ -148,7 +142,6 @@ Summary: Shared libraries used by Kea DHCP server %description libs This package contains shared libraries used by Kea DHCP server. - %package keama Summary: Experimental migration assistant for Kea Provides: bundled(bind-libs) = %{bind_version} 
@@ -157,7 +150,6 @@ Provides: bundled(bind-libs) = %{bind_version} The KEA Migration Assistant is an experimental tool which helps to translate ISC DHCP configurations to Kea. - %prep %if 0%{?fedora} || 0%{?rhel} > 8 %{gpgverify} --keyring='%{S:10}' --signature='%{S:1}' --data='%{S:0}' @@ -165,42 +157,34 @@ ISC DHCP configurations to Kea. %endif %autosetup -T -b2 -N -n keama-%{keama_version} -%autosetup -p1 -n kea-%{version}%{?prever:-%{prever}} - -rm -rf doc/sphinx/_build - -# to be able to build on ppc64(le) -# https://sourceforge.net/p/flex/bugs/197 -# https://lists.isc.org/pipermail/kea-dev/2016-January/000599.html -sed -i -e 's|ECHO|YYECHO|g' src/lib/eval/lexer.cc - +%autosetup -p1 -n kea-%{version} %build -autoreconf --verbose --force --install +# This removes RPATH from binaries +export KEA_PKG_TYPE_IN_CONFIGURE="rpm" -%configure \ - --disable-dependency-tracking \ - --disable-rpath \ - --disable-silent-rules \ - --disable-static \ - --enable-generate-docs \ - --enable-generate-messages \ - --enable-generate-parser \ - --enable-shell \ - --enable-perfdhcp \ -%if %{with gtest} - --with-gtest \ -%endif - --with-mysql \ - --with-pgsql \ - --with-gnu-ld \ - --with-log4cplus \ +%meson \ + --install-umask 0022 \ %if %{with sysrepo} - --with-sysrepo \ + -D netconf=enabled \ +%else + -D netconf=disabled \ %endif - --with-openssl +%if %{with tests} + -D tests=enabled \ +%else + -D tests=disabled \ +%endif + -D crypto=openssl \ + -D krb5=enabled \ + -D mysql=enabled \ + -D postgresql=enabled \ + -D systemd=enabled -%make_build +# Messages need to be regenerated by kea-msg-compiler for CVE-2025-11232.patch +%meson_build messages +%meson_build +%meson_build doc # Configure & build Keama pushd ../keama-%{keama_version} 
@@ -230,15 +214,13 @@ autoreconf --verbose --force --install %make_build popd - -%if %{with gtest} +%if %{with tests} %check -make check +%meson_test %endif - %install -%make_install docdir=%{_pkgdocdir} +%meson_install # Install Keama pushd ../keama-%{keama_version} @@ -246,20 +228,23 @@ pushd ../keama-%{keama_version} popd # Remove Keama's static library, dhcp headers and man pages -rm -f %{buildroot}/%{_libdir}/libdhcp.a +rm %{buildroot}/%{_libdir}/libdhcp.a rm -rf %{buildroot}/%{_includedir}/omapip/ rm -rf %{buildroot}%{_mandir}/man5/ -# Get rid of .la files -find %{buildroot} -type f -name "*.la" -delete -print +# Remove keactrl +rm %{buildroot}%{_sysconfdir}/kea/keactrl.conf +rm %{buildroot}%{_sbindir}/keactrl +rm %{buildroot}%{_mandir}/man8/keactrl.8* %if %{without sysrepo} # Remove netconf files rm %{buildroot}%{_mandir}/man8/kea-netconf.8 %endif -rm -f %{buildroot}%{_pkgdocdir}/COPYING -rm -f %{buildroot}%{_pkgdocdir}/html/.buildinfo +rm %{buildroot}%{_pkgdocdir}/COPYING + +rm -rf %{buildroot}/usr/share/kea/meson-info/ # Create empty password file for the Kea Control Agent install -m 0640 /dev/null %{buildroot}%{_sysconfdir}/kea/kea-api-password @@ -285,7 +270,6 @@ install -dm 0750 %{buildroot}%{_rundir}/kea/ mkdir -p %{buildroot}%{_localstatedir}/log install -dm 0750 %{buildroot}%{_localstatedir}/log/kea/ - %pre %sysusers_create_compat %{S:16} @@ -304,7 +288,7 @@ install -dm 0750 %{buildroot}%{_localstatedir}/log/kea/ && chown root:kea %{_sysconfdir}/kea/kea*.conf && chmod 0640 %{_sysconfdir}/kea/kea*.conf # Remove /tmp/ from socket-name for existing configurations to fix CVE-2025-32802 -for i in kea-ctrl-agent.conf keactrl.conf kea-dhcp4.conf kea-dhcp6.conf kea-dhcp-ddns.conf; do +for i in kea-ctrl-agent.conf kea-dhcp4.conf kea-dhcp6.conf kea-dhcp-ddns.conf; do if [ -n "`grep '\"socket-name\": \"/tmp/' %{_sysconfdir}/kea/$i`" ]; then sed -i.CVE-2025-32802.bak 's#\("socket-name": "/tmp/\)\(.*\)#"socket-name": "\2#g' %{_sysconfdir}/kea/$i fi 
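Review bot: `rm -rf %{buildroot}/usr/share/kea/meson-info/` in the %install hunk hard-codes /usr/share where the surrounding lines use macros; `rm -rf %{buildroot}%{_datadir}/kea/meson-info/` keeps it consistent with the `%{_mandir}` and `%{_sysconfdir}` removals next to it and with `%{_datarootdir}/kea` in %files. The switch from `rm -f` to plain `rm` for libdhcp.a, keactrl.conf, keactrl, keactrl.8* and COPYING is a deliberate tightening — the build now fails if upstream stops shipping one of them — which is worth stating in a one-line comment, e.g. `# plain rm on purpose: fail the build if the upstream layout changes`, so a later maintainer does not "fix" it back.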
@@ -321,13 +305,10 @@ fi %postun %systemd_postun_with_restart kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service - %ldconfig_scriptlets libs - %files %license COPYING -%{_bindir}/kea-msg-compiler %{_sbindir}/kea-admin %{_sbindir}/kea-ctrl-agent %{_sbindir}/kea-dhcp-ddns @@ -335,7 +316,6 @@ fi %{_sbindir}/kea-dhcp6 %{_sbindir}/kea-lfc %{_sbindir}/kea-shell -%{_sbindir}/keactrl %{_sbindir}/perfdhcp %{_unitdir}/kea*.service %{_datarootdir}/kea @@ -357,7 +337,6 @@ fi %{_mandir}/man8/kea-netconf.8* %endif %{_mandir}/man8/kea-shell.8* -%{_mandir}/man8/keactrl.8* %{_mandir}/man8/perfdhcp.8* %{_tmpfilesdir}/kea.conf %{_sysusersdir}/kea.conf 
@@ -375,49 +354,115 @@ fi %doc %{_pkgdocdir}/SECURITY.md %files devel +%{_bindir}/kea-msg-compiler %{_includedir}/kea -%{_libdir}/libkea-*.so +%{_libdir}/libkea-asiodns.so +%{_libdir}/libkea-asiolink.so +%{_libdir}/libkea-cc.so +%{_libdir}/libkea-cfgrpt.so +%{_libdir}/libkea-config.so +%{_libdir}/libkea-cryptolink.so +%{_libdir}/libkea-d2srv.so +%{_libdir}/libkea-database.so +%{_libdir}/libkea-dhcp_ddns.so +%{_libdir}/libkea-dhcp.so +%{_libdir}/libkea-dhcpsrv.so +%{_libdir}/libkea-dns.so +%{_libdir}/libkea-eval.so +%{_libdir}/libkea-exceptions.so +%{_libdir}/libkea-hooks.so +%{_libdir}/libkea-http.so +%{_libdir}/libkea-log-interprocess.so +%{_libdir}/libkea-log.so +%{_libdir}/libkea-mysql.so +%{_libdir}/libkea-pgsql.so +%{_libdir}/libkea-process.so +%{_libdir}/libkea-stats.so +%{_libdir}/libkea-tcp.so +%{_libdir}/libkea-util-io.so +%{_libdir}/libkea-util.so +%{_libdir}/pkgconfig/kea.pc %files hooks +%dir %{_sysconfdir}/kea/radius +%{_sysconfdir}/kea/radius/dictionary %dir %{_libdir}/kea -%{_libdir}/kea/hooks +%dir %{_libdir}/kea/hooks +%{_libdir}/kea/hooks/libddns_gss_tsig.so +%{_libdir}/kea/hooks/libdhcp_bootp.so +%{_libdir}/kea/hooks/libdhcp_class_cmds.so +%{_libdir}/kea/hooks/libdhcp_ddns_tuning.so +%{_libdir}/kea/hooks/libdhcp_flex_id.so +%{_libdir}/kea/hooks/libdhcp_flex_option.so +%{_libdir}/kea/hooks/libdhcp_ha.so +%{_libdir}/kea/hooks/libdhcp_host_cache.so +%{_libdir}/kea/hooks/libdhcp_host_cmds.so +%{_libdir}/kea/hooks/libdhcp_lease_cmds.so +%{_libdir}/kea/hooks/libdhcp_lease_query.so +%{_libdir}/kea/hooks/libdhcp_legal_log.so +%{_libdir}/kea/hooks/libdhcp_limits.so +%{_libdir}/kea/hooks/libdhcp_mysql.so +%{_libdir}/kea/hooks/libdhcp_perfmon.so +%{_libdir}/kea/hooks/libdhcp_pgsql.so +%{_libdir}/kea/hooks/libdhcp_ping_check.so +%{_libdir}/kea/hooks/libdhcp_radius.so +%{_libdir}/kea/hooks/libdhcp_run_script.so +%{_libdir}/kea/hooks/libdhcp_stat_cmds.so +%{_libdir}/kea/hooks/libdhcp_subnet_cmds.so %files libs %license COPYING # older: find `rpm --eval 
%%{_topdir}`/BUILDROOT/kea-*/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort # >=f41: find `rpm --eval %%{_topdir}`/BUILD/kea-*/BUILDROOT/usr/lib64/ -type f | grep /usr/lib64/libkea | sed -e 's#.*/usr/lib64\(.*\.so\.[0-9]\+\)\.[0-9]\+\.[0-9]\+#%%{_libdir}\1*#' | sort -%{_libdir}/libkea-asiodns.so.49* -%{_libdir}/libkea-asiolink.so.72* -%{_libdir}/libkea-cc.so.68* -%{_libdir}/libkea-cfgclient.so.66* -%{_libdir}/libkea-cryptolink.so.50* -%{_libdir}/libkea-d2srv.so.47* -%{_libdir}/libkea-database.so.62* -%{_libdir}/libkea-dhcp_ddns.so.57* -%{_libdir}/libkea-dhcp++.so.92* -%{_libdir}/libkea-dhcpsrv.so.111* -%{_libdir}/libkea-dns++.so.57* -%{_libdir}/libkea-eval.so.69* -%{_libdir}/libkea-exceptions.so.33* -%{_libdir}/libkea-hooks.so.100* -%{_libdir}/libkea-http.so.72* -%{_libdir}/libkea-log.so.61* -%{_libdir}/libkea-mysql.so.71* -%{_libdir}/libkea-pgsql.so.71* -%{_libdir}/libkea-process.so.74* -%{_libdir}/libkea-stats.so.41* -%{_libdir}/libkea-tcp.so.19* -%{_libdir}/libkea-util-io.so.0* -%{_libdir}/libkea-util.so.86* +%{_libdir}/libkea-asiodns.so.62* +%{_libdir}/libkea-asiolink.so.88* +%{_libdir}/libkea-cc.so.82* +%{_libdir}/libkea-cfgrpt.so.3* +%{_libdir}/libkea-config.so.83* +%{_libdir}/libkea-cryptolink.so.64* +%{_libdir}/libkea-d2srv.so.63* +%{_libdir}/libkea-database.so.76* +%{_libdir}/libkea-dhcp_ddns.so.68* +%{_libdir}/libkea-dhcp.so.109* +%{_libdir}/libkea-dhcpsrv.so.130* +%{_libdir}/libkea-dns.so.71* +%{_libdir}/libkea-eval.so.84* +%{_libdir}/libkea-exceptions.so.45* +%{_libdir}/libkea-hooks.so.119* +%{_libdir}/libkea-http.so.87* +%{_libdir}/libkea-log-interprocess.so.3* +%{_libdir}/libkea-log.so.75* +%{_libdir}/libkea-mysql.so.88* +%{_libdir}/libkea-pgsql.so.88* +%{_libdir}/libkea-process.so.90* +%{_libdir}/libkea-stats.so.53* +%{_libdir}/libkea-tcp.so.33* +%{_libdir}/libkea-util-io.so.12* +%{_libdir}/libkea-util.so.101* %files keama %license COPYING %{_bindir}/keama 
%{_mandir}/man8/keama.8* - %changelog ## START: Generated by rpmautospec +* Thu Oct 30 2025 Martin Osvald - 3.0.1-2 +- Fixes CVE-2025-11232 + +* Tue Sep 02 2025 Martin Osvald - 3.0.1-1 +- New version 3.0.1 +- Fixes CVE-2025-40779 + +* Fri Aug 01 2025 Martin Osvald - 3.0.0-2 +- Support for sending startup notifications to systemd + +* Wed Jul 30 2025 Martin Osvald - 3.0.0-1 +- New version 3.0.0 +- Remove broken keactrl in favor of systemd unit files +- kea.spec: General cleanup and removal of lines that have no effect +- kea-msg-compiler was moved from kea to kea-devel + * Sun Jun 08 2025 Martin Osvald - 2.6.3-1 - New version 2.6.3 - Fix for: CVE-2025-32801, CVE-2025-32802, CVE-2025-32803 diff --git a/sources b/sources index b098537..78dfa08 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (kea-2.6.3.tar.gz) = d7781c0b95529bfe89c19615c1dd5952fd4c4b60274e187a641992dad81ef5af921dfb15050ec43169a0c2ad267639642b2e294c5d43405f85a5fb11bb1a939a +SHA512 (kea-3.0.1.tar.xz) = 84e2164aa91c95b2e6e65994a2327fa1233c82b06af69312f55464119d4edc6151a4662a54f4a3ae83e0487dac7b25c5e59e60bcbed653fd30fb32ae7cacddf3 SHA512 (keama-4.5.0.tar.gz) = 2e48987e21999718be7ceb5b604be672c84666b07dde9545285ff7146ab6825e81af1ec3b5a4b50f20e61b40ed11b0254e3705cc580bb85de24b77ee8cbca162