Hello community,
here is the log from the commit of package keepalived for openSUSE:Factory checked in at 2018-11-29 23:00:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keepalived (Old)
and /work/SRC/openSUSE:Factory/.keepalived.new.19453 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keepalived"
Thu Nov 29 23:00:30 2018 rev:23 rq:652407 version:2.0.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/keepalived/keepalived.changes 2018-05-01 23:40:56.618741254 +0200
+++ /work/SRC/openSUSE:Factory/.keepalived.new.19453/keepalived.changes 2018-11-29 23:00:30.751498124 +0100
@@ -1,0 +2,628 @@
+Wed Nov 28 12:27:13 UTC 2018 - Marcus Rueckert
+
+- update to 2.0.10
+ - Fix compiling on Alpine Linux.
+ - Stop printf compiler warning on Alpine Linux due to rlim_t.
+ - manpage cosmetic.
+ - Fix removing snmpd read threads when snmpd becomes unavailable.
+ - Update to support libipset version 7.
+ - Use ipset_printf for ipset messages so can go to log.
+ - When opening files for write, ensure files can only be read by
+ root. Issue #1048 referred to CVE-2018-19046 regarding files
+ used for debugging purposes could potentially be read by non
+ root users. This commit ensures that such log files cannot be
+ opened by non root users.
+ - Disable fopen_safe() append mode by default If a non privileged
+ user creates /tmp/keepalived.log and has it open for read (e.g.
+ tail -f), then even though keepalived will change the owner to
+ root and remove all read/write permissions from non owners, the
+ application which already has the file open will be able to
+ read the added log entries. Accordingly, opening a file in
+ append mode is disabled by default, and only enabled if
+ --enable-smtp-alert-debug or --enable-log-file (which are
+ debugging options and unset by default) are enabled. This
+ should further alleviate security concerns related to
+ CVE-2018-19046.
+ - vrrp: add support to constant time memcmp. Just an update to
+ use best practise security design pattern. While comparing
+ password or hmac you need to ensure comparison function is time
+ constant in order to figth against any timing attacks. We turn
+ off potential compiler optimizations for this particular
+ function to avoid any short circuit.
+ - Make sure a non privileged user cannot read keepalived file
+ output Ensure that when a file such as /tmp/keepalived.data is
+ written, no non privileged can have a previous version of that
+ file already open, thereby allowing them to read the data.
+ This should fully resolve CVE-2018-19046.
+- drop b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch: included in
+ update
+
+-------------------------------------------------------------------
+Sat Nov 10 21:01:14 UTC 2018 - Marcus Rueckert
+
+- added b7a98f9265ffb5927c4d54c9a30726c76e65bb52.patch to fix
+ building with libipset >= 7
+
+-------------------------------------------------------------------
+Fri Nov 9 16:07:40 UTC 2018 - Marcus Rueckert
+
+- update to 2.0.9
+ - Fix updating a timer thread's timeout. Issue #1042 identified
+ that the BFD process could segfault. This was tracked down to a
+ timer thread which had already expired having its timeout
+ updated by timer_thread_update_timeout(). The sands timer
+ should only be updated if the thread is on a waiting queue, and
+ not if it has already timed out or it is unused.
+ - Don't requeue read thread if it is not waiting. This update
+ matches commit 09a2a37 - Fix updating a timer thread's timeout
+ should.
+ - Allow BFD instance to recover after send error. If sendto
+ failed in bfd_send_packet(), the bfd instance was put into
+ admin down state, but there was no means for the bfd instance
+ to transition out of admin down state. This commit makes
+ keepalived log the first instance of a sequence of failures to
+ send a bfd packet, but does not bring the bfd instance down in
+ case the error is a transient error. If the error is longer
+ lasting, the remote system will timeout, transition to down
+ state, and send a message saying it is down. Once the bfd
+ instance can start sending again the bfd instance can now
+ transition again to up state.
+ - Make DGB definition use log_message() rather than syslog().
+ - Fix building with --enable-debug configure option.
+ - Start list of required kernel features in INSTALL file. Issue
+ #1024 asked what kernel features are needed to support
+ keepalived. The simple answer was that it isn't recorded
+ anywhere, so this is a start of making a list of the features
+ required.
+ - Make list_remove() call list free function and add
+ list_transfer(). If an element is being removed from a list,
+ the free function should be called. list_transfer() allows a
+ list element to be moved from one list to another without
+ freeing and reallocating the list element control information.
+ - Add mem_check diagnostics re calling functions of list
+ functions. When using mem_check, mallocs and frees were
+ recorded against the list functions, and the originating
+ functions weren't identified. This patch adds recording of the
+ functions calling the list functions so that the originating
+ function is identified.
+ - Simplify the processing of comments in configuration files.
+ This commit moves the handling (and removal) of comments to a
+ single function (called from read_line()) which simplifies the
+ processing of config files.
+ - Add ~SEQ(start, step, end) config functionality Where a
+ configuration has repeated blocks of configuration where the
+ only thing that changes is a numeric value (e.g. for VRIDs from
+ 1 to 255) this allows the block to be defined once, and a
+ single line using ~SEQ can then generate all the blocks.
+ - Use REALLOC when building a multiline definition. The code
+ used to use MALLOC, strcpy() and FREE, but REALLOC can do all
+ this for us.
+ - Improve mem-check diagnostics. When using an allocation list
+ of over 50,000 entries, it was quite slow searching thtough all
+ the entries to find the matching memory allocation, and to find
+ free entries. This commit changes to using malloc() to create
+ entries, and a red-black tree to hold the entries. It also has
+ a separate list of free entries. This commit also adds 4 more
+ types of memory allocation error, and improves the consistency
+ of the entries in the log files.
+ - Don't attempt to delete VMAC when underlying interface is
+ deleted. If the underlying interface of one of our vmacs is
+ deleted, and we know the vmac has been deleted, don't attempt
+ to delete it again.
+ - Include master state in determining if vmacs are up or down
+ Netlink doesn't send messages for a state change of a macvlan
+ when the master device changes state, so we have to track that
+ for ourselves.
+ - Turn off parser debugging.
+ - Make test/mk_if create iptables chains.
+ - Handle interfaces not existing when keepalived terminates. If
+ the underlying interface of a vmac we created has been deleted,
+ the vmac will not exist so don't attempt to delete it again.
+ Also, don't attempt to reset the configuration of the
+ underlying interface.
+ - Handle the underlying interface of a macvlan interface going
+ up/down. The kernel doesn't send netlink messages for macvlans
+ going up or down when the underlying interface transitions (it
+ doesn't even update their status to say they are up/down), but
+ the interfaces don't work. We need to track the state of the
+ underlying interfaces and propagate that to the macvlan
+ interfaces.
+ - Fix duplicate value in track_t enum.
+ - Fix check for matching track types.
+ - Treat macvtap interfaces in the same way as macvlan interfaces.
+ - Improve handling of interfaces not existing when keepalived
+ starts.
+ - Fix handling interface deletion and creation of vmacs on
+ macvlan i/fs.
+ - When interface created, open sockets on it if used by VRRP
+ directly If an interface is created that has vrrp instances
+ configured on it that don't use VMACs, or use vmac_xmit_base,
+ then the raw sockets must be opened.
+ - Force seeing a transition to up state when an interface is
+ created.
+ - Fix netlink remnant data error.
+ - Add command line and configuration option to set umask. Issue
+ #1048 identified that files created by keepalived are created
+ with mode 0666. This commit changes the default to 0644, and
+ also allows the umask to be specified in the configuration or
+ as a command line option.
+ - Fix compile warning introduced in commit c6247a9. Commit
+ c6247a9 - "Add command line and configuration option to set
+ umask" introduced a compile warning, although the code would
+ have worked OK.
+ - When opening files for write, ensure they aren't symbolic
+ links. Issue #1048 identified that if, for example, a non
+ privileged user created a symbolic link from
+ /etc/keepalvied.data to /etc/passwd, writing to
+ /etc/keepalived.data (which could be invoked via DBus) would
+ cause /etc/passwd to be overwritten. This commit stops
+ keepalived writing to pathnames where the ultimate component is
+ a symbolic link, by setting O_NOFOLLOW whenever opening a file
+ for writing. This might break some setups, where, for example,
+ /etc/keepalived.data was a symbolic link to
+ /home/fred/keepalived.data. If this was the case, instead
+ create a symbolic link from /home/fred/keepalived.data to
+ /tmp/keepalived.data, so that the file is still accessible
+ via /home/fred/keepalived.data. There doesn't appear to be a
+ way around this backward incompatibility, since even checking
+ if the pathname is a symbolic link prior to opening for
+ writing would create a race condition.
+ - Make netlink error messages more meaningful.
+ - Fix compiling without support for macvlans.
+ - fix uninitialized structure. The linkinfo and linkattr
+ structures were not initialized, so we should not expect that
+ unexistant attributes are set to NULL. Add the missing
+ memset().
+ - fix socket allocation with dynamic interfaces. When there are
+ several vrrp instance binding different interfaces that don't
+ exist at startup, their ifindex is set to 0 in the sock. The
+ function already_exist_sock() that lookup for an existing
+ socket will always return the first sock because the ifindex is
+ the same. Later, when an interface appears, the fd will be
+ created for one instance, and all instances will wrongly use
+ this fd to send the advertisments. Fix this by using the
+ interface structure pointer instead of the ifindex as the key
+ for sock lookup. The problem was identified by Olivier Matz
+ who also provided a patch fixing the problem. This patch is a
+ slight rework of Olivier's patch, better using the existing
+ data structures that keepalived already holds.
+ - When creating a macvlan interface, use AF_UNSPEC rather than
+ AF_INET.
+ - Stop using libnl for configuring interfaces. Since there is
+ code to configure the interfaces using netlink without using
+ libnl, there is no point in having code to do it using libnl.
+ - Fix building on Centos 6.5.
+ - Stop including some files not needed after libnl removal for
+ i/fs.
+ - Fix some compilation issues when building without vrrp support.
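Review bot: CVE-2018-19046 is named only inside the wrapped upstream sub-bullets of the 2.0.10 entry, and the 2.0.9 fixes for Issue #1048 (O_NOFOLLOW on files opened for write, default file mode changed from 0666 to 0644 with a new umask option) are buried in the same way. Add a top-level bullet under "- update to 2.0.10" that names the CVE and these behaviour changes, since the text itself calls the O_NOFOLLOW change backward incompatible for setups where the output path is a symbolic link. While there, fix the typos in the pasted text: "figth", "thtough", "unexistant", "advertisments" and "/etc/keepalvied.data".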
++++ 431 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/keepalived/keepalived.changes
++++ and /work/SRC/openSUSE:Factory/.keepalived.new.19453/keepalived.changes
Old:
----
keepalived-1.4.1.tar.gz
New:
----
keepalived-2.0.10.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ keepalived.spec ++++++
--- /var/tmp/diff_new_pack.TS20P6/_old 2018-11-29 23:00:31.595497085 +0100
+++ /var/tmp/diff_new_pack.TS20P6/_new 2018-11-29 23:00:31.611497064 +0100
@@ -26,11 +26,15 @@
%else
%bcond_with systemd
%endif
+%if 0%{?suse_version} > 1500
+%bcond_without dbus
+%else
%bcond_with dbus
-%bcond_with json
+%endif
+%bcond_without json
Name: keepalived
-Version: 1.4.1
+Version: 2.0.10
Release: 0
Summary: A keepalive facility for Linux
License: GPL-2.0-or-later
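Review bot: the bcond change at the top of this hunk turns dbus on by default for suse_version > 1500 and json on everywhere, but the 2.0.10 entry in keepalived.changes only records the version update and the dropped patch. Please add a changelog line for the new defaults. The D-Bus one matters most, because the 2.0.9 notes in the same changes file say that writing /etc/keepalived.data "could be invoked via DBus", so this build now ships that interface where it previously did not.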
@@ -56,6 +60,7 @@
BuildRequires: pkgconfig(libipset)
BuildRequires: pkgconfig(libiptc)
BuildRequires: pkgconfig(libnl-3.0)
+BuildRequires: pkgconfig(libpcre2-8)
BuildRequires: pkgconfig(xtables)
%else
BuildRequires: dbus-1-devel
@@ -64,6 +69,7 @@
BuildRequires: libiptc-devel
BuildRequires: libnl-devel
BuildRequires: libxtables-devel
+BuildRequires: pcre2-devel
%endif
BuildRequires: libnfnetlink-devel
# BuildRequires: netsnmp-devel
@@ -80,8 +86,6 @@
Requires(pre): %insserv_prereq
%endif
-BuildRoot: %{_tmppath}/%{name}-%{version}-build
-
%description
This project provides facilities for load balancing and high-availability to
Linux system and Linux-based infrastructures. The load-balancing framework
@@ -106,10 +110,12 @@
export CFLAGS="%optflags -DOPENSSL_NO_SSL_INTERN"
%configure \
--disable-silent-rules \
+ --enable-bfd \
%if %{with json}
--enable-json \
%endif
--enable-snmp \
+ --enable-snmp-checker \
--enable-snmp-vrrp \
--enable-snmp-rfc \
--enable-snmp-rfcv2 \
@@ -118,6 +124,8 @@
--enable-dbus \
--enable-dbus-create-instance \
%endif
+ --enable-regex \
+ --enable-regex-timers \
%if %{with systemd}
--with-init=systemd \
--with-systemdsystemunitdir="%{_unitdir}" \
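Review bot: --enable-regex-timers is added unconditionally next to --enable-regex, and by its name it looks like a timing or diagnostic switch rather than a feature. Please confirm it is wanted in the production build. If it is only useful for debugging, drop it or put it behind a bcond the way json and dbus are handled just above.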
@@ -191,7 +199,8 @@
%files
%defattr(-,root,root)
-%doc AUTHOR ChangeLog CONTRIBUTORS COPYING README
+%license COPYING
+%doc AUTHOR ChangeLog CONTRIBUTORS README
%doc %{_datadir}/doc/keepalived/
%doc doc/samples/
%doc doc/keepalived.conf.SYNOPSIS doc/NOTE_vrrp_vmac.txt
++++++ keepalive-init.patch ++++++
--- /var/tmp/diff_new_pack.TS20P6/_old 2018-11-29 23:00:31.659497005 +0100
+++ /var/tmp/diff_new_pack.TS20P6/_new 2018-11-29 23:00:31.671496990 +0100
@@ -1,8 +1,8 @@
-Index: keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in
+Index: keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in
===================================================================
---- keepalived-1.4.0.orig/keepalived/etc/init.d/keepalived.suse.init.in
-+++ keepalived-1.4.0/keepalived/etc/init.d/keepalived.suse.init.in
-@@ -1,23 +1,23 @@
+--- keepalived-2.0.7.orig/keepalived/etc/init.d/keepalived.suse.init.in
++++ keepalived-2.0.7/keepalived/etc/init.d/keepalived.suse.init.in
+@@ -1,23 +1,24 @@
#! /bin/sh
### BEGIN INIT INFO
@@ -31,6 +31,7 @@
+DAEMON_BIN='@sbindir@/keepalived'
+DAEMON_CONF='@sysconfdir@/keepalived/keepalived.conf'
+DAEMON_PIDFILE='@localstatedir@/run/keepalived.pid'
++DAEMON_SYSCONF='/etc/sysconfig/keepalived'
+DAEMON_OPT='-d'
#DAEMON_USER="root"
-SUPPORTS_HUP="yes"
@@ -38,7 +39,7 @@
# PidFile @localstatedir@/run/keepalived.pid
# DatabaseOwner root
-@@ -25,6 +25,18 @@ pid_par=${DAEMON_PIDFILE:+"-p $DAEMON_PI
+@@ -25,6 +26,18 @@ pid_par=${DAEMON_PIDFILE:+"-p $DAEMON_PI
usr_par=${DAEMON_USER:+"-u $DAEMON_USER"}
test -x $DAEMON_BIN || exit 5
@@ -57,140 +58,14 @@
# Shell functions sourced from /etc/rc.status:
# rc_check check and set local and overall rc status
-@@ -60,71 +72,70 @@ rc_reset
- test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE
-
- case "$1" in
-- start)
-- echo -n "Starting $DAEMON "
-- if test ! -f ${DAEMON_CONF}; then
-- echo -n >&2 "Configuration file, ${DAEMON_CONF} does not exist. "
-- rc_status -s
-- exit 6
-- fi
-- checkproc $pid_par ${DAEMON_BIN}
-- case $? in
-- 0) echo -n "- Warning: daemon already running. " ;;
-- 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;;
-- esac
+@@ -72,8 +85,8 @@ case "$1" in
+ 0) echo -n "- Warning: daemon already running. " ;;
+ 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;;
+ esac
-# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT}"
- startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT}
-- rc_status -v
-- ;;
-- stop)
-- echo -n "Shutting down $DAEMON "
-- checkproc $pid_par ${DAEMON_BIN} || \
-- echo -n " Warning: daemon not running. "
-- killproc $pid_par -t 10 ${DAEMON_BIN}
-- rc_status -v
-- ;;
-- try-restart|condrestart)
-- if test "$1" = "condrestart"; then
-- echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
-- fi
-- $0 status
-- if test $? = 0; then
-- $0 restart
-- else
-- rc_reset
-- fi
-- rc_status
-- ;;
-- restart)
-- $0 stop
-- $0 start
-- rc_status
-- ;;
-- force-reload|reload)
-- if test "$SUPPORTS_HUP" = "yes"; then
-- echo -n "Reload service $DAEMON "
-- checkproc $pid_par ${DAEMON_BIN} && \
-- touch ${DAEMON_PIDFILE} || \
-- echo -n >&2 " Warning: daemon not running. "
-- killproc $pid_par -HUP ${DAEMON_BIN}
-- rc_status -v
-- else
-- $0 stop && sleep 3 && $0 start
-- rc_status
-- fi
-- ;;
-- status)
-- echo -n "Checking for $DAEMON "
-- checkproc $pid_par ${DAEMON_BIN}
-- rc_status -v
-- ;;
-- probe)
-- test ${DAEMON_CONF} -nt ${DAEMON_PIDFILE} && echo reload
-- ;;
-- *)
-- echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-- exit 1
-- ;;
-+ start)
-+ echo -n "Starting $DAEMON "
-+ if test ! -f ${DAEMON_CONF}; then
-+ echo -n >&2 "Configuration file, ${DAEMON_CONF} does not exist. "
-+ rc_status -s
-+ exit 6
-+ fi
-+ checkproc $pid_par ${DAEMON_BIN}
-+ case $? in
-+ 0) echo -n "- Warning: daemon already running. " ;;
-+ 1) echo -n "- Warning: ${DAEMON_PIDFILE} exists. " ;;
-+ esac
-+# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${KEEPALIVED_OPTIONS}"
-+ startproc $usr_par $pid_par ${DAEMON_BIN} ${KEEPALIVED_OPTIONS}
-+ rc_status -v
-+ ;;
-+ stop)
-+ echo -n "Shutting down $DAEMON "
-+ checkproc $pid_par ${DAEMON_BIN} || \
-+ echo -n " Warning: daemon not running. "
-+ killproc $pid_par -t 10 ${DAEMON_BIN}
-+ rc_status -v
-+ ;;
-+ try-restart|condrestart)
-+ if test "$1" = "condrestart"; then
-+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
-+ fi
-+ $0 status
-+ if test $? = 0; then
-+ $0 restart
-+ else
-+ rc_reset
-+ fi
-+ rc_status
-+ ;;
-+ restart)
-+ $0 stop
-+ $0 start
-+ rc_status
-+ ;;
-+ force-reload|reload)
-+ if test "$SUPPORTS_HUP" = "yes"; then
-+ echo -n "Reload service $DAEMON "
-+ checkproc $pid_par ${DAEMON_BIN} && \
-+ touch ${DAEMON_PIDFILE} || \
-+ echo -n >&2 " Warning: daemon not running. "
-+ killproc $pid_par -HUP ${DAEMON_BIN}
-+ rc_status -v
-+ else
-+ $0 stop && sleep 3 && $0 start
-+ rc_status
-+ fi
-+ ;;
-+ status)
-+ echo -n "Checking for $DAEMON "
-+ checkproc $pid_par ${DAEMON_BIN}
-+ rc_status -v
-+ ;;
-+ probe)
-+ test ${DAEMON_CONF} -nt ${DAEMON_PIDFILE} && echo reload
-+ ;;
-+ *)
-+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
-+ exit 1
-+ ;;
- esac
- rc_exit
--
++# echo "startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS}"
++ startproc $usr_par $pid_par ${DAEMON_BIN} ${DAEMON_OPT} ${KEEPALIVED_OPTIONS}
+ rc_status -v
+ ;;
+ stop)
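Review bot: the new startproc line passes ${DAEMON_OPT} in addition to ${KEEPALIVED_OPTIONS}, and DAEMON_OPT is still '-d' in the context lines of the earlier hunk. For keepalived, -d is --dump-conf, so every start now writes the parsed configuration to the log whatever the admin puts in KEEPALIVED_OPTIONS, which the previous revision of this patch did not do. If that is not intended, drop ${DAEMON_OPT} from the startproc line or set DAEMON_OPT to an empty string and leave the choice to the sysconfig file. The Index: header also still says keepalived-2.0.7 although the package is now 2.0.10.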
++++++ keepalive-rpmlintrc ++++++
--- /var/tmp/diff_new_pack.TS20P6/_old 2018-11-29 23:00:31.735496912 +0100
+++ /var/tmp/diff_new_pack.TS20P6/_new 2018-11-29 23:00:31.735496912 +0100
@@ -1,2 +1,2 @@
# Those PEM files are only examples:
-addFilter("pem-certificate /usr/share/doc/packages/keepalived/samples/*.pem")
+addFilter("pem-certificate /usr/share/doc/packages/keepalived/samples/.*.pem")
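Review bot: in the new filter the dot before "pem" is still an unescaped regex metacharacter, so ".*.pem" matches any character in that position and is not limited to files ending in ".pem". Writing the tail as samples/.*\.pem (and anchoring with $ if rpmlint's matching allows it) keeps the suppression limited to the sample certificates the comment refers to.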
++++++ keepalived-1.4.1.tar.gz -> keepalived-2.0.10.tar.gz ++++++
++++ 72941 lines of diff (skipped)
++++++ linux-4.15.patch ++++++
--- /var/tmp/diff_new_pack.TS20P6/_old 2018-11-29 23:00:32.107496453 +0100
+++ /var/tmp/diff_new_pack.TS20P6/_new 2018-11-29 23:00:32.107496453 +0100
@@ -28,27 +28,41 @@
keepalived/vrrp/vrrp.c | 1 +
2 files changed, 2 insertions(+)
-diff --git a/keepalived/include/vrrp_arp.h b/keepalived/include/vrrp_arp.h
-index c2b4e6b5..9dd68f63 100644
---- a/keepalived/include/vrrp_arp.h
-+++ b/keepalived/include/vrrp_arp.h
+Index: keepalived-2.0.9/keepalived/include/vrrp_arp.h
+===================================================================
+--- keepalived-2.0.9.orig/keepalived/include/vrrp_arp.h
++++ keepalived-2.0.9/keepalived/include/vrrp_arp.h
@@ -24,6 +24,7 @@
#define _VRRP_ARP_H
/* system includes */
+#include
- #include
- #include
+ #include
+ #include
-diff --git a/keepalived/vrrp/vrrp.c b/keepalived/vrrp/vrrp.c
-index 56395363..eaa9c567 100644
---- a/keepalived/vrrp/vrrp.c
-+++ b/keepalived/vrrp/vrrp.c
-@@ -26,6 +26,7 @@
- #include "config.h"
+Index: keepalived-2.0.9/keepalived/vrrp/vrrp.c
+===================================================================
+--- keepalived-2.0.9.orig/keepalived/vrrp/vrrp.c
++++ keepalived-2.0.9/keepalived/vrrp/vrrp.c
+@@ -40,6 +40,7 @@
+ #include
/* local include */
+#define _GNU_SOURCE
+ #include "parser.h"
+
#include "vrrp_arp.h"
- #include "vrrp_ndisc.h"
- #include "vrrp_scheduler.h"
+Index: keepalived-2.0.9/keepalived/include/vrrp_if.h
+===================================================================
+--- keepalived-2.0.9.orig/keepalived/include/vrrp_if.h
++++ keepalived-2.0.9/keepalived/include/vrrp_if.h
+@@ -33,9 +33,7 @@
+ #include
+ #include
+ #include
+-#ifdef _HAVE_NET_LINUX_IF_H_COLLISION_
+ #define _LINUX_IF_H
+-#endif
+ #include
+ #ifdef _HAVE_VRRP_VMAC_
+ #include
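Review bot: in the vrrp.c part, "#define _GNU_SOURCE" sits under the "/* local include */" comment, after at least one earlier #include around line 40 of the file. Feature-test macros only take effect when defined before the first system header is included, so move the define to the top of vrrp.c or pass -D_GNU_SOURCE through CFLAGS. Two smaller points: the embedded diffstat still reads "2 files changed, 2 insertions(+)" although the patch now also touches vrrp_if.h, and removing the "#ifdef _HAVE_NET_LINUX_IF_H_COLLISION_" guard there makes "#define _LINUX_IF_H" unconditional, overriding the configure check. A sentence in the patch header explaining why that is needed would help the next person who rebases it.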